
Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks

A threat actor tracked as DriveSurge has been running massive malware distribution campaigns using ClickFix and FakeUpdates techniques on compromised sites.

Thousands of websites were compromised in DriveSurge’s campaigns to redirect visitors to the malware’s delivery infrastructure, according to researchers at cybersecurity firm Silent Push.

ClickFix is a popular social engineering technique that tricks victims into copying and executing malicious commands on their own systems, which typically results in a malware infection carried out under the pretext of fixing a technical problem.

In FakeUpdates attacks, malicious actors lure victims with fake software update prompts, often masquerading as browser updates, to trick them into downloading and installing malicious payloads.

According to Silent Push researchers, the DriveSurge threat actor operates primarily as an initial access broker (IAB) that uses a pay-per-install (PPI) model, which supports repeated, high-volume attacks.

Visitors to compromised websites are redirected through a Traffic Distribution System (TDS) known as zTDS, which profiles them and determines whether a FakeUpdates or ClickFix lure is more appropriate.

ClickFix example from the campaign
Source: Silent Push

zTDS is an open source TDS that has been around since at least 2015 and that DriveSurge has been using since at least September 2025.

“Using zTDS, DriveSurge hijacks thousands of legitimate, reputable websites and silently redirects visitors to malware, unbeknownst to site owners or their visitors,” says Silent Push.

The FakeUpdates lures contain fake update notifications for Chrome, Firefox, Edge, Safari, Opera, Brave, Yandex, Vivaldi, Samsung Internet, and UC Browser, while the ClickFix lures rely on PowerShell commands.

The case highlighted in the Silent Push report involved a fake Firefox updater that downloaded a ZIP archive containing multiple DLLs and a malicious executable called ‘BrowserUpdate.exe.’

Fake Firefox update
Source: Silent Push

The researchers identified eight technical fingerprints linked to the campaign that helped them map DriveSurge’s infrastructure and the compromised websites.

Among them is a JavaScript injection following the ‘t.js?site=<id>’ pattern, where <id> is the unique value assigned to the compromised website.
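As an added example for defenders (not code from the Silent Push report), the following script scans a page’s HTML for `<script>` tags whose `src` matches the ‘t.js?site=<id>’ fingerprint described above and reports the hosting domain and site id. The HTML, domains and ids are constructed placeholders, not real campaign indicators.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Fingerprint from the report: an injected <script> whose src ends in t.js?site=<id>.
# The id is captured up to the next query separator, whitespace or quote.
_INJECT_RE = re.compile(r"/t\.js\?site=([^&\s\"']+)")


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def find_tds_injections(html):
    """Return (host, site_id, src) for each script src matching the fingerprint."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    hits = []
    for src in parser.srcs:
        match = _INJECT_RE.search(src)
        if not match:
            continue
        # Injected tags often use protocol-relative URLs (//host/t.js); normalise
        # so urlparse yields the host. Relative paths have no host at all.
        url = "https:" + src if src.startswith("//") else src
        host = urlparse(url).netloc or "(relative)"
        hits.append((host, match.group(1), src))
    return hits


# Constructed sample page: two injected tags, one benign script, one t.js without the id.
SAMPLE_HTML = """<html><head>
<script src="/assets/app.js"></script>
<script src="//inject-example.invalid/t.js?site=abc123"></script>
<script src='https://cdn.example.invalid/js/t.js?site=x9f2&v=1' async></script>
<script src="https://legit.example.invalid/static/t.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for host, site_id, src in find_tds_injections(SAMPLE_HTML):
        print(f"injection host={host} site_id={site_id} src={src}")
```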

Through this analysis, Silent Push found more than 80 malicious injection domains, as well as a set of prepared domains that had not yet been used in an attack.

In addition, the researchers found a JavaScript payload designed to target macOS desktop systems, delivered via a ClickFix-style authentication lure that hijacks the clipboard, indicating that the campaign extends beyond Windows.

Users are advised to download browser updates only through the browser’s own settings menu (About > Check for updates) and to avoid executing commands in the Windows command prompt or the Terminal that they don’t fully understand.
