Tax Search Ads Deliver ScreenConnect Malware Using Huawei Driver To Evade Security

A large-scale malvertising campaign active since January 2026 has been observed targeting individuals in the U.S. searching for tax-related documents, delivering rogue installers for ConnectWise ScreenConnect that deploy a tool named HwAudKiller to disable security programs using the bring your own vulnerable driver (BYOVD) technique. According to Huntress researcher Anna Pham, the campaign abuses Google Ads to serve rogue ScreenConnect installers, ultimately delivering a kernel-mode EDR killer that blinds security tools before further compromise. The campaign has been tied to over 60 identified malicious ScreenConnect sessions, highlighting the sophistication of threat actors leveraging commercial cloaking services and a previously undocumented Huawei audio driver to evade detection.

The attack chain begins when users search for terms like “W2 tax form” or “W-9 Tax Forms 2026” on search engines such as Google. Sponsored search results redirect users to fraudulent sites like “bringetax[.]com/humu/”, which trigger the installation of ScreenConnect. The landing pages are protected by multiple cloaking layers, including a PHP-based Traffic Distribution System powered by Adspect, and JustCloakIt server-side filtering, ensuring that only real victims receive the malicious payload while security scanners encounter a benign version of the page. The attacker uses these layers to fingerprint visitors and evade detection by ad review systems and antivirus engines, further complicating defensive efforts.

Once installed, the ScreenConnect session is used to deploy multiple trial ScreenConnect instances and additional Remote Monitoring and Management (RMM) tools such as FleetDeck Agent for redundancy and persistent remote access. The campaign delivers a multi-stage crypter that acts as a conduit for HwAudKiller, which leverages the BYOVD technique to terminate processes associated with Microsoft Defender, Kaspersky, and SentinelOne. The attack abuses a legitimately signed Huawei kernel driver, “HWAuidoOs2Ec.sys,” designed for laptop audio hardware; because the driver carries a valid signature, it loads without tripping Windows Driver Signature Enforcement, and the malware then uses it to terminate security processes from kernel mode. The crypter also employs memory allocation and deallocation tactics that cause antivirus engines and emulators to fail, increasing the likelihood of successful compromise.

Although the identities behind the campaign remain unknown, exposed open directories reveal a fake Chrome update page containing JavaScript code with Russian-language comments, suggesting a Russian-speaking developer using commodity tools for malware distribution. The campaign demonstrates that sophisticated attacks can now be executed without custom exploits or nation-state resources, combining commercial cloaking services, free-tier ScreenConnect instances, off-the-shelf crypters, and signed vulnerable drivers to create a full kill chain from a Google search to kernel-mode security bypass. Huntress notes that compromised hosts often experienced rapid stacking of multiple remote access tools, including additional ScreenConnect instances and backup RMM tools like FleetDeck, illustrating the persistence and redundancy strategies used by attackers to maintain control over infected endpoints.

This campaign highlights the ongoing risks posed by malvertising and socially engineered attacks exploiting legitimate infrastructure to compromise endpoint security. Users searching for tax-related information should exercise caution, and organizations are encouraged to monitor for unusual ScreenConnect activity or unauthorized driver installations. The combination of BYOVD techniques and commercial cloaking services underscores the evolving tactics cyber actors use to evade detection and maintain access to targeted systems.
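As an added illustration of the monitoring advice above (not code from Huntress or from the original article), the following hunts over constructed Sysmon-style driver-load (Event ID 6) and process-create (Event ID 1) records for the three signals the campaign leaves: the abused driver named in the report, RMM installers launched from a browser, and RMM stacking on one host. The driver file name is the one in the report; the RMM binary names, paths and event field layout are assumptions.

```python
"""Hunt Sysmon-style events for the BYOVD driver and RMM stacking described above."""
from collections import defaultdict
from typing import Iterable, List

# Constructed sample events (not real telemetry). Field names mirror Sysmon
# EID 6 (driver loaded) and EID 1 (process create); binary names are assumed.
SAMPLE_EVENTS = [
    {"host": "ws01", "eid": 1, "Image": "C:\\Users\\u\\Downloads\\ScreenConnect.ClientSetup.exe",
     "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
    {"host": "ws01", "eid": 1, "Image": "C:\\ProgramData\\FleetDeck\\fleetdeck_agent.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "ws01", "eid": 6, "ImageLoaded": "C:\\Users\\u\\AppData\\Local\\Temp\\HWAuidoOs2Ec.sys"},
    {"host": "ws02", "eid": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\HDAudBus.sys"},
]

# Driver named in the report; a real deployment would merge a fuller BYOVD
# watchlist (e.g. the LOLDrivers project) into this set.
BYOVD_DRIVERS = {"hwauidoos2ec.sys"}
RMM_MARKERS = ("screenconnect", "fleetdeck")          # substrings of RMM agent binaries
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")  # user-download launch parents
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events: Iterable[dict]) -> List[str]:
    """Return one finding string per suspicious signal, in event order."""
    findings = []
    rmm_per_host = defaultdict(set)
    for ev in events:
        host = ev["host"]
        if ev["eid"] == 6:
            drv = ev["ImageLoaded"].lower()
            if basename(drv) in BYOVD_DRIVERS:
                findings.append(f"{host}: known BYOVD driver loaded {basename(drv)}")
            elif not drv.startswith(TRUSTED_DRIVER_DIR):
                # Kernel drivers loaded from a user-writable path deserve a look.
                findings.append(f"{host}: driver loaded outside drivers dir {drv}")
        elif ev["eid"] == 1:
            img = basename(ev["Image"])
            tool = next((m for m in RMM_MARKERS if m in img), None)
            if tool:
                rmm_per_host[host].add(tool)
                if basename(ev["ParentImage"]) in BROWSERS:
                    findings.append(f"{host}: RMM installer {img} launched from browser")
    # Two or more distinct RMM tools on one host matches the stacking pattern.
    for host, tools in rmm_per_host.items():
        if len(tools) >= 2:
            findings.append(f"{host}: RMM stacking {sorted(tools)}")
    return findings
```

Running `hunt(SAMPLE_EVENTS)` flags ws01 three times (browser-launched installer, the Huawei driver, RMM stacking) and leaves ws02, whose driver load is a Microsoft audio bus driver from the system drivers directory, untouched.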

