A large-scale malvertising campaign targeting U.S.-based users has emerged as a significant cybersecurity threat, abusing tax-related search queries to distribute malicious software and disable endpoint security defenses. Active since January 2026, the campaign shows how threat actors chain legitimate commercial tools, paid cloaking services, and a signed vulnerable kernel driver to compromise systems at scale without writing a single custom exploit.
The attack primarily targets individuals searching for tax-related documents such as “W-2 tax form” or “W-9 Tax Forms 2026.” Victims are redirected through malicious Google Ads to deceptive websites that deliver rogue installers for ConnectWise ScreenConnect, preconfigured to connect to attacker-controlled relays. Once executed, these installers establish unauthorized remote access sessions, which the operators use to deploy an endpoint detection and response (EDR) killer tracked as HwAudKiller.
This campaign stands out due to its use of the “bring your own vulnerable driver” (BYOVD) technique. Attackers load a legitimate, signed Huawei kernel driver (HWAuidoOs2Ec.sys) and abuse its functionality to disable security tools at the kernel level. Because the driver carries a valid signature, Windows Driver Signature Enforcement loads it without complaint; the attacker is not bypassing that control but satisfying it, and then using the driver's own privileged operations to terminate protected processes belonging to products such as Microsoft Defender, Kaspersky, and SentinelOne. The practical consequence is that a “signed and valid” verdict on a driver load is not a clean bill of health.
To evade detection, the attackers employ advanced cloaking mechanisms using commercial services like Adspect and JustCloakIt. These tools create layered filtering systems that present harmless content to security scanners and ad review systems while delivering malicious payloads only to real users. This dual-layer cloaking significantly increases the success rate of the campaign and complicates detection efforts.
Once inside the system, the attack chain deploys multiple remote monitoring and management (RMM) tools, including additional ScreenConnect instances and FleetDeck agents, so that losing any one session does not cost the attackers their foothold. The payload is also wrapped in a multi-stage crypter that allocates large amounts of system memory, a common way to defeat antivirus emulators and sandboxes that cap resource use and abandon analysis before the final stage is unpacked.
In at least one observed instance, attackers escalated their access by extracting credentials from the Local Security Authority Subsystem Service (LSASS) and conducting network reconnaissance using tools like NetExec. These behaviors align with tactics commonly associated with initial access brokers or pre-ransomware operations, suggesting that the compromised access may later be sold or used for large-scale ransomware deployment.
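The three host-side stages described above (the signed driver load, the rogue RMM client pointed at an unfamiliar relay, and a non-security process reading LSASS memory) each leave a distinct telemetry footprint. The following Python detector is an added example, not code from the campaign write-up or from any vendor: it runs three checks over constructed Sysmon-style events (driver load, process creation, process access) and raises a chain alert when a single host trips more than one stage. The SHA256 watchlist value, the approved RMM relay host, the LSASS reader allowlist, and the `h=` relay parameter in the ScreenConnect client command line are all assumptions for illustration; replace them with your environment's values and with hashes from a maintained vulnerable-driver list.

```python
"""Toy multi-stage detector for the tax-season BYOVD/RMM chain.

Added example, not the campaign's or any vendor's code. Sample events are
constructed to resemble Sysmon fields (EventID 6 DriverLoad, 1 ProcessCreate,
10 ProcessAccess); watchlist values are assumptions, not real indicators.
"""
import re
from pathlib import PureWindowsPath

# Drivers known to be abused for BYOVD. The file name is the one named in the
# article; the SHA256 is a constructed placeholder (assumption: replace with the
# real hash from Microsoft's vulnerable driver blocklist or LOLDrivers).
DRIVER_WATCHLIST = {"names": {"hwauidoos2ec.sys"}, "sha256": {"a" * 64}}

# RMM client binaries seen in the chain and the relay hosts your own RMM
# deployment is allowed to use (assumed allowlist).
RMM_BINARIES = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe",
                "fleetdeck_agent.exe"}
APPROVED_RMM_HOSTS = {"rmm.corp.example"}
# Assumption: the ScreenConnect client passes its relay host as "h=" in its URL-style argument.
RELAY_RE = re.compile(r"[?&]h=([^&\s\"']+)", re.IGNORECASE)

# Processes legitimately allowed to read LSASS memory (assumed allowlist).
LSASS_READERS = {"msmpeng.exe", "csrss.exe", "wininit.exe"}
PROCESS_VM_READ = 0x0010  # access bit needed to dump credential material


def basename(path):
    return PureWindowsPath(path).name.lower()


def parse_hashes(field):
    """Turn Sysmon's 'SHA256=..,MD5=..' string into a dict keyed by algorithm."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().lower()] = value.strip().lower()
    return out


def check_driver_load(ev):
    """Stage 1: a watchlisted driver was loaded. A 'Valid' signature is expected here, not reassuring."""
    if ev["EventID"] != 6:
        return None
    name = basename(ev["ImageLoaded"])
    sha = parse_hashes(ev.get("Hashes", "")).get("sha256")
    if name in DRIVER_WATCHLIST["names"] or sha in DRIVER_WATCHLIST["sha256"]:
        return ("byovd_driver", f"{name} loaded, SignatureStatus={ev.get('SignatureStatus')}")
    return None


def check_rmm_install(ev):
    """Stage 2: an RMM client started that is not pointed at an approved relay."""
    if ev["EventID"] != 1 or basename(ev["Image"]) not in RMM_BINARIES:
        return None
    match = RELAY_RE.search(ev.get("CommandLine", ""))
    host = match.group(1).lower() if match else None
    if host in APPROVED_RMM_HOSTS:
        return None
    return ("rogue_rmm", f"{basename(ev['Image'])} pointed at relay {host or 'unknown'}")


def check_lsass_access(ev):
    """Stage 3: something outside the allowlist opened lsass.exe with VM_READ."""
    if ev["EventID"] != 10 or basename(ev["TargetImage"]) != "lsass.exe":
        return None
    src = basename(ev["SourceImage"])
    granted = int(ev["GrantedAccess"], 16)
    if granted & PROCESS_VM_READ and src not in LSASS_READERS:
        return ("lsass_read", f"{src} opened lsass.exe with 0x{granted:x}")
    return None


CHECKS = (check_driver_load, check_rmm_install, check_lsass_access)


def detect(events):
    """Return (host, stage, detail) tuples, plus a 'chain' alert per host with 2+ distinct stages."""
    alerts, stages = [], {}
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                alerts.append((ev["Computer"], hit[0], hit[1]))
                stages.setdefault(ev["Computer"], set()).add(hit[0])
    for host, seen in stages.items():
        if len(seen) >= 2:
            alerts.append((host, "chain", "multi-stage: " + ", ".join(sorted(seen))))
    return alerts


# Constructed sample telemetry: WS01 shows the full chain, WS02 is benign.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
     "CommandLine": '"C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.ClientService.exe" '
                    '"?e=Access&y=Guest&h=relay.example.net&p=443"'},
    {"EventID": 6, "Computer": "WS01", "ImageLoaded": r"C:\Windows\Temp\HWAuidoOs2Ec.sys",
     "Hashes": "SHA256=" + "f" * 64, "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 10, "Computer": "WS01", "SourceImage": r"C:\Users\Public\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "Computer": "WS02",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (def456)\ScreenConnect.ClientService.exe",
     "CommandLine": '"C:\\Program Files (x86)\\ScreenConnect Client (def456)\\ScreenConnect.ClientService.exe" '
                    '"?e=Access&y=Guest&h=rmm.corp.example&p=443"'},
    {"EventID": 10, "Computer": "WS02", "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]

if __name__ == "__main__":
    for host, stage, detail in detect(SAMPLE_EVENTS):
        print(f"{host}\t{stage}\t{detail}")
```

Matching the driver by file name is the weakest part of the check, since the attacker controls the name on disk; in production, key the watchlist on the hashes published in Microsoft's vulnerable driver blocklist and, where possible, enforce that list through HVCI or WDAC so the load is refused rather than merely logged. The chain alert is what matters operationally: any one of these stages has benign look-alikes, but a host that loads a blocklisted driver and spins up an unapproved RMM client in the same window is a pre-ransomware incident, not a ticket.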
The campaign underscores a growing trend in cybersecurity where attackers combine readily available tools and services rather than developing custom exploits. By integrating commercial cloaking platforms, legitimate remote access software, and vulnerable signed drivers, threat actors can construct highly effective attack chains with minimal resources.
For organizations and individuals, this incident highlights the importance of strengthening endpoint security, monitoring kernel driver loads and enabling Microsoft's vulnerable driver blocklist, restricting which remote access tools may run and where they may connect, and maintaining awareness of phishing and malvertising threats, particularly around seasonal lures such as tax forms. As cybercriminals continue to refine their techniques, proactive defense strategies and real-time threat detection remain critical to mitigating evolving risks.