
"The campaign abuses Google Ads to serve rogue ScreenConnect (ConnectWise Control) installers, ultimately delivering a BYOVD EDR killer that drops a kernel driver to blind security tools before further compromise," Huntress researcher Anna Pham said.
"Unlike recent campaigns highlighted by Microsoft that leverage tax-themed lures, the newly flagged activity employs commercial cloaking services to avoid detection by security scanners and abuses a previously undocumented Huawei audio driver to disarm security solutions."
"These tactics, per Huntress, align with pre-ransomware or initial access broker behavior, suggesting that the threat actor is looking to either deploy ransomware or monetize the access by selling it to other criminal actors."
A malvertising campaign active since January 2026 has been targeting U.S. individuals searching for tax-related documents. It uses Google Ads to deliver rogue ScreenConnect installers, which in turn deploy a tool named HwAudKiller that disables security products via the bring-your-own-vulnerable-driver (BYOVD) technique. Over 60 malicious ScreenConnect sessions have been identified. The campaign relies on commercial cloaking services to evade security scanners and abuses a previously undocumented Huawei audio driver to disarm security solutions. The end goal remains unclear, but the tactics match pre-ransomware or initial access broker behavior, pointing to either ransomware deployment or resale of the access.
Read at The Hacker News