A large-scale malvertising campaign is abusing tax-season urgency to deploy a kernel-mode EDR killer through malicious sponsored search results. The operation uses fake tax form pages to trick users into installing remote access software, ultimately disabling security defenses and preparing systems for follow-on attacks. 
Researchers at Huntress traced the campaign to rogue ads targeting users searching for W-2 and W-9 forms.
How the Attack Starts
The infection chain begins with a search on Google for tax forms. Sponsored ads redirect victims to fake compliance portals mimicking official documentation pages.
Initial Infection Flow
- User searches for W-2 or W-9 forms
- Sponsored ad leads to malicious domain
- Redirect to fake tax form download page
- Download of rogue ScreenConnect installer
- Remote access established
The attacker distributes a malicious installer disguised as a tax form download.
Abuse of Legitimate Remote Tool
The campaign leverages ScreenConnect, a legitimate remote management tool, to gain hands-on-keyboard access.
Because the software is trusted, victims install it without suspicion, allowing attackers to:
- Take full remote control
- Execute commands
- Deploy additional payloads
- Maintain persistence
Multi-Stage Payload Deployment
After access is established, attackers deploy layered malware.
Payload Stack
- FatMalloc crypter
- Backup remote tools
- HwAudKiller EDR killer
- Credential dumping utilities
This multi-stage approach ensures defense evasion and persistence.
BYOVD EDR Killer
The final payload, HwAudKiller, uses a signed driver from Huawei to terminate security tools from kernel mode.
Targeted Security Tools
- Microsoft Defender
- Kaspersky
- SentinelOne
By operating in kernel mode, the malware bypasses user-mode protections entirely.
Inside the FatMalloc Crypter
FatMalloc uses multiple evasion techniques.
Evasion Techniques
- Allocates 2 GB of memory to break sandbox analysis
- Uses multimedia timer callbacks for execution
- Avoids detections keyed on direct thread creation
- XOR decrypts payload in memory
- Decompresses final payload
These tactics make detection significantly harder.
Kernel Driver Abuse
The EDR killer drops a signed driver and registers it as a system service.
Driver Capabilities
- Kernel-level process termination
- Continuous monitoring of running processes
- Rapid killing of security tools
- IOCTL-based communication
This technique is known as Bring Your Own Vulnerable Driver (BYOVD).
Post-Exploitation Activity
Once defenses are disabled, attackers perform credential harvesting.
Observed Actions
- LSASS credential dumping
- Network enumeration
- Account harvesting
- Lateral movement preparation
These behaviors align with pre-ransomware activity.
Additional Campaign Infrastructure
Researchers discovered:
- Fake Chrome update pages
- Russian-language code comments
- Shared payload infrastructure
- Multiple social engineering lures
These findings indicate a coordinated operation.
Risk Impact Analysis
| Risk Area | Impact |
|---|---|
| Endpoint Security | EDR disabled |
| Credentials | LSASS dumping |
| Access | Full remote control |
| Network | Lateral movement |
| Threat Outcome | Ransomware staging |
Detection Indicators
Security teams should monitor for:
- Unexpected ScreenConnect sessions
- Kernel driver creation in TEMP directories
- Suspicious RMM tool installations
- LSASS access attempts
- Multiple remote relay instances
Mitigation Recommendations
User-Level Protection
- Download tax forms only from official sources
- Avoid sponsored search results
- Verify domains before downloading
- Be cautious during tax season
IT Security Controls
- Allowlist approved RMM tools
- Block unauthorized remote software
- Monitor driver installation events
- Enable kernel driver logging
- Alert on ScreenConnect trial instances
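One way to turn the driver indicators above (kernel driver creation in TEMP directories, monitoring driver installation events) into a concrete check, as an added example that is not from Huntress or the original article: a small Python scanner over constructed records shaped like Windows System event 7045 (new service installed) and Sysmon event 6 (driver loaded). The event field names follow those schemas; the sample records, service name and driver file names are constructed placeholders, not indicators from the campaign.

```python
from pathlib import PureWindowsPath

# Constructed sample telemetry shaped like Windows System event 7045 (Service Control
# Manager: new service installed) and Sysmon event 6 (driver loaded). The service and
# driver file names are placeholders, not indicators from the campaign.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "WinDefend", "ServiceType": "user mode service",
     "ImagePath": r'"C:\Program Files\Windows Defender\MsMpEng.exe"'},
    {"EventID": 7045, "ServiceName": "svc_placeholder", "ServiceType": "kernel mode driver",
     "ImagePath": r"\??\C:\Users\alice\AppData\Local\Temp\driver_placeholder.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\driver_placeholder.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def normalize_path(raw: str) -> PureWindowsPath:
    """Strip surrounding quotes and the NT-style prefix (\\??\\ or \\\\?\\) seen in 7045 ImagePath."""
    path = raw.strip().strip('"')
    if path.startswith(("\\??\\", "\\\\?\\")):
        path = path[4:]
    return PureWindowsPath(path)


def in_temp_directory(raw_path: str) -> bool:
    """True when any directory component (not the file name) is 'Temp'.

    Covers C:\\Windows\\Temp, C:\\Users\\<user>\\AppData\\Local\\Temp and C:\\Temp.
    """
    parts = [p.lower() for p in normalize_path(raw_path).parts[:-1]]
    return "temp" in parts


def find_driver_from_temp(events):
    """Return (EventID, path, reason) for driver activity rooted in a TEMP directory.

    A valid signature is deliberately ignored: BYOVD drivers are legitimately signed,
    so the load location and service registration are the signal, not the signer.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") == 7045 and "driver" in ev.get("ServiceType", "").lower():
            if in_temp_directory(ev["ImagePath"]):
                hits.append((7045, ev["ImagePath"],
                             f"kernel driver service {ev['ServiceName']!r} registered from TEMP"))
        elif ev.get("EventID") == 6 and in_temp_directory(ev.get("ImageLoaded", "")):
            hits.append((6, ev["ImageLoaded"], "kernel driver image loaded from TEMP"))
    return hits


if __name__ == "__main__":
    for hit in find_driver_from_temp(SAMPLE_EVENTS):
        print(*hit, sep=" | ")
```

In production the same logic would read from a SIEM export or the Windows event log rather than the constructed list, and a 7045 hit should be correlated with the preceding ScreenConnect session that dropped the file.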
Key Takeaways
- Tax-themed Google Ads used as lure
- Legitimate remote tool abused
- BYOVD technique disables EDR
- Kernel driver used for process termination
- Pre-ransomware behavior observed
Conclusion
This campaign demonstrates how attackers combine malvertising, social engineering, and BYOVD techniques to bypass modern security defenses. By abusing trusted software and signed drivers, they can disable endpoint protection and prepare systems for ransomware or credential theft.
Organizations should strengthen:
- Remote tool monitoring
- Driver execution controls
- User awareness training
- Behavioral detection
Tax season continues to be a high-risk period for targeted malware campaigns.