Google Ads tax-search ScreenConnect malvertising campaign
Campaign
Summary
A malvertising campaign active since January 2026 is using Google Ads bought against tax-related search terms to push rogue ConnectWise ScreenConnect installers, giving the operators remote access to the victim host and a path to follow-on compromise. The operation uses commercial cloaking services and HwAudKiller, a BYOVD (bring-your-own-vulnerable-driver) EDR killer, to disable endpoint security products before deeper payloads run. Huntress tied over 60 malicious ScreenConnect sessions to the activity. Post-compromise actions included LSASS credential dumping and NetExec reconnaissance, consistent with pre-ransomware staging or initial access broker behavior.
Related Happenings
AI chatbot cryptojacking campaign targeting high-performance GPU users
Campaign
First: 27.05.2026 10:45
Last: 27.05.2026 10:45
Sources 1
About this happening:
An active **cryptojacking campaign** is using **AI chatbot interactions** and **SEO-poisoned download sites** to deliver mining malware, expanding the reach of malicious downloads...
Tycoon2FA device-code phishing campaign targeting Microsoft 365
Campaign
First: 17.05.2026 17:43
Last: 17.05.2026 17:43
Sources 1
About this happening:
The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...
TCLBANKER banking trojan activity targeting 59 financial platforms
Malware Activity
First: 08.05.2026 21:12
Last: 08.05.2026 21:12
Sources 1
About this happening:
**TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...
TCLBanker self-spreading banking trojan
Malware Activity
First: 08.05.2026 01:06
Last: 08.05.2026 01:06
Sources 1
About this happening:
The **TCLBanker** trojan now combines **trojanized installer** delivery with **self-spreading worm modules**, widening access to **59 banking, fintech, and cryptocurrency platform...
ACSC ClickFix mitigation guidance for Vidar Stealer
Advisory/Mitigation
First: 07.05.2026 21:00
Last: 07.05.2026 21:00
Sources 1
About this happening:
The **ACSC** issued mitigation guidance for an **ongoing ClickFix campaign** that is pushing **Vidar Stealer** through **malicious PowerShell commands**, increasing credential-the...
Timeline
24.03.2026 19:05 · 2 articles
Google Ads tax-search ScreenConnect malvertising campaign disclosed
Initial Disclosure: Huntress detailed a large-scale malvertising campaign active since January 2026 that used Google Ads and tax-themed search terms such as "W2 tax form" and "W-9 Tax Forms 2026" to steer U.S.-based users toward rogue ConnectWise ScreenConnect installers. The operation used the Adspect and JustCloakIt cloaking services to hide the malicious landing pages from scanners, deployed a BYOVD EDR killer named HwAudKiller, and relied on the legitimately signed Huawei driver HWAuidoOs2Ec.sys to blind Microsoft Defender, Kaspersky, and SentinelOne before follow-on activity such as LSASS credential dumping and NetExec-based reconnaissance. Because the driver carries a valid vendor signature, code-signing checks alone do not stop it from loading; blocking it requires a vulnerable-driver blocklist or a driver-control policy that denies it by name or hash.
Sources:
- Tax Search Ads Deliver ScreenConnect Malware Using Huawei Driver to Disable EDR — thehackernews.com — 24.03.2026 19:05
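The timeline entry above names three observable artifacts a defender can hunt for: the HWAuidoOs2Ec.sys driver load, a ScreenConnect client talking to a relay the organization never deployed, and a process opening lsass.exe with read access. As an added example (not code from Huntress or from this page), the following Python script runs those three hunts over exported Sysmon-style events. The event field names follow Sysmon's EventData schema (EID 6 DriverLoad, EID 1 ProcessCreate, EID 10 ProcessAccess); the sample events, the corporate relay allow-list, the list of images allowed to read lsass, and the URL-style ScreenConnect client argument format assumed for relay parsing are all constructed assumptions to be tuned per fleet.

```python
"""Hunt for the ScreenConnect / HwAudKiller / LSASS tradecraft in Sysmon-style events.

Added example; all sample data below is constructed, not taken from the report.
"""
import ntpath
import re
from urllib.parse import parse_qs

# Driver named in the Huntress report. It carries a valid Huawei signature, so
# SignatureStatus is NOT a useful discriminator; match on the file name here and
# block it with the vulnerable-driver blocklist / driver-control policy.
BYOVD_DRIVERS = {"hwauidoos2ec.sys"}

SCREENCONNECT_CLIENTS = {"screenconnect.clientservice.exe",
                         "screenconnect.windowsclient.exe"}

# Assumption: relays the organization itself operates (constructed hostname).
ALLOWED_RELAYS = {"support.corp.example"}

# Assumption: images that legitimately open lsass with read access on this fleet.
LSASS_READERS_OK = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}
PROCESS_VM_READ = 0x0010  # GrantedAccess bit that every memory dumper needs


def _base(path):
    """Lower-cased file name of a Windows path ('' for missing fields)."""
    return ntpath.basename(path or "").lower()


def parse_relay_host(cmdline):
    """Return the relay host (h= parameter) from a ScreenConnect client command line.

    Assumption: the client receives a URL-style argument such as
    '?e=Access&y=Guest&h=relay.host&p=8041&s=<id>'. Returns None if absent.
    """
    m = re.search(r'\?([^\s"]+)', cmdline or "")
    if not m:
        return None
    return parse_qs(m.group(1)).get("h", [None])[0]


def evaluate(events, allowed_relays):
    """Apply the three rules to Sysmon-style event dicts and return alert dicts."""
    allowed = {h.lower() for h in allowed_relays}
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        host = ev.get("Computer")
        if eid == 6 and _base(ev.get("ImageLoaded")) in BYOVD_DRIVERS:
            alerts.append({"rule": "byovd_driver_load", "host": host,
                           "detail": ev["ImageLoaded"]})
        elif eid == 1 and _base(ev.get("Image")) in SCREENCONNECT_CLIENTS:
            relay = parse_relay_host(ev.get("CommandLine"))
            if relay is None or relay.lower() not in allowed:
                alerts.append({"rule": "screenconnect_unapproved_relay", "host": host,
                               "detail": relay or "<no relay in command line>"})
        elif eid == 10 and _base(ev.get("TargetImage")) == "lsass.exe":
            granted = int(ev.get("GrantedAccess", "0x0"), 16)
            if granted & PROCESS_VM_READ and _base(ev.get("SourceImage")) not in LSASS_READERS_OK:
                alerts.append({"rule": "lsass_read_access", "host": host,
                               "detail": f"{ev['SourceImage']} ({ev['GrantedAccess']})"})
    return alerts


# Constructed sample telemetry: one clean workstation (FIN-WS01), one compromised (FIN-WS07).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "FIN-WS01",  # approved client, corporate relay
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2)\ScreenConnect.ClientService.exe",
     "CommandLine": r'"C:\Program Files (x86)\ScreenConnect Client (a1b2)\ScreenConnect.ClientService.exe" '
                    r'"?e=Access&y=Guest&h=support.corp.example&p=8041&s=a1b2"'},
    {"EventID": 1, "Computer": "FIN-WS07",  # installer from a tax-themed ad, foreign relay
     "Image": r"C:\Users\jdoe\Downloads\W-9 Tax Forms 2026\ScreenConnect.ClientService.exe",
     "CommandLine": r'"C:\Users\jdoe\Downloads\W-9 Tax Forms 2026\ScreenConnect.ClientService.exe" '
                    r'"?e=Access&y=Guest&h=relay.example.invalid&p=8041&s=9f8e"'},
    {"EventID": 6, "Computer": "FIN-WS07",  # HwAudKiller loading the signed Huawei driver
     "ImageLoaded": r"C:\ProgramData\HWAuidoOs2Ec.sys", "SignatureStatus": "Valid"},
    {"EventID": 6, "Computer": "FIN-WS01",  # ordinary Microsoft driver load
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "SignatureStatus": "Valid"},
    {"EventID": 10, "Computer": "FIN-WS01",  # Defender reading lsass: expected
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "Computer": "FIN-WS07",  # unknown binary dumping lsass
     "SourceImage": r"C:\Windows\Temp\x.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, ALLOWED_RELAYS):
        print(f"[{alert['rule']}] {alert['host']}: {alert['detail']}")
```

Run against the constructed sample, the script raises exactly three alerts, all on FIN-WS07, in event order: the unapproved relay, the HWAuidoOs2Ec.sys load, and the lsass read. Note that the driver rule keys on file name only, since a renamed copy of the same binary would evade it; in production, match on the driver's hash as published in the vendor report alongside the name.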