The HwAudKiller malvertising campaign, active since January 2026, delivers trojanized ConnectWise ScreenConnect installers via fraudulent Google Ads targeting tax-season searches, then loads a signed but vulnerable Huawei audio driver (HWAuidoOs2Ec.sys) via BYOVD to terminate EDR tools including Microsoft Defender, Kaspersky, and SentinelOne at the kernel level before performing LSASS credential dumping and deploying stacked RMM tools for persistent access. No CVE has been assigned to the Huawei driver vulnerability as of 2026-03-04; attribution is unconfirmed. Verify any ScreenConnect installer hash against official ConnectWise release hashes immediately, block HWAuidoOs2Ec.sys via WDAC, hunt for LSASS access events and FleetDeck Agent installations not authorized by IT, and treat any EDR telemetry gap as a high-confidence investigation trigger.