Investigators found that sponsored search results tied to queries such as “W-2 tax form” and “W-9 tax forms 2026” redirected users to convincing websites that mimic legitimate document portals. Victims downloading files from these pages unknowingly installed malware designed to undermine endpoint detection and response systems. The tactic reflects a growing shift among threat actors towards exploiting trusted online platforms to deliver malicious payloads at scale.
Central to the operation is the abuse of a known vulnerable driver associated with Huawei audio software. By loading this driver onto a target system, attackers are able to gain elevated privileges and terminate or disable security processes that would typically detect suspicious activity. This approach, widely referred to as BYOVD, has gained traction in cybercriminal circles because it leverages legitimate but flawed software components to evade scrutiny.
Huntress analysts reported that once defensive tools are neutralised, the attackers deploy remote management software, notably unauthorised instances of ScreenConnect, to carry out hands-on-keyboard activity. This stage enables operators to move laterally within networks, exfiltrate data or install additional malware, including ransomware. The use of legitimate remote access tools complicates detection, as such software is commonly used in enterprise environments for IT support.
The campaign’s structure suggests a well-organised operation rather than opportunistic cybercrime. Researchers observed consistent infrastructure patterns, coordinated advertisement placement and repeated use of similar payloads, indicating a level of planning and resource allocation typically associated with advanced threat groups or financially motivated syndicates. The targeting of tax-related keywords also points to seasonal timing, exploiting periods when individuals and businesses are actively searching for official forms.
Cybersecurity experts note that malvertising, the practice of embedding malicious links within online advertisements, has evolved significantly. Earlier campaigns often relied on exploit kits or drive-by downloads, but newer iterations prioritise user interaction, such as convincing victims to download files directly. This shift reflects improved browser security and growing awareness of traditional attack methods, pushing threat actors to refine social engineering techniques.
Industry data shows a steady increase in BYOVD attacks over the past two years, with multiple groups adopting the technique to disable antivirus and EDR platforms. Security vendors have responded by maintaining blocklists of known vulnerable drivers, but the vast number of outdated or flawed drivers in circulation presents an ongoing challenge. Attackers frequently rotate drivers or modify their delivery mechanisms to bypass these defences.
The involvement of widely used platforms such as Google Ads raises broader concerns about the integrity of online advertising ecosystems. While major technology companies have introduced stricter verification processes and automated detection systems, threat actors continue to find ways to circumvent safeguards. The scale and speed of digital advertising networks can allow malicious campaigns to reach large audiences before they are identified and removed.
Corporate environments face particular risk from such attacks, as employees searching for tax documents or financial templates may inadvertently introduce malware into organisational networks. Once inside, the combination of disabled security tools and legitimate remote access software provides attackers with a foothold that can be difficult to detect. Incident response teams often discover such intrusions only after suspicious activity or data loss becomes apparent.
Security professionals emphasise the importance of layered defence strategies to mitigate these threats. Restricting the use of unsigned or untrusted drivers, monitoring for unusual driver installations and enforcing application control policies can reduce exposure to BYOVD attacks. In addition, organisations are being urged to train staff to verify the authenticity of websites and avoid downloading files from sponsored search results without validation.
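One way to put the driver-load monitoring the article recommends into practice, as an added example that is not code from the article or from Huntress: the script below triages Sysmon Event ID 6 (DriverLoad) records, flagging hashes that appear on a vulnerable-driver blocklist, unsigned loads, and drivers loaded from outside the usual Windows driver directories. The events, the blocklist entry and the driver file names are constructed placeholders.

```python
"""Triage Sysmon Event ID 6 (DriverLoad) records for BYOVD indicators.
Added illustration, not code from the article or Huntress; the events and the
blocklist hash are constructed placeholders standing in for exported Sysmon
events and a vendor-maintained vulnerable-driver blocklist."""
import re
PLACEHOLDER_HASH = "f" * 64  # constructed stand-in for a real SHA256 blocklist entry
# Hashes of drivers known to be exploitable, keyed to a label for the alert.
VULNERABLE_DRIVER_SHA256 = {PLACEHOLDER_HASH: "constructed vulnerable audio driver"}
# Directories from which production drivers normally load on Windows.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\",
                       "c:\\windows\\system32\\driverstore\\")
# Constructed events in a simplified Key="Value" rendering of Sysmon fields.
SAMPLE_EVENTS = [
    'ImageLoaded="C:\\Windows\\System32\\drivers\\ndis.sys" Hashes="SHA256=' + "0" * 64
    + '" Signed="true" Signature="Microsoft Windows" SignatureStatus="Valid"',
    'ImageLoaded="C:\\Users\\Public\\audio_driver.sys" Hashes="SHA256=' + PLACEHOLDER_HASH
    + '" Signed="true" Signature="Example Vendor" SignatureStatus="Valid"',
    'ImageLoaded="C:\\ProgramData\\tmp\\helper.sys" Hashes="SHA256=' + "1" * 64
    + '" Signed="false" Signature="" SignatureStatus="Unavailable"',
]

def parse_event(line):
    """Return the Key="Value" pairs of one event as a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def sha256_of(hashes_field):
    """Pick the SHA256 entry out of Sysmon's 'ALG=hex,ALG=hex' Hashes field."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None

def triage(line):
    """Return the reasons one DriverLoad event deserves attention (empty if none)."""
    ev = parse_event(line)
    image = ev.get("ImageLoaded", "")
    reasons = []
    if sha256_of(ev.get("Hashes", "")) in VULNERABLE_DRIVER_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")  # validly signed, still exploitable
    if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("unsigned or invalid signature")
    if not image.lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from outside the Windows driver directories")
    return {"image": image, "reasons": reasons}

def triage_log(lines):
    """Alerts for every event with at least one reason, in log order."""
    return [r for r in map(triage, lines) if r["reasons"]]
```

The blocklist check is the one that matters for BYOVD: the abused driver is typically validly signed, so signature checks alone would pass it.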