root@rebel:~$ cd /news/threats/tax-search-malvertising-deploys-hwaudkiller-to-blind-edr-solutions_
[TIMESTAMP: 2026-03-24 20:18 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

Tax Search Malvertising Deploys HwAudKiller to Blind EDR Solutions

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Immediate impact: Attackers are using Google Ads to deliver rogue ScreenConnect installers that deploy malware designed to disable security software.
  • [02] Affected systems: Windows users searching for tax documents; the final payload abuses a signed but vulnerable kernel-mode driver to operate with kernel privileges.
  • [03] Remediation: Defenders must restrict the use of remote access tools and implement driver blocklists to prevent vulnerable driver exploitation.

Overview of the 2026 Tax Season Malvertising Campaign

A malvertising campaign has been identified targeting individuals in the United States who are searching for tax-related documentation. Active since January 2026, the campaign buys Google Ads placements so that its landing pages appear above the organic search results, according to The Hacker News. The advertisements masquerade as legitimate tax software or document repositories but lead to rogue ConnectWise ScreenConnect installers.

Once a user runs the installer, the infection chain culminates in the deployment of a tool known as HwAudKiller, built specifically to impair defenses through the ‘Bring Your Own Vulnerable Driver’ (BYOVD) technique. HwAudKiller loads a legitimate, validly signed but vulnerable Huawei driver and then abuses the functionality that driver exposes to act with kernel privileges, terminating the EDR and other endpoint security processes that would otherwise detect the intrusion.

Technical Analysis of the Infection Vector

The attack begins with malvertising, not with a phishing e-mail: the actors pay for search placements. When users search for keywords related to tax filings, they are shown ads that appear to lead to official resources. Clicking an ad redirects the user to a malicious landing page hosting a rogue ConnectWise ScreenConnect installer, that is, a genuine ScreenConnect client build that enrolls the machine into a ScreenConnect instance the attackers control.

ScreenConnect is a legitimate remote monitoring and management (RMM) tool; in this campaign it functions as the attackers’ command-and-control (C2) channel. Because the client is signed by ConnectWise and behaves like any sanctioned RMM agent, its outbound connection to the attackers’ relay rarely looks suspicious on its own. Once the software is installed, the threat actor has persistent remote access to the victim’s machine, and the primary objective of that access is to deploy HwAudKiller. This stage is particularly dangerous because it maps to the MITRE ATT&CK technique Impair Defenses (T1562), specifically Disable or Modify Tools (T1562.001).

How to detect HwAudKiller malware

Identifying this threat requires monitoring driver loads and kernel-level side effects rather than user-mode behaviour alone. Analysts researching how to detect HwAudKiller malware should look for the loading of unauthorized or known-vulnerable drivers, specifically those associated with Huawei (such as HwOs2vpt.sys or similar variants). Note that BYOVD does not defeat Windows Driver Signature Enforcement (DSE); the driver passes DSE precisely because it carries a valid vendor signature. HwAudKiller then exploits the driver’s kernel-mode vulnerability to terminate security processes, including those running as Protected Process Light (PPL), which user-mode code is not permitted to touch.

Defenders should monitor their SIEM for Sysmon Event ID 6 (Driver loaded), flagging drivers whose hash appears on a vulnerable-driver list (Microsoft’s recommended driver block rules or the community LOLDrivers project), drivers with low reputation, and drivers whose signer does not match the organization’s standard hardware profile; a Huawei-signed driver appearing on a fleet with no Huawei hardware is the obvious case. Furthermore, the presence of ScreenConnect in environments where it is not officially sanctioned should be treated as a high-fidelity indicator of compromise (IoC).

The Role of BYOVD in Blinding Defenses

The use of BYOVD by a malvertising crew represents a significant escalation in capability. Because the abused driver runs in kernel mode, HwAudKiller is not constrained by the user-mode hooks and process protections that many antivirus and EDR products rely on, and it can terminate the sensor process itself. Once the security software is ‘blinded,’ it no longer reports telemetry to the SOC, so the attackers can perform lateral movement or data exfiltration without triggering alerts. A sensor that goes silent is itself a signal, however: a tamper or missing-heartbeat alert in the EDR console may be the last thing the endpoint reports, and should be treated accordingly.

This technique reflects a growing trend in which ransomware affiliates and other motivated actors use legitimate driver vulnerabilities to disable modern security stacks. Since the driver is legitimately signed by a trusted vendor, it passes signature checks; only a driver blocklist or an application control policy stops it from loading. Microsoft’s vulnerable driver blocklist is enabled by default on Windows 11 22H2 and later and on systems running HVCI, but the built-in list is refreshed only with Windows releases, so organizations that want the current list must deploy it themselves through a WDAC policy.

Implementing ConnectWise ScreenConnect malvertising protection

To establish effective ConnectWise ScreenConnect malvertising protection, organizations must treat remote access software as a controlled capability. Allowlist the RMM tools the organization actually uses and block all other remote access binaries at both the network and endpoint levels. One caveat matters here: the attacker’s ScreenConnect installer carries the same ConnectWise code signature as a sanctioned one, so publisher-based allowlisting alone cannot tell them apart. Pin the allowed client to the organization’s own instance, for example by permitting outbound ScreenConnect traffic only to the sanctioned relay hosts and alerting on any client launch that references a different relay.
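The relay-pinning caveat above and the unsanctioned-ScreenConnect indicator from the detection section, as one added Python example that is not code from the article, from ConnectWise, or from any vendor. It runs over constructed Sysmon Event ID 1 (process creation) records, recognises ScreenConnect clients by their version-resource metadata even when the binary has been renamed, and compares the relay host in the launch argument against a hypothetical sanctioned relay. The sanctioned host, the sample paths, and the assumption that the client’s command line carries the relay as an h= parameter inside a query-string-style argument are all assumptions to verify against an installer generated from your own instance.

```python
"""Triage ScreenConnect client launches by the relay host they point at.

Added example; not code from the article, ConnectWise or any vendor. The
input is a constructed set of parsed Sysmon EID 1 (Process Create) records.
Assumptions: the sanctioned relay is hypothetical, and the client command
line is assumed to carry the relay in an 'h=' parameter of a query-string
style argument ("?e=Access&y=Guest&h=<host>&p=<port>&..."). Confirm the
layout against an installer from your own instance before relying on it.
"""
import re
from urllib.parse import parse_qs

# Assumption: relay hosts of the organisation's own ScreenConnect instance.
SANCTIONED_RELAYS = {"support.example-corp.com"}

# A renamed binary still carries ScreenConnect's version-resource strings,
# which Sysmon records in OriginalFileName/Product/Description, so match on
# those rather than on the on-disk file name alone.
METADATA_FIELDS = ("Image", "OriginalFileName", "Product", "Description")


def looks_like_screenconnect(event: dict) -> bool:
    blob = " ".join(event.get(k, "") for k in METADATA_FIELDS).lower()
    return "screenconnect" in blob


def relay_host(command_line: str):
    """Extract the relay host from the client's launch argument, or None."""
    m = re.search(r'\?([^"\s]+)', command_line)
    if not m:
        return None
    host = parse_qs(m.group(1)).get("h", [None])[0]
    return host.lower() if host else None


def classify(event: dict) -> str:
    """'ignore' for non-ScreenConnect processes; otherwise 'sanctioned',
    'rogue_relay', or 'no_relay' (a launch without a relay argument, such
    as the installer itself, which still deserves a look)."""
    if not looks_like_screenconnect(event):
        return "ignore"
    host = relay_host(event.get("CommandLine", ""))
    if host is None:
        return "no_relay"
    return "sanctioned" if host in SANCTIONED_RELAYS else "rogue_relay"


def triage(events: list) -> list:
    """Return (image, verdict, relay_host) for every ScreenConnect launch."""
    out = []
    for ev in events:
        verdict = classify(ev)
        if verdict != "ignore":
            out.append((ev["Image"], verdict, relay_host(ev.get("CommandLine", ""))))
    return out


# Constructed sample telemetry, not real logs; hosts and paths are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
     "OriginalFileName": "ScreenConnect.ClientService.exe", "Product": "ScreenConnect",
     "Description": "ScreenConnect Client Service",
     "CommandLine": r'"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=support.example-corp.com&p=8041&s=11111111-1111-1111-1111-111111111111&k=AAAA"'},
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\Tax_Form_1040.exe",
     "OriginalFileName": "ScreenConnect.ClientSetup.exe", "Product": "ScreenConnect",
     "Description": "ScreenConnect Client Installer",
     "CommandLine": r'"C:\Users\victim\AppData\Local\Temp\Tax_Form_1040.exe"'},
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\svc.exe",
     "OriginalFileName": "ScreenConnect.ClientService.exe", "Product": "ScreenConnect",
     "Description": "ScreenConnect Client Service",
     "CommandLine": r'"C:\Users\victim\AppData\Local\Temp\svc.exe" "?e=Access&y=Guest&h=tax-docs-2026.example.net&p=8041&s=22222222-2222-2222-2222-222222222222&k=BBBB"'},
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "OriginalFileName": "chrome.exe", "Product": "Google Chrome", "Description": "Google Chrome",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer'},
]
```

Running triage over the sample yields three findings: the corporate client (sanctioned), the renamed installer dropped in Temp (no relay argument, investigate), and a renamed client service bound to a rogue relay. The same host comparison belongs at the egress point too: allow outbound ScreenConnect traffic only to the hosts in SANCTIONED_RELAYS and the rogue client has no path home even if the endpoint check is missed.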

Mitigation and Defense Strategies

  1. Driver Blocklisting: Enable the Microsoft-recommended driver blocklist and enforce the latest version of it through a Windows Defender Application Control (WDAC) policy rather than relying on the copy shipped with the OS, or use application control to deny any driver that is not on an explicit allowlist.
  2. Search Ad Filtering: Utilize DNS filtering and secure web gateways to block known malicious advertising domains and redirects.
  3. Process Monitoring: Monitor for the termination of security-related processes (Sysmon Event ID 5) and for the security service stopping unexpectedly. An EDR process that dies shortly after an unfamiliar driver load is a strong indicator of a HwAudKiller-style BYOVD infection.
  4. Application Control: Restrict the execution of administrative tools and RMM software to specific, authorized user groups only.
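The driver-load monitoring from the detection section and the driver-load-then-EDR-termination correlation in item 3 above, as one added Python example that is not part of the original article and is not Sysmon’s or any EDR vendor’s code. It runs over constructed Sysmon Event ID 6 (driver loaded) and Event ID 5 (process terminated) records, scores each driver load against a placeholder vulnerable-driver hash list, an assumed set of expected signers and the standard driver directory, then pairs suspicious loads with security-process terminations inside a 120-second window. The hashes, signer strings, process names and paths are placeholders, not real indicators.

```python
"""Correlate Sysmon driver-load events with security-process terminations.

Added example; not the article's, Sysmon's or any EDR vendor's code. Events
are constructed in the shape of parsed Sysmon EventData for EID 6 (Driver
loaded) and EID 5 (Process terminated); hashes, signers, paths and process
names are placeholders for illustration, not real IoCs.
"""
from datetime import datetime, timedelta

# Assumption: SHA256 of drivers known to be vulnerable. In production, fill
# this from Microsoft's recommended driver block rules or the LOLDrivers feed.
VULNERABLE_DRIVER_SHA256 = {"a" * 64: "placeholder vulnerable Huawei driver"}

# Assumption: signers that belong to this fleet's standard hardware profile.
EXPECTED_SIGNERS = {"Microsoft Windows", "Intel Corporation",
                    "Microsoft Windows Hardware Compatibility Publisher"}

# Assumption: image names of the endpoint security stack to watch.
SECURITY_PROCESSES = {"MsMpEng.exe", "SenseIR.exe"}

# A security process dying this soon after a suspicious driver load is
# treated as one incident rather than two unrelated events.
CORRELATION_WINDOW = timedelta(seconds=120)

DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def parse_time(utc_time: str) -> datetime:
    """Sysmon writes UtcTime as 'YYYY-MM-DD HH:MM:SS.mmm'."""
    return datetime.strptime(utc_time, "%Y-%m-%d %H:%M:%S.%f")


def parse_hashes(hashes: str) -> dict:
    """Sysmon's Hashes field looks like 'SHA1=...,MD5=...,SHA256=...'."""
    out = {}
    for part in hashes.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def driver_load_reasons(event: dict) -> list:
    """Return why an EID 6 record is suspicious; an empty list means benign."""
    reasons = []
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in VULNERABLE_DRIVER_SHA256:
        reasons.append("SHA256 on vulnerable-driver list: " + VULNERABLE_DRIVER_SHA256[sha256])
    signer = event.get("Signature", "")
    if event.get("Signed", "false").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("driver not validly signed")
    elif signer not in EXPECTED_SIGNERS:
        reasons.append("signer outside hardware profile: " + signer)
    # A driver dropped by malware rarely sits in System32\drivers.
    if not event.get("ImageLoaded", "").lower().startswith(DRIVER_DIR):
        reasons.append("driver loaded from non-standard path: " + event.get("ImageLoaded", ""))
    return reasons


def suspicious_driver_loads(events: list) -> list:
    """Filter EID 6 events down to (event, reasons) pairs worth triaging."""
    hits = []
    for ev in events:
        if ev["EventID"] == 6:
            reasons = driver_load_reasons(ev)
            if reasons:
                hits.append((ev, reasons))
    return hits


def correlate_edr_kills(events: list, window: timedelta = CORRELATION_WINDOW) -> list:
    """Pair each suspicious driver load with EID 5 terminations of security
    processes within `window` afterwards; one alert dict per pair."""
    alerts = []
    for load, reasons in suspicious_driver_loads(events):
        t0 = parse_time(load["UtcTime"])
        for ev in events:
            if ev["EventID"] != 5:
                continue
            image_name = ev["Image"].rsplit("\\", 1)[-1]
            if image_name not in SECURITY_PROCESSES:
                continue
            delta = parse_time(ev["UtcTime"]) - t0
            if timedelta(0) <= delta <= window:
                alerts.append({"driver": load["ImageLoaded"], "reasons": reasons,
                               "killed": image_name,
                               "seconds_after_load": delta.total_seconds()})
    return alerts


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2026-03-24 10:00:00.000",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\igdkmd64.sys",
     "Hashes": "SHA256=" + "b" * 64, "Signed": "true",
     "Signature": "Intel Corporation", "SignatureStatus": "Valid"},
    {"EventID": 6, "UtcTime": "2026-03-24 10:01:00.000",
     "ImageLoaded": "C:\\Users\\Public\\hwdrv.sys",
     "Hashes": "SHA1=" + "c" * 40 + ",SHA256=" + "a" * 64, "Signed": "true",
     "Signature": "Huawei Technologies Co., Ltd.", "SignatureStatus": "Valid"},
    {"EventID": 5, "UtcTime": "2026-03-24 10:01:30.000",
     "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2026-03-24 10:30:00.000",   # outside the window
     "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
]
```

On the sample, the Intel driver in System32\drivers produces no reasons, the Huawei-signed driver loaded from a user-writable path produces three (blocklisted hash, unexpected signer, non-standard path), and only the MsMpEng.exe termination 30 seconds later is correlated into an alert; the one half an hour later falls outside the window. The hash check alone is the weakest of the three, since an actor can swap in a vulnerable driver not yet on the list, so the signer and path checks are kept as independent signals.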
