Find notable cyber news and cases, enriched with sources, timelines, and signals.

Google Ads tax-search ScreenConnect malvertising campaign

Campaign
First reported
Last updated
Happening score
H score 32
1 unique sources, 1 articles

Summary

Hide ▲

A malvertising campaign active since January 2026 is using Google Ads and tax-related search terms to push rogue ConnectWise ScreenConnect installers, creating a path to initial access and follow-on compromise. The operation uses commercial cloaking and a BYOVD-based HwAudKiller tool to blind security defenses before deeper payloads run. Huntress tied over 60 malicious ScreenConnect sessions to the activity. Post-compromise actions included LSASS credential dumping and NetExec reconnaissance, suggesting pre-ransomware or initial access broker behavior.

Related Happenings

GodDamn ransomware PoisonX BYOVD activity

Malware Activity
H score15 First: 09.07.2026 13:43 Last: 09.07.2026 13:43 Sources 1

About this happening: The **GodDamn** ransomware family is using the **PoisonX** kernel driver to disable endpoint defenses during attacks, increasing the risk of **credential theft**, **lateral moveme...

Major U.S. services company hit by ransomware attack linked to DragonForce

Incident
H score38 First: 16.06.2026 13:18 Last: 16.06.2026 13:18 Sources 1

About this happening: A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...

GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy

Malware Activity
H score41 First: 29.05.2026 01:24 Last: 29.05.2026 01:24 Sources 1

About this happening: **GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...

GPU cryptomining malware using ScreenConnect and SEO poisoning

Malware Activity
H score16 First: 28.05.2026 00:31 Last: 28.05.2026 00:31 Sources 1

About this happening: A **cryptojacking malware operation** is spreading through **SEO-poisoned download pages** and, in some cases, **AI chatbot recommendations**, putting **high-performance Windows s...

AI chatbot cryptojacking campaign targeting high-performance GPU users

Campaign
H score51 First: 27.05.2026 10:45 Last: 27.05.2026 10:45 Sources 1

About this happening: An active **cryptojacking campaign** is using **SEO poisoning** and, in some cases, **AI chatbot recommendations** to steer users toward malicious download pages for trusted utili...

Timeline

  1. 24.03.2026 19:05 2 articles · 3mo ago

    Google Ads tax-search ScreenConnect malvertising campaign disclosed

    Initial Disclosure

    Huntress detailed a large-scale malvertising campaign active since January 2026 that used Google Ads and tax-themed search terms such as "W2 tax form" and "W-9 Tax Forms 2026" to steer U.S.-based users toward rogue ConnectWise ScreenConnect installers. The operation used Adspect and JustCloakIt cloaking, deployed a BYOVD EDR killer named HwAudKiller, and relied on the signed Huawei driver HWAuidoOs2Ec.sys to blind Microsoft Defender, Kaspersky, and SentinelOne before follow-on activity such as LSASS credential dumping and NetExec-based reconnaissance.

    Show sources