A large-scale malvertising campaign, active since January 2026, has used Google Ads to lure U.S. users searching for tax-related terms into downloading rogue ConnectWise ScreenConnect (formerly ConnectWise Control) installers that deploy a bring-your-own-vulnerable-driver (BYOVD) EDR killer called HwAudKiller. The attackers stack two cloaking services (Adspect and JustCloakIt) to hide the payload from scanners and abuse a legitimately signed Huawei driver (HWAuidoOs2Ec.sys) to terminate EDR processes from the kernel, clearing the way for LSASS credential dumping and further compromise. #HwAudKiller #ConnectWiseControl
Keypoints
- The campaign uses Google Ads and tax-related lures to route victims to malicious landing pages.
- Two cloaking services stacked together, Adspect and JustCloakIt, serve benign content to scanners and security crawlers while routing real visitors to the payload.
- The rogue ScreenConnect installers drop a crypter and the BYOVD EDR killer HwAudKiller, which loads the signed Huawei driver HWAuidoOs2Ec.sys to gain kernel-mode access.
- With EDR processes terminated from kernel mode, the attackers dump LSASS, perform network reconnaissance, and move laterally.
- Russian-language comments in the tooling and the rapid stacking of multiple RMM tools point to pre-ransomware staging or initial access broker activity.
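The practical defensive takeaway from the BYOVD step is that the driver is signed and will pass a signature check, so a hunt has to key on the driver file name and where it was loaded from. The script below is an added example (not code from the report or from any vendor): it parses Sysmon Event ID 6 (DriverLoad) records flattened into key=value lines by a hypothetical log forwarder, flags the driver name given in the report, and applies a constructed "loaded from a user-writable directory" heuristic. The log lines, hashes, signer strings and directory list are all constructed for illustration.

```python
"""Hunt for BYOVD driver loads in Sysmon Event ID 6 (DriverLoad) records.

Added example: the driver file name is the one named in the report; the log
lines, signer strings, hashes and the "suspicious directory" heuristic are
constructed/assumed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Driver file name from the report, matched case-insensitively on the basename
# only, because the attacker chooses the directory it is dropped into.
WATCHLIST = {"hwauidoos2ec.sys"}

# Assumption: a driver loaded from a user-writable directory deserves a look
# even when its name is not yet on any watchlist.
SUSPICIOUS_DIR = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)

# Sysmon EID 6 fields (ImageLoaded, Hashes, Signed, Signature, SignatureStatus)
# flattened into "key=value; key=value" lines by a hypothetical forwarder.
FIELD = re.compile(r"(\w+)=([^;]*)")


@dataclass
class DriverLoad:
    image: str          # full path of the driver file
    signed: bool
    signature: str      # signer subject as reported by Sysmon
    sig_status: str     # "Valid", "Expired", ...


@dataclass
class Finding:
    image: str
    reasons: List[str] = field(default_factory=list)


def parse_driver_load(line: str) -> Optional[DriverLoad]:
    """Return a DriverLoad for an EID 6 line, or None for any other event."""
    fields = {k: v.strip() for k, v in FIELD.findall(line)}
    if fields.get("EventID") != "6" or "ImageLoaded" not in fields:
        return None
    return DriverLoad(
        image=fields["ImageLoaded"],
        signed=fields.get("Signed", "").lower() == "true",
        signature=fields.get("Signature", ""),
        sig_status=fields.get("SignatureStatus", ""),
    )


def assess(ev: DriverLoad) -> Optional[Finding]:
    """Score one driver load. A valid signature alone clears nothing: BYOVD
    drivers are legitimately signed by design, so name and path carry the
    signal; the signature check only catches the sloppier cases."""
    basename = ev.image.rsplit("\\", 1)[-1].lower()
    reasons = []
    if basename in WATCHLIST:
        reasons.append("driver on BYOVD watchlist")
    if SUSPICIOUS_DIR.search(ev.image):
        reasons.append("loaded from non-standard directory")
    if not ev.signed or ev.sig_status.lower() != "valid":
        reasons.append("signature missing or invalid")
    return Finding(ev.image, reasons) if reasons else None


def hunt(lines: List[str]) -> List[Finding]:
    """Run the parser and the checks over a batch of log lines."""
    findings = []
    for line in lines:
        ev = parse_driver_load(line)
        if ev is None:
            continue
        f = assess(ev)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample log: one benign load, one BYOVD-style load, one non-EID-6.
SAMPLE_LOG = [
    "EventID=6; UtcTime=2026-03-10 14:02:11.120; "
    "ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys; "
    "Hashes=SHA256=0000; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid",
    "EventID=6; UtcTime=2026-03-10 14:03:47.003; "
    "ImageLoaded=C:\\Windows\\Temp\\HWAuidoOs2Ec.sys; "
    "Hashes=SHA256=1111; Signed=true; Signature=Huawei (illustrative signer); SignatureStatus=Valid",
    "EventID=1; UtcTime=2026-03-10 14:03:40.500; "
    "Image=C:\\Users\\jdoe\\Downloads\\ScreenConnect.ClientSetup.exe",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.image}: {', '.join(f.reasons)}")
```

Two caveats when adapting this to a real SIEM: the watchlist should be fed from a maintained source of known-abusable drivers (for example the LOLDrivers project or Microsoft's vulnerable driver blocklist) rather than a single hand-typed name, since the page does not say whether this particular driver appears in either list; and because a renamed copy of the driver defeats the name check, the file hash from the Hashes field is the more durable indicator once you have one you trust.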
Read More: https://thehackernews.com/2026/03/tax-search-ads-deliver-screenconnect.html