Malware - Tax Search Leads to Kernel-Mode AV/EDR Kill
In short: attackers trick people searching for tax forms into downloading a rogue remote-access installer, and the malware it drops then disables the victim's antivirus and EDR tools from kernel mode.
A new malvertising campaign exploits tax season searches to deliver malware that disables antivirus tools. Targeting U.S. users, this attack risks credential theft and system compromise. Stay vigilant and verify sources before downloading any files.
What Happened
As tax season approaches, many individuals search for forms such as the W-2 and W-9. Threat actors have exploited this urgency with a malvertising campaign that uses Google Ads to place malicious links at the top of tax-related search results. The Huntress Tactical Response team discovered the campaign, which has been active since January 2026. Users who click the ads are redirected to convincing fake landing pages that deliver rogue installers for ScreenConnect, a legitimate remote-access tool abused here to give the attacker an interactive session on the victim's machine. The attack chain is built to slip past ad review and security scanning and to hand the attacker unauthorized access to the victim's system.
The campaign uses two layers of cloaking so that security scanners and ad reviewers see a harmless page while real victims are served the malicious payload. The final stage abuses a previously undocumented Huawei audio driver to kill security processes from kernel mode, a bring-your-own-vulnerable-driver (BYOVD) technique that blinds antivirus and endpoint detection and response (EDR) tools because user-mode protections cannot stop a kernel driver from terminating them. Once the security stack is down, the attacker can carry out further actions without generating alerts.
Who's Being Targeted
The primary targets are U.S.-based individuals searching for tax forms, including employees, freelancers, contractors, and small businesses. The tax-form lure is effective because many users are under time pressure and do not scrutinize search results closely. Huntress reported more than 60 rogue ScreenConnect sessions linked to this campaign, indicating a significant number of victims who took the bait.
Beyond the tax-themed lures, an exposed web directory belonging to the threat actor revealed additional material, including a fake Chrome update page. This suggests the attackers are not limited to tax-related scams but operate a broader social engineering toolkit aimed at a wider range of victims.
Signs of Infection
Victims may notice several signs of infection. A user who ran a rogue ScreenConnect installer may see unusual system behavior, such as a remote-access session they did not start, a new "ScreenConnect Client" service they did not install, or the sudden unavailability of security tools like Windows Defender or Kaspersky. Once the attacker has an interactive session and the security stack is down, the payload can be used for credential dumping and lateral movement across the network, compromising further systems and data. Note that because the EDR is killed from kernel mode, the EDR itself will not raise the alert; a host that abruptly stops reporting telemetry while still online is a signal worth chasing in its own right.
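The following host-triage script is an added example, not code from the Huntress write-up, that checks for the three signs described above: an installed ScreenConnect client, a Defender service that no longer answers, and a running kernel driver signed by a vendor that has no business on the host. The ScreenConnect service naming and ImagePath format, and the choice of "Huawei" as the signer string to flag, are assumptions drawn from the article's description rather than indicators published with it.

```powershell
# Added triage example (not from the original report). Assumptions: ScreenConnect clients
# register as "ScreenConnect Client (<hash>)" with a "h=<relay>" query parameter in the
# ImagePath, and the abused driver carries a Huawei Authenticode signer.
#Requires -RunAsAdministrator

function Get-ScreenConnectClients {
    # Enumerate services that look like a ScreenConnect client and extract the relay host
    # the client phones home to, so it can be compared with any legitimate deployment.
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -like 'ScreenConnect Client*' -or
                       $_.PathName -match 'ScreenConnect\.ClientService\.exe' } |
        ForEach-Object {
            $relay = if ($_.PathName -match 'h=([^&"\s]+)') { $Matches[1] } else { 'unknown' }
            [pscustomobject]@{ Service = $_.Name; State = $_.State; Relay = $relay; Path = $_.PathName }
        }
}

function Get-RecentScreenConnectInstalls {
    param([int]$Days = 30)
    # Service Control Manager event 7045 records every new service install, so a client
    # dropped by the rogue installer leaves a trace even if it was removed afterwards.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'ScreenConnect' } |
        Select-Object TimeCreated, Message
}

function Test-DefenderHealth {
    # If a kernel-mode kill took Defender down, its WMI provider is gone too and
    # Get-MpComputerStatus throws. Treat that failure as a finding, not a script error
    # (a third-party AV that replaced Defender can produce the same result; confirm manually).
    try {
        $s = Get-MpComputerStatus -ErrorAction Stop
        [pscustomobject]@{ Reachable = $true; RealTimeProtection = $s.RealTimeProtectionEnabled; Mode = $s.AMRunningMode }
    } catch {
        [pscustomobject]@{ Reachable = $false; RealTimeProtection = $false; Mode = 'unavailable' }
    }
}

function Get-FlaggedLoadedDrivers {
    param([string[]]$SignerPatterns = @('Huawei'))
    # A BYOVD kill needs the abused driver loaded, so walk the running kernel drivers and
    # report those whose Authenticode signer matches a vendor pattern. Catalog-signed inbox
    # drivers show Status NotSigned here; only the signer subject is used for flagging.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig     = Get-AuthenticodeSignature -FilePath $path
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            foreach ($pattern in $SignerPatterns) {
                if ($subject -match $pattern) {
                    [pscustomobject]@{ Driver = $_.Name; Path = $path; Signer = $subject; SigStatus = $sig.Status }
                }
            }
        }
}

# Run all checks and print a summary
$clients  = @(Get-ScreenConnectClients)
$installs = @(Get-RecentScreenConnectInstalls)
$defender = Test-DefenderHealth
$drivers  = @(Get-FlaggedLoadedDrivers)

"ScreenConnect client services present: $($clients.Count)"
$clients | Format-Table -AutoSize
"ScreenConnect service installs in the last 30 days (event 7045): $($installs.Count)"
$installs | Format-Table -AutoSize
"Defender reachable=$($defender.Reachable) realtime=$($defender.RealTimeProtection) mode=$($defender.Mode)"
"Running drivers with a flagged signer: $($drivers.Count)"
$drivers | Format-Table -AutoSize
```

On a host that has no sanctioned ScreenConnect deployment, any client service is the finding; in an organization that uses ScreenConnect legitimately, compare the extracted relay host against the known instance. A Defender status that cannot be read on a machine that is otherwise up should be escalated rather than retried, since that is the expected outcome of the kernel-mode kill the article describes.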
Additionally, if users encounter pop-ups or prompts urging them to update their software, especially from unknown sources, they should be cautious. The fake Chrome update lure is particularly deceptive, as it instructs victims to download and execute harmful files under the guise of a necessary update.
How to Protect Yourself
To safeguard against such attacks, users should be cautious with links from search results, especially sponsored results, and should download tax forms only from the issuing agency's own site. Verify the legitimacy of a website before downloading any file, and treat any installer for a remote-access tool you did not ask for as hostile. Reputable, up-to-date antivirus still matters, but this campaign specifically kills security tools from kernel mode, so it should not be the only control: organizations should block unapproved remote-access tools such as ScreenConnect with application control, and enable Microsoft's vulnerable driver blocklist so that known-abusable signed drivers cannot be loaded in the first place.
Furthermore, enabling multi-factor authentication (MFA) on accounts can add an extra layer of security. Users should also regularly monitor their accounts for suspicious activity, particularly if they have recently searched for tax-related documents. Being aware of the tactics used by threat actors can empower individuals to protect themselves against these evolving threats.
Source: Huntress Blog