Ethical Hacking News

New Malvertising Campaign Targets Tax-Related Searches, Delivers ScreenConnect Malware Using Huawei Driver



A new malvertising campaign targets tax-related searches, delivering malware through a combination of cloaking services, legitimate drivers, and off-the-shelf tools. This complex attack uses the BYOVD technique to disable security programs and demonstrates how commodity tooling has become more sophisticated in recent campaigns.

  • A new malvertising campaign has been detected targeting U.S.-based individuals searching for tax-related documents, utilizing Google Ads to serve rogue installers.
  • The campaign uses a complex cloaking system designed to evade detection by security scanners and ad review systems.
  • The attack chain employs commercial cloaking services, a previously undocumented Huawei audio driver, and tactics similar to those used in pre-ransomware or initial access broker attacks.
  • Users are tricked into clicking on sponsored search results that direct them to bogus sites protected by a PHP-based Traffic Distribution System (TDS) powered by Adspect.



    A new and concerning malvertising campaign has been detected targeting U.S.-based individuals searching for tax-related documents. The campaign, which has been active since January 2026, utilizes Google Ads to serve rogue installers for ConnectWise ScreenConnect that deliver a tool named HwAudKiller. This tool blinds security programs using the bring your own vulnerable driver (BYOVD) technique, allowing attackers to disable EDR (Endpoint Detection and Response) solutions.

    The cybersecurity vendor, Huntress, identified over 60 instances of malicious ScreenConnect sessions tied to the campaign. According to Huntress researcher Anna Pham, "The two cloaking services are stacked in the same index.php—JCI's server-side filtering runs first, while Adspect provides client-side JavaScript fingerprinting as a second layer." This complex cloaking system is designed to evade detection by security scanners and ad review systems.

    The attack chain employed by this campaign stands out for its use of commercial cloaking services and a previously undocumented Huawei audio driver. Unlike recent campaigns highlighted by Microsoft that leverage tax-themed lures, the newly flagged activity employs these additional tactics to avoid detection.

    In one instance, the threat actor leveraged the access to deploy the endpoint detection and response (EDR) killer and then dump credentials from the Local Security Authority Subsystem Service (LSASS) process memory, as well as use tools like NetExec for network reconnaissance and lateral movement. These tactics align with pre-ransomware or initial access broker behavior, suggesting that the threat actor is looking to either deploy ransomware or monetize the access by selling it to other criminal actors.

    The campaign begins when users search for terms like "W2 tax form" or "W-9 Tax Forms 2026" on search engines like Google, tricking them into clicking on sponsored search results that direct users to bogus sites. The landing page is protected by a PHP-based Traffic Distribution System (TDS) powered by Adspect, a commercial cloaking service.

    The web pages lead to the distribution of ScreenConnect installers, which are then used to deploy multiple trial instances on the compromised host. The threat actor has also been found to drop additional Remote Monitoring and Management (RMM) tools like FleetDeck Agent for redundancy and to ensure persistent remote access.

    A multi-stage crypter acts as a conduit for an EDR killer codenamed HwAudKiller that uses the BYOVD technique to terminate processes associated with Microsoft Defender, Kaspersky, and SentinelOne. The vulnerable driver used in the attack is "HWAuidoOs2Ec.sys," a legitimate, signed Huawei kernel driver designed for laptop audio hardware.

    Huntress noted that this campaign illustrates how commodity tooling has lowered the barrier for sophisticated attacks. The threat actor did not need custom exploits or nation-state capabilities; instead, they combined commercially available cloaking services, free-tier ScreenConnect instances, an off-the-shelf crypter, and a signed Huawei driver with an exploitable weakness to build an end-to-end kill chain that goes from a Google search to kernel-mode EDR termination.
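    As an added example (not code from the article, from Huntress, or from any vendor named above), the following Python routine shows what the endpoint side of this chain looks like to a hunter: it runs over constructed Sysmon-style events and flags the two behaviours the article describes on the host, an RMM agent (ScreenConnect, FleetDeck) appearing on a machine, and a kernel driver being loaded either from a user-writable location or matching a watchlist. The driver filename on the watchlist is the one the article reports; the event format, field names, hostnames, paths and the "somedrv.sys" entry are constructed for this example. It does not attempt to detect the cloaking layer, which happens before anything reaches the endpoint.

```python
"""Added example (not from the article or from Huntress): hunt over
constructed Sysmon-style endpoint events for the two host-side behaviours
the article describes: BYOVD driver loads and unexpected RMM agents."""
import re
from dataclasses import dataclass

# Driver watchlist. The Huawei driver name is the one the article reports;
# extend it from your own intel. Comparison is case-insensitive on the filename.
DRIVER_WATCHLIST = {"hwauidoos2ec.sys"}

# Directories a properly installed kernel driver should not be loaded from.
SUSPICIOUS_DRIVER_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")

# RMM agents the article says were dropped. In production compare against an
# allowlist of the RMM tools the organisation actually uses.
RMM_PATTERNS = {
    "ScreenConnect": re.compile(
        r"screenconnect\.clientsetup\.exe|screenconnect\.windowsclient\.exe", re.I),
    "FleetDeck": re.compile(r"fleetdeck", re.I),
}

@dataclass
class Finding:
    rule: str
    host: str
    detail: str

# Constructed events, key=value per line. EventID 6 = driver loaded,
# EventID 1 = process created (mirrors Sysmon's numbering).
SAMPLE_EVENTS = [
    "EventID=6 Host=WS01 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signed=true",
    "EventID=6 Host=WS01 ImageLoaded=C:\\Users\\jdoe\\AppData\\Local\\Temp\\HWAuidoOs2Ec.sys Signed=true",
    "EventID=1 Host=WS01 Image=C:\\Users\\jdoe\\Downloads\\ScreenConnect.ClientSetup.exe "
    "ParentImage=C:\\Program Files\\Mozilla Firefox\\firefox.exe",
    "EventID=1 Host=WS02 Image=C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\"
    "ScreenConnect.WindowsClient.exe ParentImage=C:\\Windows\\System32\\services.exe",
    "EventID=6 Host=WS02 ImageLoaded=C:\\ProgramData\\upd\\somedrv.sys Signed=true",
    "EventID=1 Host=WS02 Image=C:\\ProgramData\\FleetDeck\\fleetdeck_agent.exe "
    "ParentImage=C:\\Windows\\System32\\services.exe",
    "EventID=1 Host=WS03 Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe",
]

def parse_event(line):
    """Parse 'Key=Value Key=Value' lines. Values may contain spaces and
    parentheses, so each value runs up to the next ' Key=' boundary."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"(\w+)=(.*?)(?= \w+=|$)", line)}

def check_driver_load(ev):
    """Flag watchlisted drivers and drivers loaded from user-writable paths.
    A valid signature does not suppress the finding: the article's point is
    that the abused driver is legitimately signed."""
    path = ev.get("ImageLoaded", "")
    name = path.rsplit("\\", 1)[-1].lower()
    if name in DRIVER_WATCHLIST:
        return Finding("byovd.watchlisted_driver", ev["Host"], path)
    if any(d in path.lower() for d in SUSPICIOUS_DRIVER_DIRS):
        return Finding("byovd.driver_from_user_path", ev["Host"], path)
    return None

def check_process_create(ev):
    """Flag RMM agent installers and clients by image name."""
    image = ev.get("Image", "")
    for tool, pat in RMM_PATTERNS.items():
        if pat.search(image):
            return Finding("rmm.agent_activity", ev["Host"], f"{tool}: {image}")
    return None

def hunt(lines):
    """Apply the per-event checks and collect findings in event order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        f = check_driver_load(ev) if eid == "6" else (
            check_process_create(ev) if eid == "1" else None)
        if f:
            findings.append(f)
    return findings

def hosts_with_both(findings):
    """Hosts showing both RMM activity and a suspicious driver load, i.e. the
    sequence the article describes (remote session, then EDR killer)."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule.split(".")[0])
    return sorted(h for h, cats in by_host.items() if {"byovd", "rmm"} <= cats)

if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f.rule}] {f.host}: {f.detail}")
    print("hosts with RMM + BYOVD:", hosts_with_both(results))
```

The two rule families are deliberately kept separate and only correlated per host at the end: a single RMM install is common in a managed fleet, and a single driver load from ProgramData can be a badly packaged legitimate product, but a host that shows both within the same investigation window is the pattern worth escalating first.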



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Malvertising-Campaign-Targets-Tax-Related-Searches-Delivers-ScreenConnect-Malware-Using-Huawei-Driver-ehn.shtml

  • https://thehackernews.com/2026/03/tax-search-ads-deliver-screenconnect.html

  • https://cybersixt.com/a/5Phxek0mO9f8Pxcwfii2Uu


  • Published: Tue Mar 24 13:33:46 2026 by llama3.2 3B Q4_K_M