
Defending Against Tax Season Malvertising: Detecting ScreenConnect and BYOVD Attacks

Security Arsenal Team
March 29, 2026

Introduction

With the 2026 tax season in full swing, cybercriminals are leveraging the urgency of tax filings to distribute malware. A massive malvertising campaign, active since January 2026, has been targeting U.S. individuals by poisoning search engine results for tax-related documents. These ads lead users to download rogue installers for ConnectWise ScreenConnect, a legitimate remote administration tool. Once executed, the payload drops a tool known as "HwAudKiller," which utilizes a Bring Your Own Vulnerable Driver (BYOVD) technique—specifically abusing a signed Huawei driver—to disable Endpoint Detection and Response (EDR) systems. For security teams, this highlights the critical need to monitor for legitimate tools being weaponized and to enforce strict driver signing policies.

Technical Analysis

The attack chain begins with Search Engine Optimization (SEO) poisoning and malvertising. Victims searching for tax forms click on malicious Google Ads that direct them to attacker-controlled domains hosting trojanized ScreenConnect installers.

Upon execution, the installer drops a malicious tool, HwAudKiller. This tool loads a vulnerable, signed Huawei driver (hw_ioport64.sys). Because the driver is signed, Windows trusts it by default. The attacker exploits a known vulnerability in the driver to gain kernel-level access, allowing them to forcefully terminate security processes (EDR, AV) and delete their files. This effectively blinds the organization's defenses before the actual payload is delivered.

Affected Systems:

  • Windows endpoints without HVCI (Hypervisor-protected Code Integrity) enabled.
  • Environments allowing non-Microsoft signed drivers without strict allowlisting.

Severity: Critical. The use of BYOVD allows attackers to bypass modern, sophisticated endpoint protection suites.

Defensive Monitoring

Security Operations (SOC) teams should hunt for the combination of unexpected ScreenConnect installations and the loading of the specific Huawei driver. Below are detection queries and scripts to identify compromise.

1. Detecting the BYOVD Driver (KQL for Microsoft Sentinel/Defender)

This query looks for the loading of the vulnerable Huawei driver (hw_ioport64.sys) often used in BYOVD attacks.

Script / Code
// Driver loads are recorded in DeviceImageLoadEvents and, on current Defender for Endpoint
// schemas, also in DeviceEvents with ActionType "DriverLoad"; union both so neither source is missed.
// (The SigningStatus/AdditionalFields columns are not part of DeviceImageLoadEvents and were dropped.)
union
    (DeviceImageLoadEvents | where FileName =~ "hw_ioport64.sys"),
    (DeviceEvents | where ActionType == "DriverLoad" and FileName =~ "hw_ioport64.sys")
// Keep the process that triggered the load: a user-launched installer loading a kernel driver is the key signal
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, SHA256
| order by Timestamp desc

2. Detecting Suspicious ScreenConnect Activity (KQL)

This query flags ScreenConnect client service binaries running from outside the standard Program Files locations (for example, from a user profile or a temporary folder) and surfaces the parent process so the launch can be triaged.

Script / Code
DeviceProcessEvents
// Match on the PE's original file name so a renamed binary is still caught
| where ProcessVersionInfoOriginalFileName =~ "ScreenConnect.ClientService.exe"
// A legitimate client install lives under Program Files / Program Files (x86); anything else is unusual
| where FolderPath !contains @"Program Files"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256
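To complement the hunting query with an on-host check, the following PowerShell script is an added example (not code from the original advisory) that lists every ScreenConnect client service on the endpoint, extracts the relay host each one reports to, and compares it against an allowlist of approved relays. It assumes the client service's command line carries the relay host in an "h=" parameter of the client URL (the form typically seen on ScreenConnect client installs); the allowlisted host name is a placeholder to replace with your own.

```powershell
# Added example (not from the original advisory): triage installed ScreenConnect client services.
# ASSUMPTION: the service command line carries the relay host as "h=<host>" inside the client URL,
# e.g. ...ScreenConnect.ClientService.exe "?e=Access&y=Guest&h=relay.example.com&p=443&s=...&k=..."
# Verify this against a known-good install in your own environment before relying on it.

# Relay hosts your organization legitimately uses (placeholder; replace with your own).
$approvedRelays = @("support.example-corp.com")

# Match on the service name pattern ScreenConnect uses and, as a fallback, on the binary name.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -like "ScreenConnect Client*" -or $_.PathName -like "*ScreenConnect.ClientService.exe*" }

if (-not $services) {
    Write-Host "No ScreenConnect client services found."
    return
}

foreach ($svc in $services) {
    # Pull the relay host out of the client URL embedded in the service path
    $relay = "unknown"
    if ($svc.PathName -match 'h=([^&"\s]+)') { $relay = $Matches[1] }

    # A legitimate install lives under Program Files; a user profile or Temp path is suspicious
    $inProgramFiles = $svc.PathName -match 'Program Files'
    $approved = $approvedRelays -contains $relay

    $verdict = if ($approved -and $inProgramFiles) { "OK" } else { "REVIEW" }
    $color = if ($verdict -eq "OK") { "Green" } else { "Red" }

    Write-Host ("[{0}] {1} | relay={2} | state={3} | path={4}" -f $verdict, $svc.Name, $relay, $svc.State, $svc.PathName) -ForegroundColor $color
}
```

Anything marked REVIEW, whether an unapproved relay host or an install outside Program Files, should be cross-referenced with the KQL results above and with the user's browser history for the tax-document search that led to the download.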

3. PowerShell Script to Check for Vulnerable Driver Presence

Run this script on endpoints to verify if the vulnerable Huawei driver is present in the driver store.

Script / Code
# Check for the vulnerable Huawei driver hw_ioport64.sys, both on disk and as a registered kernel driver
$driverName = "hw_ioport64.sys"
$searchPaths = @("C:\Windows\System32\drivers", "C:\Windows\System32\DriverStore\FileRepository")

Write-Host "Scanning for $driverName..."

foreach ($path in $searchPaths) {
    if (Test-Path $path) {
        $found = Get-ChildItem -Path $path -Filter $driverName -Recurse -File -ErrorAction SilentlyContinue
        foreach ($file in $found) {
            # Report the hash alongside the path so the finding can be matched against IOC feeds
            $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
            Write-Host "WARNING: Found at $($file.FullName) (SHA256 $hash)" -ForegroundColor Red
        }
    }
}

# A BYOVD loader can drop the driver anywhere, so also check the registered kernel driver services
$registered = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object { $_.PathName -like "*$driverName*" }
foreach ($drv in $registered) {
    Write-Host "WARNING: Driver service '$($drv.Name)' registered at $($drv.PathName) (State: $($drv.State))" -ForegroundColor Red
}

Write-Host "Scan complete."

Remediation

To protect your organization from this specific threat and future BYOVD attacks, implement the following remediation steps immediately:

  1. Enable Microsoft Vulnerable Driver Blocklist: Ensure the "Vulnerable Driver Blocklist" policy is enabled via Intune or Group Policy. This automatically blocks the specific Huawei driver and other known abusive drivers.
  2. Enable HVCI (Memory Integrity): Hypervisor-protected Code Integrity prevents the loading of known vulnerable drivers, effectively mitigating the BYOVD technique.
    • Path: Windows Security > Device security > Core isolation details > Memory integrity.
  3. Application Allowlisting: Restrict the execution of ScreenConnect (ConnectWiseControl.ClientSetup.exe) to only specific, approved administrative workstations or deployment servers. Block its execution from user profiles or temporary internet folders.
  4. User Awareness: Brief end-users on the risks of malvertising. Advise them to navigate directly to official tax agency websites (e.g., irs.gov) rather than relying on search engine results for tax documents.
  5. Block Known Malicious Domains: Update your secure web gateways and DNS filters to block domains identified in this campaign (refer to specific threat intelligence feeds for current IOCs).
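The first two remediation items can be verified fleet-wide rather than taken on trust. The PowerShell script below is an added example (not code from the original advisory) that audits whether the Microsoft Vulnerable Driver Blocklist and HVCI (Memory Integrity) are actually in effect on a host, reading the Microsoft-documented registry locations for the configured state and the Win32_DeviceGuard WMI class for the running state. Run it elevated; the exit code lets a deployment or compliance tool flag non-compliant endpoints.

```powershell
# Added example (not from the original advisory): audit the two BYOVD mitigations from the remediation list.
# Registry locations and the Win32_DeviceGuard class are Microsoft-documented; run this elevated.

$results = @()

# 1. Microsoft Vulnerable Driver Blocklist
#    Policy value: HKLM\SYSTEM\CurrentControlSet\Control\CI\Config\VulnerableDriverBlocklistEnable = 1
$ciConfig = "HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config"
$blocklist = (Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
if ($null -eq $blocklist) {
    # Absent value: Windows 11 22H2 and later turn the blocklist on by default, but confirm in Windows Security
    $blocklistDetail = "value not set (default-on since Windows 11 22H2; confirm in Windows Security)"
} else {
    $blocklistDetail = "registry value = $blocklist"
}
$results += [pscustomobject]@{
    Control = "Vulnerable Driver Blocklist"
    Enabled = ($blocklist -eq 1)
    Detail  = $blocklistDetail
}

# 2. HVCI / Memory Integrity
#    Configured state: HKLM\...\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity\Enabled
#    Running state:    Win32_DeviceGuard.SecurityServicesRunning contains 2 when HVCI is active
$hvciKey = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
$hvciConfigured = (Get-ItemProperty -Path $hvciKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$hvciRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
$results += [pscustomobject]@{
    Control = "HVCI (Memory Integrity)"
    Enabled = $hvciRunning
    Detail  = "configured=$hvciConfigured running=$hvciRunning"
}

$results | Format-Table -AutoSize

# Non-zero exit code marks the host as non-compliant for whatever tool ran the script
if ($results | Where-Object { -not $_.Enabled }) { exit 1 } else { exit 0 }
```

A host where HVCI shows configured=1 but running=False usually has a hardware or driver compatibility blocker; those endpoints deserve priority, since they are exactly where the blocklist alone has to hold the line against the Huawei driver.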
