Full Report
A large-scale malvertising campaign active since January 2026 has been observed targeting U.S.-based individuals searching for tax-related documents to serve rogue installers for ConnectWise ScreenConnect that drop a tool named HwAudKiller to blind security programs using the bring your own vulnerable driver (BYOVD) technique. "The campaign abuses Google Ads to serve rogue ScreenConnect (
Analysis Summary
# Tool/Technique: HwAudKiller (BYOVD Malvertising Campaign)
## Overview
This is a malvertising-driven campaign targeting U.S. taxpayers searching for tax-related documents. It uses commercial cloaking services to deliver rogue ScreenConnect installers, which in turn deploy a specialized EDR-killing tool named **HwAudKiller**. The tool uses a "Bring Your Own Vulnerable Driver" (BYOVD) technique: it loads a legitimately signed Huawei audio driver, which the kernel accepts as trusted, and abuses that driver's functionality to blind security software from kernel mode.
## Technical Details
- **Type:** Malware (EDR Killer) / Technique (BYOVD)
- **Platform:** Windows
- **Capabilities:** EDR/AV termination, kernel-mode execution, anti-analysis/anti-emulation, persistence via RMM.
- **First Seen:** January 2026
## MITRE ATT&CK Mapping
- **TA0042 - Resource Development**
  - T1583.008 - Acquire Infrastructure: Malvertising (Google Ads "Sponsored" results)
  - T1608.005 - Stage Capabilities: Link Target (cloaked landing pages behind the PHP-based TDS)
- **TA0001 - Initial Access**
  - T1189 - Drive-by Compromise (victim reaches the payload through a malicious ad)
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File (rogue ScreenConnect installer run by the victim)
- **TA0003 - Persistence**
  - T1219 - Remote Access Software (ScreenConnect, FleetDeck)
- **TA0004 - Privilege Escalation**
  - T1068 - Exploitation for Privilege Escalation (vulnerable Huawei driver abused for kernel-mode execution, i.e. BYOVD)
- **TA0005 - Defense Evasion**
  - T1562.001 - Impair Defenses: Disable or Modify Tools (EDR killing)
  - T1027 - Obfuscated Files or Information (multi-stage crypter)
  - T1497 - Virtualization/Sandbox Evasion (2GB memory ballooning to break emulators)
- **TA0006 - Credential Access**
  - T1003.001 - OS Credential Dumping: LSASS Memory
- **TA0007 - Discovery**
  - T1046 - Network Service Discovery (NetExec)
## Functionality
### Core Capabilities
- **EDR/AV Termination:** Specifically targets and blinds Microsoft Defender, Kaspersky, and SentinelOne.
- **Kernel-Mode Operations:** Uses the vulnerable Huawei driver to obtain kernel-mode primitives, so security processes can be terminated from below the user-mode tamper protections that would normally block this.
- **Remote Access:** Establishes persistent control using legitimate RMM tools (ScreenConnect, FleetDeck).
### Advanced Features
- **Stacked Cloaking:** Employs two layers of traffic redirection (JustCloakIt for server-side filtering and Adspect for client-side JavaScript fingerprinting) to hide payloads from security scanners.
- **Anti-Analysis Memory Ballooning:** The crypter allocates 2GB of null-filled memory to crash emulators and sandboxes that cannot handle high resource demands.
- **BYOVD Exploitation:** Leverages `HWAudioOs2Ec.sys`, a legitimate, signed Huawei kernel driver. Because the driver carries a valid signature it loads cleanly under Driver Signature Enforcement (DSE); the attacker then abuses the functionality the driver exposes to gain kernel-level access without needing to defeat DSE itself.
## Indicators of Compromise
- **File Hashes:** Not provided in the source text. Hunt on file name, signer and behavior (below) instead, and take driver hashes from the Microsoft vulnerable driver blocklist or LOLDrivers.
- **File Names:**
- `HWAudioOs2Ec.sys` (Vulnerable Huawei Driver)
- `ScreenConnect.msi` (Rogue installers)
- **Network Indicators:**
- hxxp[://]bringetax[.]com/humu/
- Adspect TDS domains (specific domains not listed in the source text)
- JustCloakIt (JCI) infrastructure (specific domains not listed in the source text)
- **Behavioral Indicators:**
- Sudden termination of `MsMpEng.exe` or other EDR processes.
- Loading of `HWAudioOs2Ec.sys` on systems that are not Huawei laptops.
- Unauthorized LSASS memory access.
- Deployment of FleetDeck or ScreenConnect in environments where they are not standard.
## Associated Threat Actors
- **Status:** Unknown/Unattributed.
- **Activity Profile:** Likely a pre-ransomware group or Initial Access Broker (IAB), based on the use of credential dumping (LSASS) and lateral-movement tooling (NetExec).
## Detection Methods
- **Behavioral Detection:** Monitor driver-load telemetry (for example Sysmon Event ID 6 and kernel-driver service installations) and compare loaded driver names and hashes against known vulnerable driver lists (Microsoft's blocklist, LOLDrivers). Treat a vulnerable driver loaded from a user-writable path, or on hardware that does not ship it, as high priority.
- **Process Monitoring:** Alert on the unexpected termination of security-related services (Defender, SentinelOne).
- **Resource Monitoring:** Identify processes allocating large blocks of memory (2GB+) followed by immediate release (Ballooning technique).
- **Network Defense:** Inspect proxy and DNS logs for redirect chains from sponsored search results through Adspect and JCI infrastructure to the landing page, and for client-side fingerprinting scripts served before the installer download.
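The rules above can be correlated rather than fired one at a time: a vulnerable driver load followed shortly by the death of an EDR process on the same host is a much stronger signal than either event alone. The following is an added example of that correlation, not tooling from the report or from any vendor. It runs over constructed, simplified event records modelled on Sysmon Event IDs 6 (DriverLoad), 5 (ProcessTerminate) and 1 (ProcessCreate); the field names, the host inventory, the RMM process names and the placeholder hash value are all assumptions made for the example.

```python
"""Correlate vulnerable-driver loads with EDR process kills and RMM installs.

Added example for this report; not the campaign's or any product's code.
Event dicts are a simplified stand-in for Sysmon records (field names are an
assumption). The hash below is a placeholder, not the real driver's hash.
"""
import ntpath
from dataclasses import dataclass

# Vulnerable driver name taken from the report. In production populate the
# name and hash sets from Microsoft's vulnerable driver blocklist / loldrivers.io.
VULN_DRIVER_NAMES = {"hwaudioos2ec.sys"}
VULN_DRIVER_SHA256 = {"0" * 64}  # placeholder value, not a real hash

# Security product processes whose termination is worth an alert.
EDR_PROCESSES = {"msmpeng.exe", "sentinelagent.exe", "avp.exe"}

# RMM agent process names (assumed for this example).
RMM_PROCESSES = {"screenconnect.clientservice.exe", "fleetdeck.exe"}

# Constructed host inventory: hardware vendor (a Huawei laptop may legitimately
# ship the audio driver) and whether RMM software is sanctioned on the host.
HOST_INVENTORY = {
    "WS01": {"vendor": "Dell Inc.", "rmm_allowed": False},
    "WS02": {"vendor": "HUAWEI", "rmm_allowed": False},
    "SRV01": {"vendor": "Dell Inc.", "rmm_allowed": True},
}
WINDOW_SECONDS = 300  # driver load -> EDR kill correlation window
DRIVERS_DIR = r"c:\windows\system32\drivers"


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    severity: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def detect(events):
    """Run the rules over event dicts (any order) and return alerts in time order."""
    alerts = []
    last_vuln_load = {}  # host -> timestamp of most recent vulnerable driver load
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, eid = ev["host"], ev["event_id"]
        inv = HOST_INVENTORY.get(host, {"vendor": "unknown", "rmm_allowed": False})
        name = basename(ev["image"])
        if eid == 6:  # DriverLoad
            if name in VULN_DRIVER_NAMES or ev.get("sha256", "").lower() in VULN_DRIVER_SHA256:
                last_vuln_load[host] = ev["ts"]
                # Loaded outside the drivers directory, or on non-Huawei hardware,
                # is the BYOVD pattern rather than a vendor-shipped driver.
                in_drivers_dir = ev["image"].lower().startswith(DRIVERS_DIR)
                suspicious = "huawei" not in inv["vendor"].lower() or not in_drivers_dir
                alerts.append(Alert(host, "vulnerable_driver_load",
                                    "high" if suspicious else "medium",
                                    f"{name} loaded from {ev['image']} on {inv['vendor']} hardware"))
        elif eid == 5:  # ProcessTerminate
            if name in EDR_PROCESSES:
                t0 = last_vuln_load.get(host)
                if t0 is not None and 0 <= ev["ts"] - t0 <= WINDOW_SECONDS:
                    alerts.append(Alert(host, "edr_killed_after_byovd", "critical",
                                        f"{name} terminated {ev['ts'] - t0}s after vulnerable driver load"))
                else:
                    alerts.append(Alert(host, "edr_process_terminated", "medium",
                                        f"{name} terminated"))
        elif eid == 1:  # ProcessCreate
            if name in RMM_PROCESSES and not inv["rmm_allowed"]:
                parent = basename(ev.get("parent_image", ""))
                alerts.append(Alert(host, "unsanctioned_rmm", "medium",
                                    f"{name} started (parent {parent})"))
    return alerts


# Constructed sample telemetry: a benign Huawei laptop, a victim workstation
# following the report's chain (RMM install, driver drop, Defender killed),
# and a server where ScreenConnect is sanctioned.
SAMPLE_EVENTS = [
    {"ts": 10, "host": "WS02", "event_id": 6,
     "image": r"C:\Windows\System32\drivers\HWAudioOs2Ec.sys"},
    {"ts": 100, "host": "WS01", "event_id": 1,
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe"},
    {"ts": 200, "host": "WS01", "event_id": 6,
     "image": r"C:\Users\Public\HWAudioOs2Ec.sys"},
    {"ts": 230, "host": "WS01", "event_id": 5,
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"},
    {"ts": 300, "host": "SRV01", "event_id": 1,
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"ts": 1000, "host": "WS01", "event_id": 5, "image": r"C:\Windows\notepad.exe"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.host} {a.rule}: {a.detail}")
```

On the sample data this yields a medium alert for the Huawei laptop (worth reviewing, but the driver is in its normal location on hardware that ships it), and three escalating alerts for WS01: the unsanctioned RMM install, the driver loaded from a user-writable path on Dell hardware, and the critical correlation when Defender dies 30 seconds later. The sanctioned server and the unrelated process exit produce nothing.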
## Mitigation Strategies
- **Driver Allowlisting:** Enable Windows Defender Application Control (WDAC) with Microsoft's vulnerable driver blocklist, and turn on memory integrity (HVCI), which enforces that blocklist; a signed-but-vulnerable driver is only stopped if it is explicitly denied, since signature checks alone will accept it.
- **RMM Restrictions:** Implement strict policies regarding what Remote Monitoring and Management tools are permitted to run in the environment.
- **Ad-Blocking:** Use enterprise-grade ad-blocking to prevent malicious "Sponsored" search results from reaching end users.
- **Least Privilege:** Prevent users from running as local administrators to hinder the installation of kernel drivers.
## Related Tools/Techniques
- **NetExec:** Used for network reconnaissance.
- **FleetDeck:** Alternative RMM used for redundancy.
- **Adspect / JustCloakIt:** Commercial cloaking services abused to keep the malicious landing page away from scanners and researchers.
- **LOLDrivers:** Community-maintained catalog of known vulnerable and malicious Windows drivers, useful as a hunting and blocklist source for BYOVD activity.