A large-scale malvertising campaign has been identified targeting users searching for tax-related documents, leading to the deployment of remote access malware and advanced security evasion tools.
The campaign, active since early 2026, was analyzed by Huntress, revealing how attackers are abusing online advertisements to distribute malicious software disguised as legitimate tax resources.
Malicious Ads Target Tax-Related Searches
The attack begins when users search for terms like tax forms or financial documents on search engines. Sponsored results redirect victims to fraudulent websites that appear legitimate but are designed to deliver malware.
These deceptive pages host fake installers for ConnectWise ScreenConnect, a legitimate remote access tool that is being misused by attackers to gain control over compromised systems.
Cloaking Techniques to Evade Detection
To avoid detection by security systems and ad review processes, the attackers employ layered cloaking mechanisms. These include:
- Client-side fingerprinting to identify real users
- Server-side filtering to block bots and scanners
Commercial cloaking services such as Adspect and JustCloakIt are used together to ensure that only targeted victims receive the malicious payload, while security tools are shown harmless content.

Multi-Layered Attack Chain
Once the victim installs the malicious ScreenConnect package, attackers establish remote access and deploy additional tools to maintain persistence.
In several cases, multiple remote monitoring and management (RMM) tools, including FleetDeck, were installed on the same system to ensure continued access even if one method is removed.
BYOVD Technique to Disable Security Software
A key element of this campaign is the use of the bring your own vulnerable driver (BYOVD) technique. Attackers deploy a tool known as HwAudKiller, which leverages a legitimate but vulnerable Huawei kernel driver.
Huawei’s signed driver allows the malware to operate at the kernel level, enabling it to terminate processes associated with security solutions such as Microsoft Defender and other endpoint protection tools.
Because the driver is digitally signed, it bypasses standard Windows security mechanisms, making detection significantly more difficult.
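The two behaviours described above (a signed third-party driver loading shortly before security processes die, and more than one RMM agent appearing on the same host) can be correlated from endpoint telemetry. The following is an added detection sketch, not code from Huntress or the article; it assumes Sysmon-shaped events (IDs 1, 5 and 6), a per-fleet signer allowlist, and hypothetical agent binary names, and the driver name and signer in the sample are placeholders.

```python
from datetime import datetime, timedelta

# Sysmon event IDs used below: 1 = ProcessCreate, 5 = ProcessTerminate, 6 = DriverLoad.
# Security-product process names (MsMpEng.exe is Defender's engine; extend for your EDR).
SECURITY_PROCS = {"msmpeng.exe", "mssense.exe"}
# Kernel-driver signers expected on a managed fleet (assumption; tune per environment).
TRUSTED_SIGNERS = {"microsoft windows", "microsoft windows hardware compatibility publisher"}
# Agent binaries mapped to RMM product names (binary names are hypothetical).
RMM_PROCS = {"screenconnect.clientservice.exe": "ScreenConnect", "fleetdeck_agent.exe": "FleetDeck"}
WINDOW = timedelta(minutes=10)  # a kill this soon after a driver load is correlated with it


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%S")


def detect(events):
    """Return a list of alert strings for one host's events."""
    alerts = []
    # Rule 1: non-allowlisted driver load followed by termination of a security process.
    loads = [e for e in events if e["id"] == 6 and e["signer"].lower() not in TRUSTED_SIGNERS]
    kills = [e for e in events if e["id"] == 5 and e["image"].lower() in SECURITY_PROCS]
    for d in loads:
        t0 = _ts(d)
        hits = [k["image"] for k in kills if t0 <= _ts(k) <= t0 + WINDOW]
        if hits:
            alerts.append(f"BYOVD: {d['driver']} signed by '{d['signer']}' loaded, then {', '.join(hits)} terminated")
    # Rule 2: more than one RMM agent started on the same host (persistence stacking).
    rmm = {RMM_PROCS[e["image"].lower()] for e in events if e["id"] == 1 and e["image"].lower() in RMM_PROCS}
    if len(rmm) > 1:
        alerts.append("RMM stacking: " + ", ".join(sorted(rmm)))
    return alerts


# Constructed sample telemetry for one host (driver name and signer are placeholders).
SAMPLE = [
    {"id": 1, "time": "2026-02-10T09:00:00", "image": "ScreenConnect.ClientService.exe"},
    {"id": 6, "time": "2026-02-10T09:05:00", "driver": "HW_PLACEHOLDER.sys", "signer": "Huawei Technologies Co., Ltd."},
    {"id": 5, "time": "2026-02-10T09:05:30", "image": "MsMpEng.exe"},
    {"id": 1, "time": "2026-02-10T09:20:00", "image": "fleetdeck_agent.exe"},
    {"id": 6, "time": "2026-02-10T11:00:00", "driver": "vendor_ok.sys", "signer": "Some Hardware Vendor"},  # no kill follows
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

A lone third-party driver load (the 11:00 event) raises nothing on its own; it is the pairing with a security-process termination inside the window that produces the alert.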
Credential Theft and Lateral Movement
After disabling security defenses, attackers proceed with credential harvesting by extracting sensitive data from system memory. Tools are also used for network reconnaissance and lateral movement, allowing the attackers to expand their access within the environment.
These behaviors indicate that the campaign may be linked to initial access brokers or pre-ransomware operations, where attackers prepare systems for future exploitation or sale of access.
Advanced Evasion Using Crypters
The malware also employs a crypter designed to evade antivirus detection. One technique involves allocating large amounts of system memory, which disrupts analysis by security tools and sandboxes.
This approach makes it harder for defenders to identify malicious behavior during early stages of execution.
Possible Attribution and Threat Evolution
Although the threat actor behind the campaign remains unidentified, evidence suggests links to a Russian-speaking developer based on artifacts found in the attack infrastructure.
Researchers emphasize that this campaign demonstrates how readily available tools can be combined to create highly effective attack chains without requiring advanced custom exploits.