Every April, millions of Americans rush to file taxes before the deadline — and attackers count on it.
A large-scale malvertising campaign, active since at least January 2026, has been exploiting that urgency by placing fake tax form pages through Google Ads, ultimately deploying a kernel-mode EDR killer on victim machines.
The campaign targeted U.S. individuals searching for W-2 and W-9 documents, with rogue landing pages mimicking IRS compliance portals to snare employees, freelancers, and small business owners during filing season.
The attack starts with a simple search. When a victim types “W2 tax form” into Google, a sponsored result leads them to anukitax[.]com, which redirects to bringetax[.]com — the actual delivery page for a rogue ScreenConnect installer named form_w9.msi.
ScreenConnect is a legitimate remote management tool, which is why victims install it without hesitation.
Once active, the attacker gains full hands-on-keyboard access to the machine through a trial cloud instance, with no enterprise approval or IT oversight.
Huntress researchers identified this campaign during routine retrospective threat hunting, tracing over 60 rogue ScreenConnect sessions across their customer base.
What started as suspicious remote tool activity revealed itself as a coordinated, multi-stage operation with a deeply layered payload designed to blind endpoint security tools entirely.
The ultimate objective — based on post-access behavior — points toward either ransomware deployment or initial access brokerage.
After gaining entry through ScreenConnect, the attacker deployed a multi-stage crypter called FatMalloc alongside backup tools like FleetDeck, stacking two to three relay instances per host to survive partial remediation.
The final payload, HwAudKiller, uses a previously undocumented Huawei audio driver to kill Windows Defender, Kaspersky, and SentinelOne from kernel mode.
Once defenses were down, attackers dumped LSASS credentials and ran NetExec across the network to harvest accounts at scale — a pattern consistent with pre-ransomware behavior.
Beyond the tax-themed lures, the threat actor’s exposed open directory also revealed a fake Google Chrome update page laced with Russian-language JavaScript comments, pointing to a Russian-speaking developer.
Both lure types pulled payloads from the same 4sync file-sharing infrastructure, confirming this is not a standalone campaign but an organized operation running multiple social engineering fronts simultaneously.
Inside the BYOVD EDR Kill Mechanism
Once inside the target machine, the attacker executed FatMalloc (crypteds.exe) directly from ScreenConnect’s working directory.
FatMalloc opens by allocating 2GB of memory and filling it with zeros before releasing it — a trick that forces antivirus emulators to time out before ever reaching the real payload, since they cannot afford to simulate such a massive memory operation.
Sandboxes with limited memory fail the allocation entirely, causing the malware to exit silently without revealing itself.
If that check passes, FatMalloc executes its shellcode indirectly using the Windows multimedia timer API.
Instead of spawning an obvious new thread, the crypter passes the shellcode’s address as user data to timeSetEvent, which invokes it through a callback after 100 milliseconds.
Security tools monitoring direct thread creation miss this entirely, since execution appears to originate from winmm.dll.
The shellcode then decrypts itself using a block-based XOR method before decompressing the final HwAudKiller payload into memory using LZNT1.
HwAudKiller drops the Huawei audio driver (HWAuidoOs2Ec.sys) to disk as Havoc.sys and registers it as a kernel service. Because the driver carries a valid Huawei digital signature, Windows loads it without complaint.
The tool then loops through all running processes every 100 milliseconds, sending matching PIDs to the driver via IOCTL 0x2248DC.
The driver calls ZwTerminateProcess from kernel mode to kill 23 targeted security processes — bypassing all user-mode protections.
Users should only download tax forms directly from IRS.gov and treat sponsored search results for government documents with caution.
IT teams should allowlist approved RMM tools and flag any ScreenConnect trial instance — particularly those using instance-* relay patterns — as suspicious.
Sysmon Event ID 6 (driver loaded) and Event ID 7045 (new service installed) should alert on kernel drivers loaded or registered from TEMP directories. Any unsigned binary executed from ScreenConnect’s working path deserves immediate investigation.
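The detection guidance above, worked through as an added example that is not part of the Huntress report: a small triage routine over constructed Sysmon 6, System 7045 and Sysmon 3 records (real field names, made-up values). Note that the temp-path check, not the signature check, is what fires on a validly signed driver such as the renamed Huawei driver; the `instance-*-relay.` hostname shape used for the ScreenConnect trial relay check is an assumption.

```python
import re

# Constructed sample events. Field names follow what Sysmon and the Windows
# System log actually emit; every value is made up for this example.
SAMPLE_EVENTS = [
    {"Channel": "Sysmon", "EventID": 6,
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\Havoc.sys",
     "Signed": "true", "SignatureStatus": "Valid"},          # signed, but from TEMP
    {"Channel": "System", "EventID": 7045, "ServiceName": "Havoc",
     "ImagePath": r"\??\C:\Users\bob\AppData\Local\Temp\Havoc.sys",
     "ServiceType": "kernel mode driver"},                    # kernel service from TEMP
    {"Channel": "Sysmon", "EventID": 6,
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "SignatureStatus": "Valid"},          # benign control case
    {"Channel": "Sysmon", "EventID": 3,
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.ClientService.exe",
     "DestinationHostname": "instance-xxxx-relay.screenconnect.com"},  # trial relay (assumed shape)
]

TEMP_RE = re.compile(r"\\(Temp|Tmp)\\", re.IGNORECASE)
# Assumed hostname pattern for ScreenConnect cloud trial relays (instance-* per the article).
RELAY_RE = re.compile(r"^instance-[a-z0-9]+-relay\.", re.IGNORECASE)


def flag_event(ev):
    """Return the list of reasons this single event is suspicious (empty if none)."""
    hits = []
    chan, eid = ev.get("Channel"), ev.get("EventID")
    if chan == "Sysmon" and eid == 6:                      # driver loaded
        path = ev.get("ImageLoaded", "")
        if TEMP_RE.search(path):
            hits.append(f"kernel driver loaded from temp dir: {path}")
        if ev.get("SignatureStatus") != "Valid":          # catches unsigned/tampered, not BYOVD
            hits.append(f"driver without valid signature: {path}")
    elif chan == "System" and eid == 7045:                 # new service installed
        path = ev.get("ImagePath", "")
        if ev.get("ServiceType", "").lower() == "kernel mode driver" and TEMP_RE.search(path):
            hits.append(f"kernel service {ev.get('ServiceName')!r} registered from temp dir: {path}")
    elif chan == "Sysmon" and eid == 3:                    # network connection
        host = ev.get("DestinationHostname", "")
        if RELAY_RE.match(host):
            hits.append(f"ScreenConnect cloud relay contact (trial instance?): {host}")
    return hits


def triage(events):
    """Map the index of every flagged event to its findings; benign events are omitted."""
    return {i: hits for i, ev in enumerate(events) if (hits := flag_event(ev))}
```

Pair the path rules with a hash blocklist of known-abused drivers, since renaming the file (as with Havoc.sys here) defeats filename matching but not the hash.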