
BlackSanta ‘EDR-killer’ malware targets HR departments

A specialized “EDR-killer” malware module known as BlackSanta has been discovered operated by a Russian-speaking threat actor that primarily targets human resource and recruitment personnel.

In a recent blog post, Aryaka researchers explained that once BlackSanta reaches a system — typically via an email sent to the victim — the malware initiates a staged infection chain that silently compromises the host and gives the operator complete control over it.

From that foothold, BlackSanta performs extensive system reconnaissance, collecting sensitive information about the operating system, user accounts, and host configuration. The malware also decrypts its data dynamically at runtime, which complicates static detection and forensic analysis for defenders.

“HR teams are a prime target for these attackers because they regularly receive resumes and job applications from unknown senders, making malicious files disguised as recruitment materials especially effective,” said Mika Aalto, co-founder and CEO at Hoxhunt. “Our data shows recruitment-themed phishing lures are surging, and HR professionals are doubly attractive targets because they hold sensitive employee data and are trusted internal communicators.”

Aalto added that campaigns like BlackSanta highlight that social engineering remains the easiest way into organizations, so security teams need to invest as much in preparing people as they do in technology.

“The most effective defense is training employees on the exact types of attacks they are likely to face, turning real-world phishing attempts into learning moments that build lasting cyber resilience,” said Aalto.

John Bambenek, president at Bambenek Consulting, said there’s been a clear uptick in attacks on HR departments and HR systems. Bambenek said many of these attacks result in direct deposit or payroll payments being redirected into the attackers’ hands.

“The trend of HR job sites to use forms instead of resumes is, in part, a response to this threat,” said Bambenek. “It’s harder to include malicious JS in a web form whereas PDFs can include that.” 
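Bambenek’s point that a PDF résumé can carry JavaScript, while a web form cannot, suggests a simple triage check that HR mail gateways can run before a file reaches an inbox. The script below is an added example written for this article; it is not code from Aryaka, Hoxhunt or Bambenek Consulting, and the `scan_pdf` function and the two sample PDFs are constructed for illustration.

```python
"""Triage check for résumé PDFs: flag documents carrying JavaScript or
auto-run actions before they reach an HR inbox. Example code added for
this article (hypothetical helper, not from any vendor named above)."""
import re
import zlib

# PDF name keys that indicate active content. A name can be obscured with
# hex escapes (e.g. /J#53 for /JS), so names are normalised before matching.
RISKY_KEYS = {"/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch",
              "/EmbeddedFile"}


def _unescape_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes inside PDF name objects."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def _inflate_streams(data: bytes) -> bytes:
    """Append decompressed FlateDecode streams so keys hidden inside
    compressed object streams become visible to the scan."""
    out = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded or truncated: nothing more to inspect
    return b"\n".join(out)


def scan_pdf(data: bytes) -> dict:
    """Return {'risky': bool, 'keys': sorted list of risky keys found}."""
    text = _unescape_names(_inflate_streams(data))
    found = {k for k in RISKY_KEYS
             if re.search(re.escape(k.encode()) + rb"(?![A-Za-z])", text)}
    return {"risky": bool(found), "keys": sorted(found)}


# Constructed samples (not real malware): a plain résumé skeleton and one
# that runs a script on open, with the /JS key hidden behind a hex escape.
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Count 0 >> endobj\n"
             b"trailer << /Root 1 0 R >>")
JS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
          b"3 0 obj << /S /JavaScript /J#53 (1) >> endobj\n"
          b"trailer << /Root 1 0 R >>")

if __name__ == "__main__":
    for name, pdf in (("clean", CLEAN_PDF), ("js", JS_PDF)):
        print(name, scan_pdf(pdf))
```

A hit is a reason to detonate the file in a sandbox or route it to a form-based intake, not proof of malice on its own, since some legitimate fillable forms also use /AA and /JavaScript.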
