A sophisticated malvertising campaign is actively leveraging tax season urgency to deploy a potent kernel-mode EDR killer on victim machines. Since at least January 2026, attackers have been using Google Ads to trick individuals searching for tax forms into downloading malicious software. The campaign specifically targets U.S. users seeking W-2 and W-9 documents, employing deceptive websites that mimic official IRS portals to ensnare employees, freelancers, and small business owners during the critical tax filing period.
The attack chain initiates with a seemingly innocuous search query. When a user searches for terms like “W2 tax form” on Google, a sponsored advertisement directs them to anukitax[.]com. This site then redirects to bringetax[.]com, the primary distribution point for a rogue ScreenConnect installer disguised as “form_w9.msi.” ScreenConnect is a legitimate remote management tool, making its installation appear harmless to unsuspecting users. Once deployed, attackers gain complete hands-on-keyboard access to the compromised device, often through a trial cloud instance, bypassing standard enterprise security protocols and IT oversight.
Huntress Uncovers Extensive BYOVD EDR Killer Campaign
Cybersecurity researchers at Huntress identified this widespread malvertising campaign through routine threat hunting. The investigation traced over 60 compromised ScreenConnect sessions across their customer base, uncovering a meticulously coordinated, multi-stage operation. The campaign’s ultimate objective, based on post-access activities observed, appears to be either ransomware deployment or initial access brokerage for other threat actors.
Following initial access via ScreenConnect, attackers deploy a multi-stage crypter known as FatMalloc. They also install secondary remote-access tools such as FleetDeck, often establishing two to three relay instances on a single host so that access survives partial remediation. The final payload, dubbed HwAudKiller, abuses a previously undocumented Huawei audio driver to disable key endpoint security products, including Windows Defender, Kaspersky, and SentinelOne, directly from kernel mode. With those defenses gone, the attackers steal credentials from LSASS and expand their foothold across the network using tools like NetExec, a pattern strongly indicative of pre-ransomware activity.
Further analysis of an exposed open directory associated with the threat actor revealed additional deceptive tactics. This included a fake Google Chrome update page containing Russian-language JavaScript comments, suggesting a Russian-speaking developer. Crucially, both the tax-themed lures and the fake Chrome update pages pulled their malicious payloads from the same 4sync file-sharing infrastructure. This finding confirms that the campaign is not an isolated incident but rather a part of a larger, organized operation employing multiple social engineering fronts simultaneously.
Inside the BYOVD EDR Kill Mechanism
Upon gaining entry, the attackers execute FatMalloc (crypteds.exe) directly from the ScreenConnect working directory. FatMalloc opens with an anti-analysis check built around a large memory allocation: it reserves 2GB of memory, fills it with zeros, and then releases it. Antivirus emulators struggle to simulate an operation of that size and time out before they ever reach the actual malicious payload, while sandboxes with limited memory fail the allocation entirely, causing the malware to exit silently without raising suspicion.
Should the memory allocation check pass, FatMalloc proceeds to execute its shellcode indirectly. It utilizes the Windows multimedia timer API, specifically the `timeSetEvent` function. Instead of creating a new thread, which is a common target for security monitoring, the crypter passes the shellcode’s address as user data to `timeSetEvent`. This function then invokes the shellcode via a callback after a brief delay of 100 milliseconds. Security tools focused on direct thread creation will miss this execution, as it appears to originate legitimately from the `winmm.dll` library.
The injected shellcode then decrypts itself using a block-based XOR method and decompresses the final HwAudKiller payload into memory using the LZNT1 compression algorithm. HwAudKiller drops the Huawei audio driver, `HWAuidoOs2Ec.sys`, to disk and registers it as a kernel service under the name `Havoc.sys`. Because the driver carries a legitimate Huawei digital signature, Windows loads it without triggering security alerts.
Once the malicious driver is active in kernel mode, HwAudKiller initiates a routine to scan all running processes every 100 milliseconds. It identifies and sends the Process IDs (PIDs) of 23 targeted security processes to the driver via an IOCTL command (`0x2248DC`). The driver then uses `ZwTerminateProcess` from within the kernel to forcibly end these security processes, effectively bypassing all user-mode defenses and disabling critical security software.
To mitigate the risks associated with such campaigns, individuals should download tax forms only from the official IRS.gov website and treat sponsored search results for government-related documents with extreme caution. IT security teams should maintain an allowlist of approved Remote Management and Monitoring (RMM) tools and flag any ScreenConnect trial instances as suspicious, especially those exhibiting the relay patterns described above. Sysmon Event ID 6 (driver loaded) and Windows System log Event ID 7045 (new service installed) should be configured to alert on kernel drivers loaded from, or registered with image paths in, temporary directories. Furthermore, any unsigned binary executed from a ScreenConnect working path warrants immediate and thorough investigation.
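The detection guidance above can be turned into a small triage routine. The following Python is an added example written for this article, not Huntress's tooling or a reference detection: it normalises three event kinds (Sysmon Event ID 6 driver loads, System log Event ID 7045 service installations, and Sysmon Event ID 1 process creations) and flags the three patterns the article calls out. The sample events are constructed; the ScreenConnect working-directory markers are assumptions to be tuned to your deployment, and the `Signed` field on the process-creation event is assumed to come from enrichment, since Sysmon Event ID 1 does not carry signature status natively. The driver file name and service name come from the article; the paths around them are constructed.

```python
import re

# Assumed substrings identifying the ScreenConnect client's working directory;
# the real path varies by version and tenant, so tune these to your environment.
SCREENCONNECT_MARKERS = ("\\screenconnect\\", "\\connectwisecontrol\\")

# Any \temp\ or \tmp\ path component (covers C:\Windows\Temp and %LOCALAPPDATA%\Temp).
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def in_temp_dir(path: str) -> bool:
    return bool(TEMP_DIR_RE.search(path))


def from_screenconnect(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in SCREENCONNECT_MARKERS)


def basename(path: str) -> str:
    # Works for both "C:\..." and NT-style "\??\C:\..." image paths.
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def driver_stem(name: str) -> str:
    # "Havoc.sys" and "Havoc" compare equal for the name-vs-file check below.
    return re.sub(r"\.sys$", "", name.lower())


def triage_event(event: dict) -> list:
    """Return human-readable findings for one normalised event; [] if nothing fires."""
    findings = []
    source, eid = event.get("Source"), event.get("EventID")

    if source == "Sysmon" and eid == 6:            # DriverLoad
        image = event.get("ImageLoaded", "")
        if in_temp_dir(image):
            # A valid vendor signature does not clear this: BYOVD relies on signed drivers.
            findings.append(f"kernel driver loaded from a temp directory: {image}")
        if str(event.get("Signed", "")).lower() != "true":
            findings.append(f"unsigned kernel driver loaded: {image}")

    elif source == "System" and eid == 7045:       # Service Control Manager: new service
        name = event.get("ServiceName", "")
        image = event.get("ImagePath", "")
        is_driver = "kernel" in str(event.get("ServiceType", "")).lower()
        if is_driver and in_temp_dir(image):
            findings.append(f"kernel driver service '{name}' registered from a temp directory: {image}")
        # Weak signal: a driver service whose name bears no relation to its file name.
        if is_driver and basename(image) and driver_stem(name) != driver_stem(basename(image)):
            findings.append(f"driver service name '{name}' does not match image file '{basename(image)}'")

    elif source == "Sysmon" and eid == 1:          # ProcessCreate
        image = event.get("Image", "")
        cwd = event.get("CurrentDirectory", "")
        if from_screenconnect(image) or from_screenconnect(cwd):
            signed = str(event.get("Signed", "unknown"))   # assumed enrichment field
            if signed.lower() != "true":
                findings.append(f"binary executed from ScreenConnect working path (signed={signed}): {image}")
    return findings


def triage(events) -> list:
    """Run triage_event over a batch and return (event_index, finding) pairs."""
    return [(i, f) for i, ev in enumerate(events) for f in triage_event(ev)]


# Constructed sample telemetry; field names mirror the usual Sysmon / System log names.
SAMPLE_EVENTS = [
    {"Source": "Sysmon", "EventID": 6, "Signed": "true",
     "ImageLoaded": r"C:\Windows\Temp\ScreenConnect\Files\HWAuidoOs2Ec.sys"},
    {"Source": "System", "EventID": 7045, "ServiceName": "Havoc.sys",
     "ServiceType": "kernel mode driver",
     "ImagePath": r"\??\C:\Windows\Temp\ScreenConnect\Files\HWAuidoOs2Ec.sys"},
    {"Source": "Sysmon", "EventID": 1,
     "Image": r"C:\Windows\Temp\ScreenConnect\Files\crypteds.exe",
     "CurrentDirectory": r"C:\Windows\Temp\ScreenConnect\Files"},
    {"Source": "Sysmon", "EventID": 6, "Signed": "true",           # benign driver load
     "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys"},
    {"Source": "System", "EventID": 7045, "ServiceName": "VendorBackupSvc",   # benign service
     "ServiceType": "user mode service",
     "ImagePath": r"C:\Program Files\Vendor\backupsvc.exe"},
]

if __name__ == "__main__":
    for index, finding in triage(SAMPLE_EVENTS):
        print(f"event[{index}]: {finding}")
```

The first sample event is the one worth dwelling on: the driver is validly signed, so a rule keyed on signature status alone stays silent, and only the load path catches it.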