Tuesday 07 July 2026 02:53:05 GMT+02:00

Netcrook

HomeManifesto
News
Techcrook
Geocrook
WikicrookTeamAppContact
EnglishItalianoArabic

Malware & Botnets

Tax Season Trap: Google Ads Deliver Stealth Malware, Blinds Security with Huawei Driver

Published: 25 March 2026 01:13Category: Malware & BotnetsGeo: North AmericaAuthor: TRUSTBREAKER

Subtitle: Cybercriminals exploit tax-time Google searches to deploy advanced malware that disables security using a legitimate Huawei audio driver.

It’s tax season in America, and for many, that means frantic Google searches for W-2s and tax forms. But this year, a sinister new threat is lurking behind those sponsored search results. An ongoing malvertising campaign, active since January 2026, is tricking unsuspecting users into installing remote access tools-while secretly deploying a powerful piece of malware that disables even the most robust security defenses. The weapon of choice? A legitimate, signed Huawei audio driver, twisted into a tool for cyber sabotage.

Fast Facts

  • Campaign uses Google Ads targeting tax-related searches to distribute malware.
  • Malicious installers drop ScreenConnect and an EDR-killing tool called HwAudKiller.
  • A legitimate Huawei audio driver is used to disable security software at the kernel level.
  • Attackers leverage advanced cloaking services to evade detection.
  • Evidence suggests Russian-speaking threat actors are behind the operation.

Inside the Campaign: From Search to System Compromise

The attack starts innocently enough: a user searches for tax forms-“W2 tax form” or “W-9 Tax Forms 2026”-and clicks on a sponsored Google ad. But instead of a helpful government site, they land on a carefully disguised page, shielded by commercial cloaking services like Adspect and JustCloakIt. These services ensure that only real users, not security scanners or ad reviewers, see the malicious payload.

Once through the digital smokescreen, victims are prompted to download what appears to be a legitimate installer for ScreenConnect (now ConnectWise Control), a popular remote support tool. Unbeknownst to them, this installer is booby-trapped. Upon execution, it unleashes a multi-stage attack: first, establishing multiple ScreenConnect sessions for persistent access; then, deploying additional remote management tools like FleetDeck Agent for redundancy.

The most insidious move comes next. The malware drops a tool dubbed HwAudKiller, which leverages a technique known as BYOVD-“bring your own vulnerable driver.” The attackers use “HWAuidoOs2Ec.sys,” a genuine, signed Huawei kernel driver intended for audio hardware. Because the driver is signed and legitimate, Windows loads it without suspicion-even with strict driver signature enforcement. Once loaded, it grants attackers the power to kill security processes, including Microsoft Defender and other top-tier endpoint detection and response (EDR) tools, directly from the kernel. This effectively blinds the computer’s defenses and clears the way for further compromise, such as credential theft or ransomware deployment.

Forensic analysis revealed more: the attackers used open directories containing fake Chrome update pages, peppered with Russian-language code comments. This, combined with the sophisticated use of commodity tools and off-the-shelf cloaking, points to Russian-speaking cybercriminals skilled in blending legitimate software with malicious intent.

What Makes This Attack Different?

Unlike previous tax-themed malvertising campaigns, this operation stands out for its layered evasion tactics and its exploitation of a previously undocumented vulnerability in a common driver. The stacking of multiple remote access tools and the creative abuse of trusted digital signatures show just how far cybercriminals will go to stay ahead of defenders. The campaign underscores the dark side of the modern cybercrime economy, where readily available commercial services and legitimate software can be weaponized by anyone with the know-how and motive.

Conclusion

As tax season brings a rush of searches and downloads, the line between safe and suspicious has never been thinner. This campaign is a stark reminder: even the most innocuous Google search can be a gateway to advanced cyberattacks, especially when attackers wield legitimate tools as weapons. Stay vigilant-your next click could be the one that opens the door.

WIKICROOK

  • Malvertising: Malvertising is the use of online ads to spread malware, often by tricking users into clicking harmful links-even on trusted websites.
  • BYOVD (Bring Your Own Vulnerable Driver): BYOVD is a cyberattack where hackers use legitimate but insecure drivers to bypass security software and gain control of a computer system.
  • EDR (Endpoint Detection and Response): EDR is security software that monitors endpoint devices for suspicious activity, detects threats in real time, and helps stop cyberattacks quickly.
  • Cloaking Service: A cloaking service hides a website’s true content from security tools, showing malicious material only to real users to evade detection and enable cyberattacks.
  • Kernel Driver: A kernel driver is a core program that enables direct interaction between an operating system and hardware, managing key functions at a low level.