A large-scale malvertising campaign active since January 2026 has been observed targeting U.S.-based users searching for tax-related forms to serve rogue installers for ConnectWise ScreenConnect that drop a tool named HwAudKiller to blind security software using the bring your own vulnerable driver (BYOVD) technique.
“The campaign abuses Google Ads to serve rogue ScreenConnect (ConnectWise Control) installers, ultimately delivering a BYOVD EDR killer that drops a kernel driver to blind security tools before further compromise,” Huntress researcher Anna Pham said in a report published last week.
The cybersecurity vendor said it identified over 60 instances of malicious ScreenConnect sessions tied to the campaign. The attack chain stands out for a couple of reasons. Unlike recent campaigns highlighted by Microsoft that leverage tax-themed lures, the newly flagged activity employs commercial cloaking services to evade detection by security scanners and abuses a previously undocumented Huawei audio driver to disarm security solutions.
The exact targets of the campaign are currently not clear; however, in at least one instance, the threat actor is said to have leveraged the access to deploy the endpoint detection and response (EDR) killer and then dump credentials from the memory of the Local Security Authority Subsystem Service (LSASS) process, as well as use tools like NetExec for network reconnaissance and lateral movement.
These tactics, per Huntress, align with pre-ransomware or initial access broker behavior, suggesting that the threat actor is looking either to deploy ransomware or to monetize the access by selling it to other criminal actors.
The attack begins when users search for terms like “W2 tax form” or “W-9 Tax Forms 2026” on search engines such as Google and click sponsored results that direct them to bogus sites like “bringetax[.]com/humu/”, which trigger the delivery of the ScreenConnect installer.
What’s more, the landing page is protected by a PHP-based Traffic Distribution System (TDS) powered by Adspect, a commercial cloaking service, to ensure that a benign page is served to security scanners and ad review systems, while only real victims see the actual payload.
This is achieved by generating a fingerprint of the site visitor and sending it to the Adspect backend, which then determines the appropriate response. In addition to Adspect, the landing page’s “index.php” features a second cloaking layer powered by JustCloakIt (JCI) on the server side.
“The two cloaking services are stacked in the same index.php—JCI’s server-side filtering runs first, while Adspect provides client-side JavaScript fingerprinting as a second layer,” Pham explained.
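The practical consequence of stacked cloaking is that a single scan with a scanner-like client profile will never see the payload. The following is an added example (not Huntress's code and not the actor's index.php) that probes a page with a scanner-like profile and a victim-like profile and flags divergence. The `cloaked_server` function is a constructed, simplified stand-in for the JCI-then-Adspect stack: the real services' rules are not documented on the page, so the header checks, the `gclid` requirement and the fingerprint fields (`webdriver`, `screen_w`, `plugins`) are assumptions chosen to illustrate the two layers.

```python
"""Probe a landing page for ad-cloaking by comparing what a scanner-like client
and a victim-like client receive.  Added example; the cloaked server below is a
constructed model of a two-layer (server-side, then client-side) cloak."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Request:
    user_agent: str
    referer: str
    query: dict = field(default_factory=dict)
    # Values a client-side JavaScript fingerprinter would post back to the
    # cloaking backend.  Field names are assumptions for this example.
    fingerprint: dict = field(default_factory=dict)


BENIGN = "<html><body>Instructions for Form W-9 (PDF)</body></html>"
PAYLOAD = "<html><body><a href='/humu/W9-Form-2026.exe'>Download form</a></body></html>"

SCANNER_UA_MARKERS = ("bot", "crawler", "python-requests", "curl", "headless")


def server_side_filter(req: Request) -> bool:
    """Layer 1 (JCI-style): cheap checks on headers the server sees before any
    JavaScript runs.  True means 'looks like a real ad click'."""
    ua = req.user_agent.lower()
    if any(marker in ua for marker in SCANNER_UA_MARKERS):
        return False
    # Ad clicks arrive from google.com carrying a gclid; scanners and ad
    # reviewers typically fetch the URL directly.
    return "google." in req.referer and "gclid" in req.query


def client_side_filter(req: Request) -> bool:
    """Layer 2 (Adspect-style): fingerprint posted by the browser.  Sandboxes and
    automation frameworks leave telltales such as navigator.webdriver."""
    fp = req.fingerprint
    if not fp:                       # no JavaScript executed at all -> scanner
        return False
    if fp.get("webdriver"):          # Selenium / Puppeteer / Playwright
        return False
    return fp.get("screen_w", 0) >= 1024 and fp.get("plugins", 0) > 0


def cloaked_server(req: Request) -> str:
    """Constructed stand-in for the attacker's index.php: layer 1 first, then
    layer 2; either one failing yields the benign page."""
    if not server_side_filter(req):
        return BENIGN
    if not client_side_filter(req):
        return BENIGN
    return PAYLOAD


def probe_for_cloaking(fetch: Callable[[Request], str]) -> dict:
    """Fetch with a scanner profile and a victim profile and report whether the
    two responses diverge, which is the observable signature of cloaking."""
    scanner = Request(user_agent="python-requests/2.31", referer="")
    victim = Request(
        user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0",
        referer="https://www.google.com/",
        query={"gclid": "constructed-click-id"},
        fingerprint={"webdriver": False, "screen_w": 1920, "plugins": 5},
    )
    scanner_body, victim_body = fetch(scanner), fetch(victim)
    digest = lambda s: hashlib.sha256(s.encode()).hexdigest()[:16]
    return {
        "scanner_sha256": digest(scanner_body),
        "victim_sha256": digest(victim_body),
        "cloaked": scanner_body != victim_body,
        "victim_has_exe": ".exe" in victim_body,
    }


if __name__ == "__main__":
    print(probe_for_cloaking(cloaked_server))
```

When pointing `probe_for_cloaking` at a live URL, replace `cloaked_server` with a real HTTP fetch that sends the profile's headers; the important part is that the victim profile must also execute the page's JavaScript and post the fingerprint, otherwise layer 2 still hides the payload.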
The web pages lead to the distribution of ScreenConnect installers, which are then used to deploy multiple trial instances on the compromised host. The threat actor has also been found to drop additional Remote Monitoring and Management (RMM) tools like FleetDeck Agent for redundancy and to ensure persistent remote access.
The ScreenConnect session is leveraged to drop a multi-stage crypter that acts as a conduit for an EDR killer codenamed HwAudKiller, which uses the BYOVD technique to terminate processes associated with Microsoft Defender, Kaspersky, and SentinelOne. The vulnerable driver used in the attack is “HWAuidoOs2Ec.sys,” a legitimate, signed Huawei kernel driver designed for laptop audio hardware.
“The driver terminates the target process from kernel mode, bypassing any usermode protections that security products rely on. Because the driver is legitimately signed by Huawei, Windows loads it without complaint despite Driver Signature Enforcement (DSE),” Huntress noted.
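Because the signature is valid, the detection opportunity is not the load itself but the context around it: a third-party driver appearing outside the normal driver directories, followed within minutes by security-product processes dying. The following added example (not Huntress's code) correlates those two events over constructed Sysmon-shaped records (Event ID 6 DriverLoad and Event ID 5 ProcessTerminate). The EDR image names, the file paths, the signer string and the timestamps are made up for the example; the driver file name is the one the article gives.

```python
"""Correlate a suspicious driver load with EDR process terminations that follow
it.  Added example over constructed Sysmon-like events (IDs 6 and 5)."""
from datetime import datetime, timedelta

# Process images for the products the article says HwAudKiller targets.
# The concrete names are assumptions for this example.
EDR_IMAGES = {"msmpeng.exe", "avp.exe", "sentinelagent.exe"}
# Watchlist entry taken from the article; an alert does not require a match,
# any driver loaded from an unusual location is treated as suspicious.
KNOWN_ABUSED_DRIVERS = {"hwauidoos2ec.sys"}
NORMAL_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",
                      "c:\\windows\\system32\\driverstore\\")
WINDOW = timedelta(minutes=10)


def is_unusual_driver_path(path: str) -> bool:
    return not path.lower().startswith(NORMAL_DRIVER_DIRS)


def correlate_byovd(events: list) -> list:
    """Return one alert per suspicious driver load that is followed, within
    WINDOW on the same host, by termination of at least one EDR process."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["id"] != 6:
            continue
        path = ev["ImageLoaded"]
        name = path.rsplit("\\", 1)[-1].lower()
        if not (is_unusual_driver_path(path) or name in KNOWN_ABUSED_DRIVERS):
            continue
        killed = []
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > WINDOW:
                break            # events are sorted, nothing later can match
            if later["id"] == 5 and later["host"] == ev["host"]:
                image = later["Image"].rsplit("\\", 1)[-1].lower()
                if image in EDR_IMAGES:
                    killed.append(image)
        if killed:
            alerts.append({
                "host": ev["host"],
                "driver": name,
                "path": path,
                "signer": ev.get("Signature", ""),
                # A valid signature is recorded but never used to suppress the
                # alert: BYOVD drivers are signed by design.
                "signed": ev.get("Signed", "false") == "true",
                "edr_killed": sorted(set(killed)),
            })
    return alerts


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample events; paths, signer string and times are illustrative.
SAMPLE_EVENTS = [
    {"ts": ts("2026-02-10T14:02:11"), "id": 6, "host": "WS-017",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"ts": ts("2026-02-10T14:05:40"), "id": 6, "host": "WS-017",
     "ImageLoaded": "C:\\ProgramData\\aud\\HWAuidoOs2Ec.sys",
     "Signed": "true", "Signature": "Huawei Technologies (constructed signer string)"},
    {"ts": ts("2026-02-10T14:05:52"), "id": 5, "host": "WS-017",
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe"},
    {"ts": ts("2026-02-10T14:06:01"), "id": 5, "host": "WS-017",
     "Image": "C:\\Program Files\\SentinelOne\\Sentinel Agent\\SentinelAgent.exe"},
    # Defender restarting on another host with no preceding driver load: not an alert.
    {"ts": ts("2026-02-10T14:40:00"), "id": 5, "host": "WS-022",
     "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
]

if __name__ == "__main__":
    for alert in correlate_byovd(SAMPLE_EVENTS):
        print(alert)
```

The path heuristic is deliberately coarse; in production it should be paired with a blocklist of known-abused driver hashes (Microsoft's vulnerable driver blocklist or the loldrivers project) and with the driver's signer and file version, since a legitimately installed copy of the same Huawei driver on a Huawei laptop would sit under the normal directories.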
The crypter, for its part, attempts to evade detection by allocating 2GB of memory and filling it with zeros, then freeing it, effectively causing antivirus engines and emulators to fail due to the excessive resource allocation: emulators that cap the memory a sample may touch give up before the real payload stage is ever reached.
It is currently not known who is behind the campaign, but an exposed open directory in the threat actor-controlled infrastructure has revealed a fake Chrome update page containing JavaScript code with Russian-language comments. This points to a Russian-speaking developer in possession of a social engineering toolkit for malware distribution.
“This campaign illustrates how commodity tooling has lowered the barrier for sophisticated attacks,” Pham said. “The threat actor didn’t need custom exploits or nation-state capabilities; they combined commercially available cloaking services (Adspect and JustCloakIt), free-tier ScreenConnect instances, an off-the-shelf crypter, and a signed Huawei driver with an exploitable weakness to build an end-to-end kill chain that goes from a Google search to kernel-mode EDR termination.”
“A consistent pattern across compromised hosts was the rapid stacking of multiple remote access tools. After the initial rogue ScreenConnect relay was established, the threat actor deployed additional trial ScreenConnect instances on the same endpoint, sometimes two or three within hours, and backup RMM tools like FleetDeck.”
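That stacking pattern is itself a usable detection, and it covers both the trial-instance deployment described earlier and the FleetDeck fallback. The following added example (not Huntress's code) hunts for it over constructed Sysmon-like process creation records (Event ID 1). It assumes that the ScreenConnect client passes its relay host in the `h=` parameter of its command line, that each instance installs under its own `ScreenConnect Client (<id>)` folder, and that the backup RMM can be matched by the image-name substring `fleetdeck`; the relay hostnames, instance IDs and times are made up for the example and are not indicators from the article.

```python
"""Flag hosts that talk to several distinct remote-access relays within a short
window, or that add a backup RMM beside ScreenConnect.  Added example over
constructed Sysmon-like process creation (Event ID 1) records."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RELAY_RE = re.compile(r"[?&]h=([A-Za-z0-9.\-]+)")   # ScreenConnect relay host (assumed)
OTHER_RMM = ("fleetdeck",)                          # backup RMM image substrings (assumed)
WINDOW = timedelta(hours=6)
MIN_RELAYS = 2


def relay_host(event: dict):
    """Return the relay host from a ScreenConnect client command line, else None."""
    if "screenconnect" not in event["Image"].lower():
        return None
    match = RELAY_RE.search(event["CommandLine"])
    return match.group(1).lower() if match else None


def find_rmm_stacking(events: list) -> list:
    """One alert per host with MIN_RELAYS distinct relays first seen inside WINDOW,
    or with any ScreenConnect relay plus a backup RMM tool."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        per_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in per_host.items():
        first_seen = {}            # relay host -> first time observed
        other = set()
        for ev in evs:
            relay = relay_host(ev)
            if relay and relay not in first_seen:
                first_seen[relay] = ev["ts"]
            image = ev["Image"].lower()
            if any(marker in image for marker in OTHER_RMM):
                other.add(image.rsplit("\\", 1)[-1])
        # Sliding window over the first-seen times of distinct relays.
        times = sorted(first_seen.values())
        max_in_window = 0
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if t - t0 <= WINDOW)
            max_in_window = max(max_in_window, n)
        if max_in_window >= MIN_RELAYS or (first_seen and other):
            alerts.append({"host": host,
                           "relays": sorted(first_seen),
                           "other_rmm": sorted(other),
                           "max_relays_in_window": max_in_window})
    return alerts


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def sc_event(t: str, host: str, inst: str, relay: str) -> dict:
    """Build a constructed ScreenConnect client launch record."""
    image = (f"C:\\Program Files (x86)\\ScreenConnect Client ({inst})"
             f"\\ScreenConnect.ClientService.exe")
    return {"ts": ts(t), "host": host, "Image": image,
            "CommandLine": f'"{image}" "?e=Access&y=Guest&h={relay}&p=443"'}


# Constructed sample: WS-017 gets three trial relays and FleetDeck within hours;
# WS-030 runs one legitimate helpdesk relay on two different days.
SAMPLE_EVENTS = [
    sc_event("2026-02-10T09:12:00", "WS-017", "a1b2c3", "trial-one.screenconnect.com"),
    sc_event("2026-02-10T10:40:00", "WS-017", "d4e5f6", "trial-two.screenconnect.com"),
    sc_event("2026-02-10T11:55:00", "WS-017", "0a9b8c", "trial-three.screenconnect.com"),
    {"ts": ts("2026-02-10T12:30:00"), "host": "WS-017",
     "Image": "C:\\Users\\Public\\fleetdeck.exe", "CommandLine": "fleetdeck.exe --install"},
    sc_event("2026-02-10T08:00:00", "WS-030", "77aa88", "support.corp-helpdesk.example"),
    sc_event("2026-02-11T08:05:00", "WS-030", "77aa88", "support.corp-helpdesk.example"),
]

if __name__ == "__main__":
    for alert in find_rmm_stacking(SAMPLE_EVENTS):
        print(alert)
```

Tune `MIN_RELAYS` and `WINDOW` against your own baseline: an organisation that legitimately uses one ScreenConnect relay will see exactly one hostname per endpoint, so a second relay appearing within hours is the signal, not ScreenConnect itself.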