A sophisticated <a href="https://delimiter.online/blog/cybersecurity-threats-6/" title="malvertising">malvertising</a> campaign has been targeting individuals in the United States since January 2026. The operation uses manipulated Google search advertisements for tax-related documents to distribute malicious installers for ConnectWise ScreenConnect software. These installers deploy a tool designed to disable endpoint security products on compromised computers.
Campaign Mechanics and Technical Details
The threat actors behind this campaign have purchased Google Ads that appear when users search for terms related to tax forms or filing software. These ads lead to websites that host tampered versions of the legitimate remote access tool, ScreenConnect. When a user downloads and runs the installer, it executes a multi-stage attack.
The primary payload is a tool security researchers have named “HwAudKiller.” This tool exploits a legitimate but vulnerable driver from Huawei to carry out a Bring Your Own Vulnerable Driver (BYOVD) attack. The BYOVD technique involves using a signed driver with known security flaws to gain high-level system privileges and then manipulate the operating system’s kernel.
Impact on Security Software
Once HwAudKiller gains kernel-level access, its function is to locate and disable Endpoint Detection and Response (EDR) software and antivirus programs. By blinding these security solutions, the attackers create a persistent backdoor on the system. This allows them to deploy additional malware, such as information stealers or ransomware, without detection.
ConnectWise ScreenConnect is a widely used remote desktop application for IT support and administration. Its misuse in this campaign is significant because the software is inherently trusted by many organizations and individuals, making malicious installers less likely to raise immediate suspicion.
Scope and Attribution
The campaign has been active for several months and specifically targets users in the U.S. during the tax filing season. This timing capitalizes on increased online searches for tax documentation and software. While the exact group responsible is currently unidentified, the scale and technical execution suggest a financially motivated, sophisticated operation.
Security firms tracking the campaign have notified Google’s threat intelligence teams. The malicious advertisements are being removed as they are identified, but new ones frequently appear, a common challenge in combating malvertising.
Recommended Protective Measures
Security experts advise individuals and businesses to exercise extreme caution when clicking on online advertisements, even those from major search engines. They recommend downloading software only from official vendor websites or trusted distributors. Furthermore, maintaining updated EDR solutions that can detect and block driver-based attacks is critical for defense.
Organizations using ScreenConnect are urged to verify the integrity of their installations and monitor for unusual network activity originating from endpoints using the software. Applying the principle of least privilege to user accounts can also help limit the damage from such exploits.
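The monitoring advice above can be made concrete on the driver side. The following is an added example, not code from the article or from the researchers tracking this campaign: it triages Sysmon Event ID 6 ("Driver loaded") records for the signals that characterise a BYOVD load. The field names (ImageLoaded, Hashes, Signed, Signature, SignatureStatus) are real Sysmon fields, but the sample records, the driver file names and the blocklist hash are constructed placeholders; a real deployment would populate the blocklist from a maintained source such as Microsoft's vulnerable driver blocklist.

```python
import re
from typing import Dict, List, Optional

# Placeholder blocklist. In production, populate this from a maintained source such as
# Microsoft's vulnerable driver blocklist; the value here is constructed, not a real hash.
KNOWN_VULNERABLE_SHA256 = {
    "1111111111111111111111111111111111111111111111111111111111111111",
}

# Drivers are normally loaded from the Windows drivers directory; a driver loaded from
# a user-writable path such as a temp folder is a strong BYOVD indicator.
EXPECTED_DRIVER_PREFIXES = ("c:\\windows\\system32\\drivers\\",)

_SHA256_RE = re.compile(r"SHA256=([0-9a-f]{64})", re.IGNORECASE)


def parse_sha256(hashes_field: str) -> Optional[str]:
    """Extract the SHA256 value from a Sysmon 'Hashes' field such as 'MD5=...,SHA256=...'."""
    match = _SHA256_RE.search(hashes_field or "")
    return match.group(1).lower() if match else None


def assess_driver_load(event: Dict[str, str]) -> List[str]:
    """Return the reasons a Sysmon Event ID 6 record looks like BYOVD (empty list = benign)."""
    reasons: List[str] = []
    image = event.get("ImageLoaded", "")
    if parse_sha256(event.get("Hashes", "")) in KNOWN_VULNERABLE_SHA256:
        reasons.append("SHA256 matches vulnerable-driver blocklist")
    if not image.lower().startswith(EXPECTED_DRIVER_PREFIXES):
        reasons.append("loaded from outside the standard drivers directory")
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or signature not valid")
    return reasons


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious driver path to its reasons; benign events are omitted."""
    findings: Dict[str, List[str]] = {}
    for event in events:
        reasons = assess_driver_load(event)
        if reasons:
            findings[event.get("ImageLoaded", "")] = reasons
    return findings


# Constructed sample records in the shape of Sysmon Event ID 6 fields (not real telemetry).
SAMPLE_EVENTS = [
    {
        "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
        "Hashes": "SHA256=2222222222222222222222222222222222222222222222222222222222222222",
        "Signed": "true",
        "Signature": "Microsoft Windows",
        "SignatureStatus": "Valid",
    },
    {
        # A validly signed vendor driver dropped into a temp folder by a malicious installer.
        # The signature check passes, which is exactly why BYOVD works, so the blocklist
        # and load-path checks have to carry the detection.
        "ImageLoaded": "C:\\Users\\user\\AppData\\Local\\Temp\\placeholder_driver.sys",
        "Hashes": "SHA256=1111111111111111111111111111111111111111111111111111111111111111",
        "Signed": "true",
        "Signature": "Example Hardware Vendor (placeholder)",
        "SignatureStatus": "Valid",
    },
    {
        "ImageLoaded": "C:\\Windows\\System32\\drivers\\unsigned_placeholder.sys",
        "Hashes": "MD5=00000000000000000000000000000000",
        "Signed": "false",
        "Signature": "",
        "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS).items():
        print(f"{path}: {'; '.join(reasons)}")
```

The point the second sample makes is the one that matters for this campaign: a BYOVD driver carries a valid vendor signature, so a rule that only alerts on unsigned drivers misses it entirely. The hash blocklist and the load path are what separate it from the legitimately installed driver in the first record, which is why EDR products that maintain a vulnerable-driver blocklist are the recommended defence.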
Ongoing Response and Future Outlook
Google continues to work on detecting and removing the malicious advertisements associated with this campaign. ConnectWise has acknowledged the misuse of its brand and software in these attacks, directing users to its official security advisories and download portals. Law enforcement agencies in the U.S. have been briefed on the campaign’s details.
In the coming weeks, security researchers expect to see further analysis of the HwAudKiller tool and its connection to other malware families. The incident underscores a persistent trend where cybercriminals exploit trusted software brands and digital advertising platforms to reach a wide pool of potential victims with highly effective social engineering lures.
Source: Adapted from cybersecurity research reports.