Tax-Themed Google Ads Deliver EDR-Disabling Malware
Key Takeaways
- A pervasive malvertising campaign, active since at least January 2026, is leveraging Google Ads with tax-themed lures.
- The campaign delivers a legitimate remote management tool, ScreenConnect, which attackers then exploit to deploy a kernel-mode EDR killer.
- The EDR killer, named HwAudKiller, utilizes a signed Huawei audio driver to bypass and terminate prominent endpoint security solutions like Windows Defender, Kaspersky, and SentinelOne.
- Post-compromise activities indicate a clear intent for ransomware deployment or initial access brokering.
As tax season approaches, a period marked by heightened digital activity for millions of Americans, cybercriminals are exploiting the urgency surrounding tax filings. Cybersecurity firm Huntress has recently uncovered a sophisticated malvertising campaign that uses deceptive Google Ads to distribute an EDR-disabling malware.
This large-scale operation, active since at least January 2026, directs users searching for tax documents like W-2 and W-9 to fraudulent landing pages. These pages meticulously mimic official IRS compliance portals, specifically designed to ensnare employees, freelancers, and small business owners during the critical tax filing period.
The Malvertising Attack Chain
The attack initiates when a user searches for common tax forms on Google. A sponsored advertisement leads them to a deceptive domain, such as anukitax[.]com, which then redirects to bringetax[.]com. This secondary domain acts as the delivery platform for a malicious ScreenConnect installer, disguised as a legitimate tax form file named form_w9.msi.
ScreenConnect, a legitimate remote management utility, is frequently installed by victims without suspicion due to its trusted reputation. Once installed, the attackers gain full, unrestricted “hands-on-keyboard” access to the compromised machine via a trial cloud instance. This bypasses typical enterprise approval processes and IT oversight, providing a direct conduit for further malicious activities.
Huntress researchers identified this campaign during routine threat hunting, discovering over 60 suspicious ScreenConnect sessions across their client base. What initially appeared as isolated remote tool activity quickly revealed itself as a coordinated, multi-stage operation. The attack employs a deeply layered payload specifically engineered to completely neutralize endpoint security tools. Based on observed post-access behaviors, the ultimate goals of this campaign appear to be either the deployment of ransomware or the sale of initial access to other threat actors.
Inside the BYOVD EDR Kill Mechanism
Upon gaining initial access through ScreenConnect, the attackers deploy a multi-stage crypter known as FatMalloc, executed from ScreenConnect’s working directory. To maintain persistence and resilience against partial remediation attempts, they also install backup tools like FleetDeck, often establishing two to three relay instances per host.
The final and most critical payload is HwAudKiller. This component leverages a previously undocumented Huawei audio driver (HWAuidoOs2Ec.sys) to disable leading endpoint detection and response (EDR) solutions, including Windows Defender, Kaspersky, and SentinelOne, directly from kernel mode.
Once the EDR defenses are neutralized, the attackers proceed to dump LSASS credentials and utilize NetExec to harvest accounts across the network. This pattern of credential harvesting and lateral movement is highly consistent with pre-ransomware activities, indicating a strong likelihood of subsequent ransomware deployment.
Evasion Techniques of FatMalloc
FatMalloc employs several sophisticated techniques to evade detection:
- Memory Allocation Trick: The crypter begins by allocating and then immediately freeing 2GB of memory. This tactic is designed to overwhelm and time out antivirus emulators, which cannot afford to simulate such a large memory operation, preventing them from reaching the actual payload. Sandboxes with limited memory will fail this allocation, causing the malware to exit silently without revealing its true nature.
- Indirect Shellcode Execution: FatMalloc executes its shellcode indirectly using the Windows multimedia timer API. Instead of creating a new, easily detectable thread, the crypter passes the shellcode’s address as user data to the timeSetEvent function. This invokes the shellcode through a callback after 100 milliseconds, making the execution appear to originate from winmm.dll and bypassing security tools that monitor direct thread creation.
The shellcode then decrypts itself using a block-based XOR method before decompressing the HwAudKiller payload into memory using LZNT1 compression.
HwAudKiller’s Kernel-Mode Evasion
HwAudKiller drops the Huawei audio driver (HWAuidoOs2Ec.sys) to disk, renaming it as Havoc.sys, and registers it as a kernel service. Crucially, this driver possesses a valid Huawei digital signature, allowing Windows to load it without triggering security alerts.
The tool then continuously loops through all running processes every 100 milliseconds. It sends the process IDs (PIDs) of targeted security processes to the driver via IOCTL 0x2248DC. The driver, operating in kernel mode, calls ZwTerminateProcess to kill 23 specific security processes, effectively bypassing all user-mode protections implemented by these EDR solutions.
Broader Campaign Indicators
Beyond the tax-themed lures, the threat actor’s exposed open directory also revealed a fake Google Chrome update page containing Russian-language JavaScript comments, suggesting a Russian-speaking developer behind the operation. Both the tax and Chrome update lures pull their payloads from the same 4sync file-sharing infrastructure. This indicates that these are not isolated incidents but rather components of an organized, multi-front social engineering campaign.
What You Should Do
- Verify Sources for Tax Forms: Always download official tax forms directly from IRS.gov or other verified government websites. Exercise extreme caution with sponsored search results, especially those purporting to offer government documents.
- Scrutinize Remote Monitoring Tools: IT teams should implement strict allowlisting policies for approved Remote Monitoring and Management (RMM) tools. Any trial instance of ScreenConnect, particularly those exhibiting “instance-*” relay patterns, should be flagged as highly suspicious and investigated immediately.
- Monitor Kernel Driver Creation: Configure alerting on Sysmon Event ID 6 (Driver Loaded) and Windows System log Event ID 7045 (Service Installed) to catch kernel driver creation, especially from temporary directories.
- Investigate Untrusted Executables: Any unsigned binary executed from a legitimate application’s working path, such as ScreenConnect’s directory, warrants immediate and thorough investigation.
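As an added illustration of the monitoring advice above (example code, not tooling from Huntress or this article), the following Python script runs three of those checks over a handful of constructed log records: Sysmon Event ID 6 driver loads and System log Event ID 7045 kernel service installs whose image sits under a temporary or user-writable directory, and remote-access sessions that either use an RMM tool outside a hypothetical allowlist or connect through an “instance-*” ScreenConnect relay host. The record field names, the signer string, the relay hostnames and the approved-relay suffix are all assumptions; a real SIEM export would carry more fields.

```python
import re
from dataclasses import dataclass

# Added example, not code from Huntress or this article. The records scanned
# below are constructed and simplified; field names are an assumed schema.

# Kernel drivers have no business loading from user-writable or temporary
# paths. Compared case-insensitively against the normalized image path.
SUSPICIOUS_DIRS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\downloads\\")

# RMM tools this hypothetical organization has approved. ScreenConnect itself
# may be sanctioned, but only via the organization's own relay, never a trial.
APPROVED_RMM = {"ScreenConnect"}

# Trial / ad-hoc ScreenConnect cloud relays follow an "instance-*" host naming
# pattern (the article's wording); anything beyond that prefix is assumed.
TRIAL_RELAY_RE = re.compile(r"^instance-", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def _in_suspicious_dir(path: str) -> bool:
    normalized = path.lower().replace("/", "\\")
    return any(d in normalized for d in SUSPICIOUS_DIRS)


def check_driver_load(rec: dict) -> list[Finding]:
    """Sysmon Event ID 6: driver image loaded from a temp or user path.

    A valid vendor signature does NOT make this benign: BYOVD relies on exactly
    such signed-but-abusable drivers, so the rule fires regardless of
    SignatureStatus and only records the signer to help triage."""
    image = rec.get("ImageLoaded", "")
    if not _in_suspicious_dir(image):
        return []
    signer = rec.get("Signature", "unknown")
    return [Finding("driver_load_from_user_path", f"{image} (signed by: {signer})")]


def check_service_install(rec: dict) -> list[Finding]:
    """System log Event ID 7045: kernel-mode driver service whose ImagePath
    points into a temp or user path."""
    if "kernel" not in rec.get("ServiceType", "").lower():
        return []
    image = rec.get("ImagePath", "")
    if not _in_suspicious_dir(image):
        return []
    return [Finding("kernel_service_from_user_path", f"{rec.get('ServiceName')} -> {image}")]


def check_rmm_session(rec: dict) -> list[Finding]:
    """Remote-access session record: unapproved tool, or a trial relay host."""
    findings = []
    tool = rec.get("Tool", "")
    relay = rec.get("RelayHost", "")
    if tool not in APPROVED_RMM:
        findings.append(Finding("unapproved_rmm_tool", tool))
    if TRIAL_RELAY_RE.search(relay):
        findings.append(Finding("screenconnect_trial_relay", relay))
    return findings


# (source, event_id) -> handler. "RMM"/0 is a made-up source for session logs.
DISPATCH = {
    ("Sysmon", 6): check_driver_load,
    ("System", 7045): check_service_install,
    ("RMM", 0): check_rmm_session,
}


def scan(records: list[dict]) -> list[Finding]:
    """Run every record through the handler registered for its source/event."""
    out: list[Finding] = []
    for rec in records:
        handler = DISPATCH.get((rec.get("source"), rec.get("event_id")))
        if handler:
            out.extend(handler(rec))
    return out


# Constructed sample records: two benign, the rest modelled on the campaign.
SAMPLE_RECORDS = [
    {"source": "Sysmon", "event_id": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"source": "Sysmon", "event_id": 6, "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\Havoc.sys",
     "Signature": "Huawei Technologies Co., Ltd.", "SignatureStatus": "Valid"},  # signer string assumed
    {"source": "System", "event_id": 7045, "ServiceName": "Havoc",
     "ImagePath": "C:\\Users\\alice\\AppData\\Local\\Temp\\Havoc.sys", "ServiceType": "kernel mode driver"},
    {"source": "System", "event_id": 7045, "ServiceName": "ExampleVendorFilter",
     "ImagePath": "C:\\Windows\\System32\\drivers\\examplefilter.sys", "ServiceType": "kernel mode driver"},
    {"source": "RMM", "event_id": 0, "Tool": "ScreenConnect",
     "RelayHost": "instance-abc123-relay.example.invalid"},  # constructed trial-style relay
    {"source": "RMM", "event_id": 0, "Tool": "FleetDeck", "RelayHost": "relay.example.invalid"},
    {"source": "RMM", "event_id": 0, "Tool": "ScreenConnect",
     "RelayHost": "relay.example-corp.internal"},  # hypothetical approved relay
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(f"[{finding.rule}] {finding.detail}")
```

The driver-load rule deliberately ignores SignatureStatus: the whole point of HwAudKiller is that the Huawei driver is validly signed, so a rule that suppresses alerts for signed drivers would miss it. Path is the discriminator here; signer and hash are kept for triage and for later allowlisting of known-abused drivers.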
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.