Tax Search Ads Deliver ScreenConnect Malware Using Huawei Driver to Disable EDR

by Chief Editor

Tax Season Scams Evolve: How Attackers Are Blinding Your Security Software

As the tax filing deadline approaches, a sophisticated malvertising campaign is leveraging Google Ads to deliver malware, and it’s not just phishing anymore. This campaign, active since January 2026, targets individuals searching for tax documents, using a multi-layered attack that bypasses traditional security measures. The core of the threat? Rogue installers for ConnectWise ScreenConnect, coupled with a novel technique to disable endpoint detection and response (EDR) systems.

The Attack Chain: From Search to System Compromise

The attack begins innocently enough: a user searches for common tax forms like W-2 or W-9 on Google. Sponsored search results lead to deceptive websites, such as bringetax[.]com/humu/, designed to deliver a malicious ScreenConnect installer. But this isn’t a simple download. The attackers are employing advanced tactics to evade detection.

First, the landing pages utilize dual commercial cloaking services – Adspect and JustCloakIt – to present a benign page to security scanners and ad review systems. Only actual visitors see the malicious payload. This layered approach significantly increases the chances of bypassing initial security checks. Adspect uses client-side JavaScript fingerprinting, while JustCloakIt operates server-side, and the two together form a robust filtering system.

Once the ScreenConnect installer is downloaded, the attackers gain hands-on-keyboard access through ScreenConnect trial instances. They then deploy multiple instances of ScreenConnect, and even backup Remote Monitoring and Management (RMM) tools like FleetDeck Agent, to ensure persistent access.

BYOVD: The Latest EDR Killer

What truly sets this campaign apart is the use of a “bring your own vulnerable driver” (BYOVD) technique. The attackers are exploiting a signed Huawei kernel driver, “HWAuidoOs2Ec.sys,” designed for laptop audio hardware. This legitimate driver is abused to terminate processes associated with Microsoft Defender, Kaspersky, and SentinelOne directly from kernel mode, effectively blinding security tools.

Because the driver is legitimately signed by Huawei, Windows loads it without complaint, even with Driver Signature Enforcement enabled. This bypasses a critical security layer, allowing the malware to operate undetected. A multi-stage crypter, allocating and freeing 2GB of memory, further evades antivirus detection by overwhelming system resources.

Beyond Tax Forms: A Broader Toolkit?

While the initial lure focuses on tax-related searches, evidence suggests a broader social engineering toolkit. An exposed directory revealed a fake Chrome update page with JavaScript comments in Russian, hinting at a Russian-speaking developer and the potential for wider-scale attacks. This suggests the tax-themed campaign may be just one facet of a larger operation.

What Does This Mean for the Future of Cybersecurity?

This campaign highlights a worrying trend: the increasing sophistication of attacks leveraging readily available tools. Attackers are no longer reliant on custom exploits or nation-state capabilities. They are combining commercial cloaking services, free-tier software, and vulnerabilities in legitimate drivers to create highly effective kill chains.

The use of BYOVD techniques is particularly concerning. It demonstrates a shift towards exploiting trusted components to bypass security measures. This will likely lead to increased scrutiny of driver signing practices and a greater emphasis on kernel-level security.

The rapid stacking of multiple remote access tools – multiple ScreenConnect instances and backup RMM tools – underscores the importance of comprehensive threat hunting and detection capabilities. Organizations need to be able to identify and respond to these types of persistent access attempts.

FAQ

Q: What is ScreenConnect?
A: ScreenConnect (ConnectWise Control) is a legitimate remote support software tool used by IT professionals. However, attackers are abusing it to gain unauthorized access to systems.

Q: What is BYOVD?
A: BYOVD stands for “bring your own vulnerable driver.” It’s a technique where attackers exploit vulnerabilities in legitimate, signed drivers to bypass security measures.

Q: How can I protect myself from this campaign?
A: Be cautious of sponsored search results, especially when searching for sensitive documents. Ensure your security software is up-to-date and consider implementing kernel-level security monitoring.

Q: Is this attack limited to the United States?
A: The campaign is currently targeting U.S.-based individuals, but the techniques used could be adapted for use in other regions.

Did you know? The attackers are using a Huawei driver to disable security software, highlighting the potential risks associated with even trusted software components.

Pro Tip: Regularly audit your systems for unauthorized remote access tools and monitor for unusual driver activity.
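The two host-side traces the article describes, a Huawei audio driver registered on hardware Huawei did not build and several remote-access services stacked on one machine, can be hunted for with the following PowerShell script. It is an added example, not the article's or any vendor's code; the driver file name and FleetDeck come from the article, while the service display-name fragments ("ScreenConnect Client", "FleetDeck") are assumptions about install conventions. Because the driver is validly signed, signature status alone is not the signal; the mismatch between signer and hardware vendor is.

```powershell
# Added hunting script, not part of the article. Only HWAuidoOs2Ec.sys and FleetDeck
# come from the article; the service-name fragments are assumed install conventions.
$knownAbusedDrivers = @('HWAuidoOs2Ec.sys')
$rmmNameFragments   = @('ScreenConnect Client', 'FleetDeck')   # assumed display-name fragments

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver reports paths as \??\C:\..., \SystemRoot\..., or System32\...
    $p = $PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$findings = @()
$vendor   = (Get-CimInstance Win32_ComputerSystem).Manufacturer

# 1. Kernel drivers: exact match on the reported file name, then the more general
#    check for a Huawei-signed driver on a machine Huawei did not manufacture.
foreach ($drv in Get-CimInstance Win32_SystemDriver) {
    if (-not $drv.PathName) { continue }
    $path = Resolve-DriverPath $drv.PathName
    $file = [IO.Path]::GetFileName($path)
    if ($knownAbusedDrivers -contains $file) {
        $findings += "Known-abused driver registered: $file (state=$($drv.State), start=$($drv.StartMode))"
        continue
    }
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $signer = (Get-AuthenticodeSignature -FilePath $path).SignerCertificate.Subject
    if ($signer -match 'Huawei' -and $vendor -notmatch 'Huawei') {
        $findings += "Huawei-signed driver on $vendor hardware: $file ($signer)"
    }
}

# 2. Remote-access tooling: one ScreenConnect client may be sanctioned support;
#    several, or ScreenConnect plus a backup RMM agent, matches the stacking described.
$rmm = @(Get-Service | Where-Object {
    $name = "$($_.Name) $($_.DisplayName)"
    @($rmmNameFragments | Where-Object { $name -like "*$_*" }).Count -gt 0
})
if ($rmm.Count -gt 1) {
    $findings += "Multiple remote-access services: $(($rmm.DisplayName) -join '; ')"
} elseif ($rmm.Count -eq 1) {
    $findings += "Remote-access service present, verify it is sanctioned: $($rmm[0].DisplayName)"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "No driver or remote-access findings on $env:COMPUTERNAME" }
```

Run it from an elevated prompt so every driver binary is readable; a hit on the signer check is a lead to verify against the machine's hardware inventory, not a verdict on its own.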
