Hackers Compromise Thousands of Websites in Large-Scale ClickFix and FakeUpdate Malware Campaign
A threat actor known as DriveSurge has been linked to a widespread malware distribution campaign that hijacks thousands of legitimate websites to spread malicious payloads using ClickFix and FakeUpdates techniques, according to cybersecurity researchers.
Security firm Silent Push reports that compromised websites are being used as entry points to redirect visitors to attacker-controlled infrastructure designed for malware delivery. The campaign has been active since at least September 2025.
How the attack works
DriveSurge operates as an initial access broker (IAB), using a pay-per-install model to distribute malware and enable downstream cyberattacks.
Once a user visits a compromised website, they are redirected through a Traffic Distribution System (TDS) called zTDS, which evaluates the visitor and determines which social engineering tactic to deploy.
Depending on profiling results, victims are shown either:
- FakeUpdates lures, or
- ClickFix prompts
Social engineering techniques used
The campaign relies heavily on deception:
- FakeUpdates attacks trick users into downloading fake browser updates that impersonate software like Chrome, Firefox, Edge, Safari, Opera, Brave, and others. These downloads typically install malicious executables disguised as legitimate updates.
- ClickFix attacks manipulate users into copying and executing malicious commands, often under the false assumption that they are fixing a technical issue.
One observed case involved a fake Firefox update that delivered a ZIP file containing DLL components and a malicious executable named “Browser Update.exe”.
Technical infrastructure and scale
Researchers identified multiple indicators of compromise tied to the DriveSurge operation, including JavaScript injection patterns using the format t.js?site=<id>, where each compromised website is assigned a unique identifier.
Silent Push discovered:
- Over 80 malicious injection domains
- Additional unused but pre-configured infrastructure
- A set of fingerprints linking multiple compromised websites to the same campaign
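To hunt for the injection pattern described above in your own pages, here is an added example (not Silent Push's tooling or code from the article) that scans a document's HTML for script tags whose source matches t.js?site=<id>; the sample HTML and the hostnames in it are constructed.

```python
"""Flag <script> tags matching the reported injection pattern t.js?site=<id>.

Added defender example; the sample page and domains below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample page: two benign scripts and one injected loader.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example.org/jquery.min.js"></script>
<script src="https://injected-loader.example/t.js?site=4821"></script>
<script src="//another.example/assets/app.js?v=3"></script>
</head><body>ok</body></html>
"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":  # html.parser lowercases tag and attribute names
            return
        for name, value in attrs:
            if name == "src" and value:
                self.sources.append(value)


def find_injected_loaders(html):
    """Return (host, site_id) for every script src whose file name is t.js
    and whose query carries a site= parameter, the DriveSurge loader pattern."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hits = []
    for src in parser.sources:
        parts = urlsplit(src)  # handles absolute, scheme-relative and relative URLs
        if parts.path.split("/")[-1] != "t.js":
            continue
        site_ids = parse_qs(parts.query).get("site")
        if not site_ids:
            continue
        hits.append((parts.netloc.lower(), site_ids[0]))
    return hits


if __name__ == "__main__":
    for host, site_id in find_injected_loaders(SAMPLE_HTML):
        print(f"suspicious loader: host={host or '(same origin)'} site_id={site_id}")
```

Run it over pages fetched from your own sites; any hit is a script tag to review against your known deployment, and the host gives you a domain to check against the published indicators.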
The attackers are also leveraging zTDS, an open-source traffic distribution system that has been available since at least 2015.
Cross-platform targeting and evolution
While the campaign primarily targets Windows users, researchers also identified payloads designed for macOS systems. These variants use clipboard hijacking techniques and verification-themed ClickFix lures to trick users into executing malicious actions.
This suggests the operation is expanding beyond Windows environments and increasing in sophistication.
Defensive guidance
Security experts advise users to avoid executing commands from unknown sources and to only install browser updates through official application settings. Users are also warned not to trust pop-ups or prompts that instruct them to manually run system commands.