Kernel in the Crosshairs: The BlackSanta Threat Campaign Targeting Recruitment Workflows

ID: c2223a5d-dfb6-5a40-9d86-d160e80c4f3c

STIX ID: report--c2223a5d-dfb6-5a40-9d86-d160e80c4f3c

Feed Name: Aryaka

Threat Score
80/100

Date Published: 2026-03-10

Date Updated: 2026-04-27

Author: Aditya K Sood

...
...

This report describes the 'BlackSanta' campaign, which targets recruitment workflows by delivering resume-themed ISO files. Each ISO launches a malicious LNK shortcut that executes obfuscated PowerShell, extracts steganographic payloads, sideloads a malicious DLL, and establishes encrypted C2. A standout component is a BYOVD-based kernel module that uses signed vulnerable drivers to disable antivirus and EDR protections, enabling credential harvesting and stealthy data exfiltration.