Sophisticated Malvertising Campaign Exploits Tax Season Searches, Deploys Kernel-Mode EDR Killer via Vulnerable Huawei Driver.

Cahyo Dewo, March 24, 2026

A sophisticated malvertising campaign, active since January 2026, has been observed meticulously targeting U.S.-based individuals searching for tax-related documents. This elaborate scheme leverages Google Ads to serve rogue installers for ConnectWise ScreenConnect, a legitimate remote monitoring and management (RMM) tool, ultimately deploying a potent endpoint detection and response (EDR) killer named HwAudKiller. This tool exploits a "bring your own vulnerable driver" (BYOVD) technique to blind security programs, paving the way for further malicious activities, including credential theft and lateral network movement.

The campaign’s modus operandi, meticulously detailed by Huntress researcher Anna Pham in a recent report, highlights a growing trend of cybercriminals combining commodity tooling with advanced evasion tactics. Huntress, a leading cybersecurity vendor, confirmed identifying over 60 distinct instances of malicious ScreenConnect sessions linked to this ongoing operation, underscoring its broad reach and persistent nature. Unlike many recent tax-themed phishing campaigns that rely on direct email lures, this activity distinguishes itself by weaponizing search engine results and employing advanced commercial cloaking services to evade detection, alongside abusing a previously undocumented vulnerability in a legitimate Huawei audio driver to neutralize security software.

The Anatomy of Deception: Malvertising During Tax Season

The attack chain commences with a deceptively simple yet highly effective tactic: malvertising. Cybercriminals exploit the high search volume around tax season by purchasing sponsored ad slots on major search engines like Google. When users search for common tax-related terms such as "W2 tax form" or "W-9 Tax Forms 2026," they are presented with what appear to be legitimate links to tax documentation. However, these sponsored results, designed to mimic official or reputable sources, redirect unsuspecting users to malicious websites.

One such identified bogus site, "bringetax[.]com/humu/", serves as the initial gateway for the attack. The timing of this campaign, coinciding with the peak of tax filing season in the United States, is no coincidence. Millions of individuals and businesses are actively seeking tax forms and information, creating a fertile ground for cybercriminals to exploit urgency and reduce user scrutiny. This strategic targeting significantly increases the likelihood of victims clicking on seemingly relevant but ultimately malicious links, demonstrating a calculated understanding of human psychology and seasonal online behavior.

Advanced Evasion: Commercial Cloaking Services in Action

Tax Search Ads Deliver ScreenConnect Malware Using Huawei Driver to Disable EDR

A critical component distinguishing this campaign from less sophisticated attacks is its robust use of commercial cloaking services. The malicious landing pages are protected by a two-layered PHP-based Traffic Distribution System (TDS), powered by Adspect and JustCloakIt (JCI). These services are designed to present a benign, innocuous page to security scanners, automated bots, and ad review systems, while delivering the actual malicious payload only to genuine human victims.

The two layers run in a fixed order. JCI’s server-side filtering runs first, vetting each visitor on parameters such as IP address, user-agent, geographic location, and other environmental signals before any page is served. Visitors that pass are then fingerprinted by client-side JavaScript; the fingerprint is transmitted to the Adspect backend, which decides whether the visitor is a genuine target or a security scanner and tailors the response accordingly. This dual-layered cloaking mechanism makes it exceedingly difficult for automated security tools, and even for manual analysis, to observe the true nature of the malicious sites, which is how the campaign persisted on ad platforms for extended periods. Dynamically serving different content based on visitor attributes is a hallmark of advanced cyber operations and shows the threat actor’s intent to remain undetected for as long as possible.

Weaponizing Legitimate Tools: ConnectWise ScreenConnect as an Initial Foothold

Upon successfully bypassing the cloaking layers, the victim is prompted to download what appears to be a legitimate tax document or installer. In reality, this initiates the download of a rogue ConnectWise ScreenConnect installer. ScreenConnect (now ConnectWise Control) is a legitimate and widely used remote desktop access and management software. Its broad adoption in IT environments makes it a potent tool for adversaries, as its presence on a network might not immediately raise red flags.

The threat actor demonstrates a clear understanding of persistence and redundancy. Once the rogue ScreenConnect installer is executed, it establishes multiple trial instances on the compromised host. This "stacking" of remote access tools is a deliberate strategy to ensure continuous access to the victim’s system, even if one connection or instance is detected and terminated. Huntress observed instances where two or three trial ScreenConnect instances were deployed within hours, alongside backup RMM tools like FleetDeck Agent. This multi-tool approach underscores the actor’s commitment to maintaining a robust foothold, indicating a high value placed on the compromised systems, likely for further monetization.

The Ultimate Disabler: HwAudKiller and the BYOVD Technique

The pivotal stage of this attack involves the deployment of HwAudKiller, a sophisticated EDR killer delivered via a multi-stage crypter. The crypter itself employs anti-analysis techniques, such as allocating and then freeing 2GB of memory, a tactic designed to exhaust or confuse antivirus engines and emulators, causing them to fail or crash before the true payload is revealed.


HwAudKiller then leverages the "bring your own vulnerable driver" (BYOVD) technique, a particularly insidious method to bypass modern security solutions. In this attack, the specific vulnerable driver used is "HWAuidoOs2Ec.sys," a legitimate and digitally signed Huawei kernel driver. This driver, intended for laptop audio hardware, contains an exploitable weakness that allows the threat actor to gain kernel-mode privileges.

The significance of using a legitimately signed driver cannot be overstated. Windows operating systems, through Driver Signature Enforcement (DSE), are designed to prevent the loading of unsigned or tampered kernel-mode drivers, a critical security measure. However, by exploiting a vulnerability within an already signed and trusted driver, the attackers can circumvent DSE entirely. This allows HwAudKiller to operate at the highest privilege level (kernel mode), enabling it to terminate processes associated with leading EDR solutions such as Microsoft Defender, Kaspersky, and SentinelOne. By operating from kernel mode, the driver effectively bypasses the user-mode protections that these advanced security products rely on, rendering them blind and ineffective. This "blinding" of security tools is a prerequisite for subsequent, more destructive actions, as it removes the primary defenses that would otherwise detect and block post-exploitation activities.

Post-Compromise Objectives: Credential Theft and Lateral Movement

With EDR solutions neutralized, the threat actor proceeds with post-exploitation activities aimed at maximizing their access and potential for monetization. In at least one observed instance, the attackers leveraged their newfound access to dump credentials from the Local Security Authority Subsystem Service (LSASS) process memory. LSASS stores critical authentication information, including hashed user credentials, which, if compromised, can grant attackers widespread access within an organization’s network.

Following credential dumping, the attackers utilized tools like NetExec for network reconnaissance and lateral movement. NetExec is a powerful open-source tool used by both penetration testers and malicious actors to assess and exploit network vulnerabilities, enumerate network resources, and move laterally across connected systems. These tactics – credential theft, network reconnaissance, and lateral movement – are highly indicative of pre-ransomware activity or the operations of an initial access broker (IAB).

Initial Access Brokers are cybercriminal entities that specialize in gaining unauthorized access to corporate networks and then selling that access to other criminal groups, typically ransomware gangs. The observed behaviors strongly suggest that the threat actor is either preparing to deploy ransomware themselves or, more likely, intends to monetize the compromised access by selling it on underground forums to other cybercriminal syndicates, who will then execute their own attacks, often ransomware deployment.

Attribution and the Commoditization of Cybercrime


While the exact identity of the threat actor behind this campaign remains unconfirmed, an exposed open directory within the threat actor-controlled infrastructure revealed a fake Chrome update page containing JavaScript code with Russian-language comments. This detail strongly suggests a Russian-speaking developer, potentially indicating the origin or linguistic affiliation of the group in possession of this social engineering toolkit for malware distribution.

This campaign serves as a stark illustration of the ongoing commoditization of cybercrime. As Huntress researcher Anna Pham aptly noted, "The threat actor didn’t need custom exploits or nation-state capabilities, they combined commercially available cloaking services (Adspect and JustCloakIt), free-tier ScreenConnect instances, an off-the-shelf crypter, and a signed Huawei driver with an exploitable weakness to build an end-to-end kill chain that goes from a Google search to kernel-mode EDR termination." This trend lowers the barrier to entry for less sophisticated groups, enabling them to execute highly effective and destructive attacks by piecing together readily available tools and techniques. The availability of such "commodity tooling" means that advanced capabilities are no longer exclusive to state-sponsored actors or highly organized criminal syndicates, democratizing the potential for significant cyber disruption.

Industry Reactions and Broader Implications

The implications of such a campaign are far-reaching. For individuals, the risk of identity theft and financial fraud during tax season is elevated. For businesses, a successful compromise can lead to data breaches, significant financial losses due to ransomware, operational disruption, and reputational damage.

  • Google’s Role and Response: While Google invests heavily in combating malvertising, this campaign demonstrates the persistent challenge of policing sponsored search results. Cybercriminals constantly evolve their evasion tactics, requiring continuous vigilance and technological advancements from advertising platforms. Google frequently updates its ad policies and detection mechanisms, but the use of sophisticated cloaking services like Adspect poses a significant hurdle.
  • ConnectWise and Legitimate Tool Abuse: The misuse of legitimate RMM tools like ConnectWise ScreenConnect highlights a broader industry challenge. Software vendors face the dilemma of creating powerful tools that, in the wrong hands, can become potent weapons. ConnectWise, like other RMM providers, routinely issues security advisories and guidance on securing their products, but the onus also falls on users to implement strong security practices.
  • Huawei and Vulnerable Drivers: The exploitation of a legitimately signed Huawei driver underscores a critical supply chain security concern. Hardware manufacturers must ensure the security of their drivers throughout their lifecycle, promptly patching and revoking certificates for any found vulnerabilities. The BYOVD technique leverages the implicit trust placed in signed drivers, making such vulnerabilities particularly dangerous.
  • Cybersecurity Industry Adaptation: This campaign necessitates a continuous evolution of EDR and other security solutions. Defenses must move beyond signature-based detection and user-mode monitoring to include more robust kernel-level integrity checks, behavior analysis, and proactive threat hunting to identify and counter BYOVD attacks. The ability of HwAudKiller to bypass leading EDRs highlights a need for security vendors to continuously re-evaluate and strengthen their kernel-mode protections and exploit mitigation strategies.
  • Regulatory and User Awareness: Government agencies like the IRS consistently warn taxpayers about scams. This incident reinforces the need for heightened user awareness, urging individuals to be skeptical of unsolicited links, even those appearing in sponsored search results, and to navigate directly to official government or financial institution websites.

Mitigation and Defense Strategies

Defending against sophisticated campaigns like this requires a multi-layered approach:

  1. Enhanced User Vigilance: Individuals should exercise extreme caution when clicking on sponsored search results, especially for sensitive topics like tax forms. Always verify the URL and consider navigating directly to known, official websites (e.g., IRS.gov) instead of relying on search engine ads.
  2. Robust Endpoint Security: Organizations must deploy and maintain advanced EDR solutions capable of detecting BYOVD attacks and other kernel-mode threats. Keeping these solutions updated and correctly configured is crucial.
  3. Patch Management: Keep operating systems, applications, and drivers updated to patch known vulnerabilities. While the Huawei driver vulnerability was previously undocumented, a strong patch management program can mitigate other known exploits.
  4. Network Segmentation and Least Privilege: Implement network segmentation to limit lateral movement. Enforce the principle of least privilege, ensuring users and applications only have the necessary permissions to perform their functions, thereby limiting the impact of a credential compromise.
  5. Multi-Factor Authentication (MFA): Implement MFA for all critical accounts to prevent unauthorized access even if credentials are stolen.
  6. Security Awareness Training: Regular training for employees on recognizing malvertising, phishing attempts, and safe browsing practices is paramount.
  7. Monitoring and Threat Hunting: Proactive monitoring of network traffic and endpoint behavior can help detect anomalous activities indicative of compromise, such as the deployment of multiple RMM tools or unusual process terminations.
  8. Application Whitelisting: Restrict the execution of unauthorized applications to prevent the deployment of rogue installers and malicious tools.
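The monitoring and threat-hunting step above, and the BYOVD section before it, point at three observable signals: a load of the vulnerable Huawei driver, several RMM agents appearing on one host within hours, and a non-allowlisted process opening LSASS. The following Python hunt is an added example written for this article; it is not Huntress tooling or code from the report. The log format, the host names, the timestamps, the `svc.exe` process, the six-hour window, the two-install threshold, and the LSASS access allowlist are all constructed assumptions for the example. The driver filename is taken exactly as the article spells it.

```python
"""Hunt over constructed endpoint telemetry for the three indicators
described in the article: vulnerable-driver load, RMM "stacking", and
LSASS access from a non-allowlisted process. Nothing here is real
telemetry; every log line below is constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Driver filename exactly as given in the article (lower-cased for matching).
VULNERABLE_DRIVERS = {"hwauidoos2ec.sys"}
# RMM agents named in the article; patterns are matched against the image path.
RMM_PATTERNS = [re.compile(p, re.I) for p in (r"screenconnect", r"fleetdeck")]
RMM_STACK_WINDOW = timedelta(hours=6)   # assumed window for "within hours"
RMM_STACK_THRESHOLD = 2                 # assumed: two or more agents is suspicious
# Hypothetical allowlist of processes expected to open LSASS; tune per environment.
LSASS_ACCESS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}

# Constructed line format: "<iso-ts> host=<h> event=<e> key="value" key="value"..."
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) (?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')

SAMPLE_LOG = """\
2026-02-03T09:14:02 host=ws-17 event=process_create image="C:\\Users\\jdoe\\Downloads\\W2_Tax_Form_2026.ClientSetup.exe" parent="chrome.exe"
2026-02-03T09:14:30 host=ws-17 event=process_create image="C:\\Program Files (x86)\\ScreenConnect Client (a1b2)\\ScreenConnect.ClientService.exe" parent="services.exe"
2026-02-03T11:02:11 host=ws-17 event=process_create image="C:\\Program Files (x86)\\ScreenConnect Client (c3d4)\\ScreenConnect.ClientService.exe" parent="services.exe"
2026-02-03T12:40:55 host=ws-17 event=process_create image="C:\\Program Files\\FleetDeck Agent\\fleetdeck_agent.exe" parent="services.exe"
2026-02-03T13:05:09 host=ws-17 event=driver_load image="C:\\Windows\\Temp\\HWAuidoOs2Ec.sys"
2026-02-03T13:07:41 host=ws-17 event=process_access image="C:\\Windows\\Temp\\svc.exe" target="C:\\Windows\\System32\\lsass.exe" access="0x1010"
2026-02-03T13:08:00 host=ws-17 event=process_access image="C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe" target="C:\\Windows\\System32\\lsass.exe" access="0x1000"
2026-02-03T08:00:00 host=ws-22 event=process_create image="C:\\Program Files (x86)\\ScreenConnect Client (e5f6)\\ScreenConnect.ClientService.exe" parent="services.exe"
"""


def parse_line(line):
    """Return a dict for one telemetry line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "event": m["event"]}
    rec.update(KV_RE.findall(m["kv"]))
    return rec


def basename(path):
    """Last path component, lower-cased, so matching ignores install directory and case."""
    return path.rsplit("\\", 1)[-1].lower()


def max_installs_in_window(stamps, window):
    """Largest number of RMM starts falling inside any window that begins at one of them."""
    stamps = sorted(stamps)
    return max((sum(1 for u in stamps[i:] if u - t <= window) for i, t in enumerate(stamps)), default=0)


def hunt(lines):
    """Scan telemetry lines and return (indicator, host, detail) findings in detection order."""
    findings = []
    rmm_starts = defaultdict(list)  # host -> timestamps of RMM agent process creation
    for rec in filter(None, map(parse_line, lines)):
        image = rec.get("image", "")
        if rec["event"] == "driver_load" and basename(image) in VULNERABLE_DRIVERS:
            findings.append(("byovd_driver_load", rec["host"], basename(image)))
        elif rec["event"] == "process_create" and any(p.search(image) for p in RMM_PATTERNS):
            rmm_starts[rec["host"]].append(rec["ts"])
        elif rec["event"] == "process_access" and basename(rec.get("target", "")) == "lsass.exe":
            if basename(image) not in LSASS_ACCESS_ALLOWLIST:
                findings.append(("lsass_access", rec["host"], basename(image)))
    # RMM stacking is a per-host aggregate, so it is evaluated after the pass.
    for host, stamps in rmm_starts.items():
        n = max_installs_in_window(stamps, RMM_STACK_WINDOW)
        if n >= RMM_STACK_THRESHOLD:
            findings.append(("rmm_stacking", host, n))
    return findings


if __name__ == "__main__":
    for indicator, host, detail in hunt(SAMPLE_LOG.splitlines()):
        print(f"{host}: {indicator} ({detail})")
```

On the constructed sample, ws-17 is flagged three times (the driver load, `svc.exe` touching LSASS, and three RMM agents inside one window) while ws-22, which has a single ScreenConnect client, produces nothing. The driver check is deliberately a bare filename match so that the driver is caught regardless of which temporary directory it is dropped in; in production the same logic would be fed from Sysmon or EDR driver-load and process-access events rather than a text file.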

This campaign underscores the escalating sophistication of cyber threats and the critical importance of a comprehensive, adaptive cybersecurity posture. As cybercriminals continue to innovate by combining readily available tools with advanced evasion tactics, individuals and organizations must remain vigilant and continuously strengthen their defenses against evolving attack methodologies.
