How a Tax Search Leads to Kernel-Mode AV/EDR Kill
ID: b6eb8633-15b8-5a89-8aba-a915ea8f5b4e
STIX ID: report--b6eb8633-15b8-5a89-8aba-a915ea8f5b4e
Feed Name: Huntress Blog
A large-scale malvertising campaign abused Google Ads and layered cloaking services (Adspect, JustCloakIt), which serve the malicious page only to targeted visitors and a benign one to scanners, to deliver rogue ScreenConnect installers hosted on 4sync. The installers ran a multi-stage crypter (FatMalloc) that loaded HwAudKiller, a tool that abuses a legitimately signed Huawei audio driver (HWAuidoOs2Ec.sys / Havoc.sys) in a bring-your-own-vulnerable-driver (BYOVD) attack to terminate EDR and AV processes from kernel mode. With endpoint defenses disabled, the operators dumped LSASS, harvested credentials at scale, and moved laterally. The report includes IoCs, YARA rules, and detection and mitigation guidance.
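A quick host-side hunt for the BYOVD stage, added here as an example and not taken from the Huntress report: it lists every registered kernel driver service whose file name matches the two driver names in the summary, hashes the file so the result can be compared against the report's IoCs, looks back through System log service-install events for the same names in case the service was already removed, and reports whether Microsoft's vulnerable driver blocklist is enabled. The driver file names come from the summary; the registry value `VulnerableDriverBlocklistEnable` and the use of Event ID 7045 are assumptions based on public Windows documentation, and the HVCI check is a simplification.

```powershell
# Added hunting check (example, not Huntress code). Run elevated on a suspect host.
# Watch list: driver file names named in the summary. Case-insensitive match below.
$WatchNames = @('HWAuidoOs2Ec.sys', 'Havoc.sys')
$WatchRegex = ($WatchNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Normalise the PathName values Win32_SystemDriver returns (\??\C:\..., \SystemRoot\...,
# or bare System32\drivers\x.sys) into a path Get-FileHash can open.
function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    return $p
}

# 1. Currently registered kernel driver services with a watched file name.
$registered = foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
    $path = Resolve-DriverPath $drv.PathName
    if (-not $path) { continue }
    if ($WatchNames -contains (Split-Path -Leaf $path)) {
        $hash = if (Test-Path -LiteralPath $path) {
            (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        } else { 'file missing (service left behind, binary deleted)' }
        [pscustomobject]@{
            Service   = $drv.Name
            State     = $drv.State
            StartMode = $drv.StartMode
            Path      = $path
            SHA256    = $hash     # compare against the report's IoCs
        }
    }
}

# 2. Service-install events (assumption: Event ID 7045 in the System log) that
#    mention a watched name, so a cleaned-up install still shows up.
$installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $WatchRegex } |
    Select-Object TimeCreated, @{ n = 'Detail'; e = { ($_.Message -replace '\s+', ' ').Trim() } }

# 3. Is the Microsoft vulnerable driver blocklist on? (assumption: this CI\Config value)
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
$blocklist = if ($ci -and $ci.PSObject.Properties['VulnerableDriverBlocklistEnable']) {
    $ci.VulnerableDriverBlocklistEnable
} else { 'value not present' }

# Simplified HVCI check: 2 in SecurityServicesRunning means hypervisor-enforced code integrity.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$hvci = if ($dg -and ($dg.SecurityServicesRunning -contains 2)) { 'running' } else { 'not running / unknown' }

'--- Registered driver services matching watch list ---'
if ($registered) { $registered | Format-List } else { 'none' }
'--- Service-install events matching watch list ---'
if ($installs) { $installs | Format-Table -AutoSize -Wrap } else { 'none' }
"VulnerableDriverBlocklistEnable: $blocklist"
"HVCI: $hvci"
```

A name match only catches a copy that kept one of the two file names; a renamed driver is found by matching the SHA256 (or the signer) against the IoCs in the report, which is why the hash is included in the output. A clean result on steps 1 and 2 does not clear the host either, because the installer and crypter stages run entirely in user mode and leave their own artifacts; it only says the driver was not registered as a service on this machine.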
