Tax Search Ads Deliver ScreenConnect Malware Using Huawei Driver to Disable EDR

Summary

A malvertising campaign active since January 2026 uses Google Ads to target U.S. individuals searching for tax documents. The campaign distributes rogue ScreenConnect installers that deploy HwAudKiller, a tool designed to disable Endpoint Detection and Response (EDR) solutions through the BYOVD (Bring Your Own Vulnerable Driver) technique, specifically using a Huawei driver.

IFF Assessment

FOE

This campaign poses a significant threat to defenders by actively disabling security tools, making it harder to detect and respond to threats.

Defender Context

Defenders should be aware of malvertising campaigns that bundle legitimate software installers with malware, especially those targeting timely events like tax season. The use of BYOVD techniques to disable EDR is a sophisticated evasion tactic that requires robust detection mechanisms capable of identifying driver manipulation.
