Author: anonymousmedia_tal70o

Ravie LakshmananMar 25, 2026Network Security / Data Protection

The U.S. Federal Communications Commission (FCC) said on Monday that it was banning the import of new, foreign-made consumer routers, citing “unacceptable” risks to cyber and national security.

The action was designed to safeguard Americans and the underlying communications networks the country relies on, FCC Chairman Brendan Carr said in a post on X. The development means that new models of foreign-produced routers will no longer be eligible for marketing or sale in the U.S. The move comes in the wake of a national security determination provided by Executive Branch Agencies, Carr added.

To that end, all consumer-grade routers manufactured in foreign countries have been added to the Covered List, unless they have been granted a Conditional Approval by the Department of War (DoW) or the Department of Homeland Security (DHS) after determining that they do not pose any risks.

As of writing, the approved list only includes drone systems and software-defined radios (SDRs) from SiFly Aviation, Mobilicom, ScoutDI, and Verge Aero. Producers of consumer-grade routers can submit an application for Conditional Approval. According to BBC News, Starlink Wi-Fi routers are exempt from the policy, as they are made in the U.S. state of Texas.

“The Executive Branch determination noted that foreign-produced routers (1) introduce ‘a supply chain vulnerability that could disrupt the U.S. economy, critical infrastructure, and national defense’ and (2) pose ‘a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons,’” the FCC said.

The agency said both state and non-state sponsored threat actors have exploited security shortcomings in small and home office routers to break into American households, disrupt networks, facilitate cyber espionage, and enable intellectual property theft. Furthermore, these devices could be conscripted into massive networks with the goal of carrying out password spraying and unauthorized network access, as well as acting as proxies for espionage.

China-nexus adversaries such as Volt Typhoon, Flax Typhoon, and Salt Typhoon have also been observed leveraging botnets comprising foreign-made routers to conduct cyber attacks on critical American communications, energy, transportation, and water infrastructure.

“In Salt Typhoon attacks, state-sponsored cyber threat actors leveraged compromised and foreign-produced routers to jump to embed and gain long-term access to certain networks and pivot to others depending on their target,” according to the National Security Determination (NSD).

Also highlighted by the U.S. government is a botnet dubbed CovertNetwork-1658 (aka Quad7), which has been used to orchestrate highly evasive password spray attacks. The activity is assessed to be the work of a Chinese threat actor tracked as Storm-0940.

It’s worth noting that the Covered List update does not affect a customer’s continued use of routers that were already purchased. Nor does it impact retailers, who can continue to sell, import, or market router models that were approved previously through the FCC’s equipment authorization process.

“Unsecure and foreign-produced routers are prime targets for attackers and have been used in multiple recent cyber attacks to enable hackers to gain access to networks and use them as launching pads to compromise critical infrastructure,” the NSD said. “The vulnerabilities introduced into American networks and critical infrastructure resulting from foreign-manufactured routers are unacceptable.”

Routers have been a lucrative target for cyber attacks, as they serve as the primary conduit for internet access. Compromised routers could allow threat actors to conduct network surveillance, exfiltrate data, and even deliver malware to victims. In 2014, journalist Glenn Greenwald alleged in his book No Place to Hide how the U.S. National Security Agency (NSA) routinely intercepts routers before U.S. manufacturers can export them in order to implant backdoors.

Ravie LakshmananMar 24, 2026Endpoint Security / Social Engineering

A large-scale malvertising campaign active since January 2026 has been observed targeting U.S.-based individuals searching for tax-related documents to serve rogue installers for ConnectWise ScreenConnect that drop a tool named HwAudKiller to blind security programs using the bring your own vulnerable driver (BYOVD) technique.

“The campaign abuses Google Ads to serve rogue ScreenConnect (ConnectWise Control) installers, ultimately delivering a BYOVD EDR killer that drops a kernel driver to blind security tools before further compromise,” Huntress researcher Anna Pham said in a report published last week.

The cybersecurity vendor said it identified over 60 instances of malicious ScreenConnect sessions tied to the campaign. The attack chain stands out for a couple of reasons. Unlike recent campaigns highlighted by Microsoft that leverage tax-themed lures, the newly flagged activity employs commercial cloaking services to avoid detection by security scanners and abuses a previously undocumented Huawei audio driver to disarm security solutions.

The exact objectives of the campaign are currently not clear; however, in at one instance, the threat actor is said to have leveraged the access to deploy the endpoint detection and response (EDR) killer and then dump credentials from the Local Security Authority Subsystem Service (LSASS) process memory, as well as use tools like NetExec for network reconnaissance and lateral movement.

These tactics, per Huntress, align with pre-ransomware or initial access broker behavior, suggesting that the threat actor is looking to either deploy ransomware or monetize the access by selling it to other criminal actors.

The attack begins when users search for terms like “W2 tax form” or “W-9 Tax Forms 2026” on search engines like Google, tricking them into clicking on sponsored search results that direct users to bogus sites like “bringetax[.]com/humu/” to trigger the delivery of the ScreenConnect installer.

What’s more, the landing page is protected by a PHP-based Traffic Distribution System (TDS) powered by Adspect, a commercial cloaking service, to ensure that a benign page is served to security scanners and ad review systems, while only real victims see the actual payload.

This is achieved by generating a fingerprint of the site visitor and sending it to the Adspect backend, which then determines the appropriate response. In addition to Adspect, the landing page’s “index.php” features a second cloaking layer powered by JustCloakIt (JCI) on the server side.

“The two cloaking services are stacked in the same index.php—JCI’s server-side filtering runs first, while Adspect provides client-side JavaScript fingerprinting as a second layer,” Pham explained.

The web pages lead to the distribution of ScreenConnect installers, which are then used to deploy multiple trial instances on the compromised host. The threat actor has also been found to drop additional Remote Monitoring and Management (RMM) tools like FleetDeck Agent for redundancy and ensuring persistent remote access.

The ScreenConnect session is leveraged to drop a multi-stage crypter that acts as a conduit for an EDR killer codenamed HwAudKiller that uses the BYOVD technique to terminate processes associated with Microsoft Defender, Kaspersky, and SentinelOne. The vulnerable driver used in the attack is “HWAuidoOs2Ec.sys,” a legitimate, signed Huawei kernel driver designed for laptop audio hardware.

“The driver terminates the target process from kernel mode, bypassing any usermode protections that security products rely on. Because the driver is legitimately signed by Huawei, Windows loads it without complaint despite Driver Signature Enforcement (DSE),” Huntress noted.

The crypter, for its part, attempts to evade detection by allocating 2GB of memory and filling it with zeros, and then freeing it, effectively causing antivirus engines and emulators to fail due to high resource allocation.

It’s currently not known who is behind the campaign, but an exposed open directory in the threat actor-controlled infrastructure has revealed a fake Chrome update page containing JavaScript code with Russian-language comments. This alludes to a Russian-speaking developer in possession of a social engineering toolkit for malware distribution.

“This campaign illustrates how commodity tooling has lowered the barrier for sophisticated attacks,” Pham said. “The threat actor didn’t need custom exploits or nation-state capabilities, they combined commercially available cloaking services (Adspect and JustCloakIt), free-tier ScreenConnect instances, an off-the-shelf crypter, and a signed Huawei driver with an exploitable weakness to build an end-to-end kill chain that goes from a Google search to kernel-mode EDR termination.”

“A consistent pattern across compromised hosts was the rapid stacking of multiple remote access tools. After the initial rogue ScreenConnect relay was established, the threat actor deployed additional trial ScreenConnect instances on the same endpoint, sometimes two or three within hours, and backup RMM tools like FleetDeck.”