Emerging threat: Resume lure delivers ‘BlackSanta’ control killer

A. Stryker

03/10/2026

Tags: blog, emerging threat, featured, HR, spearphishing

TL;DR—

  • Researchers discovered a year-long campaign targeting HR recruiters and hiring managers with fake job applications hosted on legitimate cloud storage.
    • The “CV” or resume download is an ISO disk image that, once opened on a Windows device, disables security controls and then steals sensitive organizational data and cryptocurrency wallet credentials.
  • This lure is especially effective against hiring managers and HR personnel who accept resumes outside of the normal application pipeline, and thus outside of the protected applicant tracking system (ATS) environment.
  • Employees can avoid falling for this and similar phishing attacks by:
    • Always redirecting applicants to the official hiring pages, and
    • Not accepting “resumes” or “CVs” in ISO/IMG/VHD/LNK formats.
  • Check out “One ish, two ish: How to prevent modern phishing” for more about malvertising lures and other social engineering attacks.

“EDR-killing” resumes steal sensitive information for over a year

Security researchers at Aryaka released a March 2026 report outlining a new social engineering attack targeting human resources personnel and anyone else openly hiring for new positions.

The researchers believe the initial access vector was a spearphishing email that asks the recipient to download an infected “CV” or “resume” hosted on a known-good cloud storage service such as Dropbox.

Once downloaded and opened, the ISO mounts as a drive holding what looks like an ordinary set of applicant documents, encouraging the victim to click through them.

However, the “documents” are wrappers around hidden PowerShell scripts that, among other things, ultimately install an endpoint detection and response (EDR) “killer” called “BlackSanta”, malware explicitly designed to evade and shut down security controls.

(BlackSanta’s use likely explains why this year-long campaign was undiscovered until this month.)

Attackers seem to have two motives:

  1. Immediate financial gain, by locating cryptocurrency wallet credentials on the device and exfiltrating them; and
  2. Collecting sensitive organizational data, either for future attacks, resale on the dark web, or possible extortion.

Considering the longevity of this campaign, security teams should work through the indicators of compromise (IOCs) in the backmatter of Aryaka’s official research report to confirm there are no current infections.

How employees interact with infected files

Unfortunately, the Aryaka researchers don’t have any images or known-bad spearphishing emails to offer. (The attack has gone on for at least a year, so the first message is probably long gone for many infected organizations.)

However, researchers were able to find the initially downloaded malicious package, which looks like this:

Image courtesy of Aryaka
  • PowerShell presence: Right off the bat, a PowerShell script sitting in an applicant’s files is extremely suspicious… to security personnel.
    • However, in the Explorer preview the Type column for “script.ps1” begins with “Windows” (the full type is “Windows PowerShell Script”), which may make the file look safe or credible to a non-technical employee.
  • Mismatched file types: The visible file name does not match the real type. “Celine_Pesant[.]pdf” is actually an .LNK shortcut, not a PDF; Windows hides the .lnk extension even when “show file extensions” is turned on, so an employee quickly opening files has nothing but the icon to go on.
    • That icon is the tell: the shortcut shows a browser icon rather than a PDF reader’s. It only helps if the employee stops at the mismatch between what a “normal” preview looks like and what this one shows, instead of double-clicking.
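The two tells above (a disk-image container, and inner files whose displayed name claims a document while the bytes say shortcut or script) can be checked mechanically before anyone in HR double-clicks. The following triage script is an added example written for this post; it is not code from Aryaka’s report or from the BlackSanta campaign. It classifies files by their magic bytes rather than their names, models the way Explorer hides the .lnk extension, and flags disk-image attachments outright. The sample bundle at the bottom is constructed for illustration, reusing only the file names the post mentions.

```python
"""Triage helper for out-of-band applicant bundles (added example, not from the report).

Encodes the two tells described above: a disk-image container (ISO/IMG/VHD) and
inner files whose displayed name claims a document while the bytes are a Windows
shortcut or a script. Sample inputs are constructed inline so it runs offline.
"""
from __future__ import annotations

import os
from typing import Dict, List

# Well-known format headers. The LNK header is HeaderSize (0x4C) followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
PDF_MAGIC = b"%PDF"
ZIP_MAGIC = b"PK\x03\x04"          # .docx/.xlsx/.pptx are zip containers
ISO_MAGIC = b"CD001"               # ISO 9660 volume descriptor id at offset 0x8001
VHD_COOKIE = b"conectix"           # fixed-size VHD keeps its footer in the last 512 bytes

CONTAINER_EXTS = {".iso", ".img", ".vhd", ".vhdx"}
SCRIPT_EXTS = {".ps1", ".bat", ".cmd", ".vbs", ".js", ".jse", ".hta", ".wsf"}
DOCUMENT_EXPECTED = {".pdf": "pdf", ".docx": "zip", ".xlsx": "zip", ".pptx": "zip"}


def sniff_type(data: bytes) -> str:
    """Classify a file by content, never by name."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    end = 0x8001 + len(ISO_MAGIC)
    if len(data) >= end and data[0x8001:end] == ISO_MAGIC:
        return "iso"
    if len(data) >= 512 and data[-512:].startswith(VHD_COOKIE):
        return "vhd"
    return "other"


def displayed_name(filename: str) -> str:
    """What Explorer shows: the .lnk extension is always hidden (the lnkfile
    type carries NeverShowExt), so 'Celine_Pesant.pdf.lnk' renders as
    'Celine_Pesant.pdf' even with 'show file extensions' enabled."""
    root, ext = os.path.splitext(filename)
    return root if ext.lower() == ".lnk" else filename


def check_file(filename: str, data: bytes) -> List[str]:
    """Return findings for one inner file of an applicant bundle."""
    findings: List[str] = []
    shown = displayed_name(filename)
    shown_ext = os.path.splitext(shown)[1].lower()
    actual = sniff_type(data)

    if actual == "lnk":
        findings.append(f"{shown}: displayed as {shown_ext or 'no extension'} "
                        f"but is a Windows shortcut (.lnk)")
    expected = DOCUMENT_EXPECTED.get(shown_ext)
    if expected and actual not in (expected, "lnk"):
        findings.append(f"{shown}: claims {shown_ext} but content looks like {actual}")
    if shown_ext in SCRIPT_EXTS:
        findings.append(f"{shown}: script file in an applicant bundle")
    return findings


def check_bundle(attachment_name: str, attachment: bytes, inner: Dict[str, bytes]) -> List[str]:
    """Triage the attachment itself (container format) and its extracted contents."""
    findings: List[str] = []
    ext = os.path.splitext(attachment_name)[1].lower()
    kind = sniff_type(attachment)
    if ext in CONTAINER_EXTS or kind in ("iso", "vhd"):
        label = kind if kind != "other" else ext
        findings.append(f"{attachment_name}: disk image ({label}) is not an acceptable resume format")
    for name, data in inner.items():
        findings.extend(check_file(name, data))
    return findings


# Constructed sample modeled on the bundle described above (not real IOCs).
SAMPLE_ISO = b"\x00" * 0x8001 + ISO_MAGIC + b"\x01" + b"\x00" * 64
SAMPLE_INNER = {
    "Celine_Pesant.pdf.lnk": LNK_MAGIC + b"\x00" * 56,   # Explorer shows "Celine_Pesant.pdf"
    "script.ps1": b"Start-Process powershell -WindowStyle Hidden ...\r\n",
    "cover_letter.pdf": b"%PDF-1.7\n% constructed benign sample\n",
}

if __name__ == "__main__":
    for line in check_bundle("Celine_Pesant_CV.iso", SAMPLE_ISO, SAMPLE_INNER):
        print("FLAG:", line)
```

Run against the constructed bundle it raises three flags: the ISO container, the shortcut masquerading as a PDF, and the PowerShell script; the genuine PDF passes. The ISO test reads the volume descriptor at offset 0x8001, so a truncated download will fall through to the extension check, which is why both are consulted.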

Employees most at-risk of falling for similar spearphishing campaigns

The types of employees most at risk of falling for this specific attack (and ones like it) include:

  • Human resources employees who routinely receive files from unknown senders as part of normal work
  • Hiring managers who accept resumes or work samples through their own professional networks to sidestep a slow hiring process
  • Individuals who would trust an unsolicited cloud-hosted file link, or who would open odd file types on a work device instead of through the proper channels (e.g., an ATS, or a developer sandbox or virtual machine / VM).
    • You can identify these people with a phishing simulation built on the same lures the “BlackSanta” campaign is believed to use, then teach them why those clicks are risky.

How hiring managers and HR employees can avoid malicious resumes and CVs

  • Redirect out-of-band job applicants to the official careers page, so applicant materials are opened in a safer environment such as the ATS.
  • Remind hiring managers who recruit through their own professional networks that applicants should still apply through the official ATS pipeline, rather than sending materials to LinkedIn inboxes or corporate email accounts.
  • Pause and look twice. If you see something that doesn’t quite make sense—like a script file or a file icon that doesn’t match the file type—then be extremely careful about clicking.
  • Report to security if someone clicks one of these odd files or applicant packages.

To learn more about malvertising attacks, check out Fable Security’s free ebook, “One ish, two ish: How to prevent modern phishing”—no email required!

And, download this briefing to share with relevant employee cohorts before you see out-of-band “resumes” that try to take down your EDR. For existing customers, you can already find the briefing in your Fable catalog.
