A large-scale malvertising campaign active since January 2026 has been observed targeting U.S.-based users searching for tax-related documents in order to serve rogue installers for ConnectWise ScreenConnect that drop a tool named HwAudKiller to blind security software using the bring your own vulnerable driver (BYOVD) technique.
“The campaign abuses Google Ads to serve rogue ScreenConnect (ConnectWise Control) installers, ultimately delivering a BYOVD EDR killer that drops a kernel driver to blind security tools before further compromise,” Huntress researcher Anna Pham said in a report published last week.
The cybersecurity vendor said it identified over 60 instances of malicious ScreenConnect sessions tied to the campaign. The attack chain stands out for a few reasons. Unlike recent campaigns highlighted by Microsoft that leverage tax-themed lures, the newly flagged activity employs commercial cloaking services to evade detection by security scanners and abuses a previously undocumented Huawei audio driver to disarm security solutions.
The exact objectives of the campaign are currently unclear; however, in one instance, the threat actor is said to have leveraged the access to deploy the endpoint detection and response (EDR) killer and then dump credentials from the Local Security Authority Subsystem Service (LSASS) process memory, as well as use tools like NetExec for network reconnaissance and lateral movement.
These tactics, per Huntress, align with pre-ransomware or initial access broker behavior, suggesting that the threat actor is looking to either deploy ransomware or monetize the access by selling it to other criminal actors.
The attack begins when users search for terms like “W2 tax form” or “W-9 Tax Forms 2026” on search engines like Google, tricking them into clicking on sponsored search results that direct them to bogus sites like “bringetax[.]com/humu/” to trigger the delivery of the ScreenConnect installer.
What’s more, the landing page is protected by a PHP-based Traffic Distribution System (TDS) powered by Adspect, a commercial cloaking service, to ensure that a benign page is served to security scanners and ad review systems, while only real victims see the actual payload.

This is achieved by generating a fingerprint of the site visitor and sending it to the Adspect backend, which then determines the appropriate response. In addition to Adspect, the landing page’s “index.php” includes a second cloaking layer powered by JustCloakIt (JCI) on the server side.
“The two cloaking services are stacked in the same index.php—JCI’s server-side filtering runs first, while Adspect provides client-side JavaScript fingerprinting as a second layer,” Pham explained.
The web pages lead to the distribution of ScreenConnect installers, which are then used to deploy multiple trial instances on the compromised host. The threat actor has also been found to drop additional Remote Monitoring and Management (RMM) tools like FleetDeck Agent for redundancy and to ensure persistent remote access.
The ScreenConnect session is leveraged to drop a multi-stage crypter that acts as a conduit for an EDR killer codenamed HwAudKiller, which uses the BYOVD technique to terminate processes associated with Microsoft Defender, Kaspersky, and SentinelOne. The vulnerable driver used in the attack is “HWAuidoOs2Ec.sys,” a legitimate, signed Huawei kernel driver designed for laptop audio hardware.
“The driver terminates the target process from kernel mode, bypassing any usermode protections that security products rely on. Because the driver is legitimately signed by Huawei, Windows loads it without complaint despite Driver Signature Enforcement (DSE),” Huntress noted.
The crypter, for its part, attempts to evade detection by allocating 2GB of memory and filling it with zeros, then releasing it, effectively causing antivirus engines and emulators to fail because of the excessive resource allocation.
It’s currently not known who is behind the campaign, but an exposed open directory in the threat actor-controlled infrastructure has revealed a fake Chrome update page containing JavaScript code with Russian-language comments. This alludes to a Russian-speaking developer in possession of a social engineering toolkit for malware distribution.
“This campaign illustrates how commodity tooling has lowered the barrier for sophisticated attacks,” Pham said. “The threat actor didn’t need custom exploits or nation-state capabilities, they combined commercially available cloaking services (Adspect and JustCloakIt), free-tier ScreenConnect instances, an off-the-shelf crypter, and a signed Huawei driver with an exploitable weakness to build an end-to-end kill chain that goes from a Google search to kernel-mode EDR termination.”
“A consistent pattern across compromised hosts was the rapid stacking of multiple remote access tools. After the initial rogue ScreenConnect relay was established, the threat actor deployed additional trial ScreenConnect instances on the same endpoint, sometimes two or three within hours, and backup RMM tools like FleetDeck.”
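Two of the behaviours described above, the vulnerable Huawei driver being loaded and several RMM agents being stacked on one host within hours, can be turned into simple host-telemetry detections. The following is an added illustration, not code from the Huntress report; the log format, the `ScreenConnect.ClientService.exe`/`FleetDeckAgent.exe` process names, the three-hour window and the rule that the driver is suspicious when loaded from outside the standard drivers directory are all assumptions for the demo, and the sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real incident data): timestamp|host|event|detail
SAMPLE_EVENTS = r"""
2026-02-03T08:40:02|WS-FIN-07|ProcessCreate|ScreenConnect.ClientService.exe relay=trial-a
2026-02-03T09:01:10|WS-FIN-07|DriverLoad|C:\Windows\Temp\HWAuidoOs2Ec.sys
2026-02-03T09:15:44|WS-FIN-07|ProcessCreate|ScreenConnect.ClientService.exe relay=trial-b
2026-02-03T10:02:19|WS-FIN-07|ProcessCreate|FleetDeckAgent.exe
2026-02-03T11:00:00|WS-HR-02|ProcessCreate|ScreenConnect.ClientService.exe relay=corp-it
2026-02-04T09:00:00|WS-HR-02|DriverLoad|C:\Windows\System32\drivers\HWAuidoOs2Ec.sys
"""

VULN_DRIVER = "hwauidoos2ec.sys"                  # driver named in the report
STD_DRIVER_DIR = r"c:\windows\system32\drivers"   # assumption: where a real install lives
STACK_WINDOW = timedelta(hours=3)                 # assumption: "within hours" threshold
RMM_PATTERNS = {  # assumption: agent process names; relay id distinguishes instances
    "screenconnect": re.compile(r"screenconnect.*relay=(\S+)", re.I),
    "fleetdeck": re.compile(r"fleetdeck", re.I),
}

def parse(text):
    rows = []
    for line in text.strip().splitlines():
        ts, host, event, detail = line.split("|", 3)
        rows.append((datetime.fromisoformat(ts), host, event, detail))
    return sorted(rows)

def driver_alerts(rows):
    """Flag the vulnerable driver when loaded from outside the standard drivers directory.
    A Huawei laptop loading it from System32\\drivers is expected and is not flagged."""
    out = []
    for _, host, event, detail in rows:
        path = detail.lower()
        if event == "DriverLoad" and path.endswith(VULN_DRIVER) \
                and not path.startswith(STD_DRIVER_DIR):
            out.append((host, detail))
    return out

def rmm_stacking_alerts(rows):
    """Flag hosts where two or more distinct RMM agents/relays appear within STACK_WINDOW."""
    seen = defaultdict(list)  # host -> [(timestamp, agent id)]
    for ts, host, event, detail in rows:
        if event != "ProcessCreate":
            continue
        for name, pat in RMM_PATTERNS.items():
            m = pat.search(detail)
            if m:
                seen[host].append((ts, f"{name}:{m.group(1)}" if m.groups() else name))
    alerts = {}
    for host, items in seen.items():
        for ts, _ in items:
            cluster = {a for t, a in items if abs(t - ts) <= STACK_WINDOW}
            if len(cluster) >= 2:
                alerts[host] = sorted(cluster)
    return alerts
```

Running both rules over `parse(SAMPLE_EVENTS)` flags only WS-FIN-07: the driver dropped in a temp directory and three RMM agents within 90 minutes, while the single corporate ScreenConnect relay and the in-place driver on WS-HR-02 stay quiet.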