A threat actor tracked as DriveSurge has been running large-scale malware distribution campaigns that use ClickFix and FakeUpdates techniques on compromised websites.
Thousands of websites have been compromised in DriveSurge campaigns to redirect visitors to malware-delivery infrastructure, according to researchers at cybersecurity firm Silent Push.
ClickFix is a popular social engineering tactic that tricks victims into copying and executing malicious commands on their systems, typically resulting in malware infections under the pretense of resolving a technical issue.
In FakeUpdates attacks, threat actors lure victims with fraudulent software update prompts, usually impersonating browser updates, to trick them into downloading and installing malicious payloads.
According to Silent Push researchers, the DriveSurge threat actor primarily functions as an initial access broker (IAB) operating on a pay-per-install (PPI) model, enabling follow-on attacks.
Visitors to compromised websites are redirected through a Traffic Distribution System (TDS) known as zTDS, which profiles them and determines whether a FakeUpdates or a ClickFix lure is more appropriate.
Source: Silent Push
zTDS is an open-source TDS that has existed since at least 2015 and that DriveSurge has been using since at least September 2025.
“Using zTDS, DriveSurge hijacks thousands of legitimate, high-reputation websites and silently redirects visitors to malware, unbeknownst to the sites’ owners or their visitors,” Silent Push says.
The FakeUpdates lures consist of bogus update notices for Chrome, Firefox, Edge, Safari, Opera, Brave, Yandex, Vivaldi, Samsung Internet, and UC Browser, while the ClickFix attacks involve PowerShell commands.
A case highlighted in the Silent Push report involves a fake Firefox update that downloaded a ZIP archive containing several DLLs and a malicious executable named ‘Browser Update.exe.’

Source: Silent Push
The researchers identified eight technical fingerprints linked to the campaign that helped uncover DriveSurge infrastructure and compromised websites.
Among them is a JavaScript injection following the ‘t.js?site=
Through its analysis, Silent Push discovered more than 80 malicious injection domains and a set of pre-weaponized domains that had not yet been used in attacks.
Additionally, the researchers found an obfuscated JavaScript payload specifically designed to target macOS desktop systems, delivered via verification-themed ClickFix attacks that hijack the clipboard, indicating that the campaign extends beyond Windows.
Users are advised to download browser updates only from their browser’s own settings menu (About > Check for Updates) and to avoid executing commands in the Windows command prompt or Terminal that they do not fully understand.
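For site owners who want to triage their own pages against the two indicators this article describes (the injected script fingerprint and the clipboard-hijacking ClickFix lure), the following added example is a small HTML scanner; it is not Silent Push’s code or tooling. It assumes the injected script’s query key is `site` (the article’s text is truncated after the `=`), and the sample HTML is constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Fingerprint from the report: an injected <script> whose src contains "t.js?site="
# (assumption: the query key is "site"; the article text is cut off after the '=').
INJECTION_SRC = re.compile(r"(?:^|/)t\.js\?site=", re.IGNORECASE)
# Clipboard writes are how ClickFix lures plant a command for the victim to paste.
CLIPBOARD_WRITE = re.compile(
    r"navigator\.clipboard\.writeText\s*\(|execCommand\s*\(\s*['\"]copy['\"]", re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:  # inline script: start a new body and collect its text
                self._in_script = True
                self.inline.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data


def scan_html(html):
    """Return (kind, evidence) findings for each suspicious script in the page."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = [("injected_tds_script", s) for s in parser.srcs if INJECTION_SRC.search(s)]
    for body in parser.inline:
        match = CLIPBOARD_WRITE.search(body)
        if match:
            findings.append(("clipboard_write", match.group(0)))
    return findings


# Constructed sample: one benign script, one injected TDS loader, one clipboard-writing lure.
SAMPLE_HTML = """<html><head><script src="https://cdn.example/lib.js"></script>
<script src="https://injected.example/t.js?site=victim.example"></script></head>
<body><script>document.getElementById('fix').onclick = function () {
  navigator.clipboard.writeText(cmd); };</script></body></html>"""

if __name__ == "__main__":
    for kind, evidence in scan_html(SAMPLE_HTML):
        print(kind, "->", evidence)
```

Running it over a crawl of your own pages and alerting on any `injected_tds_script` hit is the practical use; `clipboard_write` alone is only a lead, since legitimate copy buttons use the same API.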