How a Tax Search Leads to Kernel-Mode AV/EDR Kill
Essential information
- Published
- 19/03/2026 23:58
- Modified
- 20/03/2026 08:16
- Tags
- 2026-03-19 byovd cloaking edr evasion fatmalloc google ads hwaudkiller kernel driver malvertising screenconnect tax lure
- Related entities
- 12 observables, 14 techniques (mitre), 2 malware, 10 others
Description
A large-scale malvertising campaign targeting U.S. tax form searchers has been uncovered. The attack chain begins with Google Ads, using dual commercial cloaking services to evade detection. Victims are directed to rogue ScreenConnect installers, leading to a multi-stage crypter that ultimately deploys a BYOVD (Bring Your Own Vulnerable Driver) tool. This tool, named HwAudKiller, exploits a previously undocumented Huawei audio driver to terminate antivirus and EDR processes from kernel mode. The campaign's sophistication lies in its use of commodity tools and services, combining free-tier ScreenConnect instances, off-the-shelf crypters, and a signed driver with an exploitable weakness. The attackers consistently deploy multiple remote access tools on compromised hosts for redundancy, indicating a likely pre-ransomware or initial access broker operation.