New Malware Campaigns Target Thousands of Sites
A threat actor known as DriveSurge is actively compromising thousands of legitimate websites to distribute malware through sophisticated ClickFix and FakeUpdates attacks. This large-scale operation redirects unsuspecting visitors to malicious infrastructure, often without the knowledge of site owners or users.
DriveSurge Employs Social Engineering and Traffic Redirection
DriveSurge functions as an initial access broker (IAB), operating on a pay-per-install (PPI) model to facilitate further attacks. The group uses a Traffic Distribution System (TDS) called zTDS, an open-source tool active since at least 2015, which DriveSurge has utilized since September 2025.
zTDS profiles visitors to compromised websites, determining whether a FakeUpdates or a ClickFix lure is more effective. This system silently redirects users to malware, making the attacks highly targeted and difficult to detect.
Understanding ClickFix and FakeUpdates
ClickFix is a social engineering tactic that tricks victims into copying and executing malicious commands on their systems, often disguised as a technical fix. These attacks typically involve PowerShell commands on Windows systems.
FakeUpdates attacks entice victims with fraudulent software update prompts, frequently impersonating browser updates, to trick them into downloading and installing malicious payloads. These bogus updates target popular browsers like Chrome, Firefox, Edge, Safari, Opera, Brave, Yandex, Vivaldi, Samsung Internet, and UC Browser.
Technical Details and macOS Targeting
Researchers at cybersecurity company SilentPush identified eight technical fingerprints linked to the DriveSurge campaign, helping to map their infrastructure and compromised websites. One key fingerprint is a JavaScript injection following the `t.js?site=id` pattern, where `id` is a unique value for each compromised site.
SilentPush discovered over 80 malicious injection domains and a set of pre-weaponized domains ready for future attacks. Notably, the campaign extends beyond Windows, with an obfuscated JavaScript payload specifically designed for macOS desktop systems.
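As an added example (not code from the article or from SilentPush), here is a Python scan a site owner could run over their own page HTML to surface script loaders matching the `t.js?site=id` fingerprint described above, both as `<script src>` attributes and inside inline JavaScript that builds the script element dynamically. The sample page, its hostnames and site ids are constructed; the regular expression is an assumption about the loader URL shape based only on the pattern the article gives.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Loader URL shape assumed from the reported t.js?site=id fingerprint; an external
# host is required because the loader is served from the injection domain.
LOADER_RE = re.compile(
    r"""(?P<url>(?:https?:)?//[^\s"'<>]*?/t\.js\?[^\s"'<>]*?\bsite=(?P<id>[^\s"'<>&#]+))""",
    re.IGNORECASE)

class _ScriptCollector(HTMLParser):
    """Collects external script src values and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True  # the following data chunk is the inline body

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def find_loader_injections(html):
    """Return one dict per t.js?site= loader found in src attributes or inline JS."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for text in parser.external + parser.inline:
        for m in LOADER_RE.finditer(text):
            host = (urlparse(m.group("url")).hostname or "").lower()
            hits.append({"host": host, "site_id": m.group("id"), "url": m.group("url")})
    return hits

# Constructed page: one legitimate script, one injected src, one inline loader.
SAMPLE_PAGE = """<html><head>
<script src="/assets/app.js?v=3"></script>
<script src="https://cdn.invalid/js/t.js?site=4f2a9c"></script>
<script>var s=document.createElement('script');
s.src='//static.example/t.js?site=77b1&r='+Math.random();document.head.appendChild(s);
</script></head><body></body></html>"""
```

Running `find_loader_injections(SAMPLE_PAGE)` returns two hits, one per injected loader, with the serving host and the per-site id; the legitimate `app.js` reference is ignored.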
- FakeUpdates lures impersonate updates for ten different browsers.
- A fake Firefox update delivered a ZIP archive containing multiple DLLs and a malicious executable named `Browser Update.exe`.
- ClickFix attacks on macOS involve verification-themed prompts that hijack the clipboard to deliver malicious commands.
- DriveSurge has used zTDS, an open-source Traffic Distribution System, since at least September 2025.
Key Points
- DriveSurge compromises thousands of legitimate websites for malware distribution.
- Attacks use ClickFix (malicious commands) and FakeUpdates (bogus browser updates).
- A Traffic Distribution System (TDS) called zTDS profiles visitors and delivers targeted lures.
- SilentPush researchers identified eight technical fingerprints linked to DriveSurge's infrastructure.
- The campaign targets both Windows and macOS systems.
The Bottom Line
The DriveSurge campaign highlights the persistent threat of social engineering and compromised legitimate websites. Users should only download software updates directly from their application's settings menu and avoid executing commands they do not fully understand in their system's command prompt or Terminal. Staying vigilant against unexpected update prompts is crucial for protecting your systems.
