From W-2 to BYOVD: How a Tax Search Leads to Kernel-Mode AV/EDR Kill

Published: March 19, 2026
By: Anna Pham

Table of Contents
Background
Key takeaways
How it happened
Fake browser update lure
Adspect cloaking
Second cloaking layer: JustCloakIt
Rogue ScreenConnect and RMM activity
A closer look into FatMalloc
HwAudKiller
The embedded driver: Huawei audio driver (BYOVD)
Inside the driver
Uncovering another intrusion
What can we learn?
Detection
Recommendations
Indicators of compromise

Background

As the saying goes, only two things are guaranteed in life: death and taxes. But, with the April 15 tax filing deadline quickly approaching, there's a third guarantee that threat actors have learned to count on: millions of users searching for the same tax forms, under time pressure, trusting the first Google result they see.

During retrospective threat hunting, the Huntress Tactical Response team recently uncovered a large-scale malvertising campaign that has been active since at least January 2026, targeting U.S.-based individuals searching for tax-related documents. The lures are specifically U.S. tax forms (W-2, W-9), and the fake landing pages reference IRS compliance, casting a wide net across employees, freelancers, contractors, and small businesses during filing season. The campaign abuses Google Ads to serve rogue ScreenConnect (ConnectWise Control) installers, ultimately delivering a BYOVD EDR killer that drops a kernel driver to blind security tools before further compromise. Across our customer base, we reported over 60 instances of rogue ScreenConnect sessions tied to this campaign being used as the initial access vector.
The attack chain is layered: dual commercial cloaking services filter out researchers and scanners, trial ScreenConnect instances provide hands-on-keyboard access, a multi-stage crypter evades AV with a 2GB memory allocation trick, and the final payload abuses a previously undocumented Huawei audio driver to terminate Defender, Kaspersky, and SentinelOne processes from kernel mode.

Beyond the tax-themed lures, the threat actor's exposed open directory also revealed a fake Chrome update page with Russian-language JavaScript comments, suggesting a broader social engineering toolkit and a Russian-speaking developer. Evidence from a second intrusion reveals the likely end goal: after blinding the EDR, the attacker immediately pivoted to LSASS credential dumping and mass lateral credential harvesting across the network using tools like NetExec. These tactics are consistent with a pre-ransomware or initial access broker playbook, indicating the threat actor is either building toward ransomware deployment or monetizing network access through resale to other operators. In this blog, we break down every layer.

Key takeaways

Google Ads is still trending. The entire kill chain starts with a sponsored search result. No exploit kit, no phishing email, just a Google Ad served for “W2 tax form” and “W-9 Tax Forms 2026” searches that looks indistinguishable from a legitimate result. Malvertising has become the initial access vector of choice for campaigns like this because it scales effortlessly and targets users at the exact moment they are looking for something.

Cloaking makes takedowns a cat-and-mouse game. The dual-layer cloaking setup (JustCloakIt server-side + Adspect client-side) means Google's own ad reviewers, security scanners, and researchers all see a clean page. Only real victims with real browsers on real hardware get the payload.
As long as services like Adspect openly market “no content rules” for $299/month, malvertising campaigns will keep slipping through platform review.

Stacking RMM tools signals persistence, not convenience. When multiple ScreenConnect relays and backup tools like FleetDeck appear on the same host within hours, it's not a coincidence; it's an attacker building redundancy into their access. This campaign consistently deployed two or three relay instances per host across different organizations, ensuring they could survive partial remediation.

BYOVD isn't just for APTs. This campaign shows commodity threat actors using a previously undocumented signed driver to kill EDR from kernel mode. The attackers didn't need to find a zero-day; they just needed a signed driver with a careless IOCTL handler.

The tax lure is just one page in the playbook. The same operator's open directory revealed a fake Chrome update page alongside the tax-themed lures, both pulling payloads from the same 4sync infrastructure. Russian-language comments in the JavaScript source suggest a Russian-speaking developer. This is not a single-campaign operation; the shared infrastructure and multiple social engineering templates point to an operator running parallel lure campaigns adapted to whatever gets clicks.

How it happened

The user searched for “W2 tax form,” and the top result was a Google Ads link that redirected to a malicious page serving a rogue ScreenConnect installer. The browser history reveals the redirect chain: the Google Ads click landed on anukitax[.]com/forminw9/, which then redirected to bringetax[.]com/humu/, the actual rogue ScreenConnect delivery page. The payload itself was hosted on 4sync, a file-sharing platform. At the time of analysis, the page was no longer delivering payloads, but the threat actor left the directory open, giving us some insights.
Figure 1: Rogue ScreenConnect delivery page

Fake browser update lure

Browsing the open directory also revealed a fake Chrome update page hosted at grinvan[.]com/vims/browser/. This page is unrelated to the tax-themed lure but appears to be part of the same operator's toolkit. The page presents a convincing Google Chrome update prompt, telling the victim "To CONTINUE you need to update your browser" and walking them through a three-step process: click "Update Chrome," find the download, and "unzip updater.zip and run updater.exe."

Under the hood, the page pulls its payload from the same 4sync file-sharing platform used in the tax campaign. When the victim clicks the update button, the JavaScript fetches the victim's IP address and geolocation via ipapi.co and sends a real-time notification to the operator's Telegram bot with the victim's IP, country, and referring URL, giving the threat actor immediate visibility into each successful download. The payload is then delivered silently through a hidden iframe pointing to a 4sync direct download link.

The JavaScript source contains Russian-language comments throughout, including “Файл скачан!” (File downloaded), “Ошибка получения геоданных” (Error getting geolocation data), and “Telegram уведомление отправлено” (Telegram notification sent), providing a language indicator for the developer behind this page.

Figure 2: Fake Google browser update lure

Figure 3: Russian-language comments reveal the developer's language, while the code collects the victim's IP and geolocation via ipapi[.]co and sends a real-time Telegram notification to the operator on each download

Adspect cloaking

The exposed directory revealed the threat actor's cloaking setup. Cloaking is a technique where a malicious website shows different content depending on who's visiting: real victims see the malicious payload, while security scanners, ad reviewers, bots, and researchers see a harmless "safe page" instead.
Threat actors use commercial cloaking services to keep their malvertising campaigns running longer by evading detection from platforms like Google Ads and security vendors. In this case, the landing page uses a PHP-based Traffic Distribution System (TDS) powered by Adspect, a commercial cloaking service that has been increasingly abused by threat actors in malvertising and supply chain campaigns.

Adspect markets itself as a “bulletproof cloaking” platform that “reliably cloaks each and every advertising platform,” with plans ranging from $299 to $999 per month. The service openly advertises a no-questions-asked policy, stating they “do not care what you run and do not enforce any content rules.” It supports cloaking across Google Ads, Facebook, TikTok, Bing, and others, while actively blocking security scanners, including Google Safe Browsing, VirusTotal, Kaspersky, Confiant, and GeoEdge. The platform uses JavaScript fingerprinting, TCP/IP and SSL/TLS fingerprinting, IP blacklists covering over 2 billion IPv4 addresses, and a Bayesian machine learning classifier to distinguish real victims from researchers and bots.

The index file on the landing page contains an Adspect integration script that calls out to rpc.adspect[.]net/v2/ with the stream ID f252d22c-19c3-487b-af3a-3d979b168a6d. On each visit, the script collects a fingerprint of the visitor, including browser properties, WebGL renderer info, screen dimensions, timezone offset, console behavior, touch event support, and whether the page is running inside an iframe, then POSTs it all back to the Adspect backend for a real-time verdict.

The fingerprinting payload is embedded as a base64-encoded blob inside a fake <img> tag's data-digest attribute. The image intentionally fails to load, triggering the onerror handler, which decodes and executes the JavaScript fingerprinter. The decoded JavaScript collects a fingerprint object that includes:

window - enumerates all properties using Object.getOwnPropertyNames().
A real Chrome browser has a window.chrome object with sub-properties like chrome.runtime and chrome.loadTimes. Older versions of headless Chrome were missing this object entirely, and even the newer headless Chrome (post-2023) can still have subtle differences in the property list. Selenium-driven browsers also leak extra properties like cdc_-prefixed driver handles. By dumping every property name, the Adspect backend can compare the full list against known-good profiles for each browser and flag discrepancies.

navigator - all properties dumped, most importantly navigator.webdri
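As an added example that is not part of the original post or of any Adspect code, here is a small Python triage script for a saved copy of a landing page that uses the onerror/data-digest loader pattern described above: it pulls the blob from each suspicious <img> tag, decodes it, and flags the fingerprinting and Adspect call-out indicators the article lists. The sample HTML is constructed to match that description rather than captured from the real page, and the assumption that the blob is plain base64 is taken from the article's wording.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Indicators taken from the article's description of the decoded fingerprinter.
INDICATORS = {
    "adspect_rpc": re.compile(r"rpc\.adspect\.net/v2/"),
    "stream_id": re.compile(r"f252d22c-19c3-487b-af3a-3d979b168a6d"),
    "property_dump": re.compile(r"Object\.getOwnPropertyNames\("),
    "webdriver_check": re.compile(r"navigator\.webdriver"),
    "iframe_check": re.compile(r"window\.(self|top)\s*!==?\s*window\.(top|self)"),
}

class _ImgScanner(HTMLParser):
    """Collects <img> tags carrying both a data-digest blob and an onerror handler."""
    def __init__(self):
        super().__init__()
        self.suspects = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag.lower() == "img" and "data-digest" in a and "onerror" in a:
            self.suspects.append(a)

def _decode_digest(blob):
    # Assumption: the blob is plain base64, as the article describes.
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def scan_landing_page(html):
    """Return one finding per suspicious <img>, for offline triage of a saved landing page."""
    p = _ImgScanner()
    p.feed(html)
    findings = []
    for a in p.suspects:
        js = _decode_digest(a["data-digest"])
        hits = sorted(n for n, rx in INDICATORS.items() if js and rx.search(js))
        findings.append({"onerror": a["onerror"], "decoded": js is not None, "indicators": hits})
    return findings

# Constructed sample mimicking the described loader pattern; not the real Adspect script.
_SAMPLE_JS = ("var fp={w:Object.getOwnPropertyNames(window),wd:navigator.webdriver,"
              "fr:window.self!==window.top};fetch('https://rpc.adspect.net/v2/"
              "f252d22c-19c3-487b-af3a-3d979b168a6d',{method:'POST',body:JSON.stringify(fp)});")
SAMPLE_HTML = ('<img src="x" data-digest="' + base64.b64encode(_SAMPLE_JS.encode()).decode()
               + '" onerror="eval(atob(this.dataset.digest))">')
```

Run `scan_landing_page()` over the HTML of a page you have already saved; a non-empty indicator list on a decoded blob is a strong sign the page carries an Adspect-style client-side cloaker.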