DriveSurge Hijacks Thousands of Sites for ClickFix, FakeUpdate Attacks

darkreading.com·Jun 2, 2026

The DriveSurge operation has hijacked thousands of legitimate websites to execute ClickFix and FakeUpdate attacks, delivering malware through a sophisticated traffic distribution system (TDS) that targets both Windows and macOS users. This organized cybercriminal scheme, which has remained largely undetected for nearly a year, functions as an initial access broker, selling access to compromised systems to other threat actors.

The DriveSurge operation highlights the critical importance of monitoring for unexpected outbound traffic and suspicious JavaScript injections, as well as the necessity of blocking DriveSurge domains via real-time threat intelligence feeds. Organizations should also focus on user education: these social engineering attacks trick users into executing malware, so users need to recognize fake error prompts and avoid pasting unfamiliar commands into system dialogs.