Tax Search Ads Deliver ScreenConnect Malware Using Huawei Driver to Disable EDR

Summary

A large-scale malvertising campaign active since January 2026 targets U.S. users searching for tax documents via Google Ads, redirecting them to fake sites that deliver ConnectWise ScreenConnect installers. The payload deploys HwAudKiller, a BYOVD EDR killer leveraging a legitimate signed Huawei audio driver (HWAuidoOs2Ec.sys) to disable endpoint protection from Microsoft Defender, Kaspersky, and SentinelOne. Over 60 malicious ScreenConnect sessions were identified; the threat actor uses dual cloaking services (Adspect and JustCloakIt) to evade security scanners and exhibits behavior consistent with ransomware staging or initial access broker activity.

Full text

Tax Search Ads Deliver ScreenConnect Malware Using Huawei Driver to Disable EDR Ravie LakshmananMar 24, 2026Endpoint Security / Social Engineering A large-scale malvertising campaign active since January 2026 has been observed targeting U.S.-based individuals searching for tax-related documents to serve rogue installers for ConnectWise ScreenConnect that drop a tool named HwAudKiller to blind security programs using the bring your own vulnerable driver (BYOVD) technique. "The campaign abuses Google Ads to serve rogue ScreenConnect (ConnectWise Control) installers, ultimately delivering a BYOVD EDR killer that drops a kernel driver to blind security tools before further compromise," Huntress researcher Anna Pham said in a report published last week. The cybersecurity vendor said it identified over 60 instances of malicious ScreenConnect sessions tied to the campaign. The attack chain stands out for a couple of reasons. Unlike recent campaigns highlighted by Microsoft that leverage tax-themed lures, the newly flagged activity employs commercial cloaking services to avoid detection by security scanners and abuses a previously undocumented Huawei audio driver to disarm security solutions. The exact objectives of the campaign are currently not clear; however, in at one instance, the threat actor is said to have leveraged the access to deploy the endpoint detection and response (EDR) killer and then dump credentials from the Local Security Authority Subsystem Service (LSASS) process memory, as well as use tools like NetExec for network reconnaissance and lateral movement. These tactics, per Huntress, align with pre-ransomware or initial access broker behavior, suggesting that the threat actor is looking to either deploy ransomware or monetize the access by selling it to other criminal actors. The attack begins when users search for terms like "W2 tax form" or "W-9 Tax Forms 2026" on search engines like Google, tricking them into clicking on sponsored search results that direct users to bogus sites like "bringetax[.]com/humu/" to trigger the delivery of the ScreenConnect installer. What's more, the landing page is protected by a PHP-based Traffic Distribution System (TDS) powered by Adspect, a commercial cloaking service, to ensure that a benign page is served to security scanners and ad review systems, while only real victims see the actual payload. This is achieved by generating a fingerprint of the site visitor and sending it to the Adspect backend, which then determines the appropriate response. In addition to Adspect, the landing page's "index.php" features a second cloaking layer powered by JustCloakIt (JCI) on the server side. "The two cloaking services are stacked in the same index.php—JCI's server-side filtering runs first, while Adspect provides client-side JavaScript fingerprinting as a second layer," Pham explained. The web pages lead to the distribution of ScreenConnect installers, which are then used to deploy multiple trial instances on the compromised host. The threat actor has also been found to drop additional Remote Monitoring and Management (RMM) tools like FleetDeck Agent for redundancy and ensuring persistent remote access. The ScreenConnect session is leveraged to drop a multi-stage crypter that acts as a conduit for an EDR killer codenamed HwAudKiller that uses the BYOVD technique to terminate processes associated with Microsoft Defender, Kaspersky, and SentinelOne. The vulnerable driver used in the attack is "HWAuidoOs2Ec.sys," a legitimate, signed Huawei kernel driver designed for laptop audio hardware. "The driver terminates the target process from kernel mode, bypassing any usermode protections that security products rely on. Because the driver is legitimately signed by Huawei, Windows loads it without complaint despite Driver Signature Enforcement (DSE)," Huntress noted. The crypter, for its part, attempts to evade detection by allocating 2GB of memory and filling it with zeros, and then freeing it, effectively causing antivirus engines and emulators to fail due to high resource allocation. It's currently not known who is behind the campaign, but an exposed open directory in the threat actor-controlled infrastructure has revealed a fake Chrome update page containing JavaScript code with Russian-language comments. This alludes to a Russian-speaking developer in possession of a social engineering toolkit for malware distribution. "This campaign illustrates how commodity tooling has lowered the barrier for sophisticated attacks," Pham said. "The threat actor didn't need custom exploits or nation-state capabilities, they combined commercially available cloaking services (Adspect and JustCloakIt), free-tier ScreenConnect instances, an off-the-shelf crypter, and a signed Huawei driver with an exploitable weakness to build an end-to-end kill chain that goes from a Google search to kernel-mode EDR termination." "A consistent pattern across compromised hosts was the rapid stacking of multiple remote access tools. After the initial rogue ScreenConnect relay was established, the threat actor deployed additional trial ScreenConnect instances on the same endpoint, sometimes two or three within hours, and backup RMM tools like FleetDeck." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  cybersecurity, endpoint security, Google Ads, Malware, network security, ransomware, social engineering, Threat Intelligence, windows security Trending News FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets Apple Issues Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack and More Veeam Patches 7 Critical Backup and Replication Flaws Allowing Remote Code Execution Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware Meta to Shut Down Instagram End-to-End Encrypted Chat Support Starting May 2026 Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration ⚡ Weekly Recap: Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents and More CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS Popular Resources Webinar - Identify Key Attack Paths to Your Crown Jewels with CSMA Guide - Discover How to Validate AI Risks With Adversarial Testing Get the 2026 ASV Report to Benchmark Top Validation Tools Fix Security Noise by Focusing Only on Validated Exposures

Indicators of Compromise

• domain — bringetax[.]com
• malware — HwAudKiller
• malware — ScreenConnect
• malware — FleetDeck Agent