Threat actors are still having success tricking human resources staff into opening malware-infected phishing emails.
The latest example is detailed by researchers at Aryaka, who this week described a campaign by an unnamed threat actor who is distributing resumés containing a malicious ISO file to HR departments. It’s delivered through recruitment channels, and hosted on what an employee, or an email gateway’s filters, would see as trusted cloud infrastructure.
When the victim mounts the ISO, which is an archive of an optical disc such as a DVD, and opens its contents, a malicious shortcut (.lnk) is executed, launching obfuscated PowerShell commands that extract hidden payloads embedded within a steganographic image. A malicious DLL is then sideloaded using a legitimate signed application, allowing the attacker’s code to run under the guise of trusted software. The goal is to harvest data from the infected computer.
The malware’s most alarming feature, says Aryaka, is an internal module dubbed BlackSanta which shuts down the endpoint detection and response (EDR) agents that would otherwise detect this attack. It uses a Bring Your Own Vulnerable Driver (BYOVD) technique: it loads legitimate but exploitable kernel drivers to gain low-level system access, then systematically turns off security tools.
While it’s a sophisticated attack, what CSOs might consider more important is preventing the attack from the start through HR employee security awareness training to help them spot phishing lures.
Among the priorities for that training: Emphasizing that a file ending in .iso can carry and launch malware. A resumé or job application file should end in .docx, .pdf or .txt.
“Your HR team should be among your most trained and protected employees,” says Roger Grimes, CISO advisor at awareness training provider KnowBe4. “HR departments are strongly in the crosshairs of all sorts of scammers. If they aren’t trying to get their malware installed or steal logon credentials, they are trying to get fake employees into the recruitment process.”
In fact, he added, a scam that makes it past the HR team may be seen as more trustworthy as it moves on to other departments.
HR staff should be trained to accept only normal resumé submission document types, such as .pdf or .docx, Grimes said, and not to click on URLs inside either unless necessary.
Some organizations decrease the risk of malware being sent through fake resumés by asking for all submissions to go to their HR hiring portal, which only accepts text inputs to supplied web forms, he added.
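As an added example (not code from the article, Aryaka or KnowBe4), here is one way an HR intake mailbox could enforce the document-type policy described above: the screen accepts only .pdf, .docx or .txt names and also checks the file's leading bytes, so that an ISO or .lnk renamed to look like a resumé is quarantined rather than delivered. The signature offsets are the standard ISO 9660 and Windows shell-link values; the file names and sample bytes are constructed.

```python
"""Screen resumé attachments arriving at an HR intake mailbox.

Added example, not code from the article or from Aryaka's report. It encodes
the advice in the text (accept only .pdf, .docx or .txt; treat disk images
and shortcuts as hostile) and adds a content check so that a renamed ISO or
.lnk cannot pass simply because its file name ends in .pdf.
"""
import os

ALLOWED_EXTENSIONS = {".pdf", ".docx", ".txt"}

# Well-known file signatures as (offset, bytes). ISO 9660 places its primary
# volume descriptor at byte 0x8000, with the "CD001" identifier one byte in.
# A Windows shell link starts with its 0x4C header size and the link CLSID.
SIGNATURES = {
    "pdf": (0, b"%PDF-"),
    "docx": (0, b"PK\x03\x04"),  # OOXML documents are ZIP containers
    "iso": (0x8001, b"CD001"),
    "lnk": (0, bytes.fromhex("4c000000 01140200 00000000 c0000000 00000046")),
}
BLOCKED_FORMATS = {"iso", "lnk"}


def sniff_format(data):
    """Return the format whose signature the bytes carry, or None."""
    for fmt, (offset, magic) in SIGNATURES.items():
        if data[offset:offset + len(magic)] == magic:
            return fmt
    return None


def screen_attachment(filename, data):
    """Return ("accept" | "quarantine", reason) for one attachment."""
    ext = os.path.splitext(filename.lower())[1]  # last extension only
    fmt = sniff_format(data)
    if ext not in ALLOWED_EXTENSIONS:
        return "quarantine", f"extension {ext or '(none)'} is not a resumé format"
    if fmt in BLOCKED_FORMATS:
        return "quarantine", f"content is a {fmt} file despite the {ext} name"
    if ext == ".txt":
        # Plain text must carry neither a document signature nor binary data.
        if fmt is not None or b"\x00" in data:
            return "quarantine", "text file carries binary or document content"
    elif fmt != ext.lstrip("."):
        return "quarantine", f"content does not carry a {ext} signature"
    return "accept", f"{ext} attachment matches its declared type"
```

A renamed ISO fails on its "CD001" descriptor even when the name ends in .pdf, and a double extension such as cv.pdf.iso fails on the extension check before any content is inspected.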
At the very least, all HR staff members have to understand that they are at high risk of receiving scams, he said. They must be educated about common scams targeting HR departments, coached when they perform high-risk actions, and given simulated phishing testing that mimics phishing that commonly targets HR employees.
Not just malware
Fake job applications don’t just come with malware. At a time when many jobs are filled through online interviews, they’re a way nation-states can infiltrate sensitive organizations like defense or government contractors. Last month, a Ukrainian man was sentenced by a US judge to 60 months in prison for stealing the identities of Americans, which were then used by North Koreans to fraudulently get work at US firms.
In 2025, Amazon said that over a 17-month period it blocked over 1,800 job applications suspected of coming from North Korean agents.
Lures impersonating HR
According to researchers at Cofense, most HR-related phishing messages are sent in the second half of the year, although specific message themes will change based on current events (for example: ‘Because of COVID, revenue has fallen, so we have to lay off staff’). One theme that regularly works: Termination messages. Employees won’t ignore an email with a termination subject line, and the messages will appear legitimate, particularly if they spoof the company’s email address.
Other common themes, Cofense says, include notices of compensation adjustments, company benefits or the ability to enroll in benefits, handbook and policy updates, employee assessments and surveys, and income tax information.
“Impersonating HR provides many benefits to threat actors,” the Cofense report notes. “Tasks from HR are typically mandatory, so HR emails carry authority. Legitimate HR tasks can also have strict deadlines, which a threat actor can use to impose urgency. Finally, regular HR tasks are expected by employees. Sent at the right time, employees may not recognize an email as phishing and automatically click on any link to resolve the HR issue.”
AI makes detection harder
Christopher Kayser, head of Canadian consulting firm Cybercrime Analytics and author of a book on social engineering, said that thanks to generative AI technology, it’s becoming increasingly difficult to recognize malicious communications. And because, for years, the job of HR staff has been to receive responses to ads for positions, they tend to open documents without question. On top of that, many employees trust that IT is doing everything possible to ensure that any communications that make it to devices have been scanned and are safe.
For their part, he added, bad actors use the common triggers for any type of phishing campaign: Playing on fear, guilt, helpfulness, obedience, and urgency in subject lines and messages.
Defensive strategies
“It is virtually impossible to instill sophisticated levels of knowledge for every user of technology to be able to correctly identify malicious communications,” Kayser told CSO. “But what can be taught is to make people realize there is never a communication that we receive that we should feel compelled to respond to immediately, until we have verified that what we are being asked or told to do is valid.”
All employees should be told that, if skeptical about an email or text, they should immediately ask their IT department to review it, he said.
Another defensive strategy, Kayser suggested, is having all incoming communications for HR redirected to a specific folder on the corporate email system where full checks for viruses and corrupted files are run. Some argue these files may contain personally identifiable information, which shouldn’t be seen by anyone outside HR; that, Kayser said, is a valid concern. But this step shouldn’t require IT to inspect file content, just look for malware and suspicious activity.