Malware | Jun 1, 2026

Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks

DriveSurge threat actor hijacks thousands of websites for ClickFix and FakeUpdate malware distribution.

Summary

A threat actor tracked as DriveSurge has compromised thousands of legitimate websites to redirect visitors to malware-delivery infrastructure using ClickFix and FakeUpdate social engineering tactics. The group operates as an initial access broker on a pay-per-install model, using the open-source zTDS traffic distribution system to profile visitors and serve appropriate malware lures targeting multiple browsers on Windows and macOS platforms. Researchers at SilentPush identified over 80 malicious injection domains and eight technical fingerprints linked to the campaign dating back to at least September 2025.

Full text

Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks
By Bill Toulas, June 1, 2026 06:14 PM

A threat actor tracked as DriveSurge has been operating large-scale malware distribution campaigns using ClickFix and FakeUpdates techniques on compromised sites. Thousands of websites have been compromised in DriveSurge campaigns to redirect visitors to malware-delivery infrastructure, according to researchers at cybersecurity company SilentPush.

ClickFix is a popular social engineering tactic that deceives victims into copying and executing malicious commands on their systems, often resulting in malware infections under the pretense of resolving a technical issue. In FakeUpdates attacks, threat actors entice victims with fraudulent software update prompts, usually impersonating browser updates, to trick them into downloading and installing malicious payloads.

According to Silent Push researchers, the DriveSurge threat actor primarily functions as an initial access broker (IAB) operating on a pay-per-install (PPI) model, enabling follow-on attacks. Visitors of compromised websites are redirected through a Traffic Distribution System (TDS) known as zTDS, which profiles them and determines whether a FakeUpdates or a ClickFix lure is more appropriate.

[Image: ClickFix example from the campaign. Source: Silent Push]

zTDS is an open-source TDS that has existed since at least 2015 and that DriveSurge has been using since at least September 2025. “Using zTDS, DriveSurge hijacks thousands of legitimate, high-reputation websites and silently redirects visitors to malware, unbeknownst to the sites’ owners or their visitors,” Silent Push says.

The FakeUpdates lures contain bogus update notices for Chrome, Firefox, Edge, Safari, Opera, Brave, Yandex, Vivaldi, Samsung Internet, and UC Browser, while the ClickFix attacks involve PowerShell commands.
A case highlighted in the Silent Push report involves a fake Firefox update that downloaded a ZIP archive containing multiple DLLs and a malicious executable named ‘Browser Update.exe.’

[Image: A fake update for Firefox. Source: Silent Push]

The researchers identified eight technical fingerprints linked to the campaign that helped identify DriveSurge infrastructure and compromised websites. Among them is a JavaScript injection following the ‘t.js?site=<id>’ pattern, where <id> is a unique value assigned to each compromised website. Through analysis, Silent Push discovered more than 80 malicious injection domains and a set of pre-weaponized domains that had not yet been used in attacks.

Additionally, the researchers discovered an obfuscated JavaScript payload specifically designed to target macOS desktop systems, delivered via verification-themed ClickFix attacks that hijack the clipboard, indicating that the campaign extends beyond Windows.

Users are recommended to download browser updates only from their app’s settings menu (About > Check for Updates) and to avoid executing commands in the Windows command prompt or Terminal that they don’t fully understand.
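A defender-side check for the ‘t.js?site=<id>’ injection fingerprint described above: a site owner can run it over their own pages to flag script tags that match the pattern and are not served from the site's own hosts. This is an added example, not code from the Silent Push report or the article; the hostnames in the sample HTML are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Fingerprint reported for the DriveSurge campaign: an injected <script> whose
# src ends in 't.js?site=<id>'. The serving domain varies per injection, so we
# key on the path/query shape rather than on any domain.
TJS_PATTERN = re.compile(r"/t\.js\?site=([A-Za-z0-9_-]+)", re.IGNORECASE)


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def find_tjs_injections(html, allowed_hosts=()):
    """Return (host, site_id, src) for each script src matching the fingerprint
    that is not served from one of the caller's own hosts (allowed_hosts)."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for src in collector.sources:
        match = TJS_PATTERN.search(src)
        if not match:
            continue
        # Default scheme so protocol-relative '//host/...' URLs parse a hostname.
        host = urlsplit(src, scheme="https").hostname or "(relative)"
        if host in allowed:
            continue
        hits.append((host, match.group(1), src))
    return hits


# Constructed sample page: one legitimate script, one injected t.js loader, and
# a same-site t.js that should be ignored because its host is allow-listed.
SAMPLE_HTML = """<html><head>
<script src="/assets/app.js"></script>
<script src="//cdn-injected.example.invalid/t.js?site=a1b2c3"></script>
<script src="https://www.example.invalid/js/t.js?site=ownsite"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for host, site_id, src in find_tjs_injections(SAMPLE_HTML, ("www.example.invalid",)):
        print(f"suspicious loader host={host} site_id={site_id} src={src}")
```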

Indicators of Compromise

  • malware — Browser Update.exe
  • mitre_attack — T1566.002 (Phishing: Spearphishing Link)
  • mitre_attack — T1598.003 (Phishing for Information: Spearphishing Link)

Entities

  • DriveSurge (threat_actor)
  • SilentPush (vendor)
  • zTDS (Traffic Distribution System) (technology)
  • DriveSurge ClickFix and FakeUpdate Campaign (campaign)
  • Chrome (product)
  • Firefox (product)