Active since January 2026, a large-scale malvertising campaign has been observed targeting U.S.-based individuals searching for tax-related documents. The operation exploits Google Ads to direct unsuspecting users toward rogue installers of ConnectWise ScreenConnect, a widely used remote desktop control tool. Once installed, these rogue packages deploy a tool named HwAudKiller, which is specifically built to disable security programs through the bring your own vulnerable driver (BYOVD) technique.
Malicious Installers Are Used to Slip Past Security Defenses
At the heart of this campaign is HwAudKiller, a tool that exploits vulnerabilities found in legitimate, trusted drivers to deactivate active security protections on a victim’s machine. By leveraging drivers that operating systems and security software already recognize as valid, HwAudKiller effectively blinds those same security tools — leaving the infected system exposed to further exploitation. This BYOVD approach is particularly dangerous because it turns trusted system components against the very defenses they are meant to support.
Once security software has been neutralized, threat actors gain a much broader foothold on the compromised device, enabling them to carry out follow-on activities without triggering standard detection mechanisms. Organizations and individual users who depend heavily on endpoint security solutions are especially at risk, as HwAudKiller is designed specifically to undermine those protections.
Google Ads Provide a Trusted Cover for Malware Distribution
The campaign’s reach is amplified by its deliberate abuse of Google’s advertising platform. Threat actors craft ads that appear entirely legitimate to users searching for tax-related documents — a particularly timely lure given the ongoing tax filing season in the United States. These deceptive ads redirect users to sites hosting the rogue ConnectWise ScreenConnect installers, which carry the malicious HwAudKiller payload.
By embedding their malware delivery mechanism within Google Ads, attackers exploit the inherent trust users place in results and sponsored content that appear on widely used search engines. This tactic makes it significantly harder for everyday users to distinguish between legitimate software downloads and malicious ones, increasing the likelihood of a successful infection.
Malvertising Campaigns Continue to Pose Serious Risks to Users
This campaign is a clear reminder of the persistent threat that malvertising poses across digital advertising ecosystems. As more individuals turn to online search engines to find critical resources — including tax forms and financial documents — during high-demand periods like tax season, the potential reach of campaigns like this one grows considerably.
Security researchers note that the combination of Google Ads abuse, a BYOVD-based security bypass, and the deployment of a dedicated disabling tool like HwAudKiller reflects a high level of operational sophistication. Users are strongly advised to verify the authenticity of software downloads, avoid clicking on sponsored search results for sensitive document types, and ensure their systems are running up-to-date security solutions capable of detecting driver-based attacks.
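For defenders, the chain described in this article (a ScreenConnect installer run from a download location, then a kernel driver load, then a security service stopping) can be hunted as an ordered sequence per host. The Python below is an added example, not code from the researchers or any vendor; the event schema, host names, file paths, service name and 30-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry; field names and values are assumptions, not campaign IoCs.
EVENTS = [
    {"ts": "2026-02-03T14:01:10", "host": "WS-017", "type": "process_start",
     "product": "ScreenConnect", "image": r"C:\Users\kim\Downloads\tax-form-setup.exe"},
    {"ts": "2026-02-03T14:03:42", "host": "WS-017", "type": "driver_load",
     "signed": True, "image": r"C:\Users\kim\AppData\Local\Temp\example.sys"},
    {"ts": "2026-02-03T14:04:05", "host": "WS-017", "type": "service_stop",
     "category": "security", "service": "ExampleEDRAgent"},
    {"ts": "2026-02-03T09:00:00", "host": "WS-022", "type": "driver_load",
     "signed": True, "image": r"C:\Windows\System32\drivers\example.sys"},
    {"ts": "2026-02-03T09:30:00", "host": "WS-040", "type": "process_start",
     "product": "ScreenConnect", "image": r"C:\Program Files\ExampleIT\remote.exe"},
]

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

def user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)

def stage(ev):
    """Map an event to its position in the chain, or None if it is not relevant."""
    if ev["type"] == "process_start" and ev.get("product") == "ScreenConnect":
        return 0 if user_writable(ev["image"]) else None
    if ev["type"] == "driver_load":
        # A valid signature does not clear the event: BYOVD drivers are legitimately signed.
        return 1 if user_writable(ev["image"]) else None
    if ev["type"] == "service_stop" and ev.get("category") == "security":
        return 2
    return None

def find_chains(events, window=timedelta(minutes=30)):
    """Return hosts where stages 0, 1, 2 occur in order within the window."""
    progress, hits = {}, []  # progress: host -> (next expected stage, chain start time)
    for ev in sorted(events, key=lambda e: e["ts"]):
        s, ts, host = stage(ev), datetime.fromisoformat(ev["ts"]), ev["host"]
        if s is None:
            continue
        if s == 0:
            progress[host] = (1, ts)  # a new installer run restarts the chain
        elif host in progress and progress[host][0] == s and ts - progress[host][1] <= window:
            if s == 2:
                hits.append(host)
                del progress[host]
            else:
                progress[host] = (s + 1, progress[host][1])
    return hits

if __name__ == "__main__":
    print(find_chains(EVENTS))
```

Only the host showing all three stages in order is flagged; a driver loaded from the system driver directory or a remote-access client running from an administrator-installed location does not start or advance a chain.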