Malware - Tax Search Ads Deliver ScreenConnect Threat
Basically, malicious search ads trick people into installing a remote-access tool, and a driver-based EDR killer then disables their security software.
A new malvertising campaign targets tax document searches, delivering a rogue remote-access installer and an EDR killer that disables security tools. Affected users face serious compromise. Stay informed and protect your devices.
What Happened
A large-scale malvertising campaign has emerged that targets people in the U.S. searching for tax-related documents. Since January 2026 it has been delivering rogue installers for ConnectWise ScreenConnect, a legitimate remote access tool, which hands the attackers an interactive session on the victim's machine. The attackers then deploy an EDR killer named HwAudKiller, which relies on the bring your own vulnerable driver (BYOVD) technique: it loads a validly signed but vulnerable driver and abuses it from kernel context to blind or terminate endpoint detection and response (EDR) products, so the rest of the intrusion runs undetected.
The campaign abuses Google Ads: sponsored results for queries such as "W2 tax form" send users to attacker-controlled sites that serve the rogue ScreenConnect installer. The attackers use commercial cloaking services, which typically fingerprint the visitor's location, browser and referrer, so that security crawlers, sandboxes and researchers see a harmless page while only real victims receive the malicious payload.
Who's Being Targeted
The primary targets are U.S.-based individuals searching for tax documents, many of whom do not treat a sponsored result any differently from an organic one. Because the ads sit at the top of the page and the landing sites are built to look legitimate, the chance of a successful infection is high.
More than 60 malicious ScreenConnect sessions have been linked to this campaign, indicating widespread impact. The operators are not necessarily after the individual victim alone: remote access of this kind may be used as a foothold for ransomware or sold on to other cybercriminals.
Signs of Infection
Users infected with this malware may notice very little, because the whole point of the EDR killer is to silence security software: the most visible symptom is antivirus or EDR protection that is switched off, reporting tampering, or failing to start. HwAudKiller drops and loads a signed but vulnerable third-party kernel driver and abuses it to blind the security tools, so driver-signature enforcement on its own does not stop it. The intrusion may also install additional remote monitoring and management (RMM) tools, such as FleetDeck Agent, to keep persistent access even if the ScreenConnect client is removed.
Indicators of compromise include ScreenConnect or FleetDeck services the user never installed, remote sessions the user did not initiate, real-time protection turned off without an administrative change, and a kernel driver loaded from an unusual location such as a user's temp folder. Anyone who recently clicked a search ad while looking for tax documents should treat any of these signs as a likely infection and isolate the machine.
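The indicators above translate directly into hunt rules. The script below is an added example written for this page, not code from The Hacker News or from any vendor: it runs four rules over Sysmon and Defender event records and escalates a host to "critical" only when it shows both an unapproved remote-access signal and an EDR-tampering signal, which is the chain the report describes. The sample events are constructed, the approved relay host, the FleetDeck executable names, the "h=" launch-parameter format for the ScreenConnect client and the rule thresholds are all assumptions to be replaced with your own environment's values.

```python
import re
from dataclasses import dataclass

# Relay hosts your own ScreenConnect deployment actually uses (assumption; fill in).
APPROVED_SCREENCONNECT_RELAYS = {"support.example-corp.com"}

# RMM agents with no business on this fleet. FleetDeck is named in the report; the
# executable names are assumptions.
UNAUTHORISED_RMM_IMAGES = {"fleetdeck_agent.exe", "fleetdeck_agent_svc.exe"}

# A kernel driver loaded from any of these is suspect regardless of its signature:
# BYOVD abuses a *validly signed* driver, so a signature check alone proves nothing.
USER_WRITABLE_DIRS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

# Microsoft-Windows-Windows Defender/Operational event 5001: real-time protection disabled.
DEFENDER_RTP_DISABLED = 5001


@dataclass(frozen=True)
class Event:
    host: str
    log: str        # "sysmon" or "defender"
    event_id: int
    fields: dict


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


# ScreenConnect clients carry the relay host as "h=<host>" in their launch parameters
# (format assumed from typical installs; adjust if your deployment differs).
_RELAY_RE = re.compile(r"[?&]h=([A-Za-z0-9.-]+)")


def relay_host(cmdline):
    """Return the relay host named in a ScreenConnect client command line, or None."""
    m = _RELAY_RE.search(cmdline)
    return m.group(1).lower() if m else None


def check_event(ev):
    """Map one event to a Finding, or None if it matches no rule."""
    f = ev.fields
    if ev.log == "sysmon" and ev.event_id == 1:          # process creation
        image = f.get("Image", "").rsplit("\\", 1)[-1].lower()
        if image == "screenconnect.clientservice.exe":
            relay = relay_host(f.get("CommandLine", ""))
            if relay not in APPROVED_SCREENCONNECT_RELAYS:
                return Finding(ev.host, "unapproved_screenconnect_relay", f"relay={relay}")
        if image in UNAUTHORISED_RMM_IMAGES:
            return Finding(ev.host, "unauthorised_rmm_agent", image)
    elif ev.log == "sysmon" and ev.event_id == 6:        # driver loaded
        path = f.get("ImageLoaded", "").lower()
        if any(d in path for d in USER_WRITABLE_DIRS):
            return Finding(ev.host, "driver_loaded_from_user_path", path)
    elif ev.log == "defender" and ev.event_id == DEFENDER_RTP_DISABLED:
        return Finding(ev.host, "defender_realtime_disabled", "real-time protection off")
    return None


def triage(events):
    """Run every event through the rules and keep the hits."""
    return [fnd for fnd in map(check_event, events) if fnd is not None]


REMOTE_ACCESS_RULES = {"unapproved_screenconnect_relay", "unauthorised_rmm_agent"}
EDR_TAMPER_RULES = {"driver_loaded_from_user_path", "defender_realtime_disabled"}


def host_verdicts(findings):
    """'critical' when a host shows both unapproved remote access and EDR tampering,
    'suspicious' when it shows only one side of that chain."""
    rules_by_host = {}
    for fnd in findings:
        rules_by_host.setdefault(fnd.host, set()).add(fnd.rule)
    return {
        host: "critical" if rules & REMOTE_ACCESS_RULES and rules & EDR_TAMPER_RULES else "suspicious"
        for host, rules in rules_by_host.items()
    }


# Constructed sample telemetry (not real logs): WS-TAX01 shows the full chain, WS-TAX02 is benign.
SAMPLE_EVENTS = [
    Event("WS-TAX01", "sysmon", 1, {
        "Image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
        "CommandLine": '"ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=relay.tax-forms-assumed.example&p=443"'}),
    Event("WS-TAX01", "sysmon", 6, {
        "ImageLoaded": r"C:\Users\jane\AppData\Local\Temp\placeholder_vuln.sys", "Signed": "true"}),
    Event("WS-TAX01", "defender", 5001, {}),
    Event("WS-TAX01", "sysmon", 1, {
        "Image": r"C:\ProgramData\FleetDeck\fleetdeck_agent.exe", "CommandLine": "fleetdeck_agent.exe"}),
    Event("WS-TAX02", "sysmon", 1, {
        "Image": r"C:\Program Files (x86)\ScreenConnect Client (d4e5f6)\ScreenConnect.ClientService.exe",
        "CommandLine": '"ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=support.example-corp.com&p=443"'}),
    Event("WS-TAX02", "sysmon", 6, {
        "ImageLoaded": r"C:\Windows\System32\drivers\HDAudBus.sys", "Signed": "true"}),
]

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for fnd in hits:
        print(f"{fnd.host}: {fnd.rule} {fnd.detail}")
    print(host_verdicts(hits))
```

Note that the driver rule deliberately ignores the "Signed" field: the whole point of BYOVD is that the abused driver carries a valid signature, so the useful signal is where it was loaded from, not whether it was signed. The benign host WS-TAX02 produces no finding, because its ScreenConnect client points at the approved relay and its driver loads from the system drivers directory.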
How to Protect Yourself
To guard against this campaign, treat sponsored search results with suspicion. Tax forms are documents, not software: no legitimate W-2 or other IRS form requires installing a remote-access client, so an installer offered during a tax-document search is a red flag by itself. Reach the IRS or your employer's portal by typing the address directly rather than clicking an ad, and keep antivirus and firewall software up to date, bearing in mind that the ScreenConnect installer itself is legitimate signed software and may not be flagged as malware.
Keep software and operating systems updated to close vulnerabilities attackers might exploit, and consider an ad blocker, which hides most sponsored results. On managed Windows fleets, enable Microsoft's vulnerable driver blocklist and restrict which remote-access and RMM tools may run, since the EDR killer depends on loading a known-vulnerable driver and the attackers' foothold depends on an unapproved RMM client. Finally, understanding how these campaigns work lets users make safer choices online.
The Hacker News