Last updated: July 5, 2026 at 9:01 AM UTC
Tag: drivesurge (1 article)

DriveSurge initial-access broker hijacks thousands of sites for ClickFix and FakeUpdates, routes victims through zTDS pay-per-install network

SilentPush has detailed DriveSurge, a threat actor running large-scale malware-distribution campaigns that compromise thousands of websites and lure their visitors with ClickFix and FakeUpdates social engineering. ClickFix tricks a visitor into copying and running a malicious command under the pretense of fixing a technical problem (a failed verification check or a broken page in typical variants); FakeUpdates presents a fraudulent browser-update prompt whose "update" is a loader. DriveSurge operates primarily as an initial-access broker on a pay-per-install model, selling the resulting infections to other criminals for follow-on attacks. Visitors to compromised sites are routed through a Traffic Distribution System called zTDS, which profiles them (a TDS typically filters on geolocation, browser and device and drops bots and researchers) before redirecting the selected ones to malware-delivery infrastructure. The model lets DriveSurge monetize hijacked traffic at scale while downstream actors deploy infostealers, loaders or ransomware. The campaign overlaps with the broader surge in ClickFix activity across the ecosystem.

Check
Hunt your web properties for unauthorized injected redirect scripts and for the zTDS-related indicators in the SilentPush report. Train staff that browser-update prompts and "paste this command to fix it" pages are ClickFix/FakeUpdates lures; no legitimate site requires a user to run a command to continue.
Affected
Visitors to the thousands of compromised websites redirected through DriveSurge's zTDS. Any organization whose users browse a compromised site can receive infostealers, loaders or ransomware delivered by DriveSurge's pay-per-install customers.
Fix
Apply the SilentPush IoCs and block known zTDS infrastructure at the proxy and DNS layers. Deploy script-integrity monitoring on your own sites so an injected script tag is caught quickly rather than after the first victim. Restrict the Windows Run dialog and PowerShell for standard users where feasible, and train users never to run a command a webpage supplies.
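A minimal hunter for the first Check item and the script-integrity item under Fix, as an added example (not SilentPush's tooling, and carrying no DriveSurge or zTDS indicators): it parses a page's script tags, flags external sources whose host is not on your allowlist or that match a vendor IoC list, and flags inline scripts whose whitespace-insensitive SHA-256 is not in a baseline, with a crude obfuscation heuristic to rank the unbaselined ones. ALLOWED_HOSTS, BASELINE, SUSPECT_HOSTS and SAMPLE_HTML are assumptions constructed for the example.

```python
"""Hunt HTML for injected <script> tags and inline-script baseline drift.

Added example, not SilentPush tooling and not a DriveSurge/zTDS indicator list.
Assumptions: ALLOWED_HOSTS is your own list of hosts allowed to serve scripts;
BASELINE holds hashes of your known-good inline scripts; SUSPECT_HOSTS is where
vendor IoCs go (left empty here). SAMPLE_HTML is a constructed page.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the hosts your pages legitimately load scripts from.
ALLOWED_HOSTS = {"cdn.example.com", "www.googletagmanager.com"}
# Fill from the SilentPush IoCs; intentionally empty in this example.
SUSPECT_HOSTS = set()
# Generic obfuscation tells common in injected redirectors (heuristic, not page IoCs).
OBFUSCATION = re.compile(
    r"eval\(|atob\(|unescape\(|String\.fromCharCode|document\.write\(", re.I
)


class ScriptCollector(HTMLParser):
    """Collects external script src values and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute values
        self.inline = []     # inline script bodies
        self._buf = None     # non-None while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []   # start capturing an inline body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def script_hash(body):
    """Whitespace-insensitive SHA-256 so reformatting does not trip the baseline."""
    return hashlib.sha256("".join(body.split()).encode()).hexdigest()


# Assumption: the one inline script you ship on purpose.
KNOWN_INLINE = "window.dataLayer = window.dataLayer || [];"
BASELINE = {script_hash(KNOWN_INLINE)}


def hunt(html, baseline=None, allowed_hosts=ALLOWED_HOSTS, suspect_hosts=SUSPECT_HOSTS):
    """Return (finding_type, detail) tuples, external scripts first, then inline ones."""
    baseline = BASELINE if baseline is None else baseline
    p = ScriptCollector()
    p.feed(html)
    p.close()
    findings = []
    for src in p.external:
        # urlparse handles protocol-relative "//host/x.js", a common injection form.
        host = (urlparse(src).hostname or "").lower()
        if host in suspect_hosts:
            findings.append(("ioc_match", src))
        elif host and host not in allowed_hosts:
            findings.append(("unknown_host", src))
        # A relative src is same-origin; file-integrity monitoring covers that case.
    for body in p.inline:
        if script_hash(body) in baseline:
            continue
        kind = "obfuscated_inline" if OBFUSCATION.search(body) else "unbaselined_inline"
        findings.append((kind, body.strip()[:60]))
    return findings


# Constructed page: one allowed script, one baselined inline block, then two injected ones.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="https://not-our-cdn.invalid/t.js"></script>
<script>var u=atob("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv");location.replace(u);</script>
</head><body>hello</body></html>"""

if __name__ == "__main__":
    for kind, detail in hunt(SAMPLE_HTML):
        print(f"{kind:20} {detail}")
```

Run it over the HTML your servers actually return, fetched with a browser-like User-Agent and from an outside network, because TDS-fed injections are often served conditionally and may not appear in a crawl from your own range. The `ioc_match` branch is where the SilentPush zTDS indicators belong; the allowlist and baseline catch the injections that predate any published indicator.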