DriveSurge Malware Distribution Campaigns: A Threat Actor’s Tactics
A cybercriminal group known as DriveSurge has been actively carrying out large-scale malware distribution campaigns utilizing ClickFix and FakeUpdates techniques on compromised websites. Researchers at cybersecurity firm SilentPush have reported that thousands of websites have fallen victim to DriveSurge’s campaigns, redirecting unsuspecting visitors to malware-infested platforms.
ClickFix, a well-known social engineering tactic, dupes users into executing malicious commands on their systems under the guise of resolving technical issues. This often leads to malware infections, exploiting the victims’ trust in fixing apparent problems.
FakeUpdates attacks, on the other hand, involve tempting victims with deceptive software update prompts, commonly masquerading as browser updates. These prompts trick users into downloading and installing malicious payloads, putting their systems at risk.
According to SilentPush researchers, DriveSurge primarily operates as an initial access broker (IAB) on a pay-per-install (PPI) model, facilitating subsequent attacks. Visitors to compromised websites are rerouted through a Traffic Distribution System (TDS) named zTDS, which assesses and determines whether a FakeUpdates or ClickFix lure is more suitable for the target.
[Figure: ClickFix example from the campaign. Source: Silent Push]
zTDS, an open-source TDS dating back to at least 2015, has been in DriveSurge’s arsenal since September 2025. The group leverages zTDS to covertly redirect visitors of legitimate, high-reputation websites to malware-infected pages without the site owners or visitors being aware.
The FakeUpdates lures present fake update alerts for various browsers, including Chrome, Firefox, Edge, Safari, and others, while the ClickFix variant has the victim run PowerShell commands.
An incident highlighted in the SilentPush report showcases a fabricated Firefox update that triggered the download of a ZIP archive containing multiple DLLs and a malicious executable named ‘Browser Update.exe.’
The researchers identified eight distinctive technical fingerprints associated with the campaign that helped them map DriveSurge’s infrastructure and the compromised websites. One such fingerprint is a JavaScript injection pattern ‘t.js?site=<id>’, where <id> is a unique identifier assigned to each compromised site.
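One way a site owner or responder can sweep their own pages for that fingerprint, as an added example that is not part of the Silent Push report: it parses the script tags in a page and reports every src whose path ends in t.js and carries a site= parameter. The sample HTML and the .invalid domains are constructed, not indicators from the campaign.

```python
"""Scan HTML for the DriveSurge-style 't.js?site=<id>' script injection."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def find_tjs_injections(html_text):
    """Return one dict per script src matching the t.js?site=<id> pattern.

    Each hit records the raw src, the hosting domain (empty string when the
    src is same-origin) and the site identifier.
    """
    collector = _ScriptSrcCollector()
    collector.feed(html_text)
    hits = []
    for src in collector.srcs:
        # Injected tags often use protocol-relative URLs (//host/t.js);
        # give those a scheme so urlsplit recognises the host part.
        parts = urlsplit("https:" + src if src.startswith("//") else src)
        if parts.path.rsplit("/", 1)[-1] != "t.js":  # not foot.js, not t.js.map
            continue
        site_ids = parse_qs(parts.query).get("site")
        if not site_ids:
            continue
        hits.append({"src": src, "domain": parts.netloc.lower(), "site_id": site_ids[0]})
    return hits


# Constructed sample page: two legitimate scripts, one near-miss, two injections.
SAMPLE_PAGE = """<html><head>
<script src="/js/jquery.min.js"></script>
<script src='/js/foot.js?site=1'></script>
<script src="//inject-a.invalid/t.js?site=4821"></script>
</head><body>
<SCRIPT type="text/javascript" SRC="https://cdn-b.invalid/t.js?site=77&v=2"></SCRIPT>
</body></html>"""

if __name__ == "__main__":
    for hit in find_tjs_injections(SAMPLE_PAGE):
        print(f"{hit['domain'] or '(same-origin)'}  site={hit['site_id']}  src={hit['src']}")
```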
Through their analysis, SilentPush uncovered over 80 malicious injection domains and a collection of pre-weaponized domains that had yet to be utilized in attacks. Furthermore, they detected an obfuscated JavaScript payload tailored for macOS systems, distributed through verification-themed ClickFix attacks that manipulate the clipboard, indicating a broad reach beyond Windows devices.
As a precautionary measure, users are advised to exclusively download browser updates through the respective app’s settings menu (About > Check for Updates) and refrain from executing unfamiliar commands in the Windows command prompt or Terminal.