Hackers Compromise Thousands of Websites in ClickFix and FakeUpdate Malware Campaigns
DriveSurge is using compromised websites to redirect visitors to ClickFix and FakeUpdate malware campaigns, including fake browser updates and malicious command-execution prompts targeting both Windows and macOS users.
A threat actor tracked as DriveSurge has been linked to large-scale malware distribution campaigns that use compromised websites to deliver ClickFix and FakeUpdate attacks.
According to cybersecurity researchers at Silent Push, thousands of legitimate websites have been hijacked and used to redirect visitors to attacker-controlled malware delivery infrastructure. The campaigns rely on social engineering tactics designed to trick users into either executing malicious commands or installing fake browser updates.
ClickFix attacks typically present victims with a fake technical issue or verification prompt (a broken page, a CAPTCHA-style check) and then instruct them to copy a command and run it themselves. The command is usually executed through a built-in interpreter such as PowerShell on Windows or Terminal on macOS, so no exploit is needed; the victim's own keystrokes install the malware.
FakeUpdate attacks use fraudulent software update pages, commonly impersonating popular web browsers, to convince users to download and run malicious payloads. In the DriveSurge campaigns, fake update lures have impersonated Chrome, Firefox, Edge, Safari, Opera, Brave, Yandex, Vivaldi, Samsung Internet, and UC Browser.
Silent Push researchers assess that DriveSurge primarily operates as an initial access broker using a pay-per-install model. Under this model, the group's role is to infect systems at scale and sell the resulting installs or access to other threat actors, who then carry out the follow-on attacks.
The campaigns route visitors through a Traffic Distribution System known as zTDS. This system profiles incoming users and determines which lure to display, such as a FakeUpdate page or a ClickFix prompt. Silent Push says DriveSurge has used zTDS since at least September 2025, while zTDS itself has been available as an open-source traffic distribution system since at least 2015.
Researchers identified several technical indicators tied to the campaign, including a JavaScript injection pattern using t.js?site=<id>, where each compromised website is assigned a unique identifier. Silent Push also uncovered more than 80 malicious injection domains, along with additional pre-weaponized domains that appeared prepared for future use.
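The `t.js?site=<id>` loader is the indicator a site owner or responder can actually check for. The Python below is an added example, not code from Silent Push or from the article: it scans a page's HTML for script tags, and for loader URLs built inside inline scripts, whose URL matches that pattern, extracts the per-site identifier and reports whether the script is hosted on a third-party domain. The sample HTML and the hosts `recipes.example`, `js-loader.example` and `static-assets.example` are constructed for the example, and the exact URL shape accepted by the regular expression (extra query parameters, protocol-relative `//host/` URLs) is an assumption about how the pattern appears in the wild.

```python
"""Scan HTML for the t.js?site=<id> script-injection pattern (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A URL whose path ends in /t.js and whose query carries site=<id>.
# Other query parameters may precede site= (assumption about the pattern's form).
TJS_RE = re.compile(r"(?:^|/)t\.js\?(?:[^#\s'\"]*&)?site=([A-Za-z0-9_-]+)", re.IGNORECASE)

# Absolute or protocol-relative URL ending in /t.js?... inside inline script text.
URL_IN_TEXT_RE = re.compile(r"""(?:https?:)?//[^\s"'<>]+/t\.js\?[^\s"'<>]*""", re.IGNORECASE)


class _ScriptCollector(HTMLParser):
    """Collects external script src values and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text.
        if self._in_script and data.strip():
            self.inline.append(data)


def _host_of(url, page_host):
    """Host serving the script; relative URLs resolve to the page's own host."""
    if url.startswith("//"):
        url = "https:" + url
    return urlsplit(url).netloc.lower() or page_host


def find_tjs_injections(html, page_host):
    """Return one dict per matching loader: src, host, site_id, third_party, inline."""
    page_host = page_host.lower()
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()

    hits = []
    for src in parser.srcs:
        m = TJS_RE.search(src)
        if m:
            host = _host_of(src, page_host)
            hits.append({"src": src, "host": host, "site_id": m.group(1),
                         "third_party": host != page_host, "inline": False})

    # Injections often create the <script> element dynamically; look for the
    # loader URL as a string inside inline script bodies as well.
    for text in parser.inline:
        for um in URL_IN_TEXT_RE.finditer(text):
            url = um.group(0)
            m = TJS_RE.search(url)
            if m:
                host = _host_of(url, page_host)
                hits.append({"src": url, "host": host, "site_id": m.group(1),
                             "third_party": host != page_host, "inline": True})
    return hits


# Constructed sample page: one legitimate first-party script, one CDN library,
# one static injected loader, one dynamically created loader, and a first-party
# t.js that shows why host attribution matters.
SAMPLE_HTML = """<!doctype html>
<html><head><title>Recipe blog</title>
<script src="/assets/app.js"></script>
<script src="https://cdn.jsdelivr.net/npm/jquery@3/dist/jquery.min.js"></script>
<script src="//js-loader.example/t.js?site=4821"></script>
</head><body>
<p>Hello</p>
<script>
  var s = document.createElement('script');
  s.src = 'https://static-assets.example/t.js?v=2&site=a91f';
  document.head.appendChild(s);
</script>
<script src="/t.js?site=self"></script>
</body></html>"""

if __name__ == "__main__":
    for hit in find_tjs_injections(SAMPLE_HTML, "recipes.example"):
        flag = "THIRD-PARTY" if hit["third_party"] else "first-party"
        kind = "inline" if hit["inline"] else "src"
        print(f"{flag:11} {kind:6} host={hit['host']} site={hit['site_id']} url={hit['src']}")
```

A file named `t.js` is not malicious on its own, so treat the output as triage input rather than a verdict: third-party hits are the ones to compare against the injection domains published by Silent Push, and a first-party hit means checking whether that file actually belongs to the site's codebase. Obfuscated injections that assemble the URL from fragments will not match the inline regex; for those, the per-site identifier and the request itself are better seen in the browser's network log or in web server access logs.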
One case described by researchers involved a fake Firefox update that delivered a ZIP archive containing multiple DLL files and a malicious executable named Browser Update.exe.
The campaign also appears to target macOS users. Silent Push identified an obfuscated JavaScript payload designed for macOS desktop systems, delivered through verification-themed ClickFix pages that attempt to hijack the clipboard and guide victims into executing malicious commands.
The activity highlights the continued effectiveness of compromised legitimate websites as malware distribution channels. Because victims are redirected from otherwise trusted sites, these attacks can appear more credible and may bypass a user’s normal suspicion of unfamiliar domains.
Users should install browser updates only through the browser’s built-in update menu or the official vendor website. They should also avoid copying and running commands in Windows Command Prompt, PowerShell, macOS Terminal, or Linux shells unless they fully understand what the command does and trust the source providing it.