Malvertising Campaign - Tax Ads Lead to EDR Killer Deployment
Basically, bad ads trick people into installing harmful software during tax season.
A new malvertising campaign is exploiting tax season to deploy an EDR killer. Targeting U.S. taxpayers, this attack uses fake Google Ads to bypass security tools. Stay vigilant and only download forms from trusted sources.
What Happened
Every April, millions of Americans scramble to file their taxes, and cybercriminals are ready to exploit this urgency. A large-scale malvertising campaign has been active since January 2026, using fake tax form pages advertised through Google Ads. Victims searching for W-2 and W-9 documents are led to rogue landing pages that mimic legitimate IRS compliance portals. Once users click on these ads, they are redirected to malicious sites that ultimately deploy a kernel-mode EDR killer on their machines.
The attack begins innocently enough. A victim types "W2 tax form" into Google, clicks on a sponsored link, and ends up at anukitax[.]com, which redirects them to bringetax[.]com. Here, they unknowingly download a rogue ScreenConnect installer named form_w9.msi. ScreenConnect is a legitimate remote management tool, which makes it easier for attackers to gain access without raising suspicion.
Who's Being Targeted
This campaign primarily targets U.S. individuals, including employees, freelancers, and small business owners, who are actively searching for tax documents. The attackers are banking on the rush to file taxes, knowing that many will be less cautious during this busy season. Huntress researchers identified the campaign while conducting retrospective threat hunting, tracing over 60 rogue ScreenConnect sessions across their customer base.
Once attackers gain access through ScreenConnect, they can execute a multi-stage operation that blinds endpoint security tools. The ultimate goal appears to be either deploying ransomware or selling initial access to other malicious actors. This organized operation is not a standalone attack; it runs multiple social engineering fronts simultaneously.
Signs of Infection
Once inside the target machine, attackers deploy a multi-stage crypter called FatMalloc. This crypter uses a clever trick to evade detection by allocating large amounts of memory, which causes antivirus emulators to time out. If the security checks pass, FatMalloc executes its shellcode indirectly, making it difficult for security tools to monitor the process.
The final payload, known as HwAudKiller, uses a previously undocumented Huawei audio driver to terminate security processes like Windows Defender and Kaspersky from kernel mode. By bypassing user-mode protections, attackers can harvest credentials and run commands across the network, a behavior consistent with pre-ransomware tactics.
How to Protect Yourself
To stay safe, users should download tax forms only from IRS.gov and be cautious of sponsored search results for government documents. IT teams should allowlist approved remote management tools and flag any ScreenConnect instance that is not on that list. Monitoring Sysmon Event ID 6 (driver loaded) and Windows System Event ID 7045 (new service installed) can help detect kernel drivers being loaded or registered from temporary directories. Any unsigned binary executed from ScreenConnect’s working path should be investigated immediately.
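The detection advice above, as an added example that is not from the article or from Huntress: a small triage routine that runs over Sysmon Event ID 6 and System Event ID 7045 records (represented here as already-parsed dictionaries) and flags kernel drivers loaded or registered from temporary or ScreenConnect directories, plus unsigned driver images. The sample events, driver names and the ScreenConnect working path are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Directories from which a legitimate kernel driver is rarely loaded. The ScreenConnect
# working path is an assumed example, not a value from the article.
SUSPICIOUS_PATH_PATTERNS = [
    re.compile(r"\\Windows\\Temp\\", re.IGNORECASE),
    re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE),
    re.compile(r"\\ScreenConnect\\", re.IGNORECASE),
]

def is_suspicious_path(path: str) -> bool:
    """True if the image path sits under a temporary or ScreenConnect directory."""
    return any(p.search(path) for p in SUSPICIOUS_PATH_PATTERNS)

def check_driver_event(event: Dict[str, object]) -> List[str]:
    """Reasons this Sysmon ID 6 (DriverLoad) or System ID 7045 (service installed)
    event warrants investigation; an empty list means nothing was flagged."""
    reasons: List[str] = []
    source, eid = event.get("source"), event.get("event_id")
    if source == "Sysmon" and eid == 6:
        path = str(event.get("ImageLoaded", ""))
        if is_suspicious_path(path):
            reasons.append(f"kernel driver loaded from temporary path: {path}")
        if str(event.get("Signed", "")).lower() != "true":
            reasons.append(f"kernel driver image is unsigned: {path}")
    elif source == "System" and eid == 7045:
        # Only driver services matter here; user-mode services are a separate hunt.
        if str(event.get("ServiceType", "")).lower() == "kernel mode driver":
            path = str(event.get("ImagePath", ""))
            if is_suspicious_path(path):
                reasons.append(f"driver service installed from temporary path: {path}")
    return reasons

def triage(events: List[Dict[str, object]]) -> List[Tuple[str, List[str]]]:
    """Run every event through the checks and keep only those with findings."""
    return [(str(ev["id"]), r) for ev in events if (r := check_driver_event(ev))]

# Constructed sample events; the driver names and paths are illustrative only.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": "ev1", "source": "Sysmon", "event_id": 6, "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\drivers\HdAudio.sys"},
    {"id": "ev2", "source": "Sysmon", "event_id": 6, "Signed": "true",
     "ImageLoaded": r"C:\Windows\Temp\ScreenConnect\example\audiodrv.sys"},
    {"id": "ev3", "source": "System", "event_id": 7045, "ServiceType": "kernel mode driver",
     "ImagePath": r"C:\Users\user\AppData\Local\Temp\audiodrv.sys"},
    {"id": "ev4", "source": "System", "event_id": 7045, "ServiceType": "user mode service",
     "ImagePath": r"C:\Windows\Temp\svc.exe"},
]
```

In a real deployment the dictionaries would come from a SIEM or from parsing the Windows event XML; the signature check here uses Sysmon's own `Signed` field rather than re-verifying Authenticode.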
By understanding the tactics used in this campaign, individuals and organizations can better protect themselves from falling victim to these sophisticated attacks. Cybersecurity awareness is crucial, especially during high-stakes periods like tax season.
Cyber Security News