Executive Summary
In March 2026, a large-scale malvertising campaign targeted U.S. individuals searching for tax-related documents. Attackers used Google Ads to distribute rogue installers for ConnectWise ScreenConnect, which deployed a tool named HwAudKiller. This tool exploited a vulnerable Huawei driver to disable endpoint detection and response (EDR) systems, allowing the installation of additional malware without detection. The campaign highlights the increasing sophistication of cyber threats leveraging legitimate tools and vulnerabilities to bypass security measures. Organizations must remain vigilant against such tactics, especially during periods when users are likely to seek specific information, such as tax season.
Why This Matters Now
The use of legitimate tools like ScreenConnect and vulnerable drivers to disable security systems underscores the evolving tactics of cybercriminals. Organizations must enhance their security protocols to detect and prevent such sophisticated attacks.
Attack Path Analysis
The attack began with users searching for tax-related documents, leading them to malicious ads that delivered a compromised ScreenConnect installer. Upon execution, the installer deployed a vulnerable Huawei audio driver to disable endpoint detection and response (EDR) systems, facilitating privilege escalation. The attacker then used tools like NetExec for network reconnaissance and lateral movement. Command and control were established through persistent remote access tools, including FleetDeck Agent. The adversary exfiltrated credentials from the LSASS process memory. The campaign's objectives remain unclear, but tactics suggest potential ransomware deployment or monetization of access.
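The pivot of this chain is the bring-your-own-vulnerable-driver (BYOVD) step: the driver that disables EDR is legitimately signed, so signature checks alone do not catch it. The following detection logic is an added example written for this brief, not code from the report, ConnectWise, Huawei or any vendor. It assumes Sysmon Event ID 1 (ProcessCreate) and Event ID 6 (DriverLoad) records serialized one JSON object per line with the standard Sysmon field names; every hash, file name and path in the sample input is a constructed placeholder, not an indicator from the campaign.

```python
"""Flag suspicious kernel driver loads in Sysmon DriverLoad records.

Added example for this brief (not the report's or any vendor's code). BYOVD
defence keys on three signals that do not depend on the driver being unsigned:
  1. the driver hash is on a maintained vulnerable-driver blocklist,
  2. the driver is loaded from a user-writable location,
  3. the load follows a remote-access tool start within a short window.
"""
import json
from datetime import datetime, timedelta

# Constructed placeholder; in production populate this from Microsoft's
# vulnerable driver blocklist or the LOLDrivers project.
VULNERABLE_DRIVER_SHA256 = {"PLACEHOLDER_SHA256_OF_VULNERABLE_AUDIO_DRIVER"}

# Directories from which drivers are normally loaded on Windows.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Substrings of process image names for remote-access tooling seen in this
# campaign (assumption: the ScreenConnect client image contains this string).
REMOTE_ACCESS_HINTS = ("screenconnect",)


def parse_hashes(field):
    """Turn Sysmon's 'SHA256=...,IMPHASH=...' string into a dict."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip().upper()
    return out


def parse_record(line):
    """Parse one JSON line and attach a datetime for ordering and windows."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["UtcTime"])
    return rec


def analyse(lines, window=timedelta(minutes=10)):
    """Return one finding dict per (rule, driver load) that fired."""
    records = sorted((parse_record(l) for l in lines if l.strip()),
                     key=lambda r: r["ts"])
    rat_starts = []  # timestamps of remote-access tool process starts
    findings = []
    for rec in records:
        if rec["EventID"] == 1:
            if any(h in rec["Image"].lower() for h in REMOTE_ACCESS_HINTS):
                rat_starts.append(rec["ts"])
            continue
        if rec["EventID"] != 6:
            continue
        image = rec["ImageLoaded"]
        hashes = parse_hashes(rec.get("Hashes", ""))
        rules = []
        if hashes.get("SHA256") in VULNERABLE_DRIVER_SHA256:
            rules.append("blocklisted_driver")
        if not image.lower().startswith(TRUSTED_DRIVER_DIRS):
            rules.append("untrusted_path")
        if rec.get("SignatureStatus") != "Valid":
            rules.append("invalid_or_missing_signature")
        if any(t <= rec["ts"] <= t + window for t in rat_starts):
            rules.append("loaded_after_remote_access_tool")
        for rule in rules:
            findings.append({"rule": rule, "image": image, "time": rec["UtcTime"]})
    return findings


# Constructed sample telemetry: a remote-access installer starts, a signed
# driver is loaded from a public directory three minutes later, and a benign
# system driver loads much later from the normal location.
SAMPLE_LINES = [
    json.dumps({"EventID": 1, "UtcTime": "2026-03-10T14:00:00",
                "Image": "C:\\Users\\Public\\placeholder-screenconnect-installer.exe"}),
    json.dumps({"EventID": 6, "UtcTime": "2026-03-10T14:03:00",
                "ImageLoaded": "C:\\Users\\Public\\placeholder-audio.sys",
                "Hashes": "SHA256=PLACEHOLDER_SHA256_OF_VULNERABLE_AUDIO_DRIVER,IMPHASH=PLACEHOLDER",
                "Signed": "true", "SignatureStatus": "Valid"}),
    json.dumps({"EventID": 6, "UtcTime": "2026-03-10T15:30:00",
                "ImageLoaded": "C:\\Windows\\System32\\drivers\\placeholder-benign.sys",
                "Hashes": "SHA256=PLACEHOLDER_SHA256_BENIGN",
                "Signed": "true", "SignatureStatus": "Valid"}),
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LINES):
        print(finding)
```

Note that the placeholder audio driver carries a valid signature, so only the hash, path and timing rules fire on it; that is exactly the gap a BYOVD attacker relies on, and why the blocklist and the correlation with remote-access tool activity matter more than the signature status.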
Kill Chain Progression
Initial Compromise
Description
Users searching for tax-related documents clicked on malicious ads, leading to the download of a compromised ScreenConnect installer.
Related CVEs
CVE-2024-1709
CVSS 10
An authentication bypass vulnerability in ConnectWise ScreenConnect allows remote attackers to create administrative accounts without proper authorization.
Affected Products:
ConnectWise ScreenConnect – < 22.4.0
Exploit Status:
exploited in the wild
CVE-2024-1708
CVSS 8.4
A path traversal vulnerability in ConnectWise ScreenConnect allows remote attackers to access arbitrary files on the server.
Affected Products:
ConnectWise ScreenConnect – < 22.4.0
Exploit Status:
exploited in the wild
CVE-2024-58257
CVSS 6.7
An OS command injection vulnerability in Huawei EnzoH products allows local attackers to execute arbitrary commands.
Affected Products:
Huawei EnzoH-W5611T – BIOS 1.07
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Application Layer Protocol
Command and Scripting Interpreter
Windows Service
Exploitation for Privilege Escalation
Impair Defenses
Virtualization/Sandbox Evasion
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Device Security
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Accounting
Tax-focused malvertising campaign directly targets accounting professionals during tax season, exploiting ScreenConnect for EDR bypass and lateral movement through client networks.
Financial Services
BYOVD technique disabling EDR systems threatens financial institutions' zero trust segmentation and encrypted traffic monitoring capabilities during critical tax processing periods.
Information Technology/IT
ScreenConnect compromise undermines IT service providers' remote access security, enabling privilege escalation and command & control through trusted administrative channels.
Government Administration
Malvertising targeting tax document searches poses significant risk to government agencies' compliance frameworks and threat detection capabilities through EDR evasion.
Sources
- Tax Search Ads Deliver ScreenConnect Malware Using Huawei Driver to Disable EDR: https://thehackernews.com/2026/03/tax-search-ads-deliver-screenconnect.html
- Ransomware gangs exploiting ConnectWise ScreenConnect flaws: https://www.techtarget.com/searchsecurity/news/366571367/Ransomware-gangs-exploiting-ConnectWise-ScreenConnect-flaws
- Security Advisory - OS Command Injection Vulnerability in Huawei EnzoH Products: https://www.huawei.com/en/psirt/security-advisories/2025/huawei-sa-OCIViHEP-1bcbfffa
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and egress controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit initial access vectors may be constrained, reducing the likelihood of successful initial compromise.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges may be constrained, reducing the scope of potential damage.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the network may be constrained, reducing the potential blast radius.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels may be constrained, reducing the duration and effectiveness of the attack.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data may be constrained, reducing the risk of data loss.
The attacker's ability to achieve their objectives may be constrained, reducing the overall impact of the attack.
Impact at a Glance
Affected Business Functions
- Tax Document Processing
- Financial Reporting
- Customer Service
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive tax documents and financial records.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and limit the attacker's ability to traverse the network.
- Deploy East-West Traffic Security controls to monitor and control internal traffic, detecting unauthorized movements.
- Utilize Egress Security & Policy Enforcement to prevent unauthorized outbound communications and data exfiltration.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to unusual activities promptly.
- Ensure comprehensive Multicloud Visibility & Control to maintain oversight across all cloud environments and detect potential threats.