A large-scale malvertising campaign active since January 2026 has been observed targeting U.S.-based individuals searching for tax-related documents to serve rogue installers for ConnectWise ScreenConnect that drop a tool named HwAudKiller to blind security programs using the bring your own vulnerable driver (BYOVD) technique.
"The campaign abuses Google Ads to serve rogue ScreenConnect (
"The campaign abuses Google Ads to serve rogue ScreenConnect (ConnectWise Control) installers, ultimately delivering a BYOVD EDR killer that drops a kernel driver to blind security tools before further compromise," Huntress researcher Anna Pham said in a report published last week.
The cybersecurity vendor said it identified over 60 instances of malicious ScreenConnect sessions tied to the campaign.
The attack chain stands out for a couple of reasons.
Unlike recent campaigns highlighted by Microsoft that leverage tax-themed lures, the newly flagged activity employs commercial cloaking services to avoid detection by security scanners and abuses a previously undocumented Huawei audio driver to disarm security solutions.
The exact objectives of the campaign are currently not clear; however, in at one instance, the threat actor is said to have leveraged the access to deploy the endpoint detection and response (EDR) killer and then dump credentials from the Local Security Authority Subsystem Service (LSASS) process memory, as well as use tools like NetExec for network reconnaissance and lateral movement.