A threat actor tracked as DriveSurge has compromised thousands of websites to run large-scale malware distribution campaigns built on the ClickFix and FakeUpdates techniques, both of which trick users into downloading malicious software. The campaigns use a Traffic Distribution System (zTDS) to redirect visitors and rely on social engineering to complete the infection.
Silent Push researchers found that DriveSurge uses an open-source Traffic Distribution System (zTDS) to hijack high-reputation websites and redirect their visitors to malware sites. For defenders, two measures are essential: monitoring for injected JavaScript, in particular script references that follow the 't.js?site=<id>' pattern, and hardening against social engineering lures such as ClickFix and FakeUpdates. The finding underlines the need for stronger web application security and user education to counter initial access brokers operating on a pay-per-install model.
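As an added example (not from the Silent Push report), the following script turns the 't.js?site=<id>' indicator into two checks a defender can run: one over fetched HTML to flag injected script tags, and one over web-server or proxy logs to flag requests for the loader. The hosts, the sample page and the log lines are constructed placeholders; the only thing taken from the report is the URL pattern itself.

```python
import re
from typing import Dict, List

# Loader pattern reported for the zTDS campaign: a script URL ending in t.js?site=<id>.
# "host" stays empty when the reference is relative, i.e. the loader was dropped on the
# compromised site itself rather than fetched from the TDS host.
ZTDS_URL_RE = re.compile(
    r"(?:(?:https?:)?//(?P<host>[^/\s'\"?#]+))?(?P<path>[^?#\s'\"]*/t\.js)\?site=(?P<site>[A-Za-z0-9_-]+)",
    re.IGNORECASE,
)
# Extracts the src attribute of every <script> tag (quoted or unquoted).
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)

# Constructed sample page: one legitimate script plus two injected loader references.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example-site.invalid/js/jquery.min.js"></script>
<script type="text/javascript" src='//cdn.example-tds.invalid/t.js?site=1234'></script>
</head><body>
<script src="/wp-includes/t.js?site=ab_77"></script>
</body></html>"""

# Constructed log lines: Apache combined format and a Squid access-log entry.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /wp-includes/t.js?site=ab_77 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2024:13:55:37 +0000] "GET /js/app.js HTTP/1.1" 200 9012',
    "1728568538.101 45 10.0.0.7 TCP_MISS/200 1832 GET http://cdn.example-tds.invalid/t.js?site=1234 - HIER_DIRECT/192.0.2.10 application/javascript",
]


def find_ztds_injections(html: str) -> List[Dict[str, str]]:
    """Return each <script src> in a fetched page that matches the loader pattern."""
    hits = []
    for src in SCRIPT_SRC_RE.findall(html):
        m = ZTDS_URL_RE.match(src)  # anchored: the whole src must be a loader URL
        if m:
            hits.append({"src": src, "host": m.group("host") or "", "site": m.group("site")})
    return hits


def find_ztds_requests(log_lines: List[str]) -> List[Dict[str, str]]:
    """Scan web-server or proxy log lines for requests to a t.js?site=<id> URL."""
    hits = []
    for line in log_lines:
        m = ZTDS_URL_RE.search(line)  # unanchored: the URL sits inside the request field
        if m:
            hits.append({"line": line, "host": m.group("host") or "", "site": m.group("site")})
    return hits


if __name__ == "__main__":
    for h in find_ztds_injections(SAMPLE_HTML):
        print(f"injected script: host={h['host'] or '(relative)'} site={h['site']} src={h['src']}")
    for h in find_ztds_requests(SAMPLE_LOGS):
        print(f"loader request:  host={h['host'] or '(same-origin)'} site={h['site']}")
```

A relative hit in the HTML check means the loader file is present on the site's own document root, so the compromise is on the server, not only in a third-party include.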