Security | 5 min read | The Hacker News

Tax Search Ads Deliver ScreenConnect Malware Using Huawei Driver to Disable EDR

By the Pixelift editorial team (Redakcja Pixelift)

Photo: The Hacker News

Cybercriminals are leveraging malicious search engine advertisements to infect computers with ScreenConnect software, disguising the attacks as legitimate tax filing tools. A key element of this campaign is the exploitation of a vulnerability in a Huawei driver (a technique known as Bring Your Own Vulnerable Driver), which allows attackers to completely disable Endpoint Detection and Response (EDR) security systems. Consequently, the malicious code gains kernel-level privileges, becoming nearly invisible to traditional antivirus software. For users and organizations worldwide, this represents a drastic increase in risk when downloading even seemingly safe business software. Traditional security methods based on trusting digitally signed drivers are no longer sufficient when hackers use legitimate, albeit flawed, components to dismantle the system's protective shield. In the face of such advanced techniques, the only effective solution is the implementation of Zero Trust Network Access (ZTNA) architecture. Rather than relying on endpoint verification, this approach isolates applications and users, preventing hackers from achieving lateral movement within the network even after a successful breach of local computer security. Effective defense today requires a shift from reactive threat detection to proactive resource microsegmentation.

Cybercriminals are once again proving that the tax filing season is a true harvest for them, and Google Ads remains one of the most effective attack vectors. Since January 2026, we have been observing a large-scale malvertising campaign targeting users searching for official tax documents. This time, however, the attackers are not limiting themselves to simple login credential theft – they are using the advanced BYOVD (Bring Your Own Vulnerable Driver) technique to completely blind EDR (Endpoint Detection and Response) class security systems.

The infection chain is carefully designed: a victim who types tax-related phrases into a search engine encounters a high-ranking advertisement that leads to fake ConnectWise ScreenConnect installers. Although the tool itself is a legitimate remote desktop solution, the modified version serves as a Trojan horse, delivering a dangerous payload named HwAudKiller to the victim's system. It is this component that makes the described attack unusual and dangerous.

A vulnerable Huawei driver as a master key to the system

A key element of the operation is the use of a legitimate but vulnerable Huawei driver. In the BYOVD technique, the malware installs an older, digitally signed version of a driver that has known security vulnerabilities. Because the driver is signed by a trusted publisher, Windows allows it to be loaded with kernel-mode privileges. The HwAudKiller tool then abuses the driver's flaws to gain direct access to system memory and processes from the kernel.

The primary task of HwAudKiller is to identify and neutralize processes belonging to antivirus solutions and EDR systems. By manipulating kernel structures, the malware is able to "blind" the security software, rendering it useless. Consequently, after the protection is disabled, further stages of the attack – such as data exfiltration or ransomware installation – can proceed completely off the radar of IT administrators.

Figure: Scheme of a malvertising attack using a Huawei driver. Analysis of a campaign using the BYOVD technique to neutralize EDR systems.

From Google Ads to full control over the workstation

This campaign sheds new light on the problem of trust in search results. The attackers have shown great proficiency in bypassing Google Ads filters, creating advertisements that at first glance appear to be official sources of tax documentation. A user, downloading a supposed form or filing tool, actually runs a script that initiates the download of ConnectWise ScreenConnect. This gives the attackers persistent remote access to the infected machine, which in a corporate environment can be a starting point for an attack on the entire network.

The technical capabilities of HwAudKiller are worth noting. It is not a generic virus but a specialized offensive tool capable of:

  • Detecting active EDR and antivirus services in real-time.
  • Loading the vulnerable Huawei driver without triggering UAC system alerts (if privileges were previously escalated).
  • Forcing the closure of protected processes that are normally impossible for a user to stop.
  • Modifying the system registry to ensure persistence after a computer restart.

A new era of threats and the necessity of moving to ZTNA

The effectiveness of this campaign exposes the weaknesses of traditional security models based on trust in signed drivers and traditional VPN networks. In the face of BYOVD threats, organizations must revise their approach to endpoint protection. Simply having an EDR agent is no longer enough if an attacker can disable it at the system kernel level. Implementing a Zero Trust Network Access (ZTNA) architecture becomes crucial, as it eliminates lateral movement within the network.

Transitioning from a VPN-based model to comprehensive ZTNA allows for direct connection of users to specific applications instead of giving them access to an entire network segment. In the context of an attack using ScreenConnect, restrictive ZTNA policies could block unauthorized outbound connections to C2 (Command and Control) servers, even if local antivirus systems were neutralized by HwAudKiller.

Figure: EDR class security and its vulnerability to the BYOVD technique. The evolution of threats is forcing IT departments to move away from traditional VPN solutions in favor of ZTNA.

"The campaign abuses Google Ads to serve malicious versions of ScreenConnect, allowing attackers to operate with impunity inside infected systems after first blinding the security measures."

Defense strategy in a world of infected ads

For security departments, the most important takeaway from the current situation is the fact that the malvertising attack vector is becoming increasingly technically sophisticated. Attackers no longer rely solely on user naivety but actively combat technological protective barriers. To counter such threats, it is essential to implement a multi-layered defense strategy that includes:

  • Blocking the ability to load known, vulnerable drivers (Driver Blocklisting) at the operating system level.
  • Monitoring the use of remote desktop tools such as ConnectWise ScreenConnect for unusual traffic patterns.
  • Educating users on verifying software download sources, especially during periods of increased tax activity.
  • Implementing identity-based network segmentation, which limits the impact of a potential compromise of a single workstation.
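As an added illustration of the first two points (this is not code from the article or from any vendor), the following Python script correlates constructed Sysmon-style driver-load and process-terminate records: a driver load is flagged when its hash is on a vulnerable-driver blocklist, when it is loaded from outside the system driver directory, or when protected security processes are terminated shortly after it. The blocklist hash, driver path and process names are placeholders, not indicators from the campaign.

```python
"""Correlate driver-load and process-terminate telemetry to flag BYOVD activity.

Added example, not code from the article or from any vendor. Event shapes
mimic Sysmon-style DriverLoad / ProcessTerminate records but are constructed.
"""
from datetime import datetime, timedelta

# Constructed blocklist: a SHA-256 placeholder, NOT a real driver hash.
BLOCKED_DRIVER_HASHES = {"PLACEHOLDER_SHA256_VULNERABLE_HUAWEI_DRIVER"}
# Process names the defender treats as the EDR/AV stack (assumed names).
PROTECTED_PROCESSES = {"edr_agent.exe", "av_service.exe"}
CORRELATION_WINDOW = timedelta(seconds=120)
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed telemetry: a driver load followed by EDR process terminations.
EVENTS = [
    {"ts": "2026-02-03T09:14:02", "type": "DriverLoad", "image": "C:\\Windows\\Temp\\hwdrv.sys",
     "signer": "Huawei Technologies Co., Ltd.", "sha256": "PLACEHOLDER_SHA256_VULNERABLE_HUAWEI_DRIVER"},
    {"ts": "2026-02-03T09:14:05", "type": "ProcessTerminate", "image": "edr_agent.exe"},
    {"ts": "2026-02-03T09:14:06", "type": "ProcessTerminate", "image": "av_service.exe"},
    {"ts": "2026-02-03T09:40:00", "type": "DriverLoad", "image": "C:\\Windows\\System32\\drivers\\usbhub.sys",
     "signer": "Microsoft Windows", "sha256": "PLACEHOLDER_SHA256_BENIGN"},
]


def parse(ev):
    return datetime.fromisoformat(ev["ts"])


def find_byovd_indicators(events):
    """Return one alert per suspicious driver load, each listing why it was flagged."""
    alerts = []
    events = sorted(events, key=parse)
    for i, ev in enumerate(events):
        if ev["type"] != "DriverLoad":
            continue
        reasons = []
        if ev["sha256"] in BLOCKED_DRIVER_HASHES:
            reasons.append("hash on vulnerable-driver blocklist")
        if not ev["image"].lower().startswith(SYSTEM_DRIVER_DIR):
            reasons.append("driver loaded from non-standard path")
        # Protected processes that died within the window after this load.
        t0 = parse(ev)
        killed = sorted({e["image"].lower() for e in events[i + 1:]
                         if e["type"] == "ProcessTerminate"
                         and e["image"].lower() in PROTECTED_PROCESSES
                         and parse(e) - t0 <= CORRELATION_WINDOW})
        if killed:
            reasons.append("protected processes terminated after load: " + ", ".join(killed))
        if reasons:
            alerts.append({"driver": ev["image"], "signer": ev["signer"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_byovd_indicators(EVENTS):
        print(alert)
```

In production the hash set would be fed from a maintained vulnerable-driver blocklist and the events from the EDR or Sysmon pipeline; the path and termination heuristics are what give warning when the blocklist itself lags behind.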

The risk associated with the HwAudKiller campaign is high because it combines mass scale (search engine ads) with the precision of an APT (Advanced Persistent Threat) attack. The use of a legitimate Huawei driver as an attack tool shows that trust in digital certificates and signatures cannot be uncritical. In a world where attackers can "turn off" EDR protection, the only effective method is to assume that the system has already been compromised and build security based on that premise.

In the coming months, we should expect an evolution of HwAudKiller-type tools that will target other vulnerable drivers from different manufacturers. The cybersecurity industry faces the challenge of creating mechanisms capable of detecting kernel manipulations before the EDR agent is completely cut off from its ability to report incidents. Without a radical change in how driver permissions are managed in Windows systems, the BYOVD technique will remain one of the most dangerous weapons in the arsenal of modern cybercriminals.
