Tax Search Ads Deliver ScreenConnect Malware Using Huawei Driver to Disable EDR

A malware campaign observed in January 2026 targeted US users searching for tax-related documents in order to deliver rogue installers of the ConnectWise ScreenConnect remote access software, followed by an EDR killer named HwAudKiller that blinds security software using the Bring Your Own Vulnerable Driver (BYOVD) technique.
“This campaign exploits Google Ads to offer ScreenConnect (ConnectWise Control) installers, ultimately delivering a BYOVD EDR killer that dumps the kernel driver on blind security tools before backing off,” said Huntress researcher Anna Pham in a report published last week.
The cybersecurity vendor said it identified more than 60 instances of malicious ScreenConnect sessions tied to the campaign. The attack chain stands out for several reasons. Unlike the tax-themed lure campaigns recently highlighted by Microsoft, the newly flagged operation uses cloaking services to evade security scanners and abuses a previously undocumented vulnerable Huawei audio driver to disable security solutions.
The exact objectives of the campaign are currently unclear. However, in at least one case the threat actor is said to have leveraged the access to deploy an endpoint detection and response (EDR) killer and dump credentials from the memory of the Local Security Authority Subsystem Service (LSASS) process, as well as to run tools like NetExec for network reconnaissance and lateral movement.
These tactics, per Huntress, correspond to pre-ransomware or initial access seller behavior, suggesting that the threat actor is looking to use ransomware or monetize the access by selling it to other criminal actors.
The attack begins when users search for terms like “W2 tax form” or “W-9 Tax Forms 2026” on search engines like Google and are tricked into clicking sponsored results that direct them to fake sites such as “bringetax[.]com/humu/”, which serve the ScreenConnect installer.
In addition, the landing page is protected by a PHP-based Traffic Distribution System (TDS) powered by Adspect, a commercial cloaking service, to ensure that a benign page is served to security scanners and ad review systems while only real victims receive the actual payload.

This is achieved by generating a fingerprint of the site visitor and sending it to the Adspect backend, which then determines the appropriate response. In addition to Adspect, the landing page’s “index.php” includes a second cloaking layer powered by JustCloakIt (JCI) on the server side.
“The two blocking services are placed in the same index.php – JCI’s server-side filtering comes first, while Adspect provides client-side JavaScript fingerprinting as a second layer,” explains Pham.
The web pages lead to the delivery of ScreenConnect installers, which are then used to deploy multiple ScreenConnect trial instances on the compromised host. The threat actor was also found to drop additional Remote Monitoring and Management (RMM) tools such as FleetDeck Agent for redundancy and to ensure persistent remote access.
The ScreenConnect session is used to deliver a multi-stage crypter that acts as a delivery mechanism for HwAudKiller, an EDR killer that uses the BYOVD technique to terminate processes belonging to Microsoft Defender, Kaspersky, and SentinelOne. The vulnerable driver used in this attack is “HWAuidoOs2Ec.sys,” a legitimately signed Huawei kernel driver designed for laptop audio hardware.
“The driver terminates the target process in kernel mode, bypassing any user-mode protections that security products rely on. Because the driver is officially signed by Huawei, Windows loads it without complaint despite Driver Signature Enforcement (DSE),” notes Huntress.
The crypter, for its part, tries to evade detection by allocating 2GB of memory, filling it with zeros, and then freeing it, which disrupts antivirus engines and emulators that cannot cope with such a large resource allocation.
It is not yet known who is behind the campaign, but an open directory exposed on actor-controlled infrastructure revealed a fake Chrome update page containing JavaScript code with Russian-language comments. This points to a Russian-speaking developer behind a social engineering toolkit used to spread the malware.
“This campaign shows how the use of commodity tools has lowered the barrier to sophisticated attacks,” said Pham. “The threat actor didn’t need any custom exploits or state-of-the-art capabilities; they included commercially available cloaking tools (Adspect and JustCloakIt), free ScreenConnect instances, an off-the-shelf crypter, and a signed Huawei driver with exploitable vulnerabilities to create a kill chain from Google to kernel-mode.”
“A consistent pattern across all vulnerable hosts was the rapid deployment of multiple remote access tools. After a robust ScreenConnect relay was established, the threat actor deployed ScreenConnect test instances on the same endpoint, sometimes two or three within hours, along with a copy of RMM tools such as FleetDeck.”
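Two of the behaviours described above are easy to hunt for in endpoint telemetry: a load of the signed Huawei driver abused by HwAudKiller, and several RMM installers landing on one host within hours. The following is an added example (not Huntress's code) that runs both checks over constructed, simplified driver-load and process-create records; the host names, timestamps and paths are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the Huntress write-up: the signed Huawei audio driver
# abused by HwAudKiller, and the RMM tools stacked on each compromised host.
VULNERABLE_DRIVERS = {"hwauidoos2ec.sys"}
RMM_PATTERNS = ("screenconnect", "fleetdeck")

# Constructed sample telemetry (hypothetical hosts, times and paths), shaped
# like simplified driver-load and process-create records from an EDR feed.
SAMPLE_EVENTS = [
    {"host": "WS-01", "time": "2026-01-14T09:02:00", "type": "process_create",
     "image": r"C:\Users\u\Downloads\ScreenConnect.ClientSetup.exe"},
    {"host": "WS-01", "time": "2026-01-14T10:15:00", "type": "process_create",
     "image": r"C:\Users\u\AppData\Local\Temp\ScreenConnect.ClientSetup(1).exe"},
    {"host": "WS-01", "time": "2026-01-14T11:40:00", "type": "process_create",
     "image": r"C:\ProgramData\FleetDeck Agent\fleetdeck_agent.exe"},
    {"host": "WS-01", "time": "2026-01-14T12:05:00", "type": "driver_load",
     "image": r"C:\Windows\Temp\HWAuidoOs2Ec.sys"},
    {"host": "WS-03", "time": "2026-01-14T13:00:00", "type": "driver_load",
     "image": r"C:\Windows\System32\drivers\HWAuidoOs2Ec.sys"},
]

def find_vulnerable_driver_loads(events):
    """Return (host, path) for each load of a driver on the BYOVD watch-list."""
    # The driver is legitimately signed, so DSE passes it; the name (and, in
    # practice, the file hash) is the signal, not the signature status.
    hits = []
    for e in events:
        if e["type"] != "driver_load":
            continue
        name = e["image"].rsplit("\\", 1)[-1].lower()
        if name in VULNERABLE_DRIVERS:
            hits.append((e["host"], e["image"]))
    return hits

def find_rapid_rmm_deployments(events, min_count=2, window=timedelta(hours=4)):
    """Return hosts where >= min_count RMM installers/agents ran within `window`."""
    by_host = defaultdict(list)
    for e in events:
        if e["type"] == "process_create" and any(p in e["image"].lower() for p in RMM_PATTERNS):
            by_host[e["host"]].append(datetime.fromisoformat(e["time"]))
    flagged = []
    for host, times in by_host.items():
        times.sort()
        # Slide a window of min_count consecutive RMM events over the sorted times.
        for i in range(len(times) - min_count + 1):
            if times[i + min_count - 1] - times[i] <= window:
                flagged.append(host)
                break
    return sorted(flagged)
```

The driver check will also fire on genuine Huawei laptops where the audio driver is installed in its normal location, so pair it with the load path and a hash allow-list before alerting on it.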