What happened
A new campaign is using tax-themed Google Ads to lure users into downloading malicious files that use a Bring Your Own Vulnerable Driver (BYOVD) technique to disable endpoint detection and response (EDR) protections. Victims searching for tax-related tools are redirected to spoofed websites that deliver malware which installs a legitimately signed but vulnerable driver and then exploits it to obtain kernel-level access. Because the driver carries a valid signature, Driver Signature Enforcement does not stop it from loading; the attacker uses the kernel primitive it provides to terminate security processes and evade detection. The attack chain ultimately lets the threat actors execute payloads on compromised systems without interference from security software, making the infections harder to detect and remediate.
Who is affected
Users searching for tax-related services or software via Google Ads are affected, particularly those who download tools from spoofed websites promoted through sponsored results.
Why CISOs should care
The campaign shows how attackers are combining search engine advertising abuse with BYOVD techniques to bypass security controls and execute malware in protected environments.
3 practical actions
- Restrict downloads from sponsored links. Treat software reached through Google Ads with caution: verify the publisher and the download domain before installation, and prefer the vendor's known URL over a sponsored result.
- Monitor for vulnerable driver abuse. Alert on kernel driver loads (for example Sysmon Event ID 6 DriverLoad and Windows System log event 7045 for new kernel services), especially drivers loaded from user-writable paths, and on unexpected termination of EDR or antivirus processes shortly afterwards.
- Harden endpoint protections. Enable Microsoft's vulnerable driver blocklist (enforced through WDAC, and on by default where HVCI is enabled), and block or alert on driver hashes tracked by public vulnerable-driver lists.
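The detection logic behind the second action, written out as an added example that is not part of the original article or of any named vendor's tooling. It takes a stream of event records shaped like Sysmon Event ID 6 (DriverLoad) and Event ID 5 (ProcessTerminate), flags driver loads whose SHA256 is on a blocklist or that come from outside the system drivers directory, and raises a high-severity alert when a protected security process exits within a short window after a non-Microsoft driver load. The event records, the hash in `KNOWN_VULNERABLE`, the path `taxhelper.sys` and the process name `edr-agent.exe` are all constructed for the example; in production the hash set would be loaded from a maintained feed such as the LOLDrivers project.

```python
"""Correlate driver loads with security-process termination (BYOVD detection).

Added example, not code from the original article. Event dictionaries are
constructed to mirror Sysmon field names (EventID 6: UtcTime, ImageLoaded,
Hashes, Signature, SignatureStatus; EventID 5: UtcTime, Image). The hash in
KNOWN_VULNERABLE is a placeholder, not a real driver hash.
"""
from datetime import datetime, timedelta

# Hypothetical blocklist. Populate from a real feed (e.g. loldrivers.io).
KNOWN_VULNERABLE = {
    "0000000000000000000000000000000000000000000000000000000000000001",
}

# MsMpEng.exe is Microsoft Defender; edr-agent.exe is a placeholder for your EDR.
PROTECTED_PROCESSES = {"msmpeng.exe", "edr-agent.exe"}

# Drivers normally live here. A load from elsewhere is a weak signal only:
# real BYOVD droppers often copy the driver into this directory as well.
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

CORRELATION_WINDOW = timedelta(seconds=120)


def parse_time(s):
    """Sysmon UtcTime looks like '2024-04-02 14:00:00.000'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def parse_hashes(field):
    """'SHA256=AB..,MD5=CD..' -> {'SHA256': 'ab..', 'MD5': 'cd..'}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip().lower()
    return out


def driver_findings(ev):
    """Reasons a single DriverLoad event is suspicious (empty if none)."""
    reasons = []
    image = ev["ImageLoaded"].lower()
    if parse_hashes(ev.get("Hashes", "")).get("SHA256") in KNOWN_VULNERABLE:
        reasons.append("known vulnerable driver hash")
    if not image.startswith(TRUSTED_DRIVER_DIR):
        reasons.append("loaded from outside the system drivers directory")
    # A BYOVD driver is usually validly signed, so this check alone is not enough.
    if ev.get("SignatureStatus") != "Valid":
        reasons.append("signature not valid")
    return reasons


def analyze(events):
    """Return (severity, message) alerts for an unordered list of events."""
    alerts = []
    recent_loads = []  # (time, path) of non-Microsoft driver loads
    for ev in sorted(events, key=lambda e: parse_time(e["UtcTime"])):
        t = parse_time(ev["UtcTime"])
        if ev["EventID"] == 6:
            reasons = driver_findings(ev)
            if reasons:
                sev = "high" if "known vulnerable driver hash" in reasons else "medium"
                alerts.append((sev, ev["ImageLoaded"] + ": " + "; ".join(reasons)))
            if not ev.get("Signature", "").startswith("Microsoft"):
                recent_loads.append((t, ev["ImageLoaded"]))
        elif ev["EventID"] == 5:
            name = ev["Image"].rsplit("\\", 1)[-1].lower()
            if name not in PROTECTED_PROCESSES:
                continue
            culprits = [p for lt, p in recent_loads if t - lt <= CORRELATION_WINDOW]
            if culprits:
                alerts.append(("high", f"{name} terminated within "
                               f"{CORRELATION_WINDOW.seconds}s of non-Microsoft "
                               f"driver load: {', '.join(culprits)}"))
            else:
                alerts.append(("low", f"{name} terminated (no recent driver load)"))
    return alerts


# Constructed sample stream: a normal Microsoft driver, a third-party driver
# dropped in a user temp directory, Defender exiting 25 seconds later, an
# unrelated process exit, and a later Defender exit with no driver context.
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2024-04-02 14:00:00.000",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "Hashes": "SHA256=" + "ab" * 32, "Signature": "Microsoft Windows",
     "SignatureStatus": "Valid"},
    {"EventID": 6, "UtcTime": "2024-04-02 14:01:05.000",
     "ImageLoaded": "C:\\Users\\tax\\AppData\\Local\\Temp\\taxhelper.sys",
     "Hashes": "SHA256=" + "0" * 63 + "1", "Signature": "Tax Helper Software Ltd",
     "SignatureStatus": "Valid"},
    {"EventID": 5, "UtcTime": "2024-04-02 14:01:30.000",
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe"},
    {"EventID": 5, "UtcTime": "2024-04-02 15:30:00.000",
     "Image": "C:\\Windows\\explorer.exe"},
    {"EventID": 5, "UtcTime": "2024-04-02 16:00:00.000",
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe"},
]

if __name__ == "__main__":
    for severity, message in analyze(SAMPLE_EVENTS):
        print(severity.upper(), message)
```

The correlation is the part worth keeping: a validly signed driver from an unknown vendor is unremarkable on its own, and an EDR process exiting is occasionally legitimate, but the two within two minutes of each other is the BYOVD pattern described above. Hash matching only catches drivers already on a list, so treat it as the floor, not the whole detection.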
