HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

DriveSurge Hijacks Thousands of Websites for ClickFix and FakeUpdate Malware Campaigns

DriveSurge has taken control of thousands of reputable websites, redirecting visitors to malicious PowerShell commands (ClickFix) or bogus browser‑update prompts (FakeUpdate). The campaign targets users across all sectors, turning trusted web properties into covert infection vectors and raising urgent third‑party risk concerns.

LiveThreat™ Intelligence · 📅 June 02, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
6 sector(s)
Actions
4 recommended
📰
Source
bleepingcomputer.com

DriveSurge Hijacks Thousands of Websites for ClickFix and FakeUpdate Malware Campaigns

What Happened – The threat actor known as DriveSurge has compromised thousands of legitimate, high‑reputation websites and is using them to serve two social‑engineering payloads: “ClickFix” PowerShell command injections and “FakeUpdate” bogus browser‑update prompts. Visitors are silently redirected through the open‑source traffic distribution system (zTDS) to the most appropriate lure, delivering Windows or macOS malware.

Why It Matters for TPRM

  • Compromised third‑party sites become a covert attack vector against your employees, customers, and partners.
  • The pay‑per‑install model expands the threat quickly, increasing the likelihood of exposure for any organization that references or embeds external content.
  • Traditional perimeter defenses may miss the malicious redirects because the hosting domains appear legitimate.

Who Is Affected – All industries that host public‑facing web properties or embed third‑party widgets, including technology SaaS, e‑commerce, financial services, healthcare, government, and media.

Recommended Actions

  • Conduct a review of all third‑party web assets and embedded scripts for unauthorized JavaScript injections.
  • Enforce strict content‑security policies (CSP) and subresource integrity (SRI) for external resources.
  • Educate users to verify software updates only via native application menus, not browser prompts.
  • Deploy web‑gateway or DNS filtering that blocks known zTDS domains and suspicious “t.js” patterns.

Technical Notes – DriveSurge leverages the open‑source zTDS traffic distribution system (in use since 2015) to profile visitors and serve either a ClickFix PowerShell command or a FakeUpdate download. The ClickFix payload hijacks the clipboard and executes PowerShell commands; the FakeUpdate payload mimics updates for Chrome, Firefox, Edge, Safari, Opera, Brave, Yandex, Vivaldi, Samsung Internet, and UC Browser, delivering a ZIP of DLLs and a malicious executable. The campaign also includes an obfuscated JavaScript targeting macOS. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/hackers-hijack-thousands-of-sites-for-clickfix-and-fakeupdate-attacks/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

This is the scenario continuous vendor monitoring is built to catch.

When a vendor is compromised, your SOC 2 vendor-management controls are what produce the audit trail showing you knew, assessed, and acted. The Verisq AI Trust Operations platform tracks that continuously.

Explore the Verisq AI Trust Operations platform →