
A threat actor tracked as DriveSurge has been running large-scale malware distribution campaigns using ClickFix and FakeUpdates techniques on compromised websites.
Hundreds of websites have been compromised in DriveSurge campaigns to redirect visitors to malware-delivery infrastructure, according to researchers at cybersecurity company Silent Push.
ClickFix is a popular social engineering tactic that tricks victims into copying and executing malicious commands on their own systems, typically resulting in a malware infection under the pretense of resolving a technical problem.
In FakeUpdates attacks, threat actors lure victims with fake software update prompts, usually impersonating browser updates, to trick them into downloading and installing malicious payloads.
According to Silent Push researchers, the DriveSurge threat actor primarily operates as an initial access broker (IAB) working on a pay-per-install (PPI) model, enabling follow-on attacks by other groups.
Visitors of compromised websites are redirected through a Traffic Distribution System (TDS) known as zTDS, which profiles them and decides whether a FakeUpdates or a ClickFix lure is more appropriate for that visitor.
zTDS is an open-source TDS that has existed since at least 2015 and that DriveSurge has been using since at least September 2025.
“Using zTDS, DriveSurge hijacks thousands of legitimate, high-reputation websites and silently redirects visitors to malware, unbeknownst to the websites’ owners or their visitors,” Silent Push says.
The FakeUpdates lures include bogus update notices for Chrome, Firefox, Edge, Safari, Opera, Brave, Yandex, Vivaldi, Samsung Internet, and UC Browser, while the ClickFix attacks deliver PowerShell commands for the victim to run.
A case highlighted in the Silent Push report involves a fake Firefox update that downloaded a ZIP archive containing multiple DLLs and a malicious executable named ‘Browser Update.exe.’

The researchers identified eight technical fingerprints linked to the campaign that helped them identify DriveSurge infrastructure and compromised websites.
Amongst them is a JavaScript injection following the ‘t.js?situation=
Through this analysis, Silent Push found more than 80 malicious injection domains and a set of pre-weaponized domains that had not yet been used in attacks.
Additionally, the researchers found an obfuscated JavaScript payload specifically designed to target macOS desktop systems, delivered through verification-themed ClickFix attacks that hijack the clipboard, indicating that the campaign extends beyond Windows.
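As an added illustration (not code from the Silent Push report or from this article), the following Python script shows the kind of check a site owner can run against their own pages to spot the two things described above: an injected third-party script tag that does not belong to the site, and inline JavaScript that writes a shell command into the clipboard, which is what a ClickFix lure must do regardless of how it is obfuscated. The sample HTML, the hostnames (reserved `.test` and `.invalid` domains), the allowlisted CDN, and the detection heuristics are all constructed for this example; the regexes are a starting point, not the campaign's actual fingerprints.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristics (assumptions for this example, not Silent Push indicators):
# an obfuscator can rename variables, but the clipboard API name and the
# shell command string usually survive somewhere in the script as literals.
CLIPBOARD_RE = re.compile(r"clipboard|writeText|execCommand\s*\(\s*['\"]copy", re.I)
SHELL_RE = re.compile(r"powershell|cmd(?:\.exe)?\s*/c|mshta|osascript|curl\s|bash\s", re.I)
OBFUSC_RE = re.compile(r"_0x[0-9a-f]{2,}", re.I)   # typical javascript-obfuscator names


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src="...">
        self.inline = []        # bodies of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def scan_html(html, site_host, allowlist=()):
    """Return a list of findings for scripts that do not belong on the page."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        # A relative src has no hostname and is served by the site itself.
        host = urlparse(src).hostname or site_host
        if host != site_host and host not in allowlist:
            findings.append({"type": "offsite-script", "detail": src})
    for body in parser.inline:
        reasons = []
        if CLIPBOARD_RE.search(body):
            reasons.append("clipboard-api")
        if SHELL_RE.search(body):
            reasons.append("shell-command-string")
        if OBFUSC_RE.search(body):
            reasons.append("obfuscated-identifiers")
        # Clipboard use alone is common (copy buttons); require a second signal.
        if "clipboard-api" in reasons and len(reasons) >= 2:
            findings.append({"type": "clipboard-hijack", "detail": ",".join(reasons)})
    return findings


# Constructed sample page: the site's own script, an allowlisted CDN script,
# an injected off-site script, a benign copy button, and a ClickFix-style
# clipboard hijack with a placeholder PowerShell command.
SITE_HOST = "www.example-shop.test"
ALLOWLIST = {"cdn.jsdelivr.net"}
SAMPLE_HTML = """
<html><head>
<script src="/assets/app.js"></script>
<script src="https://cdn.jsdelivr.net/npm/jquery/dist/jquery.min.js"></script>
<script src="https://inject.example.invalid/t.js?v=3"></script>
</head><body>
<button onclick="copyCoupon()">Copy coupon</button>
<script>
function copyCoupon(){ navigator.clipboard.writeText(document.getElementById("coupon").innerText); }
</script>
<script>
var _0x1a=["writeText","clipboard"];
document.addEventListener("click",function(){
  navigator[_0x1a[1]][_0x1a[0]]("powershell -w hidden -c <stage2>");
});
</script>
</body></html>
"""


def main():
    for finding in scan_html(SAMPLE_HTML, SITE_HOST, ALLOWLIST):
        print(f"{finding['type']}: {finding['detail']}")


if __name__ == "__main__":
    main()
```

Run against a real site, the script would be fed the HTML of each page (and ideally compared against a known-good copy from source control), with `site_host` and `allowlist` set to that site's own origin and the CDNs it legitimately uses; anything else in the `offsite-script` list is worth a look, since the injection described in the report is invisible to the owner until someone compares the served page with what was deployed.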
Users are advised to get browser updates only from the browser's own settings menu (About > Check for Updates) and to avoid executing commands in the Windows command prompt or Terminal that they don't fully understand.
