DriveSurge Malware Campaign Hijacks Websites for ClickFix and FakeUpdate Attacks

Understanding the DriveSurge Malware Campaign

A website that looks completely legitimate can still become part of a malware delivery chain. The DriveSurge malware campaign, publicly reported in June 2026, uses compromised websites to redirect visitors to attacker-controlled infrastructure that delivers ClickFix and FakeUpdates lures. The campaign profiles visitors before presenting fake browser updates or command-execution prompts that can lead to malware execution on Windows and macOS systems.

The activity highlights how attackers can combine compromised websites, social engineering, and endpoint-focused malware delivery techniques to gain an initial foothold inside organizations.

Who Is DriveSurge?

DriveSurge is a threat actor associated with large-scale malware distribution operations. Researchers describe the group as operating in a manner similar to an initial access broker, helping distribute malware through compromised websites and traffic-redirection infrastructure.

Rather than focusing on a specific malware family, DriveSurge appears to provide access opportunities for downstream threat actors through a pay-per-install model. The group uses a traffic distribution system to evaluate visitors and determine which lure or payload should be delivered.

DriveSurge is significant because it combines multiple infection techniques, including FakeUpdates pages, ClickFix attacks, browser-update impersonation, and cross-platform malware delivery. By leveraging trusted websites that have already been compromised, the campaign may make malicious redirects appear less suspicious to users.

How the Attack Works

Key Findings from the Investigation

Researchers observed thousands of compromised legitimate websites redirecting visitors to infrastructure associated with the DriveSurge malware campaign.

The operation uses a traffic distribution system known as zTDS to profile visitors based on factors such as browser type, operating system, and context before selecting which lure to display.

FakeUpdates Malware Delivery

FakeUpdates pages impersonate browser update notifications and encourage users to download files used for malware delivery.

ClickFix Attacks and Command Execution

ClickFix attacks rely on social engineering to persuade users to copy and execute commands on their own systems. In Windows environments, these commands may involve PowerShell. On macOS, researchers observed clipboard-manipulation techniques that attempted to influence command execution through Terminal.

Featured resource

Why XDR Is Stronger With UEM

See how combining UEM and XDR bridges the security gap, using UEM as a proactive shield and XDR as a reactive sword to accelerate incident response.

Download the whitepaper

What Is ClickFix?

For organizations asking what is ClickFix, it is a social-engineering technique that instructs users to perform actions themselves rather than relying on a traditional exploit.

Victims are typically shown instructions that encourage them to copy and run commands from a command prompt, PowerShell window, or terminal session. This technique is better described as social engineering that tricks users into running malicious commands in Command Prompt, PowerShell, or Terminal.

What Remains Unclear

While researchers identified infrastructure and delivery mechanisms associated with the campaign, the full range of malware families distributed through the operation has not been publicly detailed.

It is also unclear how many organizations or users may have been successfully infected through the campaign.

Why the DriveSurge Campaign Matters

The DriveSurge malware campaign demonstrates how trusted websites can become part of an attack chain without users realizing it.

Traditional security approaches often focus on blocking malicious websites outright. However, when attackers compromise legitimate websites and selectively redirect visitors through traffic distribution systems, malicious activity may be harder for users and basic URL-blocking controls to recognize.

The campaign also highlights the risks associated with social engineering techniques that trick users into running commands in Command Prompt, PowerShell, or Terminal. Instead of exploiting software vulnerabilities directly, attackers attempt to convince users to execute commands themselves. This can reduce the effectiveness of controls that focus only on blocking malicious downloads, making command-line, and process monitoring more important.

Organizations increasingly need visibility into device activity, script execution, application installation behavior, and suspicious endpoint actions to identify threats before they develop into larger security incidents.

How Hexnode Can Help Reduce Risk

Hexnode UEM: Control Unauthorized Software Installation

The DriveSurge malware campaign relies on users downloading and executing files from untrusted sources.

Hexnode UEM can help organizations enforce application management policies, maintain device compliance, and manage app installation or restriction workflows on supported managed endpoints. When configured appropriately, these controls can help reduce the risk of unauthorized applications being installed on corporate devices.

Hexnode XDR: Investigate and Respond to Suspicious Endpoint Activity

ClickFix attacks frequently depend on users executing commands that may launch scripts, malware loaders, or follow-on payloads.

Hexnode XDR helps security teams investigate suspicious endpoint activity through endpoint-focused detection, investigation, and response capabilities. Security teams can use endpoint telemetry and investigation workflows to review suspicious process behavior and activity that may be associated with malware execution.

Security Investigation and Response

Analysts can use Hexnode XDR response actions such as device isolation and process termination to support endpoint incident remediation workflows.

Reducing Exposure to ClickFix and FakeUpdates Malware

The DriveSurge operation illustrates how modern malware campaigns increasingly blend social engineering, compromised websites, and targeted delivery infrastructure.

Users may encounter what appears to be a routine browser update or a harmless instruction to paste a command into a terminal window. In reality, these interactions can provide attackers with an opportunity to establish an initial foothold on a device.

Organizations should review browser security practices, restrict unauthorized software installations, monitor script execution activity, and educate users about the risks of unexpected update prompts and command-execution requests.

Recommended Security Measures

Strengthen Endpoint Controls

Implement application controls, device compliance policies, and software installation restrictions to reduce malware exposure.

Improve User Awareness

Train users to recognize fake browser updates, suspicious prompts, and requests to execute commands in PowerShell, Command Prompt, or Terminal.

Enhance Threat Detection

Use endpoint monitoring and investigation capabilities to identify suspicious processes, script execution, and malware-related activity as early as possible.

Combining endpoint hardening, application controls, security awareness, and endpoint investigation capabilities can help reduce exposure to malware delivery campaigns. Maintaining visibility across managed devices remains an important part of reducing initial-access risk.