Google Ads Malvertising Campaign Uses Huawei Driver in BYOVD Attack to Kill EDR

CyberSecureFox

A large-scale malvertising campaign active since January 2026 is abusing Google Ads to target US users searching for tax forms such as “W2 tax form” and “W‑9 Tax Forms 2026”. Instead of legitimate IRS or vendor sites, victims are redirected to look‑alike pages that distribute a trojanized ConnectWise ScreenConnect installer. Through this foothold, attackers deploy an EDR‑killer tool dubbed HwAudKiller, which leverages a Bring Your Own Vulnerable Driver (BYOVD) technique to disable security controls at the Windows kernel level.

Google Ads Malvertising: From Tax Searches to Remote Access

According to incident data shared by Huntress, more than 60 malicious ScreenConnect sessions linked to this campaign have been identified across victim environments. Unlike typical tax‑themed phishing that relies mainly on fake login pages or document lures, this activity stands out for two reasons: extensive use of commercial cloaking and traffic distribution services to bypass ad and security review, and abuse of a previously undocumented Huawei audio driver to neutralize endpoint protection.

The final objective is still being assessed, but post‑compromise behavior is highly indicative of pre‑ransomware activity or work by initial access brokers. After gaining remote access, the operators deploy the EDR‑killer, extract credentials from the LSASS process memory, and use tools such as NetExec for network discovery and lateral movement. This set of techniques is commonly observed in the early stages of ransomware incidents and access brokerage operations.

Attack Chain: From Google Search to Full System Compromise

The intrusion begins when a user searches for tax‑related terms in Google. Sponsored results placed through Google Ads lead to domains such as bringetax[.]com/humu/ and similar look‑alike URLs. These websites present themselves as sources for “official forms” or “tax utilities”, but the download offered is a modified ScreenConnect installer that silently gives attackers remote access to the system.

Advanced Cloaking with Adspect and JustCloakIt TDS

To evade automated security screening, the operators use a PHP‑based Traffic Distribution System (TDS) integrated with the commercial service Adspect. The site fingerprints each visitor—collecting IP address, browser characteristics, and behavioral signals—and sends this profile to Adspect. Based on the response, the TDS either serves malicious content or a benign decoy page designed to pass Google Ads moderation and security scanners.

A second cloaking layer, JustCloakIt (JCI), is also embedded in index.php. JCI performs server‑side filtering, while Adspect adds client‑side JavaScript fingerprinting. This “double cloaking” significantly reduces the chance that security tools, crawlers, or quality‑assurance bots will ever see the real payload. The campaign reflects a broader industry trend where commercial TDS and cloaking platforms have become standard building blocks for sophisticated malware distribution via online advertising.
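A practical way to confirm server‑side cloaking of this kind is to request the same URL under several client profiles and compare what comes back. The Python script below is an added example, not code from this article, from Huntress, or from the cloaking services it describes. The MockCloaker class is a constructed, deliberately simple stand‑in for a server‑side filter (its rules, the profile header strings and the gclid value are all assumptions); the probe logic is what a scanner would run against a real suspect URL, where any divergence between profiles means the site is fingerprinting its visitors.

```python
"""Probe a URL under several client profiles and flag cloaking when the
responses diverge.  Added example: MockCloaker is a constructed stand-in
for a server-side filter, not JustCloakIt or Adspect code."""
import hashlib
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed page bodies: what a cloaker shows reviewers vs. targets.
DECOY = b"<html><body><h1>Tax form information</h1><p>See IRS.gov.</p></body></html>"
LURE = (b"<html><body><h1>Download your W-2 (2026)</h1>"
        b"<a href='/humu/W2_Form_2026.exe'>Download</a></body></html>")


class MockCloaker(BaseHTTPRequestHandler):
    """Toy server-side filter (assumed rules): only a Windows Chrome visitor
    arriving from a Google ad click (google referer + gclid) gets the lure."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        referer = self.headers.get("Referer", "")
        looks_like_target = (
            "Windows NT" in ua and "Chrome/" in ua
            and "google." in referer and "gclid=" in self.path
        )
        body = LURE if looks_like_target else DECOY
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence request logging
        pass


# Client profiles to rotate through (header strings are illustrative).
PROFILES = {
    "crawler": {"ad_click": False,
                "headers": {"User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)"}},
    "cli": {"ad_click": False, "headers": {"User-Agent": "curl/8.5.0"}},
    "win_chrome_ad": {"ad_click": True, "headers": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36",
        "Referer": "https://www.google.com/"}},
}


def fetch(url, headers):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def probe(base_url, profiles=PROFILES):
    """Hash the body served to each profile; divergence means the site is
    serving different content depending on the visitor fingerprint."""
    hashes = {}
    for name, prof in profiles.items():
        # only the ad-click profile carries the tracking parameter
        url = base_url + ("?gclid=EXAMPLE" if prof["ad_click"] else "")
        hashes[name] = hashlib.sha256(fetch(url, prof["headers"])).hexdigest()
    return {"hashes": hashes, "cloaked": len(set(hashes.values())) > 1}


def demo():
    """Start the mock cloaker on an ephemeral localhost port and probe it."""
    srv = HTTPServer(("127.0.0.1", 0), MockCloaker)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe(f"http://127.0.0.1:{srv.server_port}/humu/")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    result = demo()
    for name, digest in result["hashes"].items():
        print(f"{name:14s} {digest[:16]}")
    print("cloaking detected:", result["cloaked"])
```

Against a real TDS the crawler and CLI profiles should come back identical (the decoy) while the ad‑click profile differs; a client‑side layer such as Adspect’s JavaScript fingerprinting will not be triggered by this probe, so a clean result from plain HTTP fetches does not rule out cloaking, it only proves that the server‑side layer is not the one making the decision.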

Persistent Remote Access via ScreenConnect and RMM Tools

Once the fake ScreenConnect installer runs, attackers establish persistence by deploying multiple instances of ScreenConnect alongside backup remote monitoring and management (RMM) agents such as FleetDeck Agent. This creates redundant remote access channels so that, even if one agent or session is detected and removed, others remain active.

On many infected hosts, investigators observed two or three new ScreenConnect sessions and an additional RMM agent appearing within a few hours. This redundancy underscores a deliberate effort to maintain highly resilient remote access, a tactic increasingly seen in intrusions where legitimate admin tools are repurposed as backdoors.
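The redundancy pattern described above is visible in the Windows System log: every new agent registers a service, which produces an event ID 7045 ("A service was installed in the system"). The Python hunt below is an added example, not Huntress tooling. The events are constructed (the image paths and the approved ScreenConnect instance id are assumptions); the service‑name convention "ScreenConnect Client (<instance id>)" is what ScreenConnect clients use, and the hunt flags both instance ids that do not belong to the organisation and hosts that gained several remote‑access services within a short window.

```python
"""Hunt Windows 'service installed' events (System log, ID 7045) for
unapproved RMM agents and bursts of remote-access installs on one host.
Added example with constructed events; not Huntress tooling."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical org-approved ScreenConnect instance id (the hex in the
# service name "ScreenConnect Client (<id>)"); any other id is rogue.
APPROVED_SCREENCONNECT_IDS = {"a1b2c3d4e5f6a7b8"}

# Service-name patterns for the RMM families seen in this campaign;
# extend with other agents (AnyDesk, Atera, ...) from your own inventory.
RMM_PATTERNS = {
    "ScreenConnect": re.compile(r"ScreenConnect Client \(([0-9a-f]+)\)", re.I),
    "FleetDeck": re.compile(r"FleetDeck", re.I),
}

# Constructed 7045 events normalised to dicts (image paths are assumed).
EVENTS = [
    {"time": "2026-02-03T14:02:11", "host": "WS-FIN-07",
     "service": "ScreenConnect Client (a1b2c3d4e5f6a7b8)",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f6a7b8)\ScreenConnect.ClientService.exe"},
    {"time": "2026-02-03T14:05:40", "host": "WS-FIN-07",
     "service": "ScreenConnect Client (9f8e7d6c5b4a3f2e)",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (9f8e7d6c5b4a3f2e)\ScreenConnect.ClientService.exe"},
    {"time": "2026-02-03T16:31:02", "host": "WS-FIN-07",
     "service": "ScreenConnect Client (0011223344556677)",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (0011223344556677)\ScreenConnect.ClientService.exe"},
    {"time": "2026-02-03T16:45:19", "host": "WS-FIN-07",
     "service": "FleetDeck Agent",
     "image": r"C:\Program Files\FleetDeck Agent\fleetdeck_agent_svc.exe"},
    {"time": "2026-02-03T09:00:00", "host": "WS-HR-02",
     "service": "Sysmon64", "image": r"C:\Windows\Sysmon64.exe"},
    {"time": "2026-02-03T10:12:00", "host": "WS-HR-02",
     "service": "ScreenConnect Client (a1b2c3d4e5f6a7b8)",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f6a7b8)\ScreenConnect.ClientService.exe"},
]


def classify(event):
    """Return (rmm_family, instance_id) or (None, None) for a 7045 event."""
    text = event["service"] + " " + event.get("image", "")
    for family, pattern in RMM_PATTERNS.items():
        m = pattern.search(text)
        if m:
            instance = m.group(1).lower() if m.groups() else None
            return family, instance
    return None, None


def hunt(events, window=timedelta(hours=6), min_agents=2):
    """Flag unapproved RMM installs and hosts that gained >= min_agents
    remote-access services inside `window` (the redundancy pattern)."""
    unapproved, installs = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        family, instance = classify(ev)
        if family is None:
            continue
        installs[ev["host"]].append(datetime.fromisoformat(ev["time"]))
        approved = family == "ScreenConnect" and instance in APPROVED_SCREENCONNECT_IDS
        if not approved:
            unapproved.append({"host": ev["host"], "time": ev["time"],
                               "family": family, "instance": instance,
                               "service": ev["service"]})
    redundant = {}
    for host, times in installs.items():
        # largest number of RMM installs that fit inside one sliding window
        best = max(sum(1 for t in times[i:] if t - start <= window)
                   for i, start in enumerate(times))
        if best >= min_agents:
            redundant[host] = best
    return {"unapproved": unapproved, "redundant": redundant}


if __name__ == "__main__":
    findings = hunt(EVENTS)
    for f in findings["unapproved"]:
        print(f"UNAPPROVED {f['host']} {f['time']} {f['service']}")
    for host, n in findings["redundant"].items():
        print(f"REDUNDANT  {host}: {n} remote-access services installed within 6h")
```

On the constructed data WS-FIN-07 produces three unapproved installs (two rogue ScreenConnect instances and the FleetDeck agent) and trips the redundancy rule with four remote‑access services in under three hours, while WS-HR-02, which only gained the approved instance, stays quiet. In production, feed the function from a SIEM export of 7045 events (or Security log 4697) and keep the approved instance id list in sync with the RMM platform's own configuration.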

BYOVD Attack with Huawei Audio Driver and HwAudKiller

The centerpiece of the post‑exploitation phase is a multi‑stage cryptor that delivers HwAudKiller, an EDR‑disabling component that implements a BYOVD attack. In a BYOVD scenario, attackers introduce a legitimate but vulnerable signed driver into the system and then exploit its weaknesses to execute privileged operations within the Windows kernel.

Disabling EDR Solutions from the Windows Kernel

In this campaign, the threat actors load HWAuidoOs2Ec.sys, an authentic and digitally signed Huawei audio driver originally intended for laptop sound subsystems. Despite being legitimate, the driver contains vulnerabilities that can be abused to terminate security processes from kernel mode, including products such as Microsoft Defender, Kaspersky, and SentinelOne.

Because the driver carries a valid signature, Windows loads it even with Driver Signature Enforcement (DSE) enabled: DSE verifies who signed the code, not whether the code is safe. The control that addresses this gap is Microsoft’s vulnerable driver blocklist, which is enforced by default on recent Windows 11 builds with memory integrity (HVCI) turned on and can be applied elsewhere through a WDAC policy, but it only stops drivers that have already been added to the list. This illustrates the systemic weakness BYOVD attacks exploit: the overall security posture of the operating system depends not only on Microsoft’s protections, but also on the security quality of every third‑party driver the kernel is willing to trust.
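The detection consequence of the point above is that a valid signature is not a reason to trust a driver load. One way to act on that is to compare every Sysmon Event ID 6 (DriverLoad) record against a golden‑image baseline of (file name, signer) pairs, a vulnerable‑driver hash list, and the directories drivers are normally installed from. The Python script below is an added example written for this article, not code from Huntress or from any product; the sample events are constructed (the signer string for the Huawei driver, the hashes and the baseline contents are assumptions), and the blocklist set is left empty to be populated from a feed such as loldrivers.io.

```python
"""Flag kernel driver loads that fall outside a known-good baseline, using
Sysmon Event ID 6 (DriverLoad) records.  Added example; the sample events
are constructed, not captured from this campaign."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Known-good (file name, signer) pairs from a golden image. Illustrative.
BASELINE = {("afd.sys", "Microsoft Windows"), ("ndis.sys", "Microsoft Windows")}
# SHA-256 of known-vulnerable drivers; populate from a feed such as loldrivers.io.
BLOCKLIST_SHA256 = set()
# Where drivers normally live; a load from anywhere else deserves a look.
EXPECTED_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")


def sysmon_driver_event(computer, image, signer, sha256, signed="true", status="Valid"):
    """Render a Sysmon ID 6 event in the Windows event XML schema (constructed)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6</EventID><Computer>{computer}</Computer></System>
  <EventData>
    <Data Name="UtcTime">2026-02-03 16:52:07.118</Data>
    <Data Name="ImageLoaded">{image}</Data>
    <Data Name="Hashes">SHA256={sha256}</Data>
    <Data Name="Signed">{signed}</Data>
    <Data Name="Signature">{signer}</Data>
    <Data Name="SignatureStatus">{status}</Data>
  </EventData>
</Event>"""


SAMPLE_EVENTS = [
    sysmon_driver_event("WS-FIN-07", r"C:\Windows\System32\drivers\afd.sys",
                        "Microsoft Windows", "A" * 64),
    # signed vendor driver dropped in a user-writable directory (BYOVD pattern);
    # signer string and hash are assumptions, not the real driver's values
    sysmon_driver_event("WS-FIN-07", r"C:\Users\Public\HWAuidoOs2Ec.sys",
                        "Huawei", "B" * 64),
    # signed, valid, installed in the usual place, but absent from the baseline
    sysmon_driver_event("WS-FIN-07", r"C:\Windows\System32\drivers\examplevendor.sys",
                        "Example Vendor Inc.", "C" * 64),
]


def parse_event(xml_text):
    """Return the EventData fields of a Sysmon ID 6 event, or None otherwise."""
    root = ET.fromstring(xml_text)
    if root.findtext(f"{NS}System/{NS}EventID") != "6":
        return None
    fields = {d.get("Name"): (d.text or "") for d in root.iter(f"{NS}Data")}
    fields["Computer"] = root.findtext(f"{NS}System/{NS}Computer", "")
    return fields


def assess(ev):
    """List the reasons a driver load is suspicious (empty list = clean)."""
    path = PureWindowsPath(ev["ImageLoaded"])
    signer = ev.get("Signature", "")
    hashes = dict(h.split("=", 1) for h in ev.get("Hashes", "").split(",") if "=" in h)
    reasons = []
    if hashes.get("SHA256", "").lower() in BLOCKLIST_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    # a valid signature is NOT a pass: unknown signed drivers still get flagged
    if (path.name.lower(), signer) not in BASELINE:
        reasons.append(f"not in baseline (signed by {signer!r})")
    if not str(path.parent).lower().startswith(EXPECTED_DIRS):
        reasons.append(f"loaded from non-standard location {path.parent}")
    return reasons


def hunt(xml_events):
    findings = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        if ev is None:
            continue
        reasons = assess(ev)
        if reasons:
            findings.append({"computer": ev["Computer"],
                             "driver": PureWindowsPath(ev["ImageLoaded"]).name,
                             "signer": ev.get("Signature", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['computer']} {f['driver']} ({f['signer']}): " + "; ".join(f["reasons"]))
```

The baseline check is the one that catches a BYOVD driver before any feed lists it; the location check adds a second signal because droppers usually write the driver somewhere writable rather than into System32\drivers. Tune the baseline per hardware model, since a laptop with a Huawei audio subsystem legitimately loads drivers a server never will.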

Cryptor Evasion Through Resource Exhaustion

The cryptor responsible for deploying HwAudKiller uses an additional evasion technique to hinder antivirus analysis. It allocates approximately 2 GB of RAM, fills it with zeros, and then releases it. Antivirus emulators and sandboxes typically run a sample under a memory and time budget; a payload that demands 2 GB and spends its first seconds zeroing memory can exceed that budget, so the engine abandons analysis before the malicious stage is ever unpacked.

Attribution Clues and Growing Commoditization of Advanced Attacks

Attribution remains uncertain. However, researchers examining an exposed directory within the attackers’ infrastructure found a fake Chrome update page containing JavaScript with Russian‑language comments. This points to at least one Russian‑speaking developer and suggests the threat actor maintains a wider library of social‑engineering templates beyond the tax theme.

Taken together—malvertising, commercial TDS, BYOVD abuse, mass deployment of RMM tools, and an EDR‑killer—the operation forms a coherent, end‑to‑end kill chain built predominantly with commodity services and widely available tools rather than bespoke exploits. This aligns with observed industry trends where the commoditization of advanced tradecraft lowers the barrier to entry for criminal groups, enabling complex operations without nation‑state‑level resources.

Defensive Measures Against Malvertising and BYOVD Attacks

1. Limit trust in sponsored search results, especially when downloading software or documents. Whenever possible, navigate directly to official URLs for tax authorities and software vendors rather than relying on ads.

2. Deploy advanced web and DNS filtering capable of blocking known TDS infrastructure and malvertising domains, and integrate threat intelligence feeds into secure web gateways.

3. Use EDR/NGAV solutions with driver control and BYOVD protection, and enable the Microsoft vulnerable driver blocklist (through HVCI/memory integrity or a WDAC policy). Monitor the loading of new kernel drivers, even when they are signed, and flag suspicious or uncommon drivers for investigation: a valid signature proves who published the driver, not that it is safe to load.

4. Regularly audit installed RMM tools and ScreenConnect sessions, maintaining an inventory of approved agents and hunting for unauthorized instances, unusual session counts, or connections from unexpected geolocations.

5. Strengthen user awareness training to cover malicious advertising, tax‑themed lures, and fake browser update prompts, emphasizing that legitimate tax forms and browser updates rarely require downloading standalone executables from unfamiliar domains.

The ongoing Google Ads malvertising campaign demonstrates how a combination of commercial cloaking services, legitimate remote‑administration tools, and a vulnerable Huawei driver can deliver a complete intrusion chain—from a simple tax‑form search to disabling EDR in the Windows kernel. Reducing blind trust in sponsored search results, improving visibility and control over kernel‑mode drivers, and tightening governance around RMM tools are critical steps for organizations and individuals seeking to mitigate similar threats and strengthen their overall cyber resilience.
