A New Threat Actor Using ClickFix and Fake Update Drive-By Attacks in Thousands of Compromised Sites
Essential information
- Published
- 30/05/2026 08:07
- Modified
- 02/06/2026 09:30
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- bulletproof hosting clickfix drive-by attacks drivesurge fakeupdates initial access broker macos targeting ztds browser impersonation
- Tags
- 2026-05-30 2026-06-01 browser impersonation bulletproof hosting clickfix drive-by attacks drivesurge fakeupdates initial access broker macos targeting ztds
- Related entities
- 32 indicators, 32 observables, 1 intrusion sets (apt), 19 techniques (mitre), 20 others
Description
DriveSurge is a newly identified threat actor operating as an Initial Access Broker using a Pay-Per-Install model to supply victim leads to downstream actors. The actor has compromised thousands of websites, injecting malicious code that redirects visitors through zTDS (Traffic Distribution System) to deliver malware via two primary methods: FakeUpdates, which impersonate browser update prompts for Chrome, Firefox, Edge, Safari, and eight other browsers; and ClickFix, which tricks users into executing malicious PowerShell commands disguised as fixes. DriveSurge leverages sophisticated infrastructure including bulletproof hosting, obfuscated JavaScript injection patterns, and environment-specific targeting including macOS systems. The operation has been active since at least September 2025, utilizing specific technical fingerprints including unique file naming conventions and server configurations that enable detection and tracking of their evolving infrastructure.