From W-2 to BYOVD: How a Tax Search Leads to Kernel-Mode AV/EDR Kill
WHITE | Author: dylanroth7 | Created: 2026-03-20 | Modified: 2026-03-20
During retrospective threat hunting, the Huntress Tactical Response team recently uncovered a large-scale malvertising campaign that has been active since at least January 2026 and targets U.S.-based individuals searching for tax-related documents. The lures are specifically U.S. tax forms (W-2, W-9), and the fake landing pages reference IRS compliance, casting a wide net across employees, freelancers, contractors, and small businesses during filing season. The campaign abuses Google Ads to serve rogue ScreenConnect (ConnectWise Control) installers, ultimately delivering a BYOVD (bring your own vulnerable driver) EDR killer that loads a kernel driver to blind security tools before further compromise. Across our customer base, we reported over 60 instances in which rogue ScreenConnect sessions tied to this campaign served as the initial access vector.
Indicators of Compromise (1 / 25 total)
TYPE INDICATOR DESCRIPTION CREATED
FileHash-MD5 eef8a950952696b018aa9c6da2f5d7ad 2026-03-20