Tax-Themed Google Ads Spark BYOVD EDR Killer in Malvertising Blitz

By Staff Writer, March 23, 2026

Quick Takeaways

  1. A malvertising campaign exploiting tax-season searches directs users to fake IRS-themed sites and tricks them into installing legitimate remote management tools, which the attackers then use for full system access.
  2. Attackers deploy a multi-stage payload, including a kernel-mode EDR killer called HwAudKiller, which abuses a vulnerable Huawei driver to silently terminate security processes and gain persistent control.
  3. The malware employs evasion techniques such as very large memory allocations to defeat antivirus emulators, and uses kernel-level commands to terminate security programs so that the intrusion goes undetected.
  4. The campaign is well organized, using multiple social engineering tactics and shared infrastructure; this underlines the need for caution when downloading tax forms and for monitoring unusual remote-tool activity.

Key Challenge

Every April, many Americans are eager to file their taxes quickly, and cybercriminals have been exploiting this through a malvertising campaign active since January 2026. Attackers target people searching for W-2 and W-9 forms by placing Google Ads that lead to fake IRS-themed landing pages, which in turn lead victims to download remote management tools such as ScreenConnect. Because these tools are legitimate software, users (employees, freelancers, or small business owners) unknowingly grant the attackers full control over their machines. Once inside, the attackers deploy a multi-layered payload built to bypass security defenses: a crypter called FatMalloc allocates very large amounts of memory to defeat antivirus emulators, and the payload then installs HwAudKiller, a kernel-mode driver that terminates key security software such as Windows Defender, Kaspersky, and SentinelOne. With the endpoint defenses disabled, the attacker can proceed to credential harvesting and network infiltration. Huntress researchers, who reported the campaign, discovered it during routine threat hunting and describe it as a coordinated operation that combines multiple social engineering tactics with sophisticated malware techniques, ultimately aiming to deploy ransomware or to sell initial access to other actors.
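As an added illustration (not code from the article or from Huntress), the correlation a detection rule for this chain can rely on: a remote-management client spawned by an executable that a browser dropped into a user-writable folder, and a driver loaded from a user-writable path followed within a short window by the termination of security-product processes. The log format, file names and the process names MsMpEng.exe, SentinelAgent.exe and avp.exe (Defender, SentinelOne, Kaspersky) are assumptions, and the telemetry is constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article): "timestamp|event|key=value|..." per line.
SAMPLE_LOG = """\
2026-03-23T09:12:04|ProcessCreate|image=C:\\Users\\alice\\Downloads\\W9_Form.exe|parent=chrome.exe
2026-03-23T09:12:10|ProcessCreate|image=C:\\Users\\alice\\AppData\\Local\\Temp\\ScreenConnect.ClientSetup.exe|parent=W9_Form.exe
2026-03-23T09:15:31|DriverLoad|image=C:\\Users\\alice\\AppData\\Local\\Temp\\vulnerable_driver.sys
2026-03-23T09:15:33|ProcessTerminate|image=C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe
2026-03-23T09:15:34|ProcessTerminate|image=C:\\Program Files\\SentinelOne\\Sentinel Agent\\SentinelAgent.exe
2026-03-23T11:00:00|DriverLoad|image=C:\\Windows\\System32\\drivers\\usbhub.sys
"""

# Paths a signed-but-vulnerable driver should never be loaded from (assumption: tune per estate).
USER_WRITABLE = re.compile(r"\\(downloads|appdata|temp|programdata)\\", re.I)
# Assumed process names of the security products named in the article.
SECURITY_PROCS = {"msmpeng.exe", "sentinelagent.exe", "avp.exe"}


def parse(log_text):
    """Turn each log line into a dict with a parsed timestamp and lower-cased image basename."""
    events = []
    for line in log_text.splitlines():
        ts, kind, *kv = line.split("|")
        fields = dict(item.split("=", 1) for item in kv)
        fields["ts"] = datetime.fromisoformat(ts)
        fields["kind"] = kind
        fields["name"] = fields["image"].rsplit("\\", 1)[-1].lower()
        events.append(fields)
    return events


def detect(events, window=timedelta(seconds=120)):
    """Return (rule, details...) tuples for the two stages of the chain described above."""
    alerts = []
    for i, ev in enumerate(events):
        # Stage 1: an RMM client whose parent process was itself launched from a user-writable path.
        if ev["kind"] == "ProcessCreate" and "screenconnect" in ev["name"]:
            parent = ev.get("parent", "").lower()
            dropped = any(e["kind"] == "ProcessCreate" and e["name"] == parent
                          and USER_WRITABLE.search(e["image"]) for e in events[:i])
            if dropped:
                alerts.append(("rmm_from_downloaded_file", ev["image"]))
        # Stage 2: a driver loaded from a user-writable path, then security processes dying soon after.
        if ev["kind"] == "DriverLoad" and USER_WRITABLE.search(ev["image"]):
            killed = [e["name"] for e in events[i + 1:]
                      if e["kind"] == "ProcessTerminate" and e["name"] in SECURITY_PROCS
                      and e["ts"] - ev["ts"] <= window]
            if killed:
                alerts.append(("byovd_edr_killer", ev["image"], tuple(sorted(killed))))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The benign System32 driver load in the sample produces no alert; only the Temp-path load followed by two security-process terminations and the ScreenConnect setup spawned by the downloaded file are flagged.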

Security Implications

The campaign described in “Tax-Themed Google Ads Lead to BYOVD EDR Killer in Huntress-Traced Malvertising Campaign” illustrates a serious threat that can affect any business, regardless of size. Attackers use fake tax-related ads to lure employees into clicking malicious links, which lead to BYOVD (Bring Your Own Vulnerable Driver) malware and EDR (Endpoint Detection and Response) killers being deployed. This lets the attackers bypass security controls, steal sensitive data, or disrupt operations, and businesses may then face financial loss, reputational damage, and lost customer trust. The intrusion can also lead to prolonged downtime and costly remediation. Businesses should therefore treat suspicious online advertisements with caution and keep their security controls current to avoid falling victim to campaigns of this kind.

Possible Actions

Prompt detection and swift response are critical to limiting threats that could compromise sensitive data and system integrity. Once a compromise is identified, timely remediation ensures that the weaknesses involved are addressed before adversaries can exploit them further. Addressing a threat like “Tax-Themed Google Ads Lead to BYOVD EDR Killer in Huntress-Traced Malvertising Campaign” promptly prevents lateral movement, data breaches, and prolonged system compromise.

Containment Measures

  • Isolate affected systems from the network to prevent spread.
  • Disable malicious Google Ads or related ad campaigns.

Analysis & Investigation

  • Conduct thorough forensic analysis to understand the scope of the compromise.
  • Identify and preserve logs and evidence for further review.

Eradication Efforts

  • Remove malicious files, scripts, or payloads associated with the campaign.
  • Update or reconfigure affected endpoints to eliminate vulnerabilities.

Patching & Updates

  • Apply the latest security patches to all systems, especially those targeted or compromised.
  • Ensure all security tools, including EDR solutions, are current.

Enhance Detection Capabilities

  • Deploy or update threat detection rules to identify similar malvertising initiatives sooner.
  • Implement anti-malvertising measures, such as ad-blockers and URL filtering.

User Awareness & Training

  • Educate staff about recognizing malicious ads and phishing techniques.
  • Promote best practices for reporting suspicious activity.

Preventive Controls

  • Enable web content filtering to block malicious ad and landing-page domains.
  • Implement strict browser security policies to reduce exposure.

Review & Improve

  • Regularly review security posture and campaign responses.
  • Integrate lessons learned into incident response plans for quicker action in future incidents.

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.