DriveSurge operates as an Initial Access Broker using a Pay-Per-Install model, compromising thousands of websites to inject malicious code that redirects visitors through zTDS. It delivers malware primarily via two methods: FakeUpdates that impersonate browser update prompts across multiple browsers, and ClickFix, which tricks users into running malicious PowerShell commands disguised as fixes. The actor uses bulletproof hosting, obfuscated JavaScript injection, and environment-specific targeting including macOS. The campaign has been active since at least September 2025 and exhibits identifiable technical fingerprints such as unique file naming and server configurations, facilitating detection and tracking of its evolving infrastructure.

The compromise of thousands of websites enables DriveSurge to redirect large volumes of web traffic to malware payloads, increasing the risk of infection for visitors. The use of FakeUpdate prompts and ClickFix PowerShell tricks can lead to execution of malicious code on victim systems, potentially resulting in system compromise. Targeting multiple browsers and macOS systems broadens the scope of affected users. As an Initial Access Broker, DriveSurge facilitates downstream attacks by supplying victim leads, amplifying the overall threat impact.

No specific patch or vendor advisory is available for this threat. Mitigation should focus on detection and blocking of the injected malicious code and traffic redirection patterns associated with DriveSurge, including monitoring for FakeUpdate and ClickFix indicators. Website owners should review and secure their sites to prevent compromise, including validating third-party code and hardening web infrastructure. Users should be cautious of unsolicited update prompts and avoid executing PowerShell commands from untrusted sources. Since this is a campaign leveraging compromised sites, remediation primarily involves site owners cleaning infections and users employing endpoint protections.