It's tax season, and cybercriminals are taking advantage of the rush. Huntress says that a large malvertising campaign aimed at U.S. taxpayers has been running since at least January 2026.

Threat actors are using fake Google Ads that pose as W-2 and W-9 tax forms to trick people into downloading a malicious ScreenConnect installer. Once they are on the system, the attackers use a "Bring Your Own Vulnerable Driver" (BYOVD) attack to turn off security tools. This makes it easier for them to move through the network and possibly deploy ransomware.

The FatMalloc Crypter and Advanced Cloaking

Threat actors use commercial cloaking services such as Adspect and JustCloakIt to keep their malicious ads running.

These tools show Google's security scanners a safe webpage while sending real users to the malware payload.

To make sure they can always get in, the attackers install multiple free-tier ScreenConnect relays and backup management tools on the same machine. This way, they can still get in even if one tool is removed. After they have remote access, the attackers use a multi-stage crypter called FatMalloc.

This malware deliberately consumes 2 gigabytes of memory to exhaust antivirus emulators, causing them to time out and skip the security scan.

Rogue ScreenConnect delivery page (Source: Huntress)

The crypter also uses indirect execution methods, such as the Windows multimedia timer API, to run its encrypted payload without triggering behavioral alerts. To further evade basic string detection, the malware authors prepended the letter "Y" to all application programming interface (API) names.

Researchers also found Russian-language comments on a fake Google Chrome update page hosted on the same infrastructure, which points to the developer's country of origin.

Fake Google browser update lure (Source: Huntress)

Using a Huawei Audio Driver as a Weapon

The final payload delivered by the FatMalloc crypter is an EDR killer tool called HwAudKiller. This malware drops a legitimate, digitally signed Huawei audio driver, HWAudioOs2Ec.sys, into the system's temporary folder and loads it as a kernel service named Havoc.

Even though the driver is digitally signed by a major hardware vendor, it exposes an unverified function that lets it terminate any process with system-level kernel privileges.

A piece of the embedded shellcode (Source: Huntress)

HwAudKiller abuses this flaw to repeatedly search for and kill endpoint detection and response (EDR) agents, blinding Microsoft Defender, SentinelOne, and Kaspersky. As soon as the attackers disable Huntress's security defenses, they move on to stealing credentials. They use standard Windows tools to dump LSASS credentials and attempt to move laterally across the network with tools such as NetExec. This behavior strongly suggests that the attackers are either initial access brokers or preparing for a large-scale ransomware attack.

Indicator Type | Value
Malvertising Page | anukitax[.]com
Delivery Page | bringetax[.]com
Fake Chrome Update | grinvan[.]com/vims/browser/
ScreenConnect Relay | instance-itsd8c-relay.screenconnect[.]com
ScreenConnect Relay | instance-sl1mb9-relay.screenconnect[.]com
Exploited Driver | HWAudioOs2Ec.sys

To defend against this threat, organizations should monitor for ScreenConnect instances that should not be present and investigate any kernel driver that loads unexpectedly from a temporary directory.
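As an added example (not code from the article or from Huntress), the following Python triage pass turns the two recommendations above into checks over constructed, Sysmon-shaped log records: a driver load (event 6) or kernel-driver service install (event 7045) whose binary sits under a temp directory, even when the signature is valid, and a DNS query (event 22) for a ScreenConnect relay host that is not on a hypothetical allowlist of the organization's own relays. The sample events, the Havoc service name and the approved-relay host are constructed for illustration.

```python
import re
from typing import Iterable

# Constructed, simplified records shaped like Sysmon event 6 (DriverLoad), Sysmon event 22
# (DnsQuery) and System-log event 7045 (service installed). Illustrative, not captured telemetry.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\HWAudioOs2Ec.sys",
     "Signed": "true", "Signature": "Huawei Technologies Co., Ltd."},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 7045, "ServiceName": "Havoc", "ServiceType": "kernel mode driver",
     "ImagePath": r"C:\Users\bob\AppData\Local\Temp\HWAudioOs2Ec.sys"},
    {"EventID": 22, "QueryName": "instance-itsd8c-relay.screenconnect.com"},
    {"EventID": 22, "QueryName": "instance-corp01-relay.screenconnect.com"},
]

# Hypothetical allowlist: the relay host your own ScreenConnect tenant legitimately uses.
APPROVED_RELAYS = {"instance-corp01-relay.screenconnect.com"}

TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
RELAY_RE = re.compile(r"^instance-[a-z0-9]+-relay\.screenconnect\.com$", re.IGNORECASE)


def loaded_from_temp(path: str) -> bool:
    """True when a binary path sits under any directory named temp/tmp (e.g. C:\\Windows\\Temp)."""
    return bool(TEMP_DIR_RE.search(path))


def triage(events: Iterable[dict], approved_relays: set) -> list:
    """Return one finding string per suspicious event; an empty list means nothing matched."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 6 and loaded_from_temp(ev.get("ImageLoaded", "")):
            # A valid vendor signature does not make a driver benign: BYOVD abuses signed drivers.
            findings.append(f"driver loaded from temp dir: {ev['ImageLoaded']} "
                            f"(signed={ev.get('Signed')}, signer={ev.get('Signature')})")
        elif (eid == 7045 and "driver" in ev.get("ServiceType", "").lower()
              and loaded_from_temp(ev.get("ImagePath", ""))):
            findings.append(f"kernel service '{ev.get('ServiceName')}' installed "
                            f"from temp dir: {ev['ImagePath']}")
        elif eid == 22:
            host = ev.get("QueryName", "").lower()
            if RELAY_RE.match(host) and host not in approved_relays:
                findings.append(f"unapproved ScreenConnect relay contacted: {host}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS, APPROVED_RELAYS):
        print(line)
```

Feeding real exported events into `triage` only requires mapping your log fields onto the same keys; the allowlist is what keeps a legitimately deployed ScreenConnect tenant from generating noise.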