As April approaches, Americans are increasingly focused on meeting tax deadlines, a fact not lost on cyber attackers. A sophisticated malvertising campaign has been exploiting this urgency since January 2026, using misleading Google Ads to lure victims into downloading harmful software that disables endpoint detection and response (EDR) systems.
Malicious Campaign Targets U.S. Tax Filers
This cyber campaign specifically targets users searching for tax forms like W-2 and W-9. By creating fake landing pages that imitate official IRS portals, the attackers aim to deceive employees, freelancers, and small business owners into downloading malicious software during the tax filing season.
The process begins when a potential victim searches for a tax form on Google. They are directed to a site named anukitax[.]com, which then redirects to bringetax[.]com. This page hosts a rogue ScreenConnect installer named form_w9.msi, disguising itself as a legitimate tax form.
How the Attack Unfolds
ScreenConnect is a legitimate remote management tool, so users rarely suspect anything when they install it. Once it is installed, however, the attackers gain complete access to the victim's machine without any oversight from the enterprise IT department.
Huntress researchers identified this campaign through routine threat analysis, uncovering over 60 unauthorized ScreenConnect sessions. What appeared to be suspicious remote activity was revealed as a multi-layered operation that blindsides endpoint security systems, potentially leading to ransomware attacks or selling initial access to other cybercriminals.
Technical Aspects of the Attack
After gaining entry, the attackers deploy a complex crypter known as FatMalloc, along with fallback remote-access tooling such as FleetDeck, maintaining persistence through multiple relay instances. The final payload, HwAudKiller, abuses an undocumented Huawei audio driver to disable security software from the kernel.
HwAudKiller works by terminating key security processes, which clears the way for the attackers to extract credentials and carry out network-wide attacks. Because the driver carries a valid digital signature, the operating system loads it without raising any suspicion.
Precautionary Measures and Recommendations
The exposed open directories of the threat actors also reveal additional tactics, such as fake Google Chrome update pages with Russian-language comments, hinting at a Russian-speaking developer. This indicates a well-organized operation employing multiple social engineering strategies.
Users are advised to download tax forms only from the official IRS website and treat sponsored search results with skepticism. IT teams should whitelist approved remote management tools and flag any unusual ScreenConnect activity. Monitoring for specific Sysmon events can help detect unauthorized kernel driver installations.
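To illustrate the Sysmon monitoring recommended above, here is an added example (written for this piece, not code from Huntress or the article) that runs two checks over constructed Sysmon-style events: a driver-load check that does not treat a valid signature as clearance, and a ScreenConnect process check against an approved relay host. The allowlisted hash, the approved relay, and the assumption that the relay host appears as the 'h=' parameter in the client command line are all placeholders.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (sample data, not from the article); hashes are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\HdAudio.sys",
     "Signed": "true", "Hashes": "SHA256=" + "11" * 32},
    {"EventID": 6, "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\audiokill.sys",
     "Signed": "true", "Hashes": "SHA256=" + "22" * 32},  # validly signed, still unexpected
    {"EventID": 1, "Image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2)\ScreenConnect.ClientService.exe",
     "CommandLine": '"ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.corp.example&p=8041"'},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\ScreenConnect.ClientService.exe",
     "CommandLine": '"ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.placeholder.invalid&p=8041"'},
]

# Assumed allowlists (placeholders): driver hashes IT expects, and the organisation's own relay host.
APPROVED_DRIVER_SHA256 = {"11" * 32}
APPROVED_RELAYS = {"relay.corp.example"}
DRIVER_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")

def check_driver_load(ev):
    """Event ID 6 (driver loaded): a valid signature alone does not clear a driver, so
    flag loads from outside the system driver directory or with an unapproved hash."""
    path = PureWindowsPath(ev["ImageLoaded"])
    m = re.search(r"SHA256=([0-9A-Fa-f]+)", ev.get("Hashes", ""))
    sha256 = m.group(1).lower() if m else None
    if path.parent != DRIVER_DIR:
        return f"driver loaded from non-system path: {path}"
    if sha256 not in APPROVED_DRIVER_SHA256:
        return f"driver with unapproved hash (Signed={ev.get('Signed')}): {path.name}"
    return None

def check_screenconnect(ev):
    """Event ID 1 (process create): a ScreenConnect client whose relay host (assumed to be
    the 'h=' parameter) is not the organisation's own is unsanctioned remote access."""
    if not PureWindowsPath(ev["Image"]).name.lower().startswith("screenconnect"):
        return None
    m = re.search(r"[?&]h=([^&\s\"]+)", ev.get("CommandLine", ""))
    relay = m.group(1) if m else "<none>"
    if relay not in APPROVED_RELAYS:
        return f"ScreenConnect client to unapproved relay {relay}: {ev['Image']}"
    return None

def analyze(events):
    # Dispatch each event to the check for its ID; return the list of alert strings.
    checks = {6: check_driver_load, 1: check_screenconnect}
    notes = (checks[ev["EventID"]](ev) for ev in events if ev["EventID"] in checks)
    return [n for n in notes if n]
```

Run against the sample events, the two alerts are the signed driver loaded from a user's Temp folder and the ScreenConnect client pointed at an unknown relay; the two benign events produce nothing.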
