DriveSurge Uses ClickFix and Fake Browser Updates to Broker Malware Access
Researchers identified DriveSurge as a large-scale threat actor operating as an apparent initial access broker, compromising legitimate websites and redirecting visitors into ClickFix and fake browser update infection chains. The operation uses the open-source zTDS traffic distribution system to profile victims, selectively route traffic, and deliver malware across Windows and macOS environments. Investigators linked the campaign to thousands of compromised sites, NiceNIC-registered domains, Russian-linked infrastructure patterns, multiple payload servers, and a command-and-control endpoint, indicating a mature pay-per-install ecosystem built to provide downstream actors with scalable victim access.
Silent Push said it developed eight infrastructure fingerprints spanning malicious JavaScript injections, server configurations, WHOIS pivots, and zTDS artifacts to map both active and pre-weaponized infrastructure. The campaign has reportedly been active since at least 2022, using obfuscation, failover delivery paths, ZIP-based fake updates, and terminal- or PowerShell-driven ClickFix lures to infect users across major browsers. Researchers urged defenders to hunt for unauthorized JavaScript on web properties, scrutinize third-party scripts from unknown domains, and harden internet-facing CMS platforms through patching and tighter access controls.
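As an added defensive example (not code from Silent Push's report or this page), a small stdlib-only audit that inventories the script tags on a fetched page, flags external scripts served from hosts outside the site owner's allowlist, and flags inline scripts containing constructs typical of injected loaders; the allowlist, marker list and sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed allowlist of hosts the site owner knowingly serves scripts from, plus
# constructs commonly seen in injected loaders (a hit means "review", not "malicious").
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "atob(")

class ScriptCollector(HTMLParser):
    """Collects the src of every external <script> and the body of every inline one."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []
    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False

def audit_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, detail) findings for scripts that deserve a manual look."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname  # None for same-origin relative paths
        if host and host not in allowed_hosts:
            findings.append(("unknown_host", host))
    for body in parser.inline:
        hits = [m for m in OBFUSCATION_MARKERS if m in body]
        if hits:
            findings.append(("suspicious_inline", ",".join(hits)))
    return findings

# Constructed sample: allowlisted CDN, unknown third-party host, obfuscated inline loader, benign inline.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script src="//static.unknown-cdn.test/loader.js"></script>
<script>var _0x=['x'];eval(unescape('%66%6f%6f'));</script>
<script>console.log('hello');</script></head></html>"""
```

Run it against HTML saved from each page template of a web property; any host that is not on the allowlist, and any inline block with a hit, is a candidate for the unauthorized-JavaScript hunt described above.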

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Nightmare Eclipse discloses Windows Defender LPE RedSun
A report described RedSun, tracked as CVE-2026-41091, as a local privilege escalation vulnerability in Microsoft Windows Defender's remediation workflow discovered by Nightmare Eclipse. The disclosure detailed how Cloud Files placeholders, NTFS junctions, Volume Shadow Copy detection, and oplocks could be combined to achieve arbitrary file writes into System32 and execute code as SYSTEM.
DriveSurge infrastructure active since at least 2022
Silent Push reported that the infrastructure associated with the newly named DriveSurge threat actor has been active since at least 2022. The operation uses compromised websites and the zTDS traffic distribution system to redirect visitors into FakeUpdates and ClickFix malware delivery chains.
Silent Push identifies and names the DriveSurge threat actor
Silent Push disclosed a large-scale malware delivery operation it named DriveSurge, describing it as a specialized initial access broker using a pay-per-install model. The report linked the actor to thousands of compromised websites, zTDS-based redirection, malicious domains, payload infrastructure, and macOS as well as Windows malware delivery.
Avast publishes analysis of Lazarus FudModule zero-day activity
Avast Decoded published research on Lazarus and the FudModule rootkit, describing advanced exploits that went beyond bring-your-own-vulnerable-driver techniques and included an admin-to-kernel zero-day. This marks a public technical disclosure of the activity and tooling discussed in the report.
Sources
8 references tracked.
DriveSurge Threat Cluster: Traffic Distribution System Alert (securityonline.info)
DriveSurge actor uses ClickFix and FakeUpdates to distribute malware via compromised websites | brief | SC Media (scworld.com)
DriveSurge Hijacks Thousands of Sites for ClickFix, FakeUpdate Attacks (darkreading.com)
RedSun: Exploiting Windows Defender's Remediation Workflow for Local Privilege Escalation - Malware Analysis, News and Indicators (malware.news)
New DriveSurge Threat Actor Uses ClickFix and Fake Updates to Infect Website Visitors (cybersecuritynews.com)
Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks (bleepingcomputer.com)
Meet DriveSurge: A New Threat Actor Using ClickFix and Fake Update Drive-By Attacks in Thousands of Compromised Sites - Silent Push (silentpush.com)
Gen Blogs | Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day (decoded.avast.io)