Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks
Researchers link the DriveSurge group to massive campaigns that hijack thousands of sites to deliver malware via ClickFix and FakeUpdates. Using the open-source Traffic Distribution System zTDS, they tailor lures to visitors and redirect them to malicious payloads, including fake browser updates and PowerShell-based commands. The operation, which also targets macOS, acts as an initial access broker operating on a pay-per-install (PPI) model and relies on dozens of malicious injection domains and fingerprints. Users are advised to download updates only from official app settings and to ignore unfamiliar update prompts.

Hackers Hijack Thousands of Sites for ClickFix and FakeUpdate Attacks
Overview
A threat actor identified as DriveSurge has been orchestrating large-scale malware distribution campaigns by exploiting compromised websites with two deception techniques: ClickFix and FakeUpdates. Researchers at SilentPush have tracked thousands of sites that have been redirected to malicious infrastructure as part of these campaigns. ClickFix relies on social engineering to coax victims into executing harmful commands, while FakeUpdates pushes fraudulent software update prompts designed to install payloads. The activities are carried out through a combination of compromised sites, a traffic routing layer, and a dark economy model that positions DriveSurge as an initial access broker.
What ClickFix Is
- ClickFix is a social engineering approach that tricks visitors into copying and executing commands believed to fix an issue on their device, but which actually installs or arms malware.
- In many cases, the tactic leverages trusted domains and legitimate browser functionality to persuade users to take unsafe actions.
- The end result is malware infections that often establish persistence and open channels for follow-on activity.
What FakeUpdates Is
- FakeUpdates uses convincing prompts that imitate legitimate software or browser updates to entice users into downloading and running malicious payloads.
- The lures span a wide range of browsers and platforms, with prompts that mimic Chrome, Firefox, Edge, Safari, Opera, Brave, Yandex, Vivaldi, Samsung Internet, UC Browser, and others.
- The objective is to install remote-controlled or pre-configured malware on the user’s device, bypassing normal security expectations through a familiar update narrative.
Campaign Infrastructure and Operation
- DriveSurge appears to function as an initial access broker (IAB), operating on a pay-per-install (PPI) model. The model enables attackers to monetize footholds by selling or leasing compromised access to follow-on operators.
- A Traffic Distribution System (TDS) named zTDS is used to route visitors after they land on compromised sites. zTDS profiles visitors and decides whether a ClickFix or FakeUpdates lure should be shown.
- zTDS is an open-source platform with origins dating back to 2015 and has been utilized by DriveSurge since at least September 2025.
- According to SilentPush, the use of zTDS allows DriveSurge to hijack thousands of legitimate, high-reputation websites and silently redirect visitors to malware infrastructure, often without owners or visitors realizing anything unusual.
A Case Highlight: Firefox Update Artifact
- One notable instance described by SilentPush involved a fake Firefox update that downloaded a ZIP archive containing multiple DLLs and a malicious executable named “Browser Update.exe.”
- This example illustrates how a seemingly legitimate browser update prompt can deliver a multi-component malware package, including components designed to evade detection and establish execution on target devices.
Technical Fingerprints and Network Footprint
- Researchers have identified eight technical fingerprints tied to the DriveSurge campaigns that help distinguish DriveSurge infrastructure from other operations.
- A recurring JavaScript injection pattern appears as t.js?site= followed by a unique identifier assigned to each compromised site. This injection serves as a beacon and control point for the malicious payloads.
- SilentPush cataloged more than 80 malicious injection domains and a set of pre-weaponized domains that had not yet been used in attacks, signaling a broad and evolving attack surface.
- An obfuscated JavaScript payload was discovered, explicitly designed to target macOS desktop systems. This payload is delivered via verification-themed ClickFix techniques that hijack the clipboard, indicating that the campaign extends beyond Windows and spans multiple operating systems.
Cross-Platform Reach and Targeting
- While Windows-based infections remain a core component, macOS targets have been detected through specialized ClickFix payloads that interact with system clipboard functionality.
- The combination of ClickFix and FakeUpdates across multiple platforms suggests DriveSurge intends to maximize reach by exploiting common user behaviors across ecosystems.
- The use of an open-source TDS (zTDS) enables flexible, scalable redirection and tailoring of lures based on site reputation, user agent, geography, and other signals.
Indicators and What Emerges from the Campaign
- The campaign presents a layered attack surface: compromised sites, a redirect layer (zTDS), lure selection (FakeUpdates vs. ClickFix), and payload delivery (DLLs, executables, and cross-platform components).
- The presence of the t.js?site= injection pattern provides a concrete signature that researchers can monitor to identify compromised sites and the scope of the infection.
- The breadth of fake update prompts and cross-platform payloads indicates a campaign designed to ride the edge between user skepticism and curiosity, leveraging the trust users place in familiar update processes.
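The t.js?site= signature described in the two sections above lends itself to a simple page-integrity check. The scanner below is an added example (not code from SilentPush or the article): it collects every script src from a saved copy of a page and flags third-party loads matching that injection shape; the sample page, its injection domain and its site identifier are constructed placeholders, not real indicators.

```python
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Documented injection shape: a script named t.js whose query carries a per-site identifier in site=.
TJS_PATTERN = re.compile(r"(?:^|/)t\.js\?(?:[^#]*&)?site=([A-Za-z0-9_-]+)")

@dataclass(frozen=True)
class Hit:
    src: str       # script URL exactly as written in the page
    host: str      # host serving the script
    site_id: str   # value of the site= parameter

class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag on a page."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())

def find_tjs_injections(html: str, page_host: str) -> list[Hit]:
    """Return every t.js?site= script load served from a host other than the page's own."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hits = []
    for src in parser.srcs:
        m = TJS_PATTERN.search(src)
        if not m:
            continue
        host = urlsplit(src).hostname or ""   # relative (first-party) paths have no host
        if host and host != page_host:
            hits.append(Hit(src=src, host=host, site_id=m.group(1)))
    return hits

# Constructed sample: a first-party script, an injected third-party loader, an unrelated CDN script.
# The injection domain and identifier are placeholders, not real indicators from the campaign.
SAMPLE_PAGE = """<html><head>
<script src="/static/t.js?site=1"></script>
<script src="https://injection-domain.example/t.js?site=a1b2c3"></script>
<script src="https://cdn.example.net/app.js?v=3"></script>
</head><body>...</body></html>"""

if __name__ == "__main__":
    for hit in find_tjs_injections(SAMPLE_PAGE, "www.victim-site.example"):
        print(f"suspect injection from {hit.host} (site id {hit.site_id}): {hit.src}")
```

Run it against periodic crawls of your own sites; a newly appearing third-party hit is the cue to diff the page source against a known-good copy.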
What This Means for the Web Ecosystem
- DriveSurge’s approach shows how compromised sites can be weaponized as launchpads for broad distribution networks, turning legitimate domains into hidden conduits for malware delivery.
- The open-source nature of zTDS lowers barriers to entry for attackers, enabling rapid deployment and customization of redirection strategies across a wide inventory of sites.
- The dual-use tactic of ClickFix and FakeUpdates demonstrates the importance of monitoring both social engineering vectors and software-update paradigms as part of a layered defense.
Technical Landscape and Threat Model
- Initial Access Model: DriveSurge operates as an IAB with a PPI model, selling or distributing access to remote environments for subsequent infection campaigns.
- Distribution Hygiene: Compromised sites are silently redirected to controlled infrastructure, reducing the likelihood of immediate owner detection and allowing campaigns to run for extended periods.
- Lure Diversification: The use of multiple lure types (ClickFix and FakeUpdates) increases the chance of user engagement and payload execution across different user cohorts and OS environments.
- Cross-OS Capabilities: macOS-targeted components delivered through ClickFix workflows indicate a broader threat posture beyond Windows-centric attacks.
Operational Observations and Takeaways
- The combination of a legitimate-looking update prompt with a high-visibility distribution network creates a plausible illusion of credibility, lowering user resistance to executing malicious actions.
- The reliance on an openly available TDS highlights how tooling that is accessible to defenders can be repurposed by attackers to coordinate complex campaigns at scale.
- The multi-stage nature of the attacks (compromise, redirection, lure selection, payload delivery) emphasizes the need for vigilant monitoring at multiple layers, from website integrity to browser and OS behavior.
Cross-Platform Implications
- The macOS-oriented payloads suggest attackers are not constrained by a single operating system and are pursuing diversified footholds.
- Clipboard hijacking in macOS workflows reveals a nuanced persistence and data-exfiltration potential that may escape more cursory security checks.
Closing Thoughts
- The DriveSurge campaigns illustrate how a compact set of techniques—a reliable redirection framework, dual-lure strategies, and modular payloads—can enable widespread malware distribution through legitimate-looking websites.
- The ongoing evolution of zTDS and related infrastructure means defenders must consider not only the content of compromised pages but also the governance and provenance of traffic routing tools in play.
- As this landscape develops, continued analysis of unique fingerprints, domain ecosystems, and cross-platform payloads will be essential for understanding the full reach and impact of these campaigns.


