Skip to main content

DriveSurge Hijacks Thousands of Sites for Malware Attacks

Server room interior with rows of rack-mounted servers, tangled cables, and subtle hints of disruption.
“Using zTDS, DriveSurge hijacks thousands of legitimate, high-reputation websites and silently redirects visitors to malware, unbeknownst to the sites’ owners or their visitors,” Silent Push says.

DriveSurge: an initial access broker running pay‑per‑install campaigns

Researchers at SilentPush report that the threat actor tracked as DriveSurge operates at scale as an initial access broker (IAB). The actor primarily functions on a pay‑per‑install (PPI) model, delivering initial access and enabling follow‑on attacks for downstream operators. DriveSurge’s campaigns redirect visitors of compromised sites into malware‑delivery infrastructure rather than directly hosting all payloads.

zTDS: an open‑source Traffic Distribution System at the center

Visitors to compromised sites are routed through a Traffic Distribution System known as zTDS, which profiles visitors and decides whether to present a FakeUpdates or a ClickFix lure. SilentPush notes zTDS is an open‑source TDS that has existed since at least 2015 and that DriveSurge has been using it since at least September 2025. The profiling step in zTDS is a core part of the campaign’s ability to tailor social‑engineering lures to the target.

ClickFix and FakeUpdates: the social‑engineering techniques employed

SilentPush’s analysis identifies two primary social‑engineering techniques in DriveSurge campaigns. ClickFix lures coax victims into copying and executing commands—often PowerShell commands—under the pretense of fixing a technical problem. FakeUpdates present fraudulent software update prompts, commonly impersonating browser updates, to trick users into downloading and installing malicious payloads.

The FakeUpdates lures observed by SilentPush impersonate a broad set of browsers: Chrome, Firefox, Edge, Safari, Opera, Brave, Yandex, Vivaldi, Samsung Internet, and UC Browser. In one highlighted case, a fake Firefox update caused a ZIP archive to be downloaded that contained multiple DLL files and a malicious executable named “Browser Update.exe.”

Technical fingerprints, injection patterns, and cross‑platform targeting

SilentPush identified eight technical fingerprints that linked infrastructure and compromised websites to the DriveSurge campaigns. One recurring indicator is a JavaScript injection following the pattern “t.js?site=<id>”, where the <id> is a unique value assigned to each compromised website. Through their analysis, the researchers found more than 80 malicious injection domains and also identified a set of pre‑weaponized domains that had not yet been used in active attacks.

Notably, the campaign is not limited to Windows. SilentPush discovered an obfuscated JavaScript payload specifically crafted to target macOS desktop systems; this code was delivered via verification‑themed ClickFix attacks that hijack the clipboard. That detail indicates DriveSurge’s tooling includes cross‑platform lures and payload delivery techniques.

What this means for site owners, security teams, and end users

  • Site owners and administrators should watch for the “t.js?site=<id>” injection pattern and the presence of unexpected JavaScript inclusion from third‑party domains; SilentPush’s discovery of more than 80 injection domains and pre‑weaponized domains gives concrete indicators to check.
  • Security teams and defenders should treat zTDS‑based redirects and the IAB/PPI business model as operational details to monitor: a Traffic Distribution System is being used to profile visitors and route them to platform‑appropriate lures, and the campaign’s eight technical fingerprints can help link activity across compromised properties.
  • End users are urged to download browser updates only from the application’s settings menu (About > Check for Updates) and to avoid executing commands in the Windows command prompt or Terminal that they do not fully understand—specific mitigations called out by SilentPush to blunt both FakeUpdates and ClickFix tactics.

SilentPush’s report paints a picture of a distributed, adaptable operation using an established open‑source TDS to weaponize otherwise legitimate, high‑reputation websites. The campaign’s fingerprints—JavaScript injection patterns, injection domains, and the evidence of macOS‑focused payloads—offer defenders concrete artifacts to hunt for. At the same time, the presence of pre‑weaponized domains and thousands of hijacked sites raises a clear question the facts in the report leave open: how many visitors have already been routed to malware, and how many compromised high‑reputation domains remain undetected?

Original story