DriveSurge Threat Actor Infects Visitors with ClickFix
Recent analysis indicates that DriveSurge operates as a specialized Initial Access Broker (IAB). This group employs a Pay-Per-Install (PPI) model, receiving payment for each successful infection of a...
Recent analysis indicates that DriveSurge operates as a specialized Initial Access Broker (IAB). This group employs a Pay-Per-Install (PPI) model, receiving payment for each successful infection of a victim device. Confirmed infection leads are then sold to other threat actors operating downstream.
Researchers uncovered eight distinct technical fingerprints that map out DriveSurge’s malicious infrastructure, from how scripts are injected into victim sites to the registration patterns used for its domains.
This level of operational detail points to a threat actor that has invested serious time into building a repeatable, scalable infection system. The group has compromised thousands of websites that redirect visitors to malware, all without site owners ever knowing.
The campaign targets a wide range of browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge, Safari, Opera, Brave, Yandex, Vivaldi, Samsung Internet, and UC Browser.
Victims encounter either a fake browser update page or a ClickFix prompt, both designed to look completely routine and trustworthy. That familiarity is exactly what makes both methods so effective against everyday users.
New DriveSurge Threat Actor Uses ClickFix and Fake Updates
DriveSurge deploys two main methods to trick users into installing malware on their own devices. In the Fake Update scenario, a compromised site displays a convincing browser update prompt that impersonates a well-known browser.
Clicking the update button triggers the download of a ZIP file containing multiple DLL files and a “Browser Update.exe” file that is actually malware.
The ClickFix method works differently. A fake error message instructs the victim to copy and paste a command into their terminal or PowerShell window, which then silently installs malware.
In one confirmed instance, the ClickFix prompt tried to pull malicious code from an IP address already flagged in active threat intelligence feeds. Both methods exploit the trust people naturally place in familiar websites and routine-looking browser prompts.
The underlying zTDS infrastructure uses obfuscation techniques, including Base64 encoding and string manipulation, to hide malicious redirect code inside normal-looking page elements.
A failover mechanism cycles through multiple backup servers to ensure the payload reaches the victim even if one delivery domain goes down. Researchers confirmed the TDS has been in active use since at least 2022.
MacOS Targeting and a Cross-Platform Victim Strategy
Analysis of obfuscated JavaScript files tied to DriveSurge revealed the attack chain does not only target Windows machines. One analyzed payload delivered macOS malware, showing that DriveSurge is actively building a cross-platform victim pool.
The payload used a multi-stage shell command that downloaded a secondary file, executed it, and then deleted itself immediately to reduce forensic traces.
Researchers also discovered a separate Advertisement Distribution System linked to the campaign. This system collects device metadata and uses behavioral signals like mouse movements, scrolls, and clicks to confirm human presence before delivering content.
Organizations are advised to monitor for unusual external JavaScript injections, audit third-party scripts loading from unrecognized domains, and ensure web-facing content management systems remain fully patched and access-controlled.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| Domain | beacontrace[.]bond | Malicious zTDS inject domain serving t.js script |
| Domain | jclforwarding[.]com | Compromised site used to serve Fake Update / ClickFix content |
| Domain | check[.]first-node[.]rocks | Malicious domain serving fake Mozilla Firefox update page |
| Domain | cptoptious[.]com | zTDS delivery domain used in obfuscated payload |
| Domain | newtdsone[.]shop | zTDS delivery domain used in obfuscated payload |
| Domain | captioto[.]com | zTDS delivery domain used in obfuscated payload |
| Domain | banerpanel[.]live | Advertisement Distribution System (ADS) panel domain |
| Domain | testio[.]ecartdev[.]com | Payload and development server identified in analysis |
| Domain | ycyfugihih[.]cfd | Domain linked to DriveSurge registration email pivot |
| Domain | brightson[.]icu | Pre-weaponized DriveSurge infrastructure domain |
| Domain | coverlink[.]icu | Pre-weaponized DriveSurge infrastructure domain |
| Domain | datumprobe[.]icu | Pre-weaponized DriveSurge infrastructure domain |
| Domain | webgleam[.]info | Domain identified via Fingerprint 3 infrastructure pattern |
| Domain | cptoptions[.]com | Suspicious domain loaded into jclforwarding[.]com |
| Domain | banerpanel[.]live | ADS domain serving casino slot machine advertisement |
| thiagorivera197151[@]ycyfugihih[.]cfd | DriveSurge domain registration email (Fingerprint 6 pivot) | |
| samuel_jordan16[@]flixtrend[.]net | Second DriveSurge domain registration email (Fingerprint 7 pivot) | |
| IP Address | 46[.]226[.]166[.]57 | C2 server hosting macOS payload; URL: hxxp://46[.]226[.]166[.]57/ce3cbfc887?force=1 |
| File Hash (SHA256) | 90aecb370dfb1a99a1f7de0a9c6842ab1b664521fddea16b0ec9a91f322646fc | ZIP file downloaded via fake Mozilla Firefox update page |
| File Hash (SHA256) | 7aa15de93cf85729ddf970e8d7897f69ece3ca29608f73e784a9ba40c9cea18d | macOS payload binary retrieved from C2 server |
| File Hash (SHA256) | 29ac78c51bcdfe68c64830bdeb6e41437dd55e2691149741c9b78be03b6c82ea | Malicious server body SHA256 (Fingerprint 4) |
| File Hash (SHA256) | a84b032b49773c2318b11b1164d1aada69e940229aedbf8185c33fc7dd1d2cdf | Malicious server body SHA256 (Fingerprint 4 alternate) |
| File Hash (SHA256) | 428bd0b0ac36dfdd223b3953dbe61c0baf227f893310b03e7afe3111462019c6 | Data hash linked to jclforwarding[.]com web resources |
| File Name | t.js | Malicious injected JavaScript file (Fingerprint 1 pattern) |
| File Name | Browser Update.exe | Fake browser update executable dropped via ZIP file |
| File Name | script.js | Injected JavaScript file served by check[.]first-node[.]rocks |
| File Name | banner-js[.]php | Script loaded into compromised sites via banerpanel[.]live |
| File Name | changelog.txt | Publicly accessible file on zTDS server confirming TDS version history |
| URL | hxxps[://]newtdsone[.]shop/jsrepo?rnd= | zTDS payload fetch URL embedded in obfuscated JavaScript |
| URL | hxxps[://]cptoptious[.]com/jsrepo?rnd= | zTDS payload fetch URL embedded in obfuscated JavaScript |
| URL | hxxps[://]captioto[.]com/jsrepo?rnd= | zTDS payload fetch URL embedded in obfuscated JavaScript |
| URL | hxxp://46[.]226[.]166[.]57/ce3cbfc887?force=1 | C2 URL delivering macOS malware payload |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.