DriveSurge is a threat actor conducting widespread malware distribution by compromising thousands of high-reputation websites. Using the open-source Traffic Distribution System zTDS, visitors are profiled and redirected to either ClickFix or FakeUpdates social engineering attacks. ClickFix tricks victims into running malicious PowerShell commands, while FakeUpdates present fraudulent browser update prompts to deliver malware payloads. The campaign targets multiple browsers (Chrome, Firefox, Edge, Safari, Opera, Brave, Yandex, Vivaldi, Samsung Internet, UC Browser) and platforms, including macOS via clipboard hijacking. DriveSurge functions as an initial access broker operating on a pay-per-install basis, enabling follow-on attacks. Researchers identified multiple technical fingerprints and injection domains linked to this campaign.

The campaign results in malware infections on victim systems through social engineering, potentially leading to further compromise facilitated by DriveSurge's pay-per-install model. Legitimate websites are hijacked without owners' knowledge, exposing their visitors to malicious redirects and payloads. The threat affects multiple browsers and operating systems, increasing its reach. There is no indication of direct exploitation of software vulnerabilities; the attack relies on deception and compromised infrastructure.

No official patch or vendor advisory is available for this threat. Users should only download browser updates through the official application settings menu (About > Check for Updates) and avoid executing commands in command prompts or terminals unless fully understood. Website owners should investigate and remediate unauthorized JavaScript injections, specifically those matching the 't.js?site=<id>' pattern, and monitor for signs of compromise. Since this is a malware distribution campaign leveraging compromised sites, remediation involves cleaning affected websites and improving security to prevent reinfection.