A massive malvertising campaign detected in early 2026 took advantage of searches for tax documents to lure victims in the United States to malicious installers that deliver a kernel-mode killer for security products. According to the analysis published by the cybersecurity firm Huntress, the sponsored ads redirected to decoy pages that distributed ConnectWise ScreenConnect installers (also known as ConnectWise Control) and, from there, deployed an attack chain designed to blind endpoint defenses before the engagement moved forward. You can read Huntress's technical report here: Huntress - W2 malvertising to kernel mode EDR kill.
What makes this operation particularly dangerous is not only the tax-themed social engineering, but the combination of commercial tools and legitimate components. The attackers used commercial cloaking services so that scanners and ad review systems saw a harmless page while real visitors received the malicious installer. According to Huntress, the infrastructure included at least two layers of cloaking, one based on Adspect and one based on JustCloakIt, which together fingerprint the visitor and decide what content to serve. This kind of TDS (Traffic Distribution System) allowed them to evade automated detection and target delivery.

The critical piece of the malicious chain is a module the researchers have named HwAudKiller. This component uses a technique known as "Bring Your Own Vulnerable Driver" (BYOVD), in which a legitimate, signed driver that contains exploitable flaws is loaded and then used to perform actions from the kernel. In this case, a driver signed by a known audio hardware manufacturer - the HWAuidoOs2EC.sys file - was identified and used to terminate security product processes from kernel mode, something user-space controls cannot easily prevent.
The engineering behind the abuse of signed drivers is simple in its approach and alarming in its consequences: Windows loads signed drivers without tripping the signature check (Driver Signature Enforcement). If an attacker finds a legitimate driver that exposes functionality that can be misused - for example, the ability to terminate processes from the kernel - they can use it to disable EDR and antivirus products, opening the door to later tasks such as credential theft or lateral movement.
Once initial persistence through ScreenConnect instances was achieved, the operators deployed additional remote management and redundancy tools, including multiple ScreenConnect trial instances and RMM agents such as FleetDeck, so as not to lose access if one instance was detected. In addition, at least one incident showed a memory dump of the LSASS process and the use of enumeration and lateral movement utilities such as NetExec. These actions match behaviour seen in actors preparing the ground to deploy ransomware or to sell access in underground markets.
The attackers also tried to evade detection platforms through obfuscation and resource-abuse techniques. The crypter used by the operators allocated two gigabytes of memory, filled it with zeros and then released the block, a trick designed to make emulators and sandboxes fail through high memory consumption and thus reduce the probability of detection by dynamic analysis.
Among the technical indicators there is another interesting detail: a fake Chrome update page with Russian-language comments in its JavaScript code appeared in a public folder of the attackers' infrastructure, suggesting the involvement of a Russian-speaking developer or the use of tooling circulating in that community. This does not amount to definitive attribution, but it offers clues about the origin of the social engineering and technical tooling used to deceive victims.
This case shows a worrying trend: the combination of commercial services, free or trial remote access tools, off-the-shelf crypters and signed but vulnerable drivers allows actors with modest resources to mount sophisticated attack chains without exploiting zero-day vulnerabilities or possessing nation-state capabilities. Huntress summarizes this by pointing out that the barrier to entry for advanced operations has been lowered by combining commercially available components.
What can companies and users do to reduce the risk of such attacks? First, strengthen controls over the installation of remote access software and review any unexpected appearance of inbound ScreenConnect connections or RMM tools. In corporate environments, applying driver control policies and driver allow-lists helps mitigate the abuse of signed components; Microsoft documents driver signature policies in its technical documentation on kernel-mode code signing here. It is also recommended to enable credential protection technologies such as Credential Guard to make it harder to extract credentials from LSASS (Microsoft documentation).
At the operational level, effective measures include blocking the domains and patterns observed in the distribution chains, restricting execution of installers downloaded from sponsored ads, segmenting the network and applying monitoring that detects the installation or unusual execution of multiple remote agents. To defend against evasion techniques such as the one used by the crypter, it is important to have security solutions that collect telemetry from multiple layers (endpoint, network and cloud) rather than depending only on static analysis or resource-limited sandboxes. Organizations should also maintain employee awareness of the risks of following sponsored links that promise tax documents, and always verify the legitimacy of domains and certificates.
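As an added example (not from the article or from Huntress), the following Python pass implements two of the detections recommended above over constructed endpoint events: a kernel driver loaded from outside the system driver directories (the BYOVD pattern) and several distinct remote-access agents first appearing on one host within a short window. The event format, host names, file paths and the RMM name markers are all assumptions for the illustration.

```python
"""Toy detection pass over constructed endpoint telemetry (assumed format, not Huntress's logic)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, event, image path). Not real telemetry.
EVENTS = [
    ("2026-02-03 09:01:10", "WS01", "ProcessCreate", r"C:\Users\jdoe\Downloads\W2_Form_2025.exe"),
    ("2026-02-03 09:01:42", "WS01", "ProcessCreate", r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientSetup.exe"),
    ("2026-02-03 09:15:05", "WS01", "ProcessCreate", r"C:\Users\jdoe\AppData\Local\Temp\FleetDeckAgent.exe"),
    ("2026-02-03 09:20:31", "WS01", "DriverLoad", r"C:\Users\jdoe\AppData\Local\Temp\audio.sys"),
    ("2026-02-03 11:00:00", "WS02", "DriverLoad", r"C:\Windows\System32\drivers\HdAudio.sys"),
    ("2026-02-03 11:05:00", "WS02", "ProcessCreate", r"C:\Program Files\Vendor\agent.exe"),
]

# Drivers normally live here; a signed driver loading from a user-writable path is the BYOVD tell.
SYSTEM_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")
# Assumed substrings identifying RMM agent binaries; extend with the tools in your estate.
RMM_MARKERS = {"screenconnect": "ScreenConnect", "fleetdeck": "FleetDeck"}
WINDOW = timedelta(hours=1)

def driver_alerts(events):
    """Kernel drivers loaded from outside the system driver directories."""
    alerts = []
    for ts, host, kind, path in events:
        if kind == "DriverLoad" and not path.lower().startswith(SYSTEM_DRIVER_DIRS):
            alerts.append((host, "driver loaded from non-system path", path))
    return alerts

def rmm_alerts(events, window=WINDOW):
    """Two or more distinct RMM agents first seen on one host within `window`."""
    first_seen = defaultdict(dict)   # host -> {tool: first timestamp}
    for ts, host, kind, path in events:
        if kind != "ProcessCreate":
            continue
        for marker, tool in RMM_MARKERS.items():
            if marker in path.lower():
                first_seen[host].setdefault(tool, datetime.fromisoformat(ts))
    alerts = []
    for host, tools in first_seen.items():
        times = sorted(tools.values())
        if len(times) >= 2 and times[-1] - times[0] <= window:
            alerts.append((host, "multiple RMM agents in window", sorted(tools)))
    return alerts

if __name__ == "__main__":
    for alert in driver_alerts(EVENTS) + rmm_alerts(EVENTS):
        print(*alert)
```

Real deployments would read Sysmon event ID 6 (driver load) and event ID 1 (process create) instead of the embedded tuples; the rules themselves stay the same.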

For tactical context, public references on credential theft and lateral movement techniques are available, such as the MITRE ATT&CK entry for "Credential Dumping" (MITRE ATT&CK - T1003), which helps correlate the indicators and tactics used by the attackers.
In short, the campaign detected by Huntress is a wake-up call: it not only demonstrates once again the effectiveness of malvertising against users looking for legitimate services (such as tax forms), but also shows how the reuse of legitimate but vulnerable software can become a powerful weapon when combined with commercial cloaking services and remote access tools. Defending today requires a strategy that goes beyond driver signing or sandbox analysis: it requires execution controls, segmentation, multi-layer detection and good digital hygiene by users.
To dig deeper into the technical details and indicators observed by the researchers, read the Huntress report mentioned above and consider reviewing your telemetry for ScreenConnect installation patterns, connections to suspicious domains and the presence of unusual drivers on hosts.