
Trojanized ConnectWise ScreenConnect Installers Deployed in Tax-Themed Malvertising Campaign
Why It Matters
The campaign demonstrates how legitimate remote‑support utilities can be weaponized to disable enterprise defenses during high‑traffic periods, forcing organizations to rethink ad‑network monitoring and driver security.
Key Takeaways
- Google Ads used to deliver fake tax form links.
- Malicious ScreenConnect installers inject multi‑stage crypter.
- HwAudKiller exploits Huawei driver to kill major EDR solutions.
- Attack leverages “bring‑your‑own‑vulnerable‑driver” technique.
- Campaign underscores commodity tools enabling sophisticated threats.
Pulse Analysis
The campaign taps into the annual rush for tax documents, hijacking Google’s paid‑search ecosystem to present counterfeit W‑2 and W‑9 download pages. When users click the sponsored results, an Adspect‑powered PHP traffic‑distribution layer silently redirects them to a malicious host that serves a tampered ConnectWise ScreenConnect installer. This approach mirrors a growing pattern where cybercriminals weaponize legitimate advertising channels to reach a broad, unsuspecting audience, especially during high‑interest periods such as tax season. The use of paid search also complicates detection, as legitimate ad spend masks malicious redirects, forcing defenders to rely on URL reputation and traffic analysis.
Once installed, the compromised ScreenConnect client launches a trial instance and injects a multi‑stage crypter that drops the HwAudKiller payload. HwAudKiller exploits a known vulnerability in a Huawei USB driver, granting the attacker kernel‑level code execution and allowing it to terminate leading endpoint‑detection‑and‑response products such as Microsoft Defender, SentinelOne and Kaspersky. By leveraging the ‘bring‑your‑own‑vulnerable‑driver’ model, the threat actors bypass traditional security controls without needing zero‑day exploits, demonstrating how commodity tools can be repurposed for sophisticated intrusion chains. Furthermore, the payload can persist by installing the compromised driver as a system service, ensuring continued access even after reboot.
The incident underscores the urgency for organizations to harden their remote‑access supply chain and to scrutinize third‑party driver updates. Security teams should enforce application whitelisting, monitor anomalous ScreenConnect activity, and deploy behavioral analytics that can flag unexpected driver loading. Additionally, ad‑network vendors must improve vetting processes to prevent malicious advertisers from exploiting tax‑season traffic. Enterprises should also consider zero‑trust network access for remote tools and regularly audit driver signatures to reduce attack surface. As attackers continue to blend legitimate utilities with vulnerable components, a layered defense that includes timely patching, endpoint hardening, and threat‑intel sharing will be essential to mitigate similar campaigns.
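The recommendation above to flag unexpected driver loading and audit driver signatures can be turned into a simple review rule set. The script below is an added example written for this write-up, not code from the article, the campaign, or any vendor. It assumes driver-load telemetry has been exported as one JSON object per line using the Sysmon Event ID 6 (DriverLoad) field names (UtcTime, ImageLoaded, Signed, Signature, SignatureStatus); the signer allowlist and the sample records are constructed for illustration. It flags drivers that are unsigned or whose signature is no longer valid, drivers from signers the organization has not baselined, and drivers loaded from outside the system driver directories or from user-writable paths, which is the staging pattern a bring-your-own-vulnerable-driver chain relies on.

```python
"""Flag unexpected kernel-driver loads from Sysmon-style DriverLoad (Event ID 6) records.

Added example, not code from the article or from any vendor. Assumes telemetry
exported one JSON object per line with Sysmon Event ID 6 field names; the
allowlist and the sample records below are constructed.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field

# Signers the organization has baselined as legitimate sources of kernel code.
# Constructed allowlist: a real one is derived from a clean fleet baseline.
TRUSTED_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}

# Directories from which drivers are normally loaded (compared case-insensitively).
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Path fragments that indicate a location an unprivileged user can write to.
# A driver staged here is the classic bring-your-own-vulnerable-driver pattern.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


@dataclass
class Finding:
    utc_time: str
    image: str
    reasons: list[str] = field(default_factory=list)


def evaluate_driver_load(event: dict) -> list[str]:
    """Return the reasons an Event ID 6 record deserves analyst review (empty if none)."""
    reasons: list[str] = []
    image = event.get("ImageLoaded", "")
    lower = image.lower()

    # Signature checks: unsigned, or signed but revoked/expired/unverifiable.
    if str(event.get("Signed", "")).lower() != "true":
        reasons.append("unsigned driver")
    elif event.get("SignatureStatus") != "Valid":
        reasons.append(f"signature status is {event.get('SignatureStatus')!r}")

    # Signer allowlist: a valid signature from an unreviewed vendor still needs a look,
    # because BYOVD abuses drivers that are properly signed but known-vulnerable.
    signer = event.get("Signature", "")
    if signer and signer not in TRUSTED_SIGNERS:
        reasons.append(f"signer not on allowlist: {signer}")

    # Location checks: drivers should come from the system driver directories,
    # never from a path an ordinary user can write to.
    if not lower.startswith(EXPECTED_DRIVER_DIRS):
        reasons.append("loaded from outside the expected driver directories")
    if any(marker in lower for marker in USER_WRITABLE_MARKERS):
        reasons.append("loaded from a user-writable location")
    return reasons


def scan_driver_loads(jsonl_text: str) -> list[Finding]:
    """Parse JSON-lines telemetry and return one Finding per suspicious driver load."""
    findings: list[Finding] = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("EventID") != 6:
            continue  # only DriverLoad records are of interest here
        reasons = evaluate_driver_load(event)
        if reasons:
            findings.append(Finding(event.get("UtcTime", ""), event.get("ImageLoaded", ""), reasons))
    return findings


# Constructed sample telemetry: one benign load, one driver staged in a Temp folder
# with a non-allowlisted signer, and one in-place driver whose certificate was revoked.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"EventID": 6, "UtcTime": "2025-03-14 09:12:01.117",
                "ImageLoaded": "C:\\Windows\\System32\\drivers\\afd.sys",
                "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}),
    json.dumps({"EventID": 6, "UtcTime": "2025-03-14 09:12:44.902",
                "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\EXAMPLE_DRIVER.sys",
                "Signed": "true", "Signature": "Example OEM Co. (constructed)", "SignatureStatus": "Valid"}),
    json.dumps({"EventID": 6, "UtcTime": "2025-03-14 09:13:10.330",
                "ImageLoaded": "C:\\Windows\\System32\\drivers\\legacy_example.sys",
                "Signed": "true", "Signature": "Example OEM Co. (constructed)", "SignatureStatus": "Revoked"}),
])


if __name__ == "__main__":
    for finding in scan_driver_loads(SAMPLE_EVENTS):
        print(f"{finding.utc_time}  {finding.image}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

The rules deliberately produce review queues rather than blocks: a validly signed third-party driver from an unreviewed signer is exactly what a vulnerable-driver abuse looks like, so the allowlist has to be maintained from a known-good baseline, and the user-writable-path rule is the highest-confidence signal of the three.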