TL;DR—

  • Researchers discovered a year-long campaign targeting HR recruiters and hiring managers with fake job applications hosted on legitimate cloud storage.
    • The “CV” / resume download is an ISO-formatted file that infects Windows devices, then steals sensitive organizational data and cryptocurrency credentials after disabling security controls.
  • This lure is especially effective for hiring managers and HR personnel who accept resumes outside of normal application pipelines—and thus outside of protected application tracking system (ATS) environments.
  • Employees can avoid falling for this and similar phishing attacks by:
    • Always redirecting applicants to the official hiring pages, and
    • Not accepting “resumes” or “CVs” in ISO/IMG/VHD/LNK formats.
  • Check out “One ish, two ish: How to prevent modern phishing” for more about malvertising lures and other social engineering attacks.
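
One way to enforce the last two recommendations at a mail gateway or candidate-intake form, as an added example that is not code from the original post or from Aryaka: the check below flags attachments whose extension is one of the listed container formats and also inspects the bytes for ISO 9660, VHD/VHDX and Windows shortcut (LNK) signatures, so a renamed payload (an ISO delivered as resume.pdf) is caught too. The .vhdx extension, the sample filenames and the byte buffers are constructed for the demo; .img has no reliable magic bytes, so it is caught by extension only.

```python
"""
Screen incoming "resume" attachments for disk-image and shortcut containers.

Added example; this is not code from the original post or from Aryaka. It
checks both the filename extension and the file's leading/trailing bytes,
because a payload renamed to 'resume.pdf' should still be caught. All sample
filenames and byte buffers below are constructed for the demo.
"""
from typing import Dict, List, Optional

# Extensions the post says should never be accepted as a resume/CV.
# (.vhdx is added here as the newer VHD variant; assumption, not from the post.)
BLOCKED_EXTENSIONS = {"iso", "img", "vhd", "vhdx", "lnk"}

# Format identifiers (public format specs, not campaign-specific IOCs):
#   ISO 9660 : "CD001" at offset 0x8001 (primary volume descriptor, sector 16)
#   VHD      : "conectix" cookie in the 512-byte footer (also at offset 0 for dynamic disks)
#   VHDX     : "vhdxfile" at offset 0
#   LNK      : HeaderSize 0x4C followed by the ShellLink CLSID 00021401-0000-0000-C000-000000000046
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")


def detect_container(data: bytes) -> Optional[str]:
    """Return 'iso', 'vhd', 'vhdx' or 'lnk' if the bytes carry that signature, else None."""
    if data.startswith(LNK_HEADER):
        return "lnk"
    if len(data) >= 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso"
    if data.startswith(b"vhdxfile"):
        return "vhdx"
    if data.startswith(b"conectix") or data[-512:].startswith(b"conectix"):
        return "vhd"
    return None


def assess_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Decide whether an attachment should be blocked, and record why."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    reasons: List[str] = []
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension .{ext}")
    container = detect_container(data)
    if container is not None:
        reasons.append(f"content matches the {container.upper()} format")
        if ext != container:
            # e.g. an ISO delivered as 'resume.pdf'; the content check catches it anyway
            reasons.append("extension does not match content (possible renamed payload)")
    return {"filename": filename, "block": bool(reasons), "container": container, "reasons": reasons}


def make_fake_iso() -> bytes:
    """Minimal ISO 9660 image: 16 empty system sectors, then a primary volume descriptor."""
    buf = bytearray(0x8000 + 2048)
    buf[0x8000] = 1                   # descriptor type 1 = primary volume descriptor
    buf[0x8001:0x8006] = b"CD001"     # standard identifier
    return bytes(buf)


def make_fake_lnk() -> bytes:
    """Minimal Windows shortcut header (76 bytes) followed by zeroed fields."""
    return LNK_HEADER + b"\x00" * 56


# Constructed samples: benign documents, the ISO lure, the same ISO renamed, a LNK and a VHD.
SAMPLES = {
    "Jane_Doe_Resume.pdf": b"%PDF-1.7\n% constructed stand-in for a real PDF\n",
    "Jane_Doe_Resume.docx": b"PK\x03\x04" + b"\x00" * 26,      # OOXML is a ZIP container
    "Jane_Doe_CV.iso": make_fake_iso(),                           # the lure format from the post
    "Jane_Doe_CV.pdf": make_fake_iso(),                           # same ISO, renamed to .pdf
    "Jane_Doe_CV.lnk": make_fake_lnk(),
    "portfolio.vhd": b"conectix" + b"\x00" * 504,                # dynamic VHD: footer copy at offset 0
}


def scan_samples() -> Dict[str, Dict[str, object]]:
    """Run the check over every constructed sample and return the verdicts by filename."""
    return {name: assess_attachment(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        state = "BLOCK" if verdict["block"] else "allow"
        print(f"{state:5} {name}: {'; '.join(verdict['reasons']) or 'no findings'}")
```

The content check matters more than the extension check: a gateway that only looks at the filename suffix passes the renamed ISO, while the signature check blocks it and records the mismatch as a separate reason for the analyst triaging the alert.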

“EDR-killing” resumes steal sensitive information for over a year

Security researchers at Aryaka released a March 2026 report outlining a new social engineering attack targeting human resources personnel and anyone else openly hiring for new positions. The researchers believe the initial access vector was a spearphishing email that asks the victim to download an infected “CV” or “resume” hosted on a known-good cloud storage service such as Dropbox. Once downloaded and opened, the file presents an initially normal-looking collection of documents, encouraging victims to interact with them. However, the documents contain hidden PowerShell scripts that, among other things, ultimately install an endpoint detection and response (EDR) “killer” malware called “BlackSanta”, which is explicitly designed to evade and shut down security controls. (BlackSanta’s use likely explains why this year-long campaign went undiscovered until this month.) Attackers seem to have two motives:

  1. Immediate financial gain, by locating and exfiltrating cryptocurrency wallet credentials; and
  2. Collecting sensitive organizational data, either for future attacks, resale on the dark web, or possible extortion.

Considering the longevity of this campaign, security teams should review the indicators of compromise (IOCs) listed in the back matter of Aryaka’s official research report and check their environments for any current infections.

How employees interact with infected files

Unfortunately, the Aryaka researchers do not provide screenshots or samples of the spearphishing emails. (The attack has gone on for at least a year, so the first message is probably long gone for many infected organizations.) However, the researchers were able to recover the initially downloaded malicious package, which looks like this: