Since January 2026, there has been a large-scale malvertising campaign targeting people in the U.S. who are looking for tax-related documents.
The goal is to get them to install rogue versions of ConnectWise ScreenConnect that drop a tool called HwAudKiller to blind security programs using the bring your own vulnerable driver (BYOVD) technique. "The campaign misuses Google Ads to serve rogue ScreenConnect (ConnectWise Control) installers, which eventually delivers a BYOVD EDR killer that drops a kernel driver to blind security tools before further compromise," Huntress researcher Anna Pham said in a report published last week. The cybersecurity company said it found more than 60 instances of bad ScreenConnect sessions linked to the campaign. There are a few things that make the attack chain stand out.
Microsoft has recently talked about campaigns that use tax-themed lures, but the new activity uses commercial cloaking services to avoid detection by security scanners and an undocumented Huawei audio driver to disable security solutions. No one knows who is behind the campaign right now, but an open directory that the threat actor controls has revealed a fake Chrome update page with JavaScript code and comments in Russian. This suggests that a Russian-speaking developer has a set of tools for social engineering that they can use to spread malware.
Pham said, "This campaign shows how cheap tools have made it easier for advanced attacks to happen."
"The threat actor didn't need custom exploits or nation-state capabilities; they used commercially available cloaking services (Adspect and JustCloakIt), free-tier ScreenConnect instances, an off-the-shelf crypter, and a signed Huawei driver with a weakness that could be used to build an end-to-end kill chain that goes from a Google search to kernel-mode EDR termination." "One thing that all the compromised hosts had in common was that they quickly stacked multiple remote access tools. After the first rogue ScreenConnect relay was set up, the threat actor set up more trial ScreenConnect instances on the same endpoint, sometimes two or three in a few hours, as well as backup RMM tools like FleetDeck."
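The rapid stacking of remote access tools described above is a detectable pattern on its own: several distinct RMM installs on one endpoint within a few hours is unusual for a managed fleet. The following is an added example of such a check, not code from the Huntress report or from ConnectWise; the log format, the tool names, the relay identifiers and the four-hour window are all assumptions chosen for illustration, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not taken from the report). One line per remote
# access tool installation, as an endpoint agent might record it.
# Assumed fields: ISO timestamp, hostname, tool name, instance/relay identifier.
SAMPLE_EVENTS = """\
2026-02-03T09:12:10Z WS-114 ScreenConnect relay-a1
2026-02-03T09:40:55Z WS-114 ScreenConnect relay-b7
2026-02-03T11:02:31Z WS-114 FleetDeck agent-1
2026-02-03T10:00:00Z WS-207 ScreenConnect relay-c3
2026-02-05T10:00:00Z WS-207 FleetDeck agent-1
2026-02-04T14:30:00Z WS-301 ScreenConnect relay-it
"""

# Assumed set of remote access tools worth counting (lower-cased for matching).
RMM_TOOLS = {"screenconnect", "fleetdeck"}


def parse_events(text):
    """Parse the assumed log format into (timestamp, host, tool, instance) tuples,
    keeping only installations of known remote access tools."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, tool, instance = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if tool.lower() in RMM_TOOLS:
            events.append((when, host, tool, instance))
    return events


def find_rmm_stacking(events, window=timedelta(hours=4), min_distinct=2):
    """Return {host: [(tool, instance), ...]} for every host on which at least
    `min_distinct` distinct RMM tool instances were installed inside a sliding
    window of length `window`. A second ScreenConnect relay counts as a distinct
    instance even though the tool name repeats."""
    by_host = defaultdict(list)
    for when, host, tool, instance in events:
        by_host[host].append((when, tool, instance))

    flagged = {}
    for host, items in by_host.items():
        items.sort()  # chronological order so the window scan is linear
        for i, (start, _, _) in enumerate(items):
            distinct = set()
            for when, tool, instance in items[i:]:
                if when - start > window:
                    break
                distinct.add((tool, instance))
            if len(distinct) >= min_distinct:
                flagged[host] = sorted(distinct)
                break
    return flagged


if __name__ == "__main__":
    for host, tools in find_rmm_stacking(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: {len(tools)} distinct RMM instances within 4h -> {tools}")
```

In the constructed sample, WS-114 receives two ScreenConnect relays and a FleetDeck agent inside two hours and is flagged; WS-207 gets the same tools two days apart and WS-301 has a single relay, so neither is reported. In a real deployment the instance identifier would come from whatever the agent logs for the relay or service configuration, and the window and threshold should be tuned against the organisation's own RMM rollout history.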