TTPwire Vol. 1 · MITRE ATT&CK-tagged


Huntress

How a Tax Search Leads to Kernel-Mode AV/EDR Kill

2026-03-19

ATT&CK techniques detected

24 predictions
T1003.001 LSASS Memory
99%
“called firskill: c:\users\administrator\downloads\firskill\x64\release\hwaudkiller.pdb) with an expanded kill list that adds five FortiEDR processes to the original targets. The attack followed a rapid, hands-on-keyboard progression. After authenticating via…”
T1055.001 Dynamic-link Library Injection
99%
“…wx memory or a direct call/jmp to the shellcode address, fatmalloc passes the shellcode's address as the dwUser data parameter (4th argument) to timeSetEvent, with a small wrapper function fptc as the actual callback (3rd argument). When the timer fires after 100ms, Win…”
T1003.001 LSASS Memory
99%
“lsass""') do rundll32.exe c:\windows\system32\comsvcs.dll, #+000024 %b \windows\temp\<random>.log full. From there, the attacker pivoted to network reconnaissance using NetScan, a network discovery tool, and prepared a list of target IP addresses. They then…”
T1055.001 Dynamic-link Library Injection
97%
“key used for decryption of the final payload. Figure 11: choc configuration block. choc header layout: Figure 12: each byte is decrypted by XORing the source with the key (0x0d) plus the previously decrypted byte. After XOR decryption, the first four bytes of the decrypted buf…”
T1219 Remote Access Tools
97%
“, a sign of active but somewhat careless development. What can we learn? This campaign illustrates how commodity tooling has lowered the barrier for sophisticated attacks. The threat actor didn't need custom exploits or nation-state capabilities, they combined commercially av…”
T1055.001 Dynamic-link Library Injection
95%
“purpose. First, some sandboxes typically run with limited memory, so a 2GB allocation will likely fail, and since the payload only executes inside the if (block) branch, a failed allocation causes the malware to silently exit without ever reaching the malicious code. Second, AV …”
T1068 Exploitation for Privilege Escalation
95%
“, particularly those using trial instance-*relay patterns or y=guest session roles, should be flagged and investigated. If your organization does not use ScreenConnect, consider blocking it entirely. Kernel driver load monitoring: alert on kernel driver service creation (t…”
T1068 Exploitation for Privilege Escalation
95%
“the target process from kernel mode, bypassing any usermode protections that security products rely on. Because the driver is legitimately signed by Huawei, Windows loads it without complaint despite Driver Signature Enforcement (DSE). Inside the driver: the driver (hwauidoos2e…”
T1566.002 Spearphishing Link
90%
“social engineering templates point to an operator running parallel lure campaigns adapted to whatever gets clicks. How it happened: the user searched for “W2 tax form,” and the top result was a Google Ads link that redirected to a malicious page serving a rogue ScreenConnect ins…”
T1055.001 Dynamic-link Library Injection
86%
“…iled kill function from the Huawei driver - mw_ZwOpenProcess_wrapper opens a handle to the target PID with PROCESS_ALL_ACCESS, then ZwTerminateProcess kills it, and ZwClose releases the handle. No validation is performed on the target process. Figure 14: Huntress detec…”
T1219 Remote Access Tools
85%
“pattern, which is characteristic of ConnectWise's free/trial cloud instances, and the session parameters include y=guest, the default role for trial/unmanaged setups. Legitimate enterprise deployments typically use custom domains or dedicated subdomains with named session…”
T1068 Exploitation for Privilege Escalation
77%
“…waudkiller embeds a legitimate, signed Huawei kernel driver that it uses to terminate protected processes from kernel mode. As of this writing, this driver does not appear in the LOLDrivers database, Microsoft's recommended driver block list, or any prior public research, mak…”
T1068 Exploitation for Privilege Escalation
76%
“and CLRCreateInstance from mscoree.dll), suggesting the loader is a generic framework designed to also handle .NET assembly payloads, though in this case the final payload is a native x64 PE. hwaudkiller: the payload that emerges from this unpacking chain is hwaudkiller, a BYOVD…”
T1068 Exploitation for Privilege Escalation
74%
“an 8-byte rolling key (41 73 61 40 41 31 61 40), writes it to %TEMP%\havoc.sys, and loads it as a kernel service via sc create havoc binPath= <path> type= kernel start= demand followed by sc start havoc. Once the driver is loaded, hwaudkiller enters a continuous loo…”
T1055.001 Dynamic-link Library Injection
57%
“…umWindows, and dozens of other Windows APIs that accept function pointers as callbacks for the same purpose. Figure 7: snippet of the embedded shellcode. Shellcode decryption starting at offset 0xf4: the shellcode is XOR-encrypted. A decoder stub at the beginning of the blob h…”
T1055.001 Dynamic-link Library Injection
55%
“…Connect\25.9.5.9473\crypteds.exe. The file turned out to be a multi-stage crypter that ultimately decrypts and loads hwaudkiller, a BYOVD (Bring Your Own Vulnerable Driver) tool that drops a kernel driver named “havoc” to terminate AV/EDR processes. Let’s try t…”
T1055.001 Dynamic-link Library Injection
54%
“as a strong indicator of compromise. The use of a previously undocumented Huawei audio driver (hwauidoos2ec.sys) as a BYOVD weapon is particularly notable. Despite being a legitimate, signed driver from a major hardware vendor, it exposes a kernel-mode process termination IO…”
T1027 Obfuscated Files or Information
52%
“…umWindows, and dozens of other Windows APIs that accept function pointers as callbacks for the same purpose. Figure 7: snippet of the embedded shellcode. Shellcode decryption starting at offset 0xf4: the shellcode is XOR-encrypted. A decoder stub at the beginning of the blob h…”
T1068 Exploitation for Privilege Escalation
49%
“…Connect\25.9.5.9473\crypteds.exe. The file turned out to be a multi-stage crypter that ultimately decrypts and loads hwaudkiller, a BYOVD (Bring Your Own Vulnerable Driver) tool that drops a kernel driver named “havoc” to terminate AV/EDR processes. Let’s try t…”
T1555.003 Credentials from Web Browsers
47%
“base, we reported over 60 instances of rogue ScreenConnect sessions tied to this campaign being used as the initial access vector. The attack chain is layered: dual commercial cloaking services filter out researchers and scanners, trial ScreenConnect instances provide hands-on…”
T1566.002 Spearphishing Link
39%
“campaigns will keep slipping through platform review. - Stacking RMM tools signals persistence, not convenience. When multiple ScreenConnect relays and backup tools like FleetDeck appear on the same host within hours, it's not a coincidence, it's an attacker building redundan…”
T1574.001 DLL
38%
“as a strong indicator of compromise. The use of a previously undocumented Huawei audio driver (hwauidoos2ec.sys) as a BYOVD weapon is particularly notable. Despite being a legitimate, signed driver from a major hardware vendor, it exposes a kernel-mode process termination IO…”
T1204.002 Malicious File
33%
“base, we reported over 60 instances of rogue ScreenConnect sessions tied to this campaign being used as the initial access vector. The attack chain is layered: dual commercial cloaking services filter out researchers and scanners, trial ScreenConnect instances provide hands-on…”
T1189 Drive-by Compromise
30%
“social engineering templates point to an operator running parallel lure campaigns adapted to whatever gets clicks. How it happened: the user searched for “W2 tax form,” and the top result was a Google Ads link that redirected to a malicious page serving a rogue ScreenConnect ins…”

Summary

Huntress uncovers a tax-themed malvertising campaign using Google Ads, dual cloaking, rogue ScreenConnect, and an undocumented Huawei driver to kill AV/EDR.