A recent surge in malicious advertising has been aimed at individuals in the United States searching for tax-related forms online. Since January 2026, these deceptive ads have been distributing compromised installers of ConnectWise ScreenConnect, which subsequently deploy a tool known as HwAudKiller. This tool effectively disables security programs by exploiting a Huawei driver vulnerability, a technique often referred to as bring your own vulnerable driver (BYOVD).
Campaign Details and Tactics
Huntress, a cybersecurity firm, reported that these ads exploit Google’s advertising platform to distribute rogue versions of ScreenConnect, which then drop a kernel driver to evade detection. Anna Pham, a researcher from Huntress, highlighted the use of commercial cloaking services to bypass security checks, employing an undocumented Huawei audio driver to neutralize security measures.
The campaign’s goals remain unclear, but evidence suggests that attackers may use this access to disable endpoint detection and response (EDR) tools and extract credentials from affected systems. Their methods indicate a potential pre-ransomware strategy or intentions to sell access to other cybercriminals.
Execution and Tools Employed
The attack initiates when users search for terms like “W2 tax form” on Google, leading them to fake sites through sponsored links. These sites, protected by Adspect’s cloaking services, present benign pages to security systems while delivering malware to actual users. This dual-layer protection is further enhanced by JustCloakIt’s server-side filtering.
Once users are deceived into downloading the compromised installer, it deploys multiple instances of ScreenConnect and additional tools like FleetDeck Agent, ensuring continued remote access. The main payload, HwAudKiller, leverages a Huawei driver to deactivate security software, including Microsoft Defender, by operating at the kernel level.
Technical Insights and Implications
The Huawei driver, “HWAuidoOs2Ec.sys,” is a legitimate component for audio hardware, but its exploitable nature allows it to terminate security processes from kernel space. This bypasses user-mode protections, and because the driver is legitimately signed it loads despite Windows’ driver signature enforcement, which is what makes the BYOVD approach work.
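As an added illustration of how a defender could hunt for the two behaviours described above (a load of the named Huawei driver, and several remote-access installs stacked on one host), the following script is not part of the Huntress report; it runs over constructed Sysmon-style telemetry, and the remote-access file names and log layout are assumptions.

```python
import re
from collections import defaultdict

# Indicator taken from the write-up above: the signed Huawei audio driver
# that HwAudKiller loads to kill security processes from kernel space.
BYOVD_DRIVERS = {"hwauidoos2ec.sys"}
# Remote-access binaries to count per host; these file names are assumptions.
RAT_IMAGES = {"screenconnect.clientservice.exe", "fleetdeck_agent.exe"}

# Constructed sample telemetry in a simplified Sysmon-like key=value layout
# (event 1 = process create, event 6 = driver load).
SAMPLE_LOG = r"""
host=WS01 event=1 image=C:\Program Files (x86)\ScreenConnect Client (aaa111)\ScreenConnect.ClientService.exe
host=WS01 event=1 image=C:\Program Files (x86)\ScreenConnect Client (bbb222)\ScreenConnect.ClientService.exe
host=WS01 event=1 image=C:\ProgramData\FleetDeck\fleetdeck_agent.exe
host=WS01 event=6 image=C:\Windows\Temp\HWAuidoOs2Ec.sys signed=true
host=WS02 event=6 image=C:\Windows\System32\drivers\HdAudio.sys signed=true
host=WS02 event=1 image=C:\Program Files (x86)\ScreenConnect Client (aaa111)\ScreenConnect.ClientService.exe
"""

LINE_RE = re.compile(r"host=(\S+) event=(\d+) image=(.+?)(?: signed=\S+)?$")

def parse_events(log):
    """Yield (host, event_id, lowercased file name, full path) per log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            host, event, path = m.groups()
            yield host, int(event), path.rsplit("\\", 1)[-1].lower(), path

def hunt(log, min_installs=2):
    """Return findings: BYOVD driver loads and hosts with stacked remote-access installs."""
    findings = []
    installs = defaultdict(set)  # host -> distinct remote-access install paths
    for host, event, name, path in parse_events(log):
        if event == 6 and name in BYOVD_DRIVERS:
            # The signature is valid, so signature enforcement will not stop the
            # load; the known-vulnerable file name is what has to be matched.
            findings.append((host, "byovd_driver_load", path))
        elif event == 1 and name in RAT_IMAGES:
            installs[host].add(path)
    for host, paths in sorted(installs.items()):
        if len(paths) >= min_installs:
            findings.append((host, "stacked_remote_access", f"{len(paths)} installs"))
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(*finding)
```

On the sample data only WS01 is flagged: one driver-load finding and one stacked-remote-access finding; WS02 loads a normal audio driver and has a single ScreenConnect install.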
Further analysis revealed an open directory containing code with Russian-language comments, hinting at a Russian-speaking developer. This suggests that the operation might be driven by individuals with access to common social engineering tools rather than state-level capabilities.
Conclusion and Future Outlook
This campaign exemplifies how readily available tools can enable complex cyberattacks. By combining commercial cloaking services, free-tier software instances, and a signed driver with vulnerabilities, attackers have crafted a sophisticated threat chain. The rapid deployment of multiple remote access tools on compromised systems further underscores the sophistication of these cybercriminals.
As the campaign continues, it highlights the need for enhanced vigilance and improved defenses against such evolving cyber threats. Organizations must remain proactive in updating security measures to counteract these innovative attack strategies.
