GBHackers

Tax Scam Google Ads Push BYOVD EDR Killer, Huntress Finds


Tax-themed Google Ads are being weaponized to deliver a BYOVD-based EDR killer, with Huntress linking a large-scale malvertising campaign to rogue ScreenConnect deployments and a vulnerable Huawei audio driver used to blind endpoint defenses before hands-on-keyboard activity.

Sponsored Google Ads for queries such as “W2 tax form” and “W‑9 Tax Forms 2026” led to realistic tax-themed landing pages invoking IRS compliance to entice employees, contractors, and small businesses.

Across monitored environments, Huntress observed more than 60 rogue ScreenConnect sessions tied to this activity, confirming Google Ads as the initial access vector rather than email phishing or exploit kits.

Once a victim clicked the ad, traffic flowed through domains like anukitax[.]com and bringetax[.]com, ultimately dropping a ScreenConnect MSI hosted on 4sync that established remote access under default trial-cloud parameters (instance-* relays, y=Guest roles), a strong signal of unauthorized RMM usage.

Rogue ScreenConnect delivery page (Source :Huntress).

Huntress’ retrospective hunting revealed an ongoing malvertising operation active since at least January 2026, focused on U.S. users urgently searching for IRS tax forms like W‑2 and W‑9 around filing season.

The same open directories also exposed a fake Chrome update page served from shared infrastructure, indicating the operator runs multiple lure templates in parallel, switching between tax and browser-update themes while reusing the same backend.

Dual-layer cloaking and infrastructure

To keep malicious ads live, the operators stacked two commercial cloaking services: Adspect on the client side and JustCloakIt (JCI) on the server side.

When the victim clicks the update button on that page, its JavaScript fetches the victim’s IP address and geolocation via ipapi.co and sends a real-time notification containing the IP, country, and referring URL to the operator’s Telegram bot, giving the threat actor immediate visibility into each successful download.

Fake Google browser update lure (Source: Huntress).

Adspect’s JavaScript-based Traffic Distribution System fingerprints visitors by enumerating window and navigator properties, DOM attributes, WebGL GPU strings, iframe status, and DevTools usage, then posts this profile to rpc.adspect[.]net for a verdict on whether to serve a payload, proxy content, redirect, or fall back to a benign “safe page.”

This allows Google reviewers, VirusTotal, and other scanners to consistently see harmless content while real users on real hardware are funneled to malware.

The second layer, implemented via jcibj[.]com, ties directly to JustCloakIt through a shared TLS certificate covering jcibj[.]com, bjtrck[.]com, and justcloakit subdomains, and receives POSTed visitor metadata including IP, User-Agent, referer, and Google Ads gclid parameters.

JCI’s backend assigns per-operator verdicts, ensuring only monetizable traffic reaches the ScreenConnect and payload infrastructure.

This commercial cloaking stack, marketed openly with “no content rules,” turns takedowns into a cat-and-mouse game in which platforms struggle to ever see the malicious branch of the campaign.

On compromised hosts, the initial ScreenConnect session was used to drop and execute crypteds.exe, a MinGW-built multi-stage crypter dubbed “FatMalloc” that ultimately loads HwAudKiller in memory.

FatMalloc first allocates and zeroes 2 GB of memory before freeing it, a tactic that breaks low-resource sandboxes and causes AV emulators to time out before they reach the real decryption logic.

If this check succeeds, it marks an embedded shellcode blob as executable, decrypts it with a block-based XOR scheme, and uses the Windows timeSetEvent API with a callback wrapper to execute the shellcode indirectly from winmm.dll, sidestepping common heuristics around threads created on RWX memory.

The shellcode address is passed as user data to timeSetEvent, which invokes it indirectly through the fptc callback (Source :Huntress).

After decryption and decompression with RtlDecompressBuffer, the result is HwAudKiller, a memory-resident BYOVD tool whose PDB path (“HwAudKiller.pdb”) and console banner (“Havoc Process Terminator”) reveal its internal naming.

Decompiled kill function from the Huawei driver: mw_ZwOpenProcess_wrapper opens a handle to the target PID with PROCESS_ALL_ACCESS (Source: Huntress).

HwAudKiller deploys a legitimate Huawei audio driver (HWAuidoOs2Ec.sys) as Havoc.sys under a kernel service named “Havoc,” then repeatedly enumerates processes and uses IOCTL 0x2248DC over the \\.\HWAudioX64 device to kill a hard-coded list of Defender, Kaspersky, SentinelOne, and system processes from kernel mode.

Huawei audio driver abuse

Huntress assesses this as the first public case of this signed Huawei audio driver being abused as a BYOVD weapon, noting it is absent from LOLDrivers, Microsoft’s driver block list, and prior reporting.

The driver exposes an IOCTL handler that takes a caller-supplied PID, opens it with PROCESS_ALL_ACCESS via ZwOpenProcess, and immediately calls ZwTerminateProcess without validating the target, granting arbitrary kernel-mode kill capability to userland code that can load the driver.

The loader shellcode then resolves APIs via obfuscated “Y”‑prefixed names and parses a CHOC configuration block that defines compressed payload size, XOR key, and an LZNT1-compressed final PE.

CHOC configuration block (Source :Huntress).

Because the binary is properly signed by Huawei Device Co., Ltd., Windows loads it without complaint, allowing attackers to bypass user-mode tamper protection and self-defense features in EDR products.

Once visibility is stripped away, intruders quickly pivot to credential theft and lateral movement: Huntress observed LSASS dumping via comsvcs.dll and rundll32, followed by network scanning and mass credential harvesting with NetExec modules like lsassy and the --dpapi option across multiple hosts.

A second intrusion using a variant named sent.exe extended the kill list to FortiEDR processes, albeit with a minor string-termination bug, reflecting active and iterative development.

These behaviors align with pre-ransomware or initial access broker tradecraft, where blinded EDR, harvested credentials, and resilient RMM access are monetized through either direct encryption or resale of access.

Key detection points sit at the edges of this chain: unexpected ScreenConnect instances using trial instance-* relays or default y=Guest sessions, especially when multiple relays and backup RMMs like FleetDeck appear on the same host in quick succession.

Security teams should monitor ScreenConnect working folders such as C:\Windows\SystemTemp\ScreenConnect for unsigned or unknown executables like crypteds.exe, particularly when they spawn child processes, load drivers, or alter security configurations.

At the kernel layer, alerts on new type=kernel services created from %TEMP% (for example, a service named “Havoc” loading Havoc.sys), using telemetry such as Sysmon Event ID 6 and System Event ID 7045, can surface BYOVD attempts.
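The detection points listed in the preceding paragraphs (trial instance-* relays, y=Guest sessions, and kernel services or driver loads staged from temp directories) as a small set of heuristics run over constructed sample events. This is an added example, not Huntress tooling; the event field names and the relay hostname format are assumptions.

```python
"""Heuristics for the BYOVD chain above, run over constructed sample events.
Added example, not Huntress tooling; field names are assumed."""
import re
from urllib.parse import parse_qs

# Constructed records modelled on System Event 7045 (service installed)
# and Sysmon Event ID 6 (driver loaded); field names are assumptions.
SAMPLE_EVENTS = [
    {"event_id": 7045, "service_name": "Havoc", "service_type": "kernel mode driver",
     "image_path": r"C:\Users\bob\AppData\Local\Temp\Havoc.sys"},
    {"event_id": 7045, "service_name": "Spooler", "service_type": "user mode service",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"event_id": 6, "image_loaded": r"C:\Users\bob\AppData\Local\Temp\Havoc.sys",
     "signature": "Huawei Device Co., Ltd."},
    {"event_id": 6, "image_loaded": r"C:\Windows\System32\drivers\ndis.sys",
     "signature": "Microsoft Windows"},
]

# Directories a legitimately installed kernel driver has no business living in.
STAGING_DIR_RE = re.compile(r"\\(temp|tmp|systemtemp|downloads)\\", re.IGNORECASE)


def is_staging_path(path):
    return STAGING_DIR_RE.search(path) is not None


def flag_byovd_events(events):
    """Return (event_id, path, reason) for kernel services or driver loads from staging dirs."""
    alerts = []
    for ev in events:
        if ev["event_id"] == 7045 and "kernel" in ev["service_type"].lower() \
                and is_staging_path(ev["image_path"]):
            alerts.append((7045, ev["image_path"],
                           f"kernel service '{ev['service_name']}' installed from staging dir"))
        elif ev["event_id"] == 6 and is_staging_path(ev["image_loaded"]):
            # A valid vendor signature is not a pass: BYOVD relies on exactly that.
            alerts.append((6, ev["image_loaded"],
                           f"driver loaded from staging dir, signer {ev['signature']}"))
    return alerts


def screenconnect_reasons(relay_host, query_string):
    """Flag the trial-cloud signals the article names: instance-* relays and y=Guest.
    The relay hostname format is an assumption; adjust to your tenant's naming."""
    reasons = []
    if relay_host.lower().startswith("instance-"):
        reasons.append("trial instance-* relay")
    params = parse_qs(query_string)
    if "guest" in [v.lower() for v in params.get("y", [])]:
        reasons.append("default y=Guest session")
    return reasons
```

Both functions are meant to be fed from a SIEM export; a hit from either should be correlated with the ScreenConnect working-folder checks above rather than treated as a standalone verdict.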

Given the tax and browser-update themes, user awareness remains crucial: staff should be reminded that sponsored search results, even for government forms, are not inherently trustworthy, and that downloads of tax documents or browser updates should come only from official sources (IRS.gov, vendor portals, managed software distribution).

Finally, organizations should adopt RMM allowlisting, approving only known domains and tools and treating any unapproved ScreenConnect relay or ad-driven installation as a likely compromise requiring immediate triage and threat hunting.
