
A threat actor tracked as DriveSurge has been running large-scale malware distribution campaigns using ClickFix and FakeUpdates techniques on compromised websites.
Hundreds of websites have been compromised in DriveSurge campaigns to redirect visitors to malware-delivery infrastructure, according to researchers at cybersecurity company Silent Push.
ClickFix is a popular social engineering tactic that tricks victims into copying and executing malicious commands on their systems, often leading to malware infections under the pretense of resolving a technical issue.
In FakeUpdates attacks, threat actors lure victims with fraudulent software update prompts, typically impersonating browser updates, to trick them into downloading and installing malicious payloads.
According to Silent Push researchers, the DriveSurge threat actor primarily functions as an initial access broker (IAB) operating on a pay-per-install (PPI) model, enabling follow-on attacks.
Visitors to compromised websites are redirected through a Traffic Distribution System (TDS) known as zTDS, which profiles them and determines whether a FakeUpdates or a ClickFix lure is more suitable.
Source: Silent Push
zTDS is an open-source TDS that has existed since at least 2015 and that DriveSurge has been using since at least September 2025.
“Using zTDS, DriveSurge hijacks thousands of legitimate, high-reputation websites and silently redirects visitors to malware, unbeknownst to the sites’ owners or their visitors,” Silent Push says.
The FakeUpdates lures include bogus update notices for Chrome, Firefox, Edge, Safari, Opera, Brave, Yandex, Vivaldi, Samsung Internet, and UC Browser, while the ClickFix attacks involve PowerShell commands.
One case highlighted in the Silent Push report involves a fake Firefox update that downloaded a ZIP archive containing multiple DLLs and a malicious executable named ‘Browser Update.exe.’
Source: Silent Push
The researchers identified eight technical fingerprints associated with the campaign that helped identify DriveSurge infrastructure and compromised websites.
Among them is a JavaScript injection following the ‘t.js?website=
Through its analysis, Silent Push discovered more than 80 malicious injection domains and a set of pre-weaponized domains that had not yet been used in attacks.
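As an added illustration of how a site owner could check their own pages for the injection fingerprint described above (example code written for this article, not Silent Push's tooling), the scanner below lists every `<script src>` that loads from a host other than the site itself and whose path ends in `t.js?<param>=`. Because the report's parameter name is truncated on this page, the regex accepts any parameter name; the sample HTML and hostnames are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Fingerprint shape from the report: an injected <script src> whose path
# ends in "t.js?<param>=...". The exact parameter name is not fully given
# on the page, so any parameter name is accepted here (assumption).
INJECT_RE = re.compile(r"/t\.js\?\w+=", re.IGNORECASE)


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def find_suspicious_scripts(html, site_host):
    """Return script srcs that match the t.js fingerprint and are loaded
    from a host other than the site itself (the shape of an injected
    TDS loader). Relative and same-host scripts are ignored."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hits = []
    for src in parser.srcs:
        host = urlparse(src).netloc.lower()
        if host and host != site_host.lower() and INJECT_RE.search(src):
            hits.append(src)
    return hits


# Constructed sample page for demonstration; all hostnames are placeholders.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-analytics.test/lib.js?v=3"></script>
<script src="https://injected.example.test/t.js?site=victim.example.test"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for src in find_suspicious_scripts(SAMPLE_HTML, "victim.example.test"):
        print("suspicious script:", src)
```

A hit is a reason to diff the page against the deployed source and check the web root for modified files, not proof of compromise on its own.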
Additionally, the researchers discovered an obfuscated JavaScript payload specifically designed to target macOS desktop systems, delivered via verification-themed ClickFix attacks that hijack the clipboard, indicating that the campaign extends beyond Windows.
Users are advised to download browser updates only from their app’s settings menu (About > Check for Updates) and to avoid executing commands in the Windows command prompt or Terminal that they do not fully understand.