Cybersecurity researchers have uncovered a large-scale campaign by the DriveSurge threat group, which is using thousands of compromised websites to distribute malware through ClickFix and FakeUpdate lures. According to researchers at Silent Push, the hacked sites redirect visitors to malicious infrastructure designed to deliver malware payloads.
Researchers believe DriveSurge primarily operates as an Initial Access Broker (IAB). The group follows a pay-per-install (PPI) model, effectively providing other cybercriminals with access to infected devices that can later be used in follow-on attacks.
At the core of the operation is a traffic distribution system known as zTDS. The platform profiles visitors and determines whether they should be targeted with a FakeUpdate or ClickFix attack. According to the researchers, the open-source tool has been around since at least 2015, while DriveSurge has been using it since at least September 2025.
As Silent Push explains:
“By leveraging zTDS, DriveSurge compromises thousands of legitimate, high-reputation websites and silently redirects visitors to malware without the knowledge of either site owners or their users.”
ClickFix has become one of the most widely used social engineering techniques in recent years. Victims are shown what appears to be a technical issue and are instructed to copy and run a command on their system. In reality, the command initiates the malware infection process.

FakeUpdate attacks take a slightly different approach. Victims are presented with a fake browser or software update prompt and tricked into downloading what appears to be a legitimate update. In reality, the download installs malware on the target system.
During their investigation, researchers identified lures targeting users of Chrome, Firefox, Edge, Safari, Opera, Brave, Yandex Browser, Vivaldi, Samsung Internet, and UC Browser. While the ClickFix attacks relied on PowerShell commands, one of the FakeUpdate examples involved a fraudulent Firefox update.
In that case, victims downloaded a ZIP archive containing several DLL files along with a malicious executable named “Browser Update.exe.”

Researchers identified eight technical indicators that helped them track DriveSurge’s infrastructure and uncover compromised websites. One of the key indicators was a JavaScript injection pattern, t.js?site=<id>, where each infected website was assigned a unique identifier.
Using these indicators, the researchers discovered more than 80 domains already being used to distribute malware, as well as a number of pre-configured domains that had not yet been deployed in active attacks.
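The injection pattern above (a script loader whose path is t.js with a site=<id> query parameter) is something a site owner can check for directly. The following is an added example, not code from Silent Push or from the article: a small Python scanner that walks a page's script tags and inline script bodies and reports any loader matching that pattern, including loaders assembled at run time. The host name and site identifiers in the embedded sample page are constructed placeholders, not real indicators.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample page (not taken from a real compromised site): one
# legitimate script, one injected <script src> loader, and one inline snippet
# that builds the same loader at run time. Host and site ids are placeholders.
SAMPLE_HTML = """<html><head>
<script src="/assets/app.js"></script>
<script src="https://loader.example-placeholder.invalid/t.js?site=12345"></script>
<script>
var s = document.createElement('script');
s.src = "https://loader.example-placeholder.invalid/t.js?site=67890";
document.head.appendChild(s);
</script>
</head><body><p>hello</p></body></html>"""

# Quoted URL whose path ends in t.js and whose query string carries site=<id>.
_LOADER_RE = re.compile(
    r"""['"]([^'"\s]*?/t\.js\?[^'"\s]*?site=([A-Za-z0-9_-]+)[^'"\s]*)['"]"""
)


class _ScriptCollector(HTMLParser):
    """Collect external script src values and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text.
        if self._in_script and data.strip():
            self.inline.append(data)


def _classify(src):
    """Return (host, site_id) if src is a t.js?site=<id> loader, else None."""
    u = urlparse(src)
    if not u.path.endswith("/t.js"):
        return None
    site = parse_qs(u.query).get("site")
    if not site:
        return None
    return (u.netloc or "(relative)", site[0])


def find_tds_loaders(html):
    """Return a sorted list of (src, host, site_id) for every t.js?site=<id>
    loader in the page, whether injected as <script src> or built inline."""
    p = _ScriptCollector()
    p.feed(html)
    candidates = set(p.srcs)
    for body in p.inline:
        for url, _site_id in _LOADER_RE.findall(body):
            candidates.add(url)
    hits = []
    for src in candidates:
        c = _classify(src)
        if c:
            hits.append((src, c[0], c[1]))
    return sorted(hits)


def scan_file(path):
    """Convenience wrapper: scan a saved HTML file from disk."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_tds_loaders(fh.read())


if __name__ == "__main__":
    for src, host, site_id in find_tds_loaders(SAMPLE_HTML):
        print(f"loader={src} host={host} site_id={site_id}")
```

Run against the sample it reports both loaders with their site identifiers; pointed at a real saved page (scan_file) it flags any script whose path is t.js and whose query contains a site parameter, so the same check can be run over a crawl of your own hosts. A hit is a reason to inspect the page source and the serving host, not proof of compromise on its own, since the path name alone is not unique to this campaign.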
The investigation also revealed that the campaign is not limited to Windows users. Silent Push identified an obfuscated JavaScript payload targeting macOS desktop systems. The payload was delivered through ClickFix pages disguised as verification prompts and included clipboard-hijacking functionality.
Researchers recommend installing browser updates only through official update mechanisms within the browser itself, such as the “About” menu and built-in update checks. Users are also advised never to run PowerShell, Command Prompt, or Terminal commands unless they fully understand what those commands do.