Tax Time Terror: Malicious Ads Unleash Stealthy EDR Killers on Unsuspecting Americans
Subtitle: Cybercriminals weaponize tax form ads and a vulnerable Huawei driver to dismantle security defenses and pave the way for ransomware attacks, Huntress reveals.
It’s tax season in America, a time notorious for stress, paperwork, and now, a sophisticated wave of cyberattacks. As millions of taxpayers search for W-2 and W-9 forms online, threat actors are exploiting this annual scramble, slipping malicious ads into Google’s search results that open the door to devastating network breaches. Behind the scenes, these criminals aren’t just stealing data; they’re bringing their own digital weapons, disabling security, and setting the stage for full-scale ransomware assaults.
Inside the Attack: From Google Ads to Total Compromise
The campaign, uncovered by Huntress, has been active since at least January 2026. Attackers purchase Google Ads that masquerade as links to official tax documents. Unsuspecting users are lured into downloading a rogue version of ScreenConnect, a legitimate remote access tool, unknowingly handing over the keys to their systems.
To evade Google’s ad review, the criminals use commercial cloaking services like Adspect and JustCloakIt. These services show a benign page to automated scanners but redirect real users to the malware. Once inside, the attackers ensure persistence by installing multiple ScreenConnect relays and backup access tools. Even if defenders remove one, the others keep the backdoor open.
The next stage involves a devious piece of malware dubbed FatMalloc. This crypter consumes massive amounts of computer memory, overwhelming antivirus emulators so they time out and miss the threat. It hides its real code using indirect execution, such as the Windows multimedia timer API, and obfuscates its functions by prefixing API calls, making detection even harder.
The final payload is where things get truly dangerous. The attackers drop a legitimate, digitally signed Huawei audio driver (HWAudioOs2Ec.sys) into the system. This driver, intended for sound hardware, contains a fatal flaw: it can terminate any process with kernel-level privileges. The malware, called HwAudKiller, exploits this weakness to systematically kill endpoint detection and response (EDR) agents from vendors like Microsoft, SentinelOne, and Kaspersky, leaving the system defenseless.
With security blinded, the attackers move fast: dumping passwords from memory, moving laterally across networks, and setting the stage for further exploitation. Huntress researchers found clues pointing to Russian-speaking developers, including Cyrillic comments on related fake Chrome update pages.
Defending Against the Invisible Foe
This campaign is a wake-up call for organizations and individuals alike. The use of legitimate tools and drivers, combined with advanced evasion tactics, makes detection and prevention a formidable challenge. Security teams are urged to monitor for unauthorized remote access software, investigate any unusual drivers loading from temporary folders, and remain vigilant, especially during high-risk periods like tax season.
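One way to act on the advice above about unusual drivers loading from temporary folders: the added Python below (example code, not Huntress's tooling) scans flattened driver-load records modelled on Sysmon Event ID 6 and flags loads from temp or user-writable paths, the HWAudioOs2Ec.sys name from this campaign, and missing signatures. The record layout, user name, paths and timestamps are constructed for the example.

```python
import re
# Driver name from the article; in production, feed this set from a maintained abused-driver blocklist.
KNOWN_ABUSED_DRIVERS = {"hwaudioos2ec.sys"}

# Kernel drivers normally load from System32\drivers; a temp or user-writable path is the unusual signal.
SUSPICIOUS_PATH_RE = re.compile(r"\\(temp|tmp|downloads|programdata|users\\public)\\", re.I)

# Constructed sample records, flattened "Key: value | Key: value", modelled on
# Sysmon Event ID 6 (DriverLoad) fields. Paths, user name and times are made up.
SAMPLE_EVENTS = [
    "UtcTime: 2026-03-02 14:05:11 | ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys | Signed: true",
    "UtcTime: 2026-03-02 14:07:48 | ImageLoaded: C:\\Users\\jdoe\\AppData\\Local\\Temp\\HWAudioOs2Ec.sys | Signed: true",
    "UtcTime: 2026-03-02 14:09:02 | ImageLoaded: C:\\ProgramData\\svc\\drv.sys | Signed: false",
]

def parse_event(line):
    """Split one flattened record into a field dictionary."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields

def classify(event):
    """Return the reasons a driver load is suspicious; an empty list means benign."""
    path = event.get("ImageLoaded", "")
    reasons = []
    if path.rsplit("\\", 1)[-1].lower() in KNOWN_ABUSED_DRIVERS:
        reasons.append("known-abused-driver")
    if SUSPICIOUS_PATH_RE.search(path):
        reasons.append("load-from-temp-or-user-writable-path")
    # A valid signature is not a pass: BYOVD abuses legitimately signed drivers,
    # so this check only adds weight; the two checks above carry the detection.
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned")
    return reasons

def scan(lines):
    """Return (time, driver file name, reasons) for every suspicious record."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits.append((event["UtcTime"], event["ImageLoaded"].rsplit("\\", 1)[-1], reasons))
    return hits

if __name__ == "__main__":
    for when, driver, why in scan(SAMPLE_EVENTS):
        print(f"{when}  {driver:<20} {', '.join(why)}")
```

The signed Huawei driver in this campaign passes any signature-only check, which is why the path and known-name rules do the real work here.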
As cybercriminals continue to innovate, the best defense is layered, adaptive, and ever-watchful. In the digital world, even a routine search for tax forms can become the opening act in a cybercrime drama.
WIKICROOK
- Malvertising: Malvertising is the use of online ads to spread malware, often by tricking users into clicking harmful links, even on trusted websites.
- BYOVD (Bring Your Own Vulnerable Driver): BYOVD is a cyberattack where hackers use legitimate but insecure drivers to bypass security software and gain control of a computer system.
- EDR (Endpoint Detection and Response): EDR is security software that monitors endpoint devices for suspicious activity, detects threats in real time, and helps stop cyberattacks quickly.
- Cloaking Service: A cloaking service hides a website’s true content from security tools, showing malicious material only to real users to evade detection and enable cyberattacks.
- Crypter: A crypter is software that hides malware code, helping it evade detection by antivirus and security programs during cyberattacks.