Security News

Cybersecurity news aggregator

HIGH Attacks SC Media

DriveSurge actor uses ClickFix and FakeUpdates to distribute malware via compromised websites

The DriveSurge threat actor compromises legitimate websites to redirect visitors through a traffic distribution system (zTDS) that serves one of two lures targeting Windows and macOS systems: FakeUpdates (fake software update prompts) or ClickFix (prompts that trick users into executing malicious commands). The campaign operates as a pay-per-install initial access broker service, leveraging specific JavaScript injection patterns across thousands of sites. No specific CVSS score, affected software versions, fixed versions, or direct workarounds are provided in the article; the primary mitigation involves awareness of these social engineering lures on compromised websites.

June 2, 2026, by SC Staff

Bleeping Computer reports that a threat actor known as DriveSurge has been orchestrating extensive malware distribution campaigns by compromising numerous websites and employing ClickFix and FakeUpdates techniques to redirect visitors to malicious infrastructure. The DriveSurge threat actor operates as an initial access broker, utilizing a pay-per-install model to facilitate subsequent attacks, according to research by Silent Push.

Visitors to compromised sites are funneled through a traffic distribution system called zTDS, which determines the most effective lure: FakeUpdates, which mimics software update prompts, or ClickFix, which tricks users into executing malicious commands. These lures target both Windows and macOS systems. FakeUpdates impersonates updates for various browsers, while ClickFix attacks involve PowerShell commands or clipboard hijacking for macOS.

Silent Push researchers identified eight technical fingerprints associated with DriveSurge, including a specific JavaScript injection pattern, and discovered over 80 malicious injection domains. The campaign's reach is significant, impacting thousands of legitimate websites without the owners' knowledge.

Source: Bleeping Computer