Google Ads tax-search ScreenConnect malvertising campaign
Campaign
Summary
Hide ▲
Show ▼
A malvertising campaign active since January 2026 is using Google Ads and tax-related search terms to push rogue ConnectWise ScreenConnect installers, creating a path to initial access and follow-on compromise. The operation uses commercial cloaking and a BYOVD-based HwAudKiller tool to blind security defenses before deeper payloads run. Huntress tied over 60 malicious ScreenConnect sessions to the activity. Post-compromise actions included LSASS credential dumping and NetExec reconnaissance, suggesting pre-ransomware or initial access broker behavior.
Related Happenings
GodDamn ransomware PoisonX BYOVD activity
Malware Activity
H score15
First: 09.07.2026 13:43
Last: 09.07.2026 13:43
Sources 1
About this happening:
The **GodDamn** ransomware family is using the **PoisonX** kernel driver to disable endpoint defenses during attacks, increasing the risk of **credential theft**, **lateral moveme...
GodDamn ransomware PoisonX BYOVD activity
Malware ActivityAbout this happening: The **GodDamn** ransomware family is using the **PoisonX** kernel driver to disable endpoint defenses during attacks, increasing the risk of **credential theft**, **lateral moveme...
Major U.S. services company hit by ransomware attack linked to DragonForce
Incident
H score38
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
About this happening:
A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
Major U.S. services company hit by ransomware attack linked to DragonForce
IncidentAbout this happening: A **DragonForce ransomware** incident hit a **major U.S. services firm** in **December 2025**, with attackers maintaining access for **one to two months** and hiding **command-and...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware Activity
H score41
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
**GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware ActivityAbout this happening: **GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...
GPU cryptomining malware using ScreenConnect and SEO poisoning
Malware Activity
H score16
First: 28.05.2026 00:31
Last: 28.05.2026 00:31
Sources 1
About this happening:
A **cryptojacking malware operation** is spreading through **SEO-poisoned download pages** and, in some cases, **AI chatbot recommendations**, putting **high-performance Windows s...
GPU cryptomining malware using ScreenConnect and SEO poisoning
Malware ActivityAbout this happening: A **cryptojacking malware operation** is spreading through **SEO-poisoned download pages** and, in some cases, **AI chatbot recommendations**, putting **high-performance Windows s...
AI chatbot cryptojacking campaign targeting high-performance GPU users
Campaign
H score51
First: 27.05.2026 10:45
Last: 27.05.2026 10:45
Sources 1
About this happening:
An active **cryptojacking campaign** is using **SEO poisoning** and, in some cases, **AI chatbot recommendations** to steer users toward malicious download pages for trusted utili...
AI chatbot cryptojacking campaign targeting high-performance GPU users
CampaignAbout this happening: An active **cryptojacking campaign** is using **SEO poisoning** and, in some cases, **AI chatbot recommendations** to steer users toward malicious download pages for trusted utili...
Timeline
-
24.03.2026 19:05 2 articles · 3mo ago
Google Ads tax-search ScreenConnect malvertising campaign disclosed
Initial DisclosureHuntress detailed a large-scale malvertising campaign active since January 2026 that used Google Ads and tax-themed search terms such as "W2 tax form" and "W-9 Tax Forms 2026" to steer U.S.-based users toward rogue ConnectWise ScreenConnect installers. The operation used Adspect and JustCloakIt cloaking, deployed a BYOVD EDR killer named HwAudKiller, and relied on the signed Huawei driver HWAuidoOs2Ec.sys to blind Microsoft Defender, Kaspersky, and SentinelOne before follow-on activity such as LSASS credential dumping and NetExec-based reconnaissance.
Show sources
- Tax Search Ads Deliver ScreenConnect Malware Using Huawei Driver to Disable EDR — thehackernews.com — 24.03.2026 19:05
- Tax Search Ads Deliver ScreenConnect Malware Using Huawei Driver to Disable EDR — thehackernews.com — 24.03.2026 19:05