A large-scale malicious campaign active since January 2026 has been observed targeting US-based individuals searching for tax-related documents in order to serve up rogue installers for ConnectWise ScreenConnect, which drop the tool called HwAudKiller Blinding security programs using Bring Your Own Vulnerable Driver (BYOVD) technology.
“The campaign abuses Google ads to serve rogue ScreenConnect (ConnectWise Control) installers, ultimately providing a BYOVD EDR killer that leaves the kernel driver in place to blind security devices before further compromise,” Huntress researcher Anna Pham said in a report published last week.
The cybersecurity vendor said it had identified more than 60 instances of malicious ScreenConnect sessions linked to the campaign. Attack chains come about for a few reasons. Unlike recent campaigns that took advantage of tax-themed inducements by Microsoft, the newly identified activity employs commercial cloaking services to avoid detection by security scanners and misuses a previously undocumented Huawei audio driver to disable security solutions.
The exact objectives of the campaign are currently unclear; However, in one example, the threat actor is said to have leveraged access to deploy an Endpoint Detection and Response (EDR) killer and then dump credentials from the Local Security Authorization Subsystem Service (LSASS) process memory, as well as use tools like NetExec for network reconnaissance and lateral movement.
These tactics, according to Huntress, align with pre-ransomware or initial access broker behavior, suggesting that the threat actor is looking to either deploy ransomware or monetize access by selling it to other criminal actors.
The attack begins when users search for terms like “W2 tax form” or “W-9 tax form 2026” on search engines like Google, prompting them to click on sponsored search results that take users to fraudulent sites like “bringetax.”[.]com/humu/” to trigger delivery of the ScreenConnect installer.
Additionally, the landing page is protected by a PHP-based Traffic Distribution System (TDS) operated by AdSpect, a commercial cloaking service, to ensure that a benign page is served to security scanners and ad review systems, while only actual victims see the actual payload.
This is achieved by generating a fingerprint of the site visitor and sending it to the Adspect backend, which then determines the appropriate response. In addition to Adspect, the “index.php” of the landing page contains a second cloaking layer on the server side, powered by JustCloakIt (JCI).
“The two cloaking services are stacked in a single index.php — JCI’s server-side filtering runs first, while Adspect provides client-side JavaScript fingerprinting as a second layer,” Pham explained.
The web pages lead to the distribution of ScreenConnect installers, which are then used to deploy multiple test instances on the compromised host. It was also found that the threat actor omitted additional remote monitoring and management (RMM) tools such as FleetDeck Agent to ensure redundancy and consistent remote access.
The ScreenConnect session is used to drop a multi-stage encryptor that acts as a conduit for an EDR killer codenamed HwAudKiller that uses BYOVD technology to terminate processes associated with Microsoft Defender, Kaspersky, and SentinelOne. The vulnerable driver used in the attack is “HWAuidoOs2Ec.sys”, which is a legitimate, unsigned Huawei kernel driver designed for laptop audio hardware.
Huntress said, “The driver terminates the target process from kernel mode, bypassing any user mode protections that security products rely on. Because the driver is legitimately signed by Huawei, Windows loads it without complaint despite Driver Signature Enforcement (DSE).”
The crypter, for its part, attempts to avoid detection by allocating 2GB of memory and filling it with zeros, and then freeing it, effectively causing antivirus engines and emulators to fail due to the high resource allocation.
At the moment it is not known who is behind the campaign, but an open directory in threat actor-controlled infrastructure has revealed a fake Chrome update page containing JavaScript code with Russian-language comments. This points to a Russian-speaking developer in possession of a social engineering toolkit for malware distribution.
“This campaign demonstrates how commodity tooling has reduced the barrier to sophisticated attacks,” Pham said. “The threat actor did not need custom exploits or nation-state capabilities, they combined commercially available cloaking services (AdSpect and JustCloakIt), free-tier ScreenConnect instances, an off-the-shelf crypter, and a signed Huawei driver with an exploitable weakness to create an end-to-end kill chain that goes from Google search to kernel-mode EDR termination.”
“A consistent pattern across compromised hosts was the rapid stacking of multiple remote access tools. After the initial rogue ScreenConnect relay was installed, the threat actor deployed additional test ScreenConnect instances to the same endpoint, sometimes within two or three hours, and backup RMM tools like FleetDeck.”
