The threat actor tracked as DriveSurge is running a large-scale malware distribution campaign that uses ClickFix and FakeUpdates techniques on compromised websites.
Thousands of websites have been compromised by the DriveSurge campaign, which redirects visitors to malware distribution infrastructure, according to researchers at cybersecurity firm Silent Push.
ClickFix is a common social engineering tactic that tricks victims into copying and running malicious commands on their systems, typically causing a malware infection under the guise of fixing a technical problem.
In FakeUpdates attacks, threat actors lure victims with malicious software update prompts, usually disguised as browser updates, into downloading and installing a malicious payload.
According to Silent Push researchers, the DriveSurge threat actor primarily acts as an initial access broker (IAB) operating on a pay-per-install (PPI) model to enable follow-on attacks.
Visitors to a compromised website are redirected through a traffic distribution system (TDS) known as zTDS, which profiles the visitor and determines whether FakeUpdates or ClickFix lures are appropriate.
Source: Silent Push
zTDS is an open source TDS that has been around since at least 2015 and has been used by DriveSurge since at least September 2025.
“DriveSurge uses zTDS to hijack thousands of legitimate and reputable websites, silently redirecting visitors to the malware without the knowledge of site owners or visitors,” Silent Push said.
FakeUpdates decoys include fake update notifications for Chrome, Firefox, Edge, Safari, Opera, Brave, Yandex, Vivaldi, Samsung Internet, and UC Browser, while ClickFix attacks rely on PowerShell commands.
The incident highlighted in the Silent Push report involves a fake Firefox update that downloads a ZIP archive containing several DLLs and a malicious executable named “Browser Update.exe.”

Source: Silent Push
Researchers identified eight technical fingerprints associated with the campaign that helped identify DriveSurge infrastructure and compromised websites.
Among them is a JavaScript injection following “t.js?site=”.
Through analysis, Silent Push discovered more than 80 malicious injection domains and a set of pre-weaponized domains that have not yet been used in attacks.
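As an added example (not code from the Silent Push report or from BleepingComputer), the following Python check scans a page's HTML for script tags matching the “t.js?site=” injection fingerprint named above, so a site owner can audit their own pages for this indicator. The sample HTML and the `.invalid` host names in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def find_tds_injections(html, script_name="t.js", param="site"):
    """Return (injection_host, site_value) for each <script src> whose
    path ends in t.js and whose query carries a site= parameter, the
    fingerprint the report associates with DriveSurge's zTDS injection.
    Absolute (https://...) and protocol-relative (//host/...) URLs are
    both handled; same-origin paths yield an empty host string."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    hits = []
    for src in collector.srcs:
        parsed = urlparse(src.strip())
        if parsed.path.rsplit("/", 1)[-1] != script_name:
            continue
        query = parse_qs(parsed.query, keep_blank_values=True)
        if param not in query:
            continue
        hits.append((parsed.netloc.lower(), query[param][0]))
    return hits


# Constructed sample: one legitimate script plus one injected tag.
SAMPLE_PAGE = """<html><head>
<script src="/assets/app.js?v=3"></script>
<script src="//injection-host.invalid/t.js?site=victim-site.invalid"></script>
</head><body><p>hello</p></body></html>"""

# Constructed clean page: a t.js without the site= parameter is not flagged.
CLEAN_PAGE = '<html><head><script src="https://cdn.invalid/t.js?v=1"></script></head></html>'

if __name__ == "__main__":
    for host, site in find_tds_injections(SAMPLE_PAGE):
        print(f"suspicious injection from {host} tagged site={site}")
```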
In addition, researchers found an obfuscated JavaScript payload specifically designed to target macOS desktop systems. This payload was delivered via a validation-themed ClickFix attack that hijacked the clipboard, indicating the campaign’s reach beyond Windows.
We recommend that users only download browser updates from the app’s settings menu (About > Check for updates) and avoid running commands in Windows Command Prompt or Terminal that they do not fully understand.