Tax‑Related Search Ads Serve ConnectWise ScreenConnect Malware that Disables EDR via a Huawei Driver
What Happened — Since January 2026, a malvertising campaign has been using Google Ads to deliver rogue ConnectWise ScreenConnect installers to U.S. users searching for tax‑related documents. The installers drop a tool called HwAudKiller, which loads a vulnerable Huawei driver (a bring‑your‑own‑vulnerable‑driver, or BYOVD, technique) to blind endpoint detection and response (EDR) solutions.
Why It Matters for TPRM
- Attackers exploit trusted advertising platforms, making malicious payloads appear legitimate.
- The BYOVD technique can neutralize security controls on any third‑party remote‑access tool used by vendors.
- Compromise of remote‑support sessions can lead to lateral movement into client environments.
Who Is Affected — Financial services firms, tax‑preparation SaaS providers, and any organization that allows remote support tools (e.g., ConnectWise ScreenConnect) on employee workstations.
Recommended Actions
- Review contracts with remote‑access vendors and verify they enforce driver signing and integrity checks.
- Block the loading of unsigned and known‑vulnerable drivers, and enforce application allowlisting so that BYOVD loader binaries such as HwAudKiller cannot execute on workstations.
- Monitor web traffic that originates from search‑ad click‑throughs for downloads of remote‑access installers, and enforce web‑gateway URL filtering.
Technical Notes — The campaign uses a malvertising vector, delivering a malicious installer via Google Ads. The installer drops the HwAudKiller binary, which loads a vulnerable Huawei USB driver to disable EDR components (a classic BYOVD approach). No CVE is directly cited; the technique relies on a legitimately signed but vulnerable driver, which is what lets it pass driver‑signing enforcement. Source: The Hacker News
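The Recommended Actions and Technical Notes above describe the pattern a defender should look for: a driver load that is either unsigned, signed by a vendor outside the approved set, or on a vulnerable‑driver blocklist, followed shortly afterwards by an EDR service stopping on the same host. The following Python is an added example of that correlation logic, not code from the article or from ConnectWise. It runs over constructed Sysmon‑style records (Event ID 6, driver loaded) and Service Control Manager records (Event ID 7036, service state change) that have been normalized to flat JSON; the field names `ServiceName` and `State`, the service name `EDR-Sensor`, and all hashes and paths are placeholders, not real IoCs from the campaign.

```python
"""Correlate suspicious driver loads with EDR service stops (BYOVD pattern).

Added example. SAMPLE_EVENTS are constructed, not real telemetry; the hash
values, file paths and the EDR service name are placeholders.
"""
from datetime import datetime, timedelta

# Signers whose drivers are considered expected on a managed workstation.
APPROVED_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}
# In production, feed this from a maintained vulnerable-driver blocklist.
VULNERABLE_DRIVER_HASHES = {"PLACEHOLDER_VULN_DRIVER"}
# Placeholder: name of the EDR sensor service whose stop should be correlated.
EDR_SERVICES = {"EDR-Sensor"}
CORRELATION_WINDOW = timedelta(minutes=5)

# Constructed records: one benign Microsoft driver, one blocklisted driver
# followed 21 s later by the EDR service stopping, and one third-party driver
# on another host with no EDR stop.
SAMPLE_EVENTS = [
    {"ts": "2026-02-03T14:01:05", "host": "WS-042", "event_id": 6,
     "ImageLoaded": r"C:\Windows\System32\drivers\mssmbios.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
     "Hashes": "SHA256=PLACEHOLDER_MS_DRIVER"},
    {"ts": "2026-02-03T14:02:10", "host": "WS-042", "event_id": 6,
     "ImageLoaded": r"C:\Users\Public\hwaud.sys",
     "Signature": "Huawei Technologies Co., Ltd.", "SignatureStatus": "Valid",
     "Hashes": "SHA256=PLACEHOLDER_VULN_DRIVER"},
    {"ts": "2026-02-03T14:02:31", "host": "WS-042", "event_id": 7036,
     "ServiceName": "EDR-Sensor", "State": "stopped"},
    {"ts": "2026-02-03T15:10:00", "host": "WS-017", "event_id": 6,
     "ImageLoaded": r"C:\Windows\System32\drivers\rt640x64.sys",
     "Signature": "Realtek Semiconductor Corp.", "SignatureStatus": "Valid",
     "Hashes": "SHA256=PLACEHOLDER_REALTEK"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def sha256_of(event):
    """Extract the SHA256 value from a Sysmon 'Hashes' field ('SHA256=...')."""
    return event.get("Hashes", "").partition("SHA256=")[2]


def driver_risk(event):
    """Return a reason string if a driver-load event is suspicious, else None.

    Order matters: a blocklisted hash is flagged even if the signature is
    valid, because BYOVD abuses drivers that are legitimately signed.
    """
    if event.get("event_id") != 6:
        return None
    if sha256_of(event) in VULNERABLE_DRIVER_HASHES:
        return "hash on vulnerable-driver blocklist"
    if event.get("SignatureStatus") != "Valid":
        return "driver signature not valid"
    if event.get("Signature") not in APPROVED_SIGNERS:
        return "signer not on allowlist: %s" % event.get("Signature")
    return None


def find_byovd_sequences(events):
    """Flag suspicious driver loads; escalate to 'critical' when an EDR service
    on the same host stops within CORRELATION_WINDOW of the load."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    findings = []
    for i, ev in enumerate(events):
        reason = driver_risk(ev)
        if reason is None:
            continue
        t0 = parse_ts(ev["ts"])
        edr_stop = next(
            (f for f in events[i + 1:]
             if f["host"] == ev["host"] and f.get("event_id") == 7036
             and f.get("ServiceName") in EDR_SERVICES
             and f.get("State") == "stopped"
             and parse_ts(f["ts"]) - t0 <= CORRELATION_WINDOW),
            None)
        findings.append({
            "host": ev["host"],
            "driver": ev["ImageLoaded"],
            "reason": reason,
            "severity": "critical" if edr_stop else "review",
            "edr_stop_ts": edr_stop["ts"] if edr_stop else None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_byovd_sequences(SAMPLE_EVENTS):
        print(finding)
```

On the constructed input the Microsoft driver is not flagged, the Realtek driver is returned as `review` (valid signature, signer simply not on the allowlist), and the blocklisted driver is escalated to `critical` because the EDR service stopped 21 seconds after it loaded. The two‑tier output keeps the allowlist check useful without turning every third‑party driver into a high‑severity alert; the blocklist and the EDR‑stop correlation are what carry the signal for the BYOVD case described above.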