thehackernews.com 3/24/2026, 6:24:56 PM

Tax Search Ads Deliver ScreenConnect Malware Using Huawei Driver to Disable EDR

A large-scale malvertising campaign active since January 2026 has been observed targeting U.S.-based individuals searching for tax-related documents to deliver rogue installers for ConnectWise ScreenConnect that drop a tool named HwAudKiller to blind security programs using the BYOVD technique, according to Huntress researcher Anna Pham.

The campaign abuses Google Ads to serve rogue ScreenConnect installers, and the threat actor reportedly used a signed Huawei kernel driver named HWAuidoOs2Ec[.]sys to terminate security processes from kernel mode, bypassing Driver Signature Enforcement. Huntress notes the attacker’s objectives are not fully clear, but the activity aligns with pre-ransomware or initial access broker behaviour, and could lead to ransomware deployment or monetisation via selling access.
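The defensive check a practitioner would want after the paragraph above is a hunt over driver-load telemetry for the BYOVD pattern it describes. The following is an added example, not code from Huntress or The Hacker News: it parses the message text of Sysmon Event ID 6 (DriverLoad) records and flags a load when the driver name matches the one reported in the article, when the driver loads from outside the normal driver directories, or when its signature is missing or invalid. The sample events, the signer string and the SHA256 value are constructed placeholders. Note the caveat built into the logic: the driver in this campaign is validly signed, so a signature check alone would clear it; the name and path rules are what catch it.

```python
"""Hunt Sysmon Event ID 6 (DriverLoad) records for BYOVD indicators.

Added example for illustration only; not from the original article, Huntress,
or Sysmon's own tooling. The driver file name is the one reported in the
article; every other value in the samples below is constructed.
"""
import ntpath
import re
from dataclasses import dataclass

# Driver file names reported as abused to kill security processes from kernel
# mode. Only the name from the article is listed; extend from your own intel.
KNOWN_ABUSED_DRIVERS = {"hwauidoos2ec.sys"}

# Directories from which legitimately installed drivers normally load. A load
# from a user profile, temp folder or RMM working directory deserves a look.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers",
    "c:\\windows\\system32\\driverstore",
)

# Sysmon writes the event message as "Field: value" lines.
FIELD_RE = re.compile(r"^\s*([A-Za-z]+):\s*(.*?)\s*$")


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    signature: str
    signature_status: str


def parse_driver_load(event_text: str) -> DriverLoad:
    """Turn the message text of one Sysmon DriverLoad event into a record."""
    fields = {}
    for line in event_text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    # Hashes look like "SHA256=...,MD5=..."; keep them keyed by algorithm.
    hashes = dict(h.split("=", 1) for h in fields.get("Hashes", "").split(",") if "=" in h)
    return DriverLoad(
        image=fields.get("ImageLoaded", ""),
        sha256=hashes.get("SHA256", "").lower(),
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
        signature_status=fields.get("SignatureStatus", ""),
    )


def triage(load: DriverLoad) -> list:
    """Return the reasons a driver load is suspicious (empty list = nothing found)."""
    findings = []
    name = ntpath.basename(load.image).lower()
    if name in KNOWN_ABUSED_DRIVERS:
        findings.append("known-abused driver name")
    directory = ntpath.dirname(load.image).lower()
    if not any(directory == d or directory.startswith(d + "\\") for d in EXPECTED_DRIVER_DIRS):
        findings.append("loaded from non-standard path")
    # A valid signature does NOT clear a driver: BYOVD relies on legitimately
    # signed drivers, so this rule only adds signal, it never removes it.
    if not load.signed or load.signature_status.lower() != "valid":
        findings.append("unsigned or invalid signature")
    return findings


def hunt(events: list) -> list:
    """Return (image path, findings) for every event that produced a finding."""
    results = []
    for text in events:
        load = parse_driver_load(text)
        findings = triage(load)
        if findings:
            results.append((load.image, findings))
    return results


# Constructed sample events: one routine Windows driver load and one load of
# the reported driver name from a user-writable directory. The hash is a
# placeholder, not the real file's hash.
SAMPLE_EVENTS = [
    "Driver loaded:\n"
    "RuleName: -\n"
    "UtcTime: 2026-03-24 18:00:01.000\n"
    "ImageLoaded: C:\\Windows\\System32\\drivers\\ndis.sys\n"
    "Hashes: SHA256=" + "11" * 32 + "\n"
    "Signed: true\n"
    "Signature: Microsoft Windows\n"
    "SignatureStatus: Valid\n",
    "Driver loaded:\n"
    "RuleName: -\n"
    "UtcTime: 2026-03-24 18:05:42.000\n"
    "ImageLoaded: C:\\Users\\Public\\HWAuidoOs2Ec.sys\n"
    "Hashes: SHA256=" + "00" * 32 + "\n"
    "Signed: true\n"
    "Signature: PLACEHOLDER-VENDOR-SIGNER\n"
    "SignatureStatus: Valid\n",
]

if __name__ == "__main__":
    for image, findings in hunt(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(findings)}")
```

On a real estate the input would come from the Sysmon operational log (or the EDR's equivalent driver-load telemetry), and a hit should be correlated with the process that created the driver file, which in this campaign would be the rogue ScreenConnect session rather than a driver installer.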

The landing pages employ a two-layer cloaking setup with Adspect and JustCloakIt, while the raw page's traffic is routed through a PHP-based Traffic Distribution System that presents a benign page to scanners but delivers the payload to victims. Researchers have counted over 60 malicious ScreenConnect sessions tied to the campaign and observed the use of additional RMM tools such as FleetDeck Agent for persistence and redundancy.

The HwAudKiller crypter also allocates 2GB of memory to confuse antivirus engines and emulators, and the campaign stacks multiple rogue ScreenConnect instances on compromised hosts.


Article by CyberSIXT