Malicious Google Ads Exploit Tax Season, Paving the Way for EDR Bypass
In a rising trend within the cybercriminal landscape, tax-themed Google Ads are being exploited for malicious purposes. Huntress has identified a large malvertising campaign that uses these ads to deliver a BYOVD-based EDR killer, a tool that disables endpoint security. The campaign combines rogue deployments of remote management tools such as ScreenConnect with a vulnerable Huawei audio driver to incapacitate endpoint defenses before the attackers begin hands-on-keyboard activity.
Leveraging Tax Season Lure
Sponsored Google Ads capitalize on the heightened interest in tax forms at this time of year. Queries such as "W2 tax form" and "W-9 Tax Forms 2026" direct users to convincingly crafted landing pages that mimic official IRS pages. The lure targets employees, contractors, and small businesses, prompting them to click through to what appear to be genuine resources.
Huntress's monitoring revealed over 60 unauthorized ScreenConnect sessions linked to this malvertising activity, establishing that the Google Ads are the campaign's primary initial access method rather than traditional vectors such as email phishing or exploit kits.
After clicking the ads, users are redirected through domains including anukitax[.]com and bringetax[.]com. These sites ultimately deliver a ScreenConnect MSI file hosted on 4sync, which sets up remote access under default configurations, a sign of unauthorized use of remote management software.
Continued Malvertising Operations
Further investigation by Huntress suggests that this malvertising operation has been active since at least January 2026, specifically targeting U.S. users urgently searching for IRS tax forms during the filing season. The analysis also uncovered a fraudulent Chrome update page hosted on shared infrastructure, indicating that the attackers maintain multiple lure templates and switch rapidly between tax-related themes and browser update appeals.
Advanced Cloaking Techniques
To evade detection and prolong the life of their malicious ads, the operators employed two commercial cloaking services: Adspect on the client side and JustCloakIt on the server side. When a victim clicks the download link, JavaScript on the page fetches the visitor's geographical location and IP address and notifies the operator's Telegram bot with real-time data about each successful download.
Adspect's Traffic Distribution System fingerprints visitors based on various system attributes, allowing the attackers to decide whether to serve the malicious payload, redirect to a benign website, or proxy content. This means Google reviewers and security scanners consistently see harmless content while real users are steered toward malware.
The second layer, JustCloakIt, tightens the filtering further by allowing only monetizable traffic to reach the malicious infrastructure. This layered cloaking creates a cat-and-mouse dynamic that complicates platforms' efforts to detect and remove the campaign's malicious elements.
Disabling Endpoint Defenses
Once the initial ScreenConnect session is established, the attackers deploy "crypteds.exe," a multi-stage crypter dubbed "FatMalloc." Its memory allocation behaviour lets it bypass many low-resource sandboxes and antivirus emulators.
Next, a tool known as "HwAudKiller" is executed. It abuses a legitimate, signed Huawei audio driver that is not covered by Microsoft's vulnerable driver block list. The driver provides arbitrary kernel-level access, which the tool uses to terminate security processes, including Windows Defender and various antivirus products.
The Implications of Driver Abuse
Huntress describes this incident as the first known case of the signed Huawei audio driver being abused as a BYOVD weapon. It allows attackers to defeat user-mode tamper protection and the EDR solutions that are supposed to protect systems and users from such intrusions.
Once endpoint visibility has been blinded, the attackers swiftly pivot to lateral movement within the network, engaging in credential theft and extensive network scanning. Their actions align with the methodologies commonly used by initial access brokers and pre-ransomware groups.
Recommendations for Protection
In light of these evolving threats, organizations must bolster their security measures. Key detection points are unauthorized ScreenConnect instances running with default parameters. Security teams should also regularly monitor system temp folders for unknown executables, which can indicate unauthorized access or installation.
User awareness campaigns are equally vital; employees must be educated about the risks associated with sponsored search results, even those appearing to be official documents. Emphasizing that downloads should only occur from verified sources can serve as a buffer against these sophisticated threats.
Organizations should also take proactive measures like RMM allowlisting, approving only trusted domains and tools while treating any unapproved ScreenConnect relay as a potential compromise requiring immediate attention.
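The two detection points above (ScreenConnect instances whose relay is not on the approved RMM list, and unknown executables in temp folders) can be scripted. The following Python sketch is an added illustration, not code from Huntress or the article. It assumes that a ScreenConnect client service's registry ImagePath carries the relay host as an `h=` parameter and the port as `p=` (8041 is the product's default relay port); the allowlist, the service paths and the file listing below are all constructed sample data, so adapt the regex and inputs to what your own inventory exports look like.

```python
"""Detection sketch (added example, not Huntress code): flag ScreenConnect
clients pointed at relays outside the RMM allowlist, and flag executables
dropped into temp folders. All sample data below is constructed."""
import re
from dataclasses import dataclass

# Constructed allowlist of relay hosts the organisation actually owns.
APPROVED_RELAYS = {"support.example-corp.internal"}

# Constructed sample of service ImagePath values as a defender might export
# them from HKLM\SYSTEM\CurrentControlSet\Services. Assumption: the client
# service command line carries the relay host in h= and the port in p=.
SAMPLE_SERVICE_IMAGE_PATHS = [
    r'"C:\Program Files (x86)\ScreenConnect Client (abcd1234)\ScreenConnect.ClientService.exe" '
    r'"?e=Access&y=Guest&h=support.example-corp.internal&p=8041'
    r'&s=11111111-2222-3333-4444-555555555555&k=BgIAAACkAA"',
    r'"C:\Program Files (x86)\ScreenConnect Client (ffff0000)\ScreenConnect.ClientService.exe" '
    r'"?e=Access&y=Guest&h=relay.unknown-operator.example&p=8041'
    r'&s=66666666-7777-8888-9999-000000000000&k=BgIAAACkAA"',
    r"C:\Windows\System32\svchost.exe -k netsvcs",
]

# Constructed file listing; crypteds.exe is the dropper name cited in the article.
SAMPLE_FILE_LISTING = [
    r"C:\Users\alice\AppData\Local\Temp\crypteds.exe",
    r"C:\Windows\Temp\ScreenConnect.ClientSetup.msi",
    r"C:\Users\alice\AppData\Local\Temp\report.docx",
    r"C:\Program Files\Vendor\tool.exe",
]


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


# Relay host follows "h=" somewhere after the ScreenConnect client binary.
SC_RELAY_RE = re.compile(r'ScreenConnect\.ClientService\.exe.*?[?&]h=([^&"\s]+)', re.I)
SC_PORT_RE = re.compile(r"[?&]p=(\d+)")
DEFAULT_RELAY_PORT = "8041"


def find_rogue_screenconnect(image_paths, approved=APPROVED_RELAYS):
    """Return a Finding for every ScreenConnect client whose relay is not approved."""
    findings = []
    for path in image_paths:
        m = SC_RELAY_RE.search(path)
        if not m:
            continue  # not a ScreenConnect client service
        relay = m.group(1).lower()
        if relay in approved:
            continue
        port = SC_PORT_RE.search(path)
        note = ""
        if port and port.group(1) == DEFAULT_RELAY_PORT:
            note = f" (default relay port {DEFAULT_RELAY_PORT})"
        findings.append(Finding("rogue_rmm", f"ScreenConnect relay {relay} not on allowlist{note}"))
    return findings


TEMP_DIRS = ("c:\\windows\\temp\\", "\\appdata\\local\\temp\\")
EXEC_EXT = (".exe", ".msi", ".dll", ".scr")


def find_temp_executables(file_listing, known_good=frozenset()):
    """Return a Finding for every executable-type file living under a temp folder."""
    findings = []
    for path in file_listing:
        low = path.lower()
        if not low.endswith(EXEC_EXT):
            continue
        if not any(d in low for d in TEMP_DIRS):
            continue
        name = low.rsplit("\\", 1)[-1]
        if name in known_good:
            continue  # e.g. an installer your own tooling stages in temp
        findings.append(Finding("temp_executable", path))
    return findings


if __name__ == "__main__":
    for f in find_rogue_screenconnect(SAMPLE_SERVICE_IMAGE_PATHS) + find_temp_executables(SAMPLE_FILE_LISTING):
        print(f"[{f.kind}] {f.detail}")
```

Run against the constructed data, the script reports one rogue relay (the second service entry) and two temp-folder executables; the approved relay and the non-executable file produce no findings. In practice the allowlist should be the set of relay hostnames your licensed ScreenConnect instance actually uses, and any hit on the default port with an unknown relay should be treated as the page recommends: a potential compromise to investigate immediately.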
Ultimately, as cybercriminals become more inventive, continuous vigilance, situational awareness, and a proactive approach to cybersecurity will be essential for organizations aiming to protect their sensitive data and maintain operational integrity during the alluring yet perilous tax season.