
ONE Sentinel

Security/THREATS/HIGH

Tax Search Ads Deliver ScreenConnect Malware Using Huawei Driver to Disable EDR

Source: The Hacker News
March 24, 2026

EXECUTIVE SUMMARY

Malvertising Campaign Exploits Tax Searches to Deploy ScreenConnect Malware

Summary

A significant malvertising campaign has been identified targeting U.S. users searching for tax-related documents. The campaign uses rogue installers for ConnectWise ScreenConnect to deploy malware that disables security programs.

Key Points

  • The campaign has been active since January 2026.
  • It targets individuals searching for tax-related documents in the U.S.
  • Rogue installers for ConnectWise ScreenConnect are used to drop a tool named HwAudKiller.
  • The attack employs the bring-your-own-vulnerable-driver (BYOVD) technique, using a Huawei driver to disable EDR.
  • Google Ads is abused to serve these rogue ScreenConnect installers.

Analysis

This campaign highlights the increasing sophistication of malvertising attacks, using legitimate advertising platforms like Google Ads to distribute malware. By exploiting tax-related searches, attackers are capitalizing on a common and timely activity to increase the likelihood of successful infections. The use of the BYOVD technique to disable security programs further complicates detection and mitigation efforts.

Conclusion

IT professionals should enhance their monitoring of advertising platforms for potential threats and educate users on the risks associated with downloading software from ads. Implementing robust endpoint detection and response (EDR) solutions that can withstand BYOVD attacks is crucial.