
Tax Search Ads Deliver ScreenConnect Malware via Huawei Driver to Bypass EDR


Malvertising Campaign Targets Tax-Related Searches with Sophisticated Techniques

A significant malvertising campaign has been actively targeting individuals in the United States since January 2026. It preys on users searching for tax-related documents, aiming to install rogue ConnectWise ScreenConnect instances on their machines. The rogue ScreenConnect access is then used to deploy a tool known as HwAudKiller, which employs the bring your own vulnerable driver (BYOVD) technique to disable security software.

According to Huntress researcher Anna Pham, the campaign abuses Google Ads to present deceptive ScreenConnect installers, which ultimately lead to the delivery of a BYOVD endpoint detection and response (EDR) killer. The Huntress report highlights how the attacks use a kernel driver to evade security tooling, allowing further compromise to proceed without hindrance.

Huntress has identified over 60 malicious ScreenConnect sessions connected to this campaign, illustrating a growing trend of attacks that exploit user search behavior. This attack sequence is notable for two reasons. Unlike recent campaigns that Microsoft has previously flagged for using tax-themed lures, this activity employs commercial cloaking services to evade security scanners. It also abuses a previously undocumented Huawei audio driver to disarm security products.

While the precise objectives of this campaign remain uncertain, there have been instances where the threat actor, once it gained access, deployed the EDR killer. In those cases the attacker also dumped credentials from the Local Security Authority Subsystem Service (LSASS) process memory. Tools like NetExec have also been used for network reconnaissance, indicating potential lateral movement within networks.

These tactics are consistent with behaviors typically exhibited by pre-ransomware actors or initial access brokers. This suggests that the threat actor may be looking to either deploy ransomware or monetize their access by selling it to other cybercriminals.

The attack chain begins when users search for commonly needed forms, such as “W2 tax form” or “W-9 Tax Forms 2026.” Unsuspecting users are misled into clicking sponsored search results that redirect them to counterfeit websites like “bringetax[.]com/humu/,” which serve as the gateway for the malicious ScreenConnect installation.

The landing pages sit behind a PHP-based Traffic Distribution System (TDS) operated by Adspect, a commercial cloaking service. The TDS serves benign pages to security scanners and advertisement review systems while exposing only genuine victims to the malicious payload.

To achieve this, a digital fingerprint of the site visitor is generated and sent to the Adspect back-end, which determines the appropriate response based on the visitor’s profile. In addition to Adspect, the malicious landing page’s “index.php” also integrates a second cloaking layer powered by JustCloakIt (JCI), providing further obfuscation.

As users are funneled through these traps, they are served ScreenConnect installers, resulting in multiple instances of the software being deployed on compromised hosts. The threat actor has also been observed installing additional Remote Monitoring and Management (RMM) tools, such as FleetDeck Agent, to maintain persistent access.

Once the rogue ScreenConnect session is established, a multi-stage crypter is introduced onto the system. The crypter delivers HwAudKiller, which uses the BYOVD technique to terminate processes belonging to well-known security products. The driver abused here is “HWAuidoOs2Ec.sys,” a legitimate, signed Huawei kernel driver intended for laptop audio functions.

Notably, the Huawei driver can be used to terminate security processes from kernel mode, bypassing the protections most security products rely on. Because the driver carries a valid Huawei signature, Windows loads it without complaint; Driver Signature Enforcement (DSE) verifies only that a driver is signed, not that it is free of exploitable flaws.

The crypter also tries to evade detection by consuming substantial resources: it allocates 2GB of memory, fills it with zeros and then frees it again, a tactic designed to exhaust antivirus engines and emulators.

The identity of those behind this campaign remains unknown. However, a lapse in the security of the threat actor’s own infrastructure exposed a fake Chrome update page embedded with JavaScript that contained comments in Russian. This strongly suggests a Russian-speaking developer using a social engineering toolkit for malware distribution.

“This campaign exemplifies how readily available commercial tools have lowered the threshold for sophisticated cyberattacks,” remarked Anna Pham. “The perpetrators didn’t require specialized exploits or state-sponsored capabilities; they simply combined available cloaking services, free-tier ScreenConnect instances, standard crypters, and a legitimate Huawei driver with an exploit to create a seamless kill chain that spans from a Google search to kernel-mode EDR termination.”

Patterns among compromised hosts indicate a deliberate stacking of multiple remote access tools. After establishing the initial rogue ScreenConnect relay, the threat actor often deployed additional trial ScreenConnect instances on the same endpoint, sometimes layering two or three within a matter of hours. This layered approach, along with backup RMM tools like FleetDeck, highlights the calculated nature of this extensive malvertising campaign.
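Defender-side triage logic for the two host-level signals the article describes, several RMM instances appearing on one endpoint within hours and a load of the named Huawei driver, as an added example that is not from Huntress or the article; the log format, hostnames and file paths below are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): timestamp|host|event|image path
SAMPLE_EVENTS = """\
2026-02-03T09:12:04|WS-ACCT-07|process_create|C:\\Users\\jdoe\\Downloads\\ScreenConnect.ClientSetup.exe
2026-02-03T09:40:51|WS-ACCT-07|process_create|C:\\Users\\jdoe\\AppData\\Local\\Temp\\ScreenConnect.ClientSetup.exe
2026-02-03T11:05:13|WS-ACCT-07|process_create|C:\\Program Files (x86)\\ScreenConnect Client (a1b2)\\ScreenConnect.ClientService.exe
2026-02-03T11:30:00|WS-ACCT-07|process_create|C:\\Program Files\\FleetDeck Agent\\fleetdeck_agent.exe
2026-02-03T13:44:27|WS-ACCT-07|driver_load|C:\\Windows\\Temp\\HWAuidoOs2Ec.sys
2026-02-03T08:00:00|WS-HR-02|process_create|C:\\Program Files (x86)\\ScreenConnect Client (ffee)\\ScreenConnect.ClientService.exe
2026-02-04T08:00:00|WS-HR-02|process_create|C:\\Windows\\System32\\notepad.exe
"""

RMM_MARKERS = ("screenconnect", "fleetdeck")   # RMM tools named in the article
DRIVER_WATCHLIST = {"hwauidoos2ec.sys"}        # vulnerable driver named in the article

def parse_events(text):
    """Parse the pipe-delimited sample format into dicts, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, host, event, image = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event": event, "image": image})
    return sorted(events, key=lambda e: e["ts"])

def find_rmm_stacking(events, window_hours=6, threshold=2):
    """Hosts on which >= threshold distinct RMM images ran within window_hours."""
    per_host = defaultdict(list)
    for e in events:
        if e["event"] == "process_create" and any(m in e["image"].lower() for m in RMM_MARKERS):
            per_host[e["host"]].append(e)
    window = timedelta(hours=window_hours)
    hits = {}
    for host, evs in per_host.items():
        best = 0
        for i, start in enumerate(evs):  # sliding window from each RMM event
            distinct = {e["image"].lower() for e in evs[i:] if e["ts"] - start["ts"] <= window}
            best = max(best, len(distinct))
        if best >= threshold:
            hits[host] = best
    return hits

def find_watchlisted_driver_loads(events):
    """Driver-load events whose file name is on the BYOVD watchlist."""
    return [(e["host"], e["image"]) for e in events
            if e["event"] == "driver_load"
            and e["image"].rsplit("\\", 1)[-1].lower() in DRIVER_WATCHLIST]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("RMM stacking:", find_rmm_stacking(evs))
    print("Watchlisted driver loads:", find_watchlisted_driver_loads(evs))
```

In a real deployment the watchlist would be fed from a maintained vulnerable-driver list and the events from Sysmon or EDR telemetry rather than the embedded sample.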
