Tax Season Wolves: When The Flock Googles "Free Tax Forms" And Installs A Full Infestation
Oh good. Tax season. My absolute favorite time of year, when the Lambs collectively decide that Google is a trusted government resource and click on literally anything that says "IRS" in the ad copy.
I found out about this campaign at 2 AM. I was already awake. I'm always awake now.
Here's what happened. Since January, a pack of Coyotes has been buying up Google Ads targeting tax-related searches. The Lambs click the ad, because of course they do, and they download what looks like a ScreenConnect installer. Legitimate remote access software. Used by IT everywhere. Including, tragically, by us.
What they actually get is a ScreenConnect installer PLUS a little hitchhiker called HwAudKiller. That's the fun part.
HwAudKiller uses a vulnerable Huawei driver, dropped right onto the machine, to blind your EDR tools. Completely. This is Bring Your Own Vulnerable Driver, or BYOVD: the driver is legitimately signed, so Windows loads it without a murmur, and its known flaw hands the Coyotes kernel-level access that they use to kill the EDR's processes from underneath it. They essentially bring their own key to pick your lock. The fleas get in, the Electric Fence can't see them, and now someone else is grazing in your pasture with full remote access.
Your EDR is not sleeping. It is dead. There is a difference.
The Shepherds, naturally, have not asked me a single question about this. They did ask me why the printer on the third floor is slow. I have filed that experience away for my memoirs.
The Sky Pasture integration on half these endpoints makes lateral movement embarrassingly easy once the Coyote is in via ScreenConnect. I don't want to talk about it. I'm talking about it.
The whole thing is elegant in a way that makes me furious. Fake grain, real access, neutered defenses. Three steps. Done.
Remediation
Fine. Here's what you do, if you can find the energy.
Block it at the Electric Fence level. Allowlist the relay host of your own ScreenConnect instance and flag or block outbound connections to every other ScreenConnect relay by default. Yes, I know that breaks some legitimate deployments. Talk to your vendors. Or don't. Your call.
Audit your drivers. Specifically, look for known-vulnerable drivers being loaded, and remember that the BYOVD driver is signed, so "is it signed?" is the wrong question; compare hashes against a curated list such as the LOLDrivers project and against a baseline of what your fleet normally loads. Microsoft's vulnerable driver blocklist exists. It ships with Windows, it is enforced under HVCI/WDAC, and current Windows 11 even has a toggle for it under Core isolation. Use it. Apply it. Actually apply it this time.
Google Ads are not a safe download source. Tell the Lambs. Tell them again. Print it on a banner. Hang it in the break room next to the fire safety poster nobody reads.
Fix your EDR configurations so that driver-based tampering triggers an alert before the tool goes dark: turn on tamper protection, and ship driver-load telemetry (Sysmon Event ID 6, or your EDR's equivalent) to your SIEM so that an unexpected driver load followed by a dying security process lights up immediately. Most platforms support this. Most configs don't have it enabled. Classic.
Seriously, if your Lamb already clicked it, assume full compromise and start your incident response. Do not "monitor the situation."
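Since nobody is going to ask me for it, here is what the "audit your drivers" and "alert before the tool goes dark" items look like as an actual SIEM-side rule. This is an added example, written for this post; it is not code from the original report or from any vendor. The events, the fleet baseline, the vulnerable-hash set and the edr_agent.exe process name are constructed placeholders so that it runs offline; the Sysmon event IDs and MsMpEng.exe are real.

```python
"""Correlate Sysmon driver-load events (ID 6) with EDR process
terminations (ID 5) to catch a BYOVD driver being used to blind the EDR.

Added example, not from the original post. Events, the fleet baseline,
the vulnerable-hash set and the placeholder EDR process name are all
constructed here so the script runs offline.
"""
import ntpath
from datetime import datetime, timedelta

# Real Sysmon event IDs.
DRIVER_LOADED = 6
PROCESS_TERMINATED = 5

# Drivers this fleet is expected to load. Constructed; build the real one from a golden image.
BASELINE_DRIVERS = {
    r"c:\windows\system32\drivers\ntfs.sys",
    r"c:\windows\system32\drivers\tcpip.sys",
}

# Stand-in for a curated vulnerable-driver hash feed (e.g. LOLDrivers).
# "00" * 32 is a deliberately fake SHA256, not a real driver hash.
KNOWN_VULNERABLE_SHA256 = {"00" * 32}

# Security processes whose death right after an unexpected driver load is the tell.
# MsMpEng.exe is Defender's engine; edr_agent.exe is a placeholder for your vendor's.
EDR_PROCESS_NAMES = {"msmpeng.exe", "edr_agent.exe"}


def parse_utc(s):
    """Sysmon UtcTime looks like '2026-03-10 02:13:44.123'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def sha256_of(hashes_field):
    """Sysmon's Hashes field is 'SHA1=...,MD5=...,SHA256=...,IMPHASH=...'."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def suspicious_driver_loads(events):
    """Return (event, reasons) for every driver load worth a second look.

    The BYOVD driver in the post is validly signed; that is the whole point
    of the technique, so a signature-only check would miss it. The baseline
    and hash-feed checks are what actually fire.
    """
    hits = []
    for e in events:
        if e["EventID"] != DRIVER_LOADED:
            continue
        reasons = []
        if e["ImageLoaded"].lower() not in BASELINE_DRIVERS:
            reasons.append("driver not in fleet baseline")
        if sha256_of(e.get("Hashes", "")) in KNOWN_VULNERABLE_SHA256:
            reasons.append("SHA256 on vulnerable-driver list")
        if e.get("SignatureStatus") != "Valid":
            reasons.append("signature not valid")
        if reasons:
            hits.append((e, reasons))
    return hits


def edr_killed_after_driver_load(events, window_seconds=60):
    """High severity: a suspicious driver load followed by an EDR process dying within the window."""
    kills = [
        e for e in events
        if e["EventID"] == PROCESS_TERMINATED
        and ntpath.basename(e["Image"]).lower() in EDR_PROCESS_NAMES
    ]
    alerts = []
    for load, reasons in suspicious_driver_loads(events):
        t0 = parse_utc(load["UtcTime"])
        for k in kills:
            delta = parse_utc(k["UtcTime"]) - t0
            if timedelta(0) <= delta <= timedelta(seconds=window_seconds):
                alerts.append({
                    "driver": load["ImageLoaded"],
                    "reasons": reasons,
                    "edr_process": ntpath.basename(k["Image"]),
                    "seconds_after_load": int(delta.total_seconds()),
                })
    return alerts


# Constructed Sysmon-style events: a benign load, then a dropped driver,
# then Defender's engine dying seven seconds later.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2026-03-10 02:13:00.000",
     "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys",
     "Hashes": "SHA256=" + "11" * 32, "SignatureStatus": "Valid"},
    {"EventID": 6, "UtcTime": "2026-03-10 02:13:44.120",
     "ImageLoaded": r"C:\Users\Public\dropped.sys",  # constructed path
     "Hashes": "SHA1=" + "22" * 20 + ",SHA256=" + "00" * 32, "SignatureStatus": "Valid"},
    {"EventID": 5, "UtcTime": "2026-03-10 02:13:51.400",
     "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2026-03-10 02:13:52.000",
     "Image": r"C:\Windows\System32\notepad.exe"},  # noise
    {"EventID": 5, "UtcTime": "2026-03-10 02:20:00.000",
     "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe"},  # outside the window
]

if __name__ == "__main__":
    for a in edr_killed_after_driver_load(SAMPLE_EVENTS):
        print(f"ALERT: {a['driver']} loaded ({'; '.join(a['reasons'])}), "
              f"{a['edr_process']} terminated {a['seconds_after_load']}s later")
```

The point of the two-stage rule is the timing: a driver not in your baseline is worth a medium-severity ticket on its own, but that same load followed within a minute by your EDR's engine process vanishing is the BYOVD kill in progress, and it should page someone while the relay connection is still being set up. Note that the signature check is deliberately the weakest of the three; a signed-and-vulnerable driver passes it by design.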
Still on my first coffee and already regretting everything about this industry.
Original Report: https://thehackernews.com/2026/03/tax-search-ads-deliver-screenconnect.html