
How a Tax Search Leads to Kernel-Mode AV/EDR Kill

Severity: Medium
Published: Thu Mar 19 2026 (03/19/2026, 23:58:08 UTC)
Source: AlienVault OTX General

Description

A sophisticated malvertising campaign targets U.S. users searching for tax forms, using Google Ads and cloaking services to evade detection. Victims are redirected to rogue ScreenConnect installers, which deploy a multi-stage crypter that ultimately installs HwAudKiller, a BYOVD tool that exploits a vulnerable Huawei audio driver. HwAudKiller runs in kernel mode to terminate antivirus and EDR processes, effectively disabling endpoint defenses. The attackers rely on commodity tooling (free-tier ScreenConnect instances and off-the-shelf crypters) combined with a signed but vulnerable driver to maintain stealth and persistence. Multiple remote access tools are deployed on compromised hosts, indicating preparation for ransomware or initial access brokerage. The chain exploits a previously undocumented driver vulnerability, enabling kernel-level AV/EDR evasion with no user interaction beyond the initial infection. The campaign primarily targets U.S.

AI-Powered Analysis

Last updated: 03/20/2026, 08:23:42 UTC

Technical Analysis

This threat is a large-scale malvertising campaign that exploits user interest in U.S. tax forms to deliver a multi-stage attack chain. The attackers place Google Ads and route clicks through two commercial cloaking services to evade detection by security tools and ad platforms. Victims who click the ads are redirected to malicious sites hosting rogue ScreenConnect installers. ScreenConnect is a legitimate remote access tool; here its free tier is abused to gain the initial foothold. The installer deploys a multi-stage crypter that obfuscates its payloads and ultimately installs HwAudKiller, a Bring Your Own Vulnerable Driver (BYOVD) tool.

HwAudKiller exploits a previously undocumented vulnerability in a signed Huawei audio driver to execute in kernel mode. From there it forcibly terminates antivirus and Endpoint Detection and Response (EDR) processes, disabling endpoint defenses without triggering the user-mode protections that would normally block such tampering. The campaign's sophistication lies in combining commodity components (free ScreenConnect instances, off-the-shelf crypters, and a signed but vulnerable driver) to achieve stealth and persistence. The attackers deploy several remote access tools on each infected host for redundancy and continued access, which suggests the operation is either a precursor to ransomware deployment or initial access broker activity.

No CVE or public exploit is known for the driver flaw, indicating a zero-day or previously undocumented vulnerability. The tax-related lures are timed to tax season to maximize victim engagement and primarily target U.S. users. Indicators of compromise include multiple hashes, domains, and URLs associated with the campaign. The attack chain demonstrates advanced evasion, persistence, and privilege escalation techniques and poses a significant threat to organizations relying on affected endpoint security solutions.

Potential Impact

Organizations worldwide, especially those with U.S.-based operations or users searching for tax-related information, face significant risks from this campaign. The kernel-mode exploitation of a signed Huawei audio driver to terminate AV and EDR processes can lead to complete endpoint security bypass, allowing attackers to maintain stealthy persistence and conduct further malicious activities such as data exfiltration, lateral movement, or ransomware deployment. The use of commodity tools and free-tier services lowers the barrier for attackers, increasing the likelihood of widespread infections. The campaign's redundancy in deploying multiple remote access tools complicates incident response and remediation efforts. Disabling endpoint defenses at the kernel level severely impacts confidentiality, integrity, and availability of organizational assets. The attack also undermines trust in signed drivers and challenges traditional security controls. Given the targeting of tax form searchers, individuals and organizations involved in tax preparation, finance, and accounting are at heightened risk. The campaign's sophisticated evasion techniques may delay detection, increasing dwell time and potential damage. Overall, the threat poses a medium to high risk of operational disruption, data compromise, and financial loss.

Mitigation Recommendations

1. Implement strict application whitelisting and driver integrity checks to prevent loading of unauthorized or vulnerable signed drivers, including the Huawei audio driver exploited by HwAudKiller.
2. Monitor and restrict use of remote access tools like ScreenConnect, especially free-tier or unauthorized instances, and enforce multi-factor authentication and session logging for legitimate remote access.
3. Employ advanced endpoint detection solutions capable of monitoring kernel-mode activity and detecting abnormal process terminations or driver manipulation.
4. Enhance network monitoring to detect and block traffic to known malicious domains and URLs associated with this campaign, leveraging threat intelligence feeds containing the provided indicators.
5. Educate users about malvertising risks and discourage clicking on ads or links related to tax forms from untrusted sources, especially during tax season.
6. Regularly update and patch all drivers and endpoint security software, and engage with vendors to address vulnerabilities in signed drivers.
7. Conduct threat hunting focused on detection of BYOVD techniques and multiple remote access tool deployments to identify compromised hosts early.
8. Implement endpoint isolation and rapid incident response procedures to contain infections before ransomware or further payloads are deployed.
9. Use network segmentation to limit lateral movement from compromised endpoints.
10. Collaborate with ad platforms to report and remove malicious ads and cloaking services used in this campaign.
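As an added example for recommendations 3 and 7 (it is not code from the report or from the Huntress write-up), the following Python hunt scans Sysmon Event ID 6 (DriverLoad) records as JSON lines and flags the BYOVD pattern: a validly signed driver loaded from a user-writable directory rather than the Windows driver directories, or a driver whose SHA-256 is on a local blocklist. The blocklist entry and the sample events are constructed placeholders, since the report does not publish the abused driver's hash or path.

```python
import json
from pathlib import PureWindowsPath

# Directories Windows normally loads drivers from; a validly signed driver loading
# from anywhere else (Temp, Downloads, ProgramData) is the classic BYOVD tell.
TRUSTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")
# SHA-256 values of drivers your organisation has blocklisted. The report does not
# publish the abused driver's hash, so this is a placeholder to fill from your own intel.
BLOCKLISTED_DRIVER_SHA256 = {"PLACEHOLDER_SHA256_OF_VULNERABLE_AUDIO_DRIVER"}


def sha256_from_hashes(hashes):
    """Pull the SHA256 entry out of Sysmon's 'SHA1=..,MD5=..,SHA256=..' Hashes field."""
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().upper()
    return ""


def driver_load_reason(event):
    """Return why a Sysmon Event ID 6 (DriverLoad) looks like BYOVD, or None if it does not."""
    if event.get("EventID") != 6:
        return None
    if sha256_from_hashes(event.get("Hashes", "")) in BLOCKLISTED_DRIVER_SHA256:
        return "blocklisted driver hash"
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        return "unsigned or invalidly signed driver"
    parent = str(PureWindowsPath(event.get("ImageLoaded", "")).parent).lower()
    if not parent.startswith(TRUSTED_DRIVER_DIRS):
        return "validly signed driver loaded from outside the driver directories"
    return None


def hunt_driver_loads(log_lines):
    """Scan JSON-per-line Sysmon events; return (host, image, reason) per suspicious load."""
    findings = []
    for line in log_lines:
        event = json.loads(line)
        reason = driver_load_reason(event)
        if reason:
            findings.append((event.get("Computer", "?"), event.get("ImageLoaded", "?"), reason))
    return findings


# Constructed sample events (not from the report): one legitimate load, one BYOVD-style load.
SAMPLE_LOG = [
    '{"EventID": 6, "Computer": "ws01", "ImageLoaded": "C:\\\\Windows\\\\System32\\\\drivers\\\\HdAudBus.sys", "Hashes": "SHA256=AA11", "Signed": "true", "SignatureStatus": "Valid"}',
    '{"EventID": 6, "Computer": "ws02", "ImageLoaded": "C:\\\\Users\\\\bob\\\\AppData\\\\Local\\\\Temp\\\\audio_drv.sys", "Hashes": "SHA256=BB22", "Signed": "true", "SignatureStatus": "Valid"}',
]

if __name__ == "__main__":
    for host, image, reason in hunt_driver_loads(SAMPLE_LOG):
        print(f"{host}: {image} -> {reason}")
```

Feed it exported Sysmon events (one JSON object per line) and review each finding against the host's known driver inventory; a hit on the path heuristic is a lead to investigate, not proof of compromise.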


Technical Details

Author: AlienVault
TLP: white
References: https://www.huntress.com/blog/w2-malvertising-to-kernel-mode-edr-kill
Adversary: null
Pulse ID: 69bc8d909b5c7bee4ed80899
Threat Score: null

Indicators of Compromise


URL

- http://anukitax.com/forminw9/
- http://bringetax.com/humu/
- http://grinvan.com/vims/browser/
- http://rpc.adspect.net/v2/
- https://jcibj.com/pcl.php


Threat ID: 69bd007ce32a4fbe5f3ee31a

Added to database: 3/20/2026, 8:08:28 AM

Last enriched: 3/20/2026, 8:23:42 AM

Last updated: 3/20/2026, 3:00:30 PM
