Last updated: July 5, 2026 at 9:01 AM UTC
Tag: initial-access-broker (3 articles)

DriveSurge initial-access broker hijacks thousands of sites for ClickFix and FakeUpdates, routes victims through zTDS pay-per-install network

SilentPush has detailed DriveSurge, a threat actor running large-scale malware-distribution campaigns by compromising thousands of websites and using ClickFix and FakeUpdates social engineering. ClickFix tricks visitors into copying and running malicious commands under the pretense of fixing a technical issue; FakeUpdates uses fraudulent browser-update prompts. DriveSurge operates primarily as an initial-access broker on a pay-per-install model, enabling follow-on attacks by other criminals. Compromised-site visitors are routed through a Traffic Distribution System called zTDS that profiles them before redirecting to malware-delivery infrastructure. The model lets DriveSurge monetize hijacked traffic at scale while downstream actors deploy infostealers, loaders, or ransomware. The campaign overlaps with the broader ClickFix surge across the ecosystem.

Check
Hunt web properties for unauthorized injected redirect scripts and zTDS-related indicators. Train staff that browser-update prompts and 'paste this command to fix' pages are ClickFix/FakeUpdates lures.
Affected
Visitors to thousands of compromised websites redirected through DriveSurge's zTDS. Any organization whose users browse compromised sites can receive infostealers, loaders, or ransomware via pay-per-install.
Fix
Apply SilentPush IoCs and block known zTDS infrastructure. Deploy script-integrity monitoring on your own sites. Disable clipboard-to-terminal workflows; train users never to run commands a webpage supplies.

Initial access broker KongTuke pivots from web lures to Microsoft Teams - impersonates IT help desk, drops ModeloRAT in five minutes

ReliaQuest researchers say initial access broker KongTuke has shifted from web-based ClickFix and FileFix lures to Microsoft Teams social engineering, taking as little as five minutes to gain persistent access. The attacker reaches employees from one of five rotating Microsoft 365 tenants, uses Unicode whitespace tricks to make the display name look like an internal IT help desk, then talks the victim through pasting a PowerShell command. That command downloads a ZIP from Dropbox containing a portable WinPython runtime and a Python-based RAT called ModeloRAT. The new ModeloRAT variant adds a five-server C2 pool with automatic failover, self-update, and randomized URL paths, and several major EDR products did not detect it.

Check
Search Microsoft 365 audit logs for inbound external Teams chats from new or low-trust tenants, hunt endpoint telemetry for pythonw.exe running from %APPDATA%\WPy64-31401 (or similar WinPython paths), and review PowerShell logs for clipboard-paste-driven commands.
Affected
Any enterprise that accepts inbound Microsoft Teams chats and calls from external tenants, especially help-desk-themed approaches. Initial access broker activity is typically resold to ransomware operators within days of compromise.
Fix
Restrict external Teams chat to allowlisted partners, enforce verified caller display in Teams admin, train staff that real IT never asks for a PowerShell paste, and add EDR rules for portable Python interpreters spawning from %APPDATA%.

Phishing campaign hit 80+ companies by getting employees to install legitimate remote-access software disguised as a Social Security letter

Securonix tracked a phishing campaign called VENOMOUS#HELPER that has hit 80+ organizations (mostly in the US) since April 2025 by getting employees to install legitimate remote-monitoring software they think is a Social Security Administration document. The lure is a fake SSA email asking the recipient to download their statement; the link points to a compromised Mexican business website hosting a SimpleHelp installer. Once installed, the attackers gain SYSTEM-level access, then quietly install ConnectWise ScreenConnect as a backup channel. The pattern aligns with initial-access broker activity: quiet persistence, then sale or hand-off to ransomware operators.

Check
Hunt every Windows endpoint for SimpleHelp and ConnectWise ScreenConnect installs not authorized by IT. Search proxy logs for connections to gruta.com.mx since April 2025.
Affected
Windows endpoints in organizations without strict application allowlisting. 80+ confirmed victims, mostly US, across multiple sectors. Acute risk: companies whose staff regularly receive government correspondence (SSA, IRS, state tax) where 'verify and download' lures feel routine. Initial access brokers run these campaigns to sell footholds, so any compromised host becomes a potential ransomware launchpad weeks later.
Fix
Enforce application allowlisting on Windows endpoints to block unapproved RMM software. Remove unauthorized SimpleHelp, ScreenConnect, PDQ Connect, LogMeIn Resolve, N-able, or Fleetdeck installs and treat the host as compromised. Block Securonix's published indicators (gruta.com.mx, server.cubatiendaalimentos.com.mx) at the network egress layer. Rotate credentials on affected hosts.
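The endpoint hunts in the KongTuke and VENOMOUS#HELPER "Check" sections above (a portable WinPython interpreter launched from %APPDATA%, and RMM agents IT never approved) can be run as one pass over process-creation telemetry. This is an added example, not code from ReliaQuest, Securonix or the articles; the records, hostnames, the `WPy64-31401`-style path pattern and the approved-RMM list are constructed, and it assumes the vendor name appears in the RMM binary's path or file name.

```python
"""Hunt Sysmon-style process-creation records for two initial-access-broker patterns.
Added example; telemetry and the approved-RMM allowlist below are constructed."""
import re
from typing import Dict, Iterable, List, Set

# A portable WinPython runtime unpacked under %APPDATA%, e.g. WPy64-31401.
WINPYTHON_RE = re.compile(r"\\AppData\\Roaming\\WPy(?:32|64)-\d+\\", re.IGNORECASE)
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}
# Assumption: the vendor name shows up in the RMM binary's path or file name.
RMM_MARKERS = {"simplehelp": "SimpleHelp", "screenconnect": "ConnectWise ScreenConnect"}


def hunt(records: Iterable[Dict[str, str]], approved_rmm: Set[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious record; an RMM agent is only a finding if unapproved."""
    findings = []
    for rec in records:
        image, parent = rec["Image"], rec.get("ParentImage", "")
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe in PYTHON_IMAGES and WINPYTHON_RE.search(image):
            # PowerShell as the parent matches the "paste this command" lure described above.
            severity = "high" if parent.lower().endswith("\\powershell.exe") else "medium"
            findings.append({"host": rec["Computer"], "rule": "winpython-from-appdata",
                             "severity": severity, "image": image})
        for marker, product in RMM_MARKERS.items():
            if marker in image.lower() and product not in approved_rmm:
                findings.append({"host": rec["Computer"], "rule": "unapproved-rmm",
                                 "severity": "high", "image": image, "product": product})
                break
    return findings


# Constructed telemetry: two malicious events, one IT-approved RMM agent, one benign Python.
SAMPLE_RECORDS = [
    {"Computer": "WS-0141", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Users\alice\AppData\Roaming\WPy64-31401\python\pythonw.exe"},
    {"Computer": "WS-0203", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\bob\AppData\Local\Temp\SimpleHelp\Remote Access.exe"},
    {"Computer": "WS-0203", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (constructed)\ScreenConnect.ClientService.exe"},
    {"Computer": "WS-0377", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Python311\pythonw.exe"},
]
APPROVED_RMM = {"ConnectWise ScreenConnect"}  # constructed: the RMM product this org's IT sanctions

if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS, APPROVED_RMM):
        print(f"{f['severity']:6} {f['rule']:22} {f['host']}  {f['image']}")
```

On the constructed records this yields two findings (the WinPython interpreter spawned by PowerShell and the SimpleHelp install); the ScreenConnect agent is silent only because it is on the allowlist, which is the point of keeping that list tight.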