
Tax Season Scams: Malicious Ads Deploy ScreenConnect Malware to Disable Security Software

A malvertising campaign has been targeting people in the United States who search for tax forms since January 2026, according to research published by Huntress. The attackers buy Google Ads that lead to rogue ConnectWise ScreenConnect installers; once the remote-access session is established, they deploy an EDR killer that disables endpoint detection and response (EDR) software using a "Bring Your Own Vulnerable Driver" (BYOVD) technique: a legitimately signed but abusable driver is loaded into the kernel and used to terminate security processes. The campaign shows how a routine search with a predictable seasonal peak can be turned into an initial-access vector.

Key Takeaways

  • Malicious Google Ads disguised as tax forms are used to lure victims.

  • The campaign delivers ConnectWise ScreenConnect installers that drop an EDR killer.

  • A legitimate Huawei driver is exploited to disable security software.

  • Commercial cloaking services are employed to evade detection.

  • Observed post-compromise activity (credential dumping, network reconnaissance) points to ransomware staging or sale of the access to other actors.

The Attack Chain

The attack begins when users search for tax forms such as "W-2 tax form" or "W-9 Tax Forms 2026". Sponsored results, i.e. paid ads placed above the organic results, send them to attacker-controlled landing pages. Those pages sit behind commercial cloaking services such as Adspect and JustCloakIt, which fingerprint each visitor and show benign content to crawlers, security scanners and visitors who do not match the campaign's targeting, while serving the malicious download page only to the intended victims. A practical consequence for defenders: a URL-reputation check that fetches the page from a datacenter IP will usually see the decoy, not the payload.

Payload Delivery and EDR Disablement

Victims are tricked into downloading a rogue ScreenConnect installer, a client installer configured to connect to attacker-controlled ScreenConnect instances. The attackers register several ScreenConnect trial instances and enroll the victim's machine in more than one of them, so that if a defender removes one client or the vendor suspends one trial, the others keep providing remote access. Other Remote Monitoring and Management (RMM) tools, such as FleetDeck Agent, have also been deployed alongside ScreenConnect.

The ScreenConnect session is then used to push a multi-stage crypter tracked under the name FatMalloc. It relies on resource exhaustion: it allocates around 2 GB of memory before unpacking the next stage, which antivirus emulators and sandboxes with memory or time limits cannot follow, so the payload is never inspected in its decrypted form. Once past that stage, the EDR killer, codenamed HwAudKiller, is executed.

HwAudKiller brings its own copy of a legitimate, signed Huawei audio driver, "HWAuidoOs2Ec.sys", and registers it as a kernel-mode service. Because the driver carries a valid signature, Windows loads it without complaint; its exploitable weakness then gives the tool a way to terminate arbitrary processes from kernel mode. EDR agents such as Microsoft Defender, Kaspersky and SentinelOne defend their own processes with user-mode tamper protection (and, where used, Protected Process Light), neither of which stops a termination that originates in the kernel, so the agents are killed and the rest of the intrusion proceeds unobserved. Two signals are worth hunting for: a kernel-mode driver service being created from a path outside %SystemRoot%\System32\drivers (Event ID 7045 in the System log records the service name, type and image path), and the driver's hash appearing on Microsoft's vulnerable driver blocklist, which, when enforced through HVCI or WDAC, refuses the load in the first place.
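As an added example, not code from the write-up or from Huntress, the following Python script runs the two hunts suggested by the paragraphs on ScreenConnect enrollment and on the driver load over Event ID 7045 ("A service was installed in the system") records: it lists the relay hosts that installed ScreenConnect clients report to, flagging every host not on an allow-list, and it flags kernel-mode driver services created from outside the Windows drivers directory or matching a watchlist. The event records, the `.invalid` hostnames and the `HwAudSvc` service name are constructed for the example; the ScreenConnect ImagePath layout (a quoted `?e=...&h=<relay host>` argument after the executable) is assumed from typical client installs, and the watchlist carries only the driver file name as this write-up spells it.

```python
"""Triage Event ID 7045 records for two behaviours: ScreenConnect clients
bound to several relay hosts, and a kernel-mode driver loaded from a
non-standard path (the BYOVD step). Example code; sample data is constructed."""
import re
from collections import defaultdict

# Constructed sample records, shaped like a SIEM export of System-log 7045
# events. Not real logs from the campaign; hostnames use the reserved .invalid TLD.
SAMPLE_7045_EVENTS = [
    {
        "ServiceName": "ScreenConnect Client (1a2b3c4d5e6f7a8b)",
        "ImagePath": ('"C:\\Program Files (x86)\\ScreenConnect Client (1a2b3c4d5e6f7a8b)\\'
                      'ScreenConnect.ClientService.exe" '
                      '"?e=Access&y=Guest&h=instance-aaaa11-relay.example.invalid&p=443&k=AAAA"'),
        "ServiceType": "user mode service",
        "AccountName": "LocalSystem",
    },
    {
        "ServiceName": "ScreenConnect Client (9f8e7d6c5b4a3f2e)",
        "ImagePath": ('"C:\\Program Files (x86)\\ScreenConnect Client (9f8e7d6c5b4a3f2e)\\'
                      'ScreenConnect.ClientService.exe" '
                      '"?e=Access&y=Guest&h=instance-bbbb22-relay.example.invalid&p=443&k=BBBB"'),
        "ServiceType": "user mode service",
        "AccountName": "LocalSystem",
    },
    {   # Ordinary driver install: image sits in the Windows drivers directory.
        "ServiceName": "vendorfilter",
        "ImagePath": "\\SystemRoot\\System32\\drivers\\vendorfilter.sys",
        "ServiceType": "kernel mode driver",
        "AccountName": "",
    },
    {   # BYOVD pattern (constructed): a signed driver registered as a kernel
        # service from a user-writable directory. File name as given in the write-up.
        "ServiceName": "HwAudSvc",
        "ImagePath": "\\??\\C:\\Users\\Public\\HWAuidoOs2Ec.sys",
        "ServiceType": "kernel mode driver",
        "AccountName": "",
    },
]

# Names (better: hashes) of drivers known to be abused. Populate from vendor
# block lists; the one entry here is the file name as spelled in the write-up.
DRIVER_WATCHLIST = {"hwauidoos2ec.sys"}

# ScreenConnect clients pass the relay host as the h= parameter (assumed layout).
_RELAY_HOST = re.compile(r"[?&]h=([^&\"\s]+)")


def relay_host(image_path):
    """Return the relay host named in a ScreenConnect client ImagePath, or None."""
    m = _RELAY_HOST.search(image_path)
    return m.group(1).lower() if m else None


def screenconnect_relays(events):
    """Map each relay host to the ScreenConnect client services bound to it."""
    hosts = defaultdict(list)
    for ev in events:
        if ev["ServiceName"].lower().startswith("screenconnect client"):
            hosts[relay_host(ev["ImagePath"]) or "<no relay host>"].append(ev["ServiceName"])
    return dict(hosts)


def unexpected_relays(events, allowed_hosts=frozenset()):
    """Relay hosts not on the allow-list. Several at once is the 'multiple trial
    instances' pattern; even one unknown host deserves a look."""
    return sorted(h for h in screenconnect_relays(events) if h not in allowed_hosts)


def normalise_path(p):
    """Lower-case, unquote and drop the \\??\\ NT prefix so paths compare cleanly."""
    p = p.strip().strip('"').lower()
    return p[4:] if p.startswith("\\??\\") else p


def suspicious_driver_installs(events):
    """Kernel-mode driver services that are watchlisted or were loaded from
    outside System32\\drivers. Signature validity is deliberately not a
    criterion: BYOVD drivers are validly signed."""
    findings = []
    for ev in events:
        if "kernel mode driver" not in ev["ServiceType"].lower():
            continue
        path = normalise_path(ev["ImagePath"])
        name = path.rsplit("\\", 1)[-1]
        reasons = []
        if name in DRIVER_WATCHLIST:
            reasons.append("watchlisted driver")
        if "\\system32\\drivers\\" not in path:
            reasons.append("driver outside System32\\drivers")
        if reasons:
            findings.append((ev["ServiceName"], path, reasons))
    return findings


if __name__ == "__main__":
    for host in unexpected_relays(SAMPLE_7045_EVENTS):
        print("ScreenConnect relay host:", host)
    for svc, path, why in suspicious_driver_installs(SAMPLE_7045_EVENTS):
        print(f"driver service {svc} -> {path}: {', '.join(why)}")
```

The allow-list should hold the organisation's own ScreenConnect instance hosts, if any, so that legitimate help-desk installs do not fire. The path heuristic misses a BYOVD driver that the attacker copies into System32\drivers, which is why hash matching against the vendor blocklist, rather than the file-name watchlist used here, is the stronger of the two checks.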

Threat Actor Objectives and Attribution

The objectives have not been confirmed, but the post-compromise activity observed so far includes dumping credentials from LSASS process memory and running NetExec for network reconnaissance and lateral movement. That sequence (disable the EDR, harvest credentials, map the network) is what typically precedes ransomware deployment, and it is also what an initial access broker does before selling a foothold, so either outcome is plausible.

The only attribution clue reported is Russian-language comments in JavaScript on a related fake Chrome-update page, which suggests a Russian-speaking developer. Notably, nothing in the chain is bespoke: commercial cloaking services, trial accounts of a legitimate RMM product, a crypter and a signed vendor driver with an exploitable weakness are combined into a complete intrusion path.

Sources

  • Tax Search Ads Deliver ScreenConnect Malware Using Huawei Driver to Disable EDR, The Hacker News.

  • Malvertising Campaign Uses Tax Ads To Deploy BYOVD EDR Killer, Huntress Says, Cyber Press.
