DriveSurge

DriveSurge is a globally active threat cluster identified by Silent Push as the primary driver behind a surge in ClickFix and FakeUpdates campaigns. The reporting assesses DriveSurge as a specialized Initial Access Broker (IAB) operating on a pay-per-install (PPI) model, supplying downstream threat actors with victim access and confirmed infection leads. DriveSurge compromises thousands of legitimate, often high-reputation, websites by injecting malicious external JavaScript and silently redirecting real visitors to attacker-controlled infrastructure, typically without the knowledge of site owners. The actor weaponizes the open-source zTDS traffic distribution system to profile visitors and determine which lure or payload chain to serve. Reported delivery methods include FakeUpdates pages that impersonate browser updates and ClickFix lures that trick victims into copying and executing malicious commands in PowerShell or Terminal. The campaign has targeted both Windows and macOS users. Observed FakeUpdates activity includes impersonation of updates for Chrome, Firefox, Edge, Safari, Opera, Brave, Yandex, Vivaldi, Samsung Internet, and UC Browser. In documented cases, victims were served a fake Firefox update that downloaded a ZIP archive containing multiple DLLs and a malicious executable named "Browser Update.exe." Observed ClickFix activity includes fake error or verification prompts, clipboard hijacking, and base64-encoded command sequences that execute malware when pasted. Researchers also observed a macOS infection chain that downloaded a secondary payload, executed it, and deleted temporary files. Silent Push reported eight technical fingerprints associated with DriveSurge infrastructure and operations, including JavaScript injection patterns such as t.js?site=<id>, SHA256-derived file naming conventions, zTDS-specific artifacts, and infrastructure patterns involving NiceNIC-registered .icu domains and shared WHOIS registration emails linked to tempmail.so. The reporting also identified more than 80 malicious injection domains, additional pre-weaponized domains, and related advertisement-distribution infrastructure. No aliases or sub-groups beyond DriveSurge were directly identified in the provided content.