
A large-scale malvertising campaign, active since January 2026, has been observed targeting users in the United States who search for tax-related documents, serving them fraudulent ConnectWise ScreenConnect installers. The installer ultimately drops a tool named HwAudKiller that uses a Bring Your Own Vulnerable Driver (BYOVD) technique to blind security software.
“This campaign exploits Google ads to serve a rogue ScreenConnect (ConnectWise Control) installer, ultimately delivering a BYOVD EDR killer that drops kernel drivers and blinds security tools before further compromise,” Huntress researcher Anna Pham said in a report published last week.
The cybersecurity vendor said it has identified more than 60 malicious ScreenConnect sessions tied to the campaign. The attack chain stands out for several reasons: unlike the recent tax-themed campaigns highlighted by Microsoft, this activity uses commercial cloaking services to evade security scanners and abuses a previously undocumented vulnerable Huawei audio driver to disable security solutions.
The ultimate objective of the campaign is not clear at this time. In some intrusions, however, the attackers are said to have used the access to deploy endpoint detection and response (EDR) killers, dump credentials from Local Security Authority Subsystem Service (LSASS) process memory, and run tools such as NetExec for network reconnaissance and lateral movement.
These tactics are consistent with pre-ransomware activity and with the behavior of initial access brokers, Huntress said, suggesting the threat actors intend to monetize the access either by deploying ransomware themselves or by selling it to other criminals.
The attack begins when a user searches for terms such as “W2 tax form” or “W-9 tax form 2026” on Google and clicks a sponsored result that redirects to a lookalike site such as bringetax[.]com/humu/, which serves the rogue ScreenConnect installer.
The landing page sits behind a PHP-based traffic distribution system (TDS) built on Adspect, a commercial cloaking service. The TDS serves a benign page to security scanners and ad review systems while ensuring that only intended victims are shown the actual payload.

It does this by fingerprinting each site visitor and sending the fingerprint to the Adspect backend, which decides which response to return. In addition to Adspect, the landing page (index.php) carries a second, server-side cloaking layer powered by JustCloakIt (JCI).
“The two cloaking services are stacked on the same index.php. JCI’s server-side filtering is performed first, and Adspect provides client-side JavaScript fingerprinting as a second layer,” Pham explained.
Visitors who pass both filters receive the ScreenConnect installer, which the operators use to set up multiple trial ScreenConnect instances on compromised hosts. The threat actor has also been observed dropping additional remote monitoring and management (RMM) tools, such as the FleetDeck Agent, for redundancy and persistent remote access.
The ScreenConnect sessions are then used to drop a multi-stage crypter that delivers an EDR killer (codenamed HwAudKiller). It uses a BYOVD technique to terminate processes belonging to Microsoft Defender, Kaspersky, and SentinelOne. The vulnerable driver abused in the attack is ‘HWAuidoOs2Ec.sys’, a legitimately signed Huawei kernel driver intended for laptop audio hardware.
“The driver terminates the target process from kernel mode, bypassing user-mode protections that security products rely on. Because the driver is legally signed by Huawei, Windows loads the driver without issue despite Driver Signature Enforcement (DSE),” Huntress noted.
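Because the driver carries a valid Huawei signature, signature checks alone will not catch it; what stands out is the context of the load. The following is an added example, not code from the Huntress report or from any vendor: it triages records shaped like Sysmon Event ID 6 (DriverLoad) and flags a watchlisted driver name, a driver loaded from outside the normal driver directories, and a Huawei-signed driver on hardware that Huawei did not build. The only identifier taken from the article is the file name HWAuidoOs2Ec.sys; the host names, manufacturer strings, signer strings and paths in the sample records are constructed, and the host-manufacturer field is an assumed enrichment (for example from SMBIOS).

```python
"""Triage Sysmon DriverLoad (Event ID 6) records for BYOVD-style driver loads.

Added example (not from the Huntress report). Sample records are constructed;
only the driver file name HWAuidoOs2Ec.sys comes from the article.
"""
from dataclasses import dataclass

# Driver file names reported as abused (from the article). A real deployment
# would extend this with the Microsoft vulnerable-driver blocklist.
WATCHLIST = {"hwauidoos2ec.sys"}

# Directories a properly installed driver is normally loaded from.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


@dataclass
class DriverLoad:
    host: str
    host_manufacturer: str  # assumed enrichment, e.g. SMBIOS / Win32_ComputerSystem
    image_loaded: str       # Sysmon field ImageLoaded
    signed: bool            # Sysmon field Signed
    signature: str          # Sysmon field Signature (signer subject)
    signature_status: str   # Sysmon field SignatureStatus


def triage(event: DriverLoad) -> list[str]:
    """Return the reasons this driver load deserves a look (empty list = clean)."""
    reasons = []
    path = event.image_loaded.lower()
    name = path.rsplit("\\", 1)[-1]

    if name in WATCHLIST:
        reasons.append(f"known-abused driver name: {name}")

    if not path.startswith(EXPECTED_DRIVER_DIRS):
        reasons.append(f"driver loaded from unusual path: {event.image_loaded}")

    if not event.signed or event.signature_status.lower() != "valid":
        reasons.append("unsigned or invalid signature")

    # A valid OEM signature is exactly what makes BYOVD work, so the useful
    # signal is a hardware vendor's driver on a machine that vendor did not build.
    if (event.signed and "huawei" in event.signature.lower()
            and "huawei" not in event.host_manufacturer.lower()):
        reasons.append(f"Huawei-signed driver on {event.host_manufacturer} hardware")

    return reasons


# Constructed sample records (hosts, manufacturers and signer strings are placeholders).
SAMPLE_EVENTS = [
    DriverLoad("WS-01", "Dell Inc.",
               r"C:\Windows\System32\drivers\HdAudio.sys",
               True, "Microsoft Windows", "Valid"),
    DriverLoad("WS-02", "Dell Inc.",
               r"C:\ProgramData\hw\HWAuidoOs2Ec.sys",
               True, "Huawei Technologies (constructed signer string)", "Valid"),
    DriverLoad("NB-03", "HUAWEI",
               r"C:\Windows\System32\drivers\HWAuidoOs2Ec.sys",
               True, "Huawei Technologies (constructed signer string)", "Valid"),
]


def run(events=SAMPLE_EVENTS) -> dict[str, list[str]]:
    """Triage every event and return {host: reasons}."""
    return {e.host: triage(e) for e in events}


if __name__ == "__main__":
    for host, reasons in run().items():
        print(host, "->", reasons or "clean")
```

The NB-03 record shows why the path and hardware checks matter: on a genuine Huawei laptop the driver loads from the normal location and only the name match remains, which is a candidate for patch-level follow-up rather than an incident. On WS-02 all three signals line up, which is the pattern the article describes.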
The crypter also tries to evade analysis by allocating 2 GB of memory, filling it with zeros, and then freeing it. Antivirus emulators and sandboxes typically cap the resources they will simulate, so the allocation either fails or the emulation is aborted, while on a real victim machine the operation completes and execution continues.
It is currently unknown who is behind the campaign, but an open directory on threat actor-controlled infrastructure exposed a fake Chrome update page whose JavaScript contained comments in Russian, suggesting the social engineering toolkit used to distribute the malware was built by Russian-speaking developers.
“This campaign shows how commodity tools have lowered the barrier for sophisticated attacks,” Pham said. “Rather than requiring custom exploits or nation-state capabilities, the threat actors combined off-the-shelf cloaking services (Adspect and JustCloakIt), free-tier ScreenConnect instances, off-the-shelf cryptors, and signed Huawei drivers with exploitable weaknesses to build an end-to-end kill chain from Google search to kernel-mode EDR exit.”
“A consistent pattern across compromised hosts was the rapid accumulation of multiple remote access tools. After the initial rogue ScreenConnect relay was established, the attackers deployed additional trial ScreenConnect instances on the same endpoint, sometimes two or three within hours, and deployed backup RMM tools such as FleetDeck.”
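The accumulation pattern described above (several trial ScreenConnect instances plus a backup RMM on one endpoint within hours) is easy to turn into a detection, because every new ScreenConnect instance registers its own Windows service. The following is an added example, not Huntress's detection logic: it groups service-install records modelled on Windows System log event 7045 by host and flags any host on which two or more distinct remote-access services appear inside a six-hour window. The records, host names, timestamps, instance IDs and image paths are constructed; the ScreenConnect client service-name convention and the FleetDeck image path are assumptions.

```python
"""Flag hosts that accumulate several remote-access tools within a short window.

Added example (not Huntress's detection logic). The records below are
constructed and modelled on Windows event 7045 (a service was installed).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Substrings identifying a remote-access / RMM service. ScreenConnect names its
# client service "ScreenConnect Client (<instance id>)" (assumed convention), so
# every extra trial instance appears as a new, distinct service name.
RMM_MARKERS = ("screenconnect client", "fleetdeck")
WINDOW = timedelta(hours=6)
THRESHOLD = 2  # distinct remote-access services within WINDOW


def is_rmm(record: dict) -> bool:
    text = (record["service_name"] + " " + record["image_path"]).lower()
    return any(marker in text for marker in RMM_MARKERS)


def find_accumulation(records, window=WINDOW, threshold=THRESHOLD) -> dict:
    """Return {host: sorted service names} for hosts where at least `threshold`
    distinct remote-access services were installed within any `window` span."""
    by_host = defaultdict(list)
    for r in records:
        if is_rmm(r):
            by_host[r["host"]].append((datetime.fromisoformat(r["time"]), r["service_name"]))

    hits = {}
    for host, installs in by_host.items():
        installs.sort()  # chronological; tuples compare by timestamp first
        for i, (t0, _) in enumerate(installs):
            names = {name for t, name in installs[i:] if t - t0 <= window}
            if len(names) >= threshold:
                hits[host] = sorted(names)
                break
    return hits


# Constructed sample records; instance IDs, times and paths are placeholders.
SAMPLE_RECORDS = [
    {"host": "WS-07", "time": "2026-02-03T14:02:11",
     "service_name": "ScreenConnect Client (1a2b3c4d5e6f7081)",
     "image_path": r"C:\Program Files (x86)\ScreenConnect Client (1a2b3c4d5e6f7081)\ScreenConnect.ClientService.exe"},
    {"host": "WS-07", "time": "2026-02-03T15:30:47",
     "service_name": "ScreenConnect Client (9f8e7d6c5b4a3021)",
     "image_path": r"C:\Program Files (x86)\ScreenConnect Client (9f8e7d6c5b4a3021)\ScreenConnect.ClientService.exe"},
    {"host": "WS-07", "time": "2026-02-03T16:10:02",
     "service_name": "Mozilla Maintenance Service",
     "image_path": r"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"},
    {"host": "WS-07", "time": "2026-02-03T17:05:19",
     "service_name": "FleetDeck Agent",
     "image_path": r"C:\Program Files\FleetDeck Agent\fleetdeck_agent_svc.exe"},
    # A sanctioned help-desk instance followed by another one five days later:
    # outside the window, so not flagged.
    {"host": "SRV-02", "time": "2026-02-03T09:00:00",
     "service_name": "ScreenConnect Client (0000aaaa1111bbbb)",
     "image_path": r"C:\Program Files (x86)\ScreenConnect Client (0000aaaa1111bbbb)\ScreenConnect.ClientService.exe"},
    {"host": "SRV-02", "time": "2026-02-08T09:00:00",
     "service_name": "ScreenConnect Client (2222cccc3333dddd)",
     "image_path": r"C:\Program Files (x86)\ScreenConnect Client (2222cccc3333dddd)\ScreenConnect.ClientService.exe"},
]


if __name__ == "__main__":
    for host, names in find_accumulation(SAMPLE_RECORDS).items():
        print(f"{host}: {len(names)} remote-access services within {WINDOW}: {names}")
```

In an environment with a sanctioned ScreenConnect deployment, allow-list the organisation's own instance ID before counting, so that the legitimate client never contributes to the threshold; the window and threshold are tuning knobs, and the article's observation of two or three instances within hours suggests the defaults here are conservative.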
