DriveSurge Hijacks Thousands of Sites for ClickFix and FakeUpdate Malware Campaigns

A threat actor known as DriveSurge operates large-scale malware distribution campaigns by compromising thousands of legitimate websites and redirecting visitors to malicious infrastructure using ClickFix and FakeUpdates techniques. The actor functions primarily as an initial access broker operating on a pay-per-install model, enabling follow-on attacks through a traffic distribution system called zTDS that profiles visitors and selects appropriate lures. FakeUpdates prompts impersonate browser updates for Chrome, Firefox, Edge, and other browsers, while ClickFix attacks involve deceptive PowerShell commands.

Silent Push researchers identified a JavaScript injection pattern following t.js?site=ID as a key fingerprint across compromised sites. One example involved a fake Firefox update delivering a ZIP archive containing DLLs and a malicious executable named Browser Update.exe. The researchers discovered over 80 malicious injection domains and a set of pre-weaponized domains not yet used in attacks.
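The t.js?site=ID injection fingerprint described above can be checked for directly in a page's HTML. The following scanner is an added example, not code from Silent Push or the original article; the hostname and site ID in the sample HTML are constructed placeholders, not real indicators.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample page (not a real compromised site): one legitimate script
# plus one injected loader whose URL matches the t.js?site=ID pattern.
SAMPLE_HTML = """
<html><head>
<script src="/assets/app.js"></script>
<script src="https://cdn.placeholder-injected.invalid/t.js?site=12345"></script>
</head><body><p>hello</p></body></html>
"""


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def is_drivesurge_loader(src):
    """True if a script URL matches the t.js?site=<id> fingerprint."""
    parts = urlsplit(src)
    path = parts.path.lower()
    if path != "t.js" and not path.endswith("/t.js"):
        return False
    site = parse_qs(parts.query).get("site", [])
    # Require a non-empty site identifier, as seen in the injected loaders.
    return bool(site) and all(v.strip() for v in site)


def find_suspicious_scripts(html):
    """Return (src, host, site_id) for each script tag matching the pattern."""
    collector = _ScriptSrcCollector()
    collector.feed(html)
    hits = []
    for src in collector.srcs:
        if is_drivesurge_loader(src):
            parts = urlsplit(src)
            hits.append((src, parts.netloc, parse_qs(parts.query)["site"][0]))
    return hits
```

Run it over a saved copy of a site's pages (for example, crawled HTML from a web server's own document root) and review any hit against the known injection domains from the report.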

The campaign also includes obfuscated JavaScript targeting macOS systems through clipboard-hijacking ClickFix attacks, indicating that the operation extends beyond Windows. zTDS, an open-source traffic distribution system that has existed since at least 2015, has been used by DriveSurge since September 2025. Users are advised to download browser updates only through their browser's official settings menus and to avoid executing unfamiliar commands in command prompts or terminals. The compromises occur without the knowledge of either the website owners or their visitors.
