
Tax Search Ads Exploit Huawei Driver to Disable EDR with ScreenConnect Malware


A Large-Scale Malvertising Campaign Targeting U.S. Users

An ongoing malvertising campaign that started in January 2026 has been discovered, targeting individuals in the U.S. who are searching for tax-related documents. The campaign aims to install rogue software that disables security programs using a technique known as bring your own vulnerable driver (BYOVD).

According to Huntress researcher Anna Pham, the campaign utilizes Google Ads to distribute rogue ScreenConnect installers, ultimately delivering a BYOVD EDR killer that blinds security tools by dropping a kernel driver.

During the investigation, the cybersecurity vendor identified more than 60 instances of malicious ScreenConnect sessions associated with the campaign. This attack stands out due to its use of commercial cloaking services to evade detection by security scanners and the exploitation of a previously undocumented Huawei audio driver to bypass security solutions.

Although the exact motives behind the campaign remain unclear, the threat actor has been observed deploying various tactics, including dropping an EDR killer and extracting credentials from the LSASS process memory. These behaviors indicate a potential pre-ransomware or initial access broker strategy, suggesting that the threat actor may be planning to launch ransomware attacks or sell access to other malicious actors.

The attack commences when users search for tax-related terms on search engines like Google, leading them to click on sponsored search results that redirect them to malicious sites. These sites trigger the delivery of the ScreenConnect installer, initiating the compromise process.

To evade detection, the landing page employs a PHP-based Traffic Distribution System (TDS) powered by Adspect, a commercial cloaking service. This ensures that only real victims receive the actual payload, while security scanners and ad review systems are presented with benign content.


By generating a visitor fingerprint and sending it to the Adspect backend, the landing page can tailor its response accordingly. Additionally, the page features a second cloaking layer powered by JustCloakIt (JCI) on the server side, enhancing its ability to avoid detection.

The compromised hosts are used to deploy multiple trial instances of ScreenConnect, as well as additional Remote Monitoring and Management (RMM) tools like FleetDeck Agent to ensure persistent remote access. The ScreenConnect session drops a multi-stage crypter that contains an EDR killer named HwAudKiller, which terminates processes associated with popular security products.

Furthermore, the crypter attempts to evade detection by manipulating memory resources, while the vulnerable driver used in the attack, “HWAuidoOs2Ec.sys,” is a legitimate, digitally signed Huawei kernel driver, which allows it to load on Windows and bypass security checks.
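As an added defensive illustration (not code from Huntress or the report this article summarizes): a small Python hunt over constructed, simplified Sysmon-style log lines that flags a kernel driver load from outside the system drivers directory, or one whose file name matches the driver named above, and raises the severity when a ScreenConnect or FleetDeck process started shortly before. The key=value log format, the RMM process-name fragments and the 30-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Driver file name as reported on this page, lower-cased for matching.
WATCHLIST_DRIVERS = {"hwauidoos2ec.sys"}
# Assumed process-name fragments for the RMM tools named in the article.
RMM_HINTS = ("screenconnect", "fleetdeck")
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed, simplified Sysmon-style records (EventID 1 = ProcessCreate, 6 = DriverLoad).
SAMPLE_EVENTS = [
    "UtcTime=2026-02-03 14:01:10 EventID=1 Image=C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.ClientService.exe",
    "UtcTime=2026-02-03 14:02:30 EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\HdAudio.sys Signed=true",
    "UtcTime=2026-02-03 14:15:42 EventID=6 ImageLoaded=C:\\Users\\Public\\HWAuidoOs2Ec.sys Signed=true",
    "UtcTime=2026-02-03 18:40:00 EventID=6 ImageLoaded=C:\\Windows\\Temp\\audio.sys Signed=true",
]


def parse_event(line):
    """Split 'key=value' pairs; values may contain spaces, keys never do."""
    fields = dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", line))
    fields["UtcTime"] = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S")
    return fields


def driver_reasons(ev):
    """Why a DriverLoad event looks like a BYOVD load; empty list means benign."""
    path = ev.get("ImageLoaded", "")
    name = path.rsplit("\\", 1)[-1].lower()
    reasons = []
    if name in WATCHLIST_DRIVERS:
        reasons.append("known BYOVD driver name")
    if not path.lower().startswith(SYSTEM_DRIVER_DIR):
        reasons.append("driver loaded from outside the system drivers directory")
    return reasons


def find_byovd_suspects(lines, window=timedelta(minutes=30)):
    """Return suspicious driver loads; severity is high when an RMM process started within the window."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["UtcTime"])
    rmm_starts = [e["UtcTime"] for e in events if e["EventID"] == "1"
                  and any(h in e.get("Image", "").lower() for h in RMM_HINTS)]
    alerts = []
    for ev in events:
        if ev["EventID"] != "6":
            continue
        reasons = driver_reasons(ev)
        if not reasons:
            continue
        recent_rmm = any(timedelta(0) <= ev["UtcTime"] - t <= window for t in rmm_starts)
        alerts.append({"time": ev["UtcTime"], "driver": ev["ImageLoaded"],
                       "reasons": reasons, "severity": "high" if recent_rmm else "low"})
    return alerts
```

Run against real Sysmon exports, the same two signals (driver path outside the system drivers directory and an RMM session immediately before the load) are what an analyst would correlate first.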

Despite the sophisticated nature of the attack, the identity of the threat actor remains unknown. However, clues found in the threat actor-controlled infrastructure, such as a fake Chrome update page with Russian-language comments, suggest a Russian-speaking developer may be involved in the campaign.

Overall, the campaign highlights how readily available tools can be combined into a complex attack chain. The threat actor behind it leveraged commercial cloaking services, free-tier software instances, and vulnerable signed drivers to execute a multi-stage attack that runs from a Google search result all the way to EDR termination.

As observed on compromised hosts, the threat actor swiftly deploys multiple remote access tools, indicating a persistent and aggressive approach to maintaining access and control over compromised systems.
