Tax Search Ads Deliver ScreenConnect Malware

A large malvertising campaign has been using tax-themed search ads to deliver ScreenConnect malware. Researchers observed the activity starting in early 2026, and the attackers specifically targeted users searching for tax forms.

The campaign used sponsored search results to lure victims: users searching for “W-2 tax form”, for example, saw malicious ads, and many clicked without suspecting danger.

The attackers' goal was to install remote access tools and thereby gain control of infected systems. Researchers linked the activity to over 60 malicious sessions.

Malicious Ads and Fake Websites

The attack begins with fake search ads that lead users to deceptive websites designed to look like legitimate tax resources.

The attackers used cloaking to hide the malicious content: security scanners were served harmless pages, while real users received malware downloads. The cloaking was layered, which made detection much harder. One layer filtered traffic on the server side first; a second layer fingerprinted the visitor's browser and delivered the payload only to visitors that looked like genuine victims. This approach helped the attackers avoid security checks.

ScreenConnect Installer Used as Entry Point

The fake websites delivered a rogue installer posing as a legitimate remote support tool, which installed hidden components in the background.

The installer set up multiple remote access sessions, giving the attackers persistent access to the system. They also added backup tools for redundancy, such as additional monitoring tools, so that removing one tool did not end the intrusion: the attackers simply reconnected through another.

HwAudKiller Disables Security Tools

A key component of the attack is a tool called HwAudKiller, which disables endpoint security systems and so clears the way for further malicious activity.

The tool relies on a vulnerable signed driver: it loads a legitimate Huawei audio driver, which the system accepts because its signature is trusted. Once loaded, the driver runs at kernel level, so the tool can use it to terminate security processes directly, bypassing the self-protection that antivirus tools rely on.

This technique is known as Bring Your Own Vulnerable Driver (BYOVD): attackers exploit a trusted but flawed driver to disable defenses without raising alerts.
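As an added example (not code from the original article or from the researchers it cites), the following Python triage script shows how a defender might pick both patterns described above out of endpoint telemetry: the redundant remote-access sessions from the previous section and the vulnerable driver load from this one. The log format, host names, the driver path, the hashes in the blocklist and the non-ScreenConnect tool names are all constructed placeholders; in practice the hash list would be populated from a maintained vulnerable-driver inventory such as loldrivers.io or Microsoft's recommended driver block rules.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical blocklist. Populate from loldrivers.io or Microsoft's recommended
# driver block rules in practice; this value is a placeholder, not the real hash
# of the audio driver abused in the campaign.
VULNERABLE_DRIVER_HASHES = {
    "PLACEHOLDER_SHA256_OF_ABUSED_AUDIO_DRIVER",
}

# Image names treated as remote-access tooling. ScreenConnect is named in the
# article; the other two are hypothetical stand-ins for the "backup tools".
REMOTE_ACCESS_IMAGES = {
    "screenconnect.windowsclient.exe",
    "hypothetical-remote-tool-b.exe",
    "hypothetical-remote-tool-c.exe",
}

# Constructed sample telemetry (not real logs), pipe-delimited:
# timestamp|host|event_type|image_or_driver_path|sha256 ("-" when not recorded)
SAMPLE_TELEMETRY = """\
2026-02-03T09:14:02Z|WS-ACCT-07|process_create|ScreenConnect.ClientSetup.exe|-
2026-02-03T09:14:40Z|WS-ACCT-07|process_create|ScreenConnect.WindowsClient.exe|-
2026-02-03T09:16:11Z|WS-ACCT-07|process_create|hypothetical-remote-tool-b.exe|-
2026-02-03T09:21:55Z|WS-ACCT-07|driver_load|C:\\Windows\\Temp\\hwaudio_placeholder.sys|PLACEHOLDER_SHA256_OF_ABUSED_AUDIO_DRIVER
2026-02-03T09:22:03Z|WS-ACCT-07|process_create|hypothetical-remote-tool-c.exe|-
2026-02-03T11:02:30Z|WS-HR-03|process_create|ScreenConnect.WindowsClient.exe|-
2026-02-03T11:05:00Z|WS-HR-03|driver_load|C:\\Windows\\System32\\drivers\\benign.sys|PLACEHOLDER_SHA256_BENIGN
"""


def parse_telemetry(text):
    """Turn the pipe-delimited lines into event dicts with UTC timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, name, sha = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "host": host,
            "kind": kind,
            "name": name,
            "sha256": sha,
        })
    return events


def find_byovd_driver_loads(events):
    """Driver loads whose hash is on the vulnerable-driver list.

    A valid signature is exactly what BYOVD abuses, so the match is on the
    file hash, never on whether the driver is signed.
    """
    return [(e["host"], e["name"]) for e in events
            if e["kind"] == "driver_load" and e["sha256"] in VULNERABLE_DRIVER_HASHES]


def find_redundant_remote_access(events, window=timedelta(minutes=30), min_tools=2):
    """Hosts where at least `min_tools` distinct remote-access images started
    within one `window`. One such tool is routine IT; several back to back is
    the redundancy pattern the article describes. Returns {host: [tools]}.
    """
    per_host = defaultdict(list)
    for e in events:
        if e["kind"] == "process_create" and e["name"].lower() in REMOTE_ACCESS_IMAGES:
            per_host[e["host"]].append((e["ts"], e["name"].lower()))
    findings = {}
    for host, starts in per_host.items():
        starts.sort()
        # Slide a window anchored at each start time and collect distinct tools.
        for i, (t0, _) in enumerate(starts):
            tools = {name for t, name in starts[i:] if t - t0 <= window}
            if len(tools) >= min_tools:
                findings[host] = sorted(tools)
                break
    return findings


EVENTS = parse_telemetry(SAMPLE_TELEMETRY)

if __name__ == "__main__":
    for host, driver in find_byovd_driver_loads(EVENTS):
        print(f"[BYOVD] {host}: known-vulnerable driver loaded from {driver}")
    for host, tools in find_redundant_remote_access(EVENTS).items():
        print(f"[RAT-REDUNDANCY] {host}: {len(tools)} remote-access tools: {', '.join(tools)}")
```

Run against the constructed sample, the script flags WS-ACCT-07 on both counts and stays quiet on WS-HR-03, which has a single ScreenConnect client and a benign driver. The two checks are deliberately independent so that either finding alone is enough to open a ticket; matching on driver hash rather than signer is the part that matters for BYOVD.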

Advanced Evasion Techniques

The malware also uses a crypter to avoid detection: it allocates large amounts of memory and fills it with empty data. This inflates what security engines must process, and some detection tools give up analyzing the sample, so the attack continues undetected. The attackers also relied on social engineering, building convincing fake pages and tools so that users trusted the process and installed the malware themselves.

Possible Goals of the Campaign

Researchers believe the attackers aim to steal credentials: they were observed extracting data from system memory and performing network reconnaissance. These actions suggest preparation for ransomware attacks, although the attackers may also sell the access to other criminals, so the campaign can serve several criminal goals.

The infrastructure showed signs of Russian-language development, but the exact identity of the attackers remains unknown. The methods nonetheless show a high level of organization.

How to Prevent Malvertising and BYOVD Attacks

Users should avoid clicking sponsored links for sensitive searches such as tax forms and instead navigate to official websites directly. Awareness alone is not enough, though.

Organizations should deploy endpoint detection and response (EDR) tools that can flag unusual kernel-level activity, pair them with managed detection services that monitor suspicious remote access sessions in real time, and run regular vulnerability assessments to identify risky drivers and exposed systems. Together these measures reduce the impact of malvertising and BYOVD attacks.
