
A threat actor tracked as DriveSurge has been operating large-scale malware distribution campaigns using ClickFix and FakeUpdates techniques on compromised sites.
Thousands of websites have been compromised in DriveSurge campaigns to redirect visitors to malware-delivery infrastructure, according to researchers at cybersecurity company Silent Push.
ClickFix is a popular social engineering tactic that deceives victims into copying and executing malicious commands on their systems, often resulting in malware infections under the pretense of resolving a technical issue.
In FakeUpdates attacks, threat actors entice victims with fraudulent software update prompts, usually impersonating browser updates, to trick them into downloading and installing malicious payloads.
According to Silent Push researchers, the DriveSurge threat actor primarily functions as an initial access broker (IAB) operating on a pay-per-install (PPI) model, enabling follow-on attacks.
Visitors of compromised websites are redirected through a Traffic Distribution System (TDS) known as zTDS, which profiles them and determines whether a FakeUpdates or a ClickFix lure is more appropriate.
Source: Silent Push
zTDS is an open-source TDS that has existed since at least 2015 and that DriveSurge has been using since at least September 2025.
“Using zTDS, DriveSurge hijacks thousands of legitimate, high-reputation websites and silently redirects visitors to malware, unbeknownst to the sites’ owners or their visitors,” Silent Push says.
The FakeUpdates lures contain bogus update notices for Chrome, Firefox, Edge, Safari, Opera, Brave, Yandex, Vivaldi, Samsung Internet, and UC Browser, while the ClickFix attacks involve PowerShell commands.
A case highlighted in the Silent Push report involves a fake Firefox update that downloaded a ZIP archive containing multiple DLLs and a malicious executable named ‘Browser Update.exe.’

Source: Silent Push
The researchers identified eight technical fingerprints linked to the campaign that helped identify DriveSurge infrastructure and compromised websites.
Among them is a JavaScript injection following the ‘t.js?site=<id>’ pattern, where <id> is a unique value assigned to each compromised website.
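For defenders who want to check their own pages for this fingerprint, here is an added example (not code from the Silent Push report) that scans an HTML document for script tags whose URL ends in t.js and carries a site query parameter. Only the ‘t.js?site=<id>’ path pattern comes from the article; the sample page, the hostname and the site id below are constructed for illustration.

```python
"""Scan HTML for a script injection matching the 't.js?site=<id>' pattern.

Added example, not from the Silent Push report. Only the path pattern
't.js?site=<id>' is taken from the reporting; the sample page, hostname
and site id below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Matches a URL path whose final segment is exactly 't.js'
# (so '/cart.js' does not match, but '/t.js' and 'x/t.js' do).
INJECTION_PATH_RE = re.compile(r"(?:^|/)t\.js$")


class ScriptSrcCollector(HTMLParser):
    """Collect every <script src=...> value found in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: list[str] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def is_drivesurge_injection(src: str) -> bool:
    """True if a script URL matches the t.js?site=<id> fingerprint."""
    parts = urlsplit(src)
    if not INJECTION_PATH_RE.search(parts.path):
        return False
    # The fingerprint requires a non-empty 'site' parameter.
    return bool(parse_qs(parts.query).get("site"))


def find_injections(html: str) -> list[dict]:
    """Return each matching script tag with its host and site id for triage."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    hits = []
    for src in collector.sources:
        if is_drivesurge_injection(src):
            parts = urlsplit(src)
            hits.append({
                "src": src,
                "host": parts.netloc or "(relative)",
                "site_id": parse_qs(parts.query)["site"][0],
            })
    return hits


# Constructed sample page: one legitimate script and one injected tag.
# The hostname and site id are placeholders, not real indicators.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://injection-host.invalid/t.js?site=a1b2c3"></script>
</head><body><p>hello</p></body></html>"""

if __name__ == "__main__":
    for hit in find_injections(SAMPLE_HTML):
        print(f"injection: host={hit['host']} site_id={hit['site_id']}")
```

Running the script over a saved copy of a page (feed the file contents to find_injections) lists every matching tag with the serving host and the site id, which is enough to confirm a compromise and to look up the host against the injection domains in the report. Because the match is on the path and query shape rather than on a fixed domain, it still fires when the actor rotates hosts.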
Through analysis, Silent Push discovered more than 80 malicious injection domains and a set of pre-weaponized domains that had not yet been used in attacks.
Additionally, the researchers discovered an obfuscated JavaScript payload specifically designed to target macOS desktop systems, delivered via verification-themed ClickFix attacks that hijack the clipboard, indicating that the campaign extends beyond Windows.
Users are advised to download browser updates only from their browser’s own settings menu (About > Check for Updates) and to avoid executing commands in the Windows command prompt or Terminal that they don’t fully understand.