A threat actor known as DriveSurge has been conducting large-scale malware distribution campaigns by compromising thousands of websites to deliver deceptive lures called ClickFix and FakeUpdates, according to cybersecurity researchers at SilentPush. The compromised sites redirect visitors to malicious infrastructure without the knowledge of site owners or users.

DriveSurge uses a Traffic Distribution System (TDS) called zTDS to profile website visitors and decide whether to deploy a FakeUpdates prompt or a ClickFix social engineering tactic. FakeUpdates lures present victims with fraudulent software update notices impersonating browsers such as Chrome, Firefox, Edge, Safari, Opera, Brave, Yandex, Vivaldi, Samsung Internet, and UC Browser. ClickFix attacks, meanwhile, trick users into copying and executing malicious PowerShell commands under the guise of resolving a technical issue. In one example detailed in the SilentPush report, a fake Firefox update prompted the download of a ZIP archive containing multiple DLL files and a malicious executable named ‘Browser Update.exe.’ The campaign also extends to macOS systems, with researchers discovering an obfuscated JavaScript payload delivered through verification-themed ClickFix attacks that hijack the clipboard.

“Using zTDS, DriveSurge hijacks thousands of legitimate, high-reputation websites and silently redirects visitors to malware, unbeknownst to the sites’ owners or their visitors,” SilentPush stated. The researchers identified eight technical fingerprints associated with the campaign, including a JavaScript injection following the pattern ‘t.js?site=’, where the value of the site parameter is a unique identifier assigned to each compromised site.
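The two fingerprints the report actually describes, the injected ‘t.js?site=’ script tag and the clipboard-hijacking ClickFix JavaScript, are things a site owner can check their own pages for. The following scanner is an added example written for this article, not tooling from SilentPush; it parses a page's script tags with Python's standard library, flags external scripts whose path ends in t.js and carry a site= parameter, and (as an assumption, not a fingerprint from the report) flags inline scripts that call the browser clipboard write API. The sample HTML and the host name injected.invalid are constructed for the demonstration.

```python
"""Scan HTML for the injected-script fingerprint reported for this campaign.

Added example: flags <script src="...t.js?site=<id>"> tags and, as a heuristic
that is an assumption rather than a reported indicator, inline scripts that write
to the clipboard (the mechanism ClickFix lures use to plant a command).
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Reported fingerprint: script path ending in t.js with a per-site 'site' query parameter.
# The report's domain list is not reproduced here, so any host matches.
INJECT_RE = re.compile(r"(^|/)t\.js$", re.IGNORECASE)
# Heuristic (assumption): inline code that writes to the clipboard.
CLIPBOARD_RE = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]", re.IGNORECASE
)


class _ScriptCollector(HTMLParser):
    """Collect external script src values and inline script bodies."""

    def __init__(self) -> None:
        super().__init__()
        self.external: list[str] = []
        self.inline: list[str] = []
        self._in_script = False
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def find_indicators(html: str) -> list[dict]:
    """Return one finding per suspicious script; empty list when nothing matches."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        parts = urlsplit(src)
        # keep_blank_values so an empty 'site=' still counts as the parameter being present
        query = parse_qs(parts.query, keep_blank_values=True)
        if INJECT_RE.search(parts.path) and "site" in query:
            findings.append({
                "type": "tds_injection",
                "src": src,
                "host": parts.netloc,
                "site_id": query["site"][0],
            })
    for body in parser.inline:
        if CLIPBOARD_RE.search(body):
            findings.append({"type": "clipboard_write", "snippet": body.strip()[:80]})
    return findings


# Constructed sample page: one benign script, one injected tag, one clipboard-writing inline script.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://injected.invalid/t.js?site=abc123"></script>
</head><body>
<script>document.body.onclick = function () { navigator.clipboard.writeText(cmd); };</script>
</body></html>"""

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_HTML):
        print(finding)
```

Run it against saved copies of your own pages (or a crawler's output) rather than live visits; the injection is served selectively by the TDS, so a clean fetch from one vantage point does not prove a page is clean.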

SilentPush discovered more than 80 malicious injection domains actively used in the attacks, along with a set of pre-weaponized domains that had not yet been deployed. DriveSurge operates primarily as an initial access broker on a pay-per-install model, facilitating follow-on cyberattacks.

The findings are based on research conducted by SilentPush, a single cybersecurity firm. Users are advised to download browser updates exclusively through their application’s built-in menu—typically found under About > Check for Updates—and to avoid executing unfamiliar commands in the Windows Command Prompt or macOS Terminal.