DriveSurge as an initial access broker on a pay-per-install model
Threat Actor Meta
Summary
Hide ▲
Show ▼
DriveSurge has shifted into an initial access broker role built around a pay-per-install (PPI) model, expanding monetized access delivery and increasing downstream intrusion risk. The actor’s use of zTDS to profile visitors and choose between FakeUpdates and ClickFix lures makes the ecosystem more efficient at turning redirected traffic into infections. The operation’s reach across thousands of compromised websites gives the model broad scale and repeatability.
Related Happenings
MacOS ClickFix Terminal-delivered DMG campaign
Campaign
H score37
First: 23.06.2026 21:30
Last: 23.06.2026 21:30
Sources 1
About this happening:
A macOS ClickFix campaign is using fake CAPTCHA pages and Terminal commands to quietly download and launch malicious DMG files, putting Mac devices at risk of...
MacOS ClickFix Terminal-delivered DMG campaign
CampaignAbout this happening: A macOS ClickFix campaign is using fake CAPTCHA pages and Terminal commands to quietly download and launch malicious DMG files, putting Mac devices at risk of...
DriveSurge large-scale website-hijack malware distribution campaign
Campaign
H score41
First: 02.06.2026 01:14
Last: 02.06.2026 01:14
Sources 1
How related:
Thousands of websites have been compromised in DriveSurge campaigns to redirect visitors to malware-delivery infrastructure, according to researchers at cybersecurity company SilentPush.
About this happening:
The DriveSurge campaign is redirecting visitors from thousands of compromised websites to malware-delivery infrastructure, creating a broad infection path through Cl...
DriveSurge large-scale website-hijack malware distribution campaign
CampaignHow related: Thousands of websites have been compromised in DriveSurge campaigns to redirect visitors to malware-delivery infrastructure, according to researchers at cybersecurity company SilentPush.
About this happening: The DriveSurge campaign is redirecting visitors from thousands of compromised websites to malware-delivery infrastructure, creating a broad infection path through Cl...
Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign
Campaign
H score33
First: 22.05.2026 14:30
Last: 22.05.2026 14:30
Sources 1
About this happening:
Cyber threat actors ran a malicious SEO-poisoning campaign that impersonated Google Gemini CLI and Anthropic Claude Code to push malicious downloads. The operation...
Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign
CampaignAbout this happening: Cyber threat actors ran a malicious SEO-poisoning campaign that impersonated Google Gemini CLI and Anthropic Claude Code to push malicious downloads. The operation...
Calypso telecommunications espionage campaign using Showboat and JFMBackdoor
Campaign
H score36
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
About this happening:
A Calypso / Red Lamassu espionage campaign is targeting telecommunications providers with new Showboat and JFMBackdoor malware, increasing the risk of long-term co...
Calypso telecommunications espionage campaign using Showboat and JFMBackdoor
CampaignAbout this happening: A Calypso / Red Lamassu espionage campaign is targeting telecommunications providers with new Showboat and JFMBackdoor malware, increasing the risk of long-term co...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
H score57
First: 21.04.2026 17:00
Last: 21.04.2026 17:00
Sources 1
About this happening:
The Gentlemen ransomware-as-a-service operation is using an operator-maintained EDR-killer portfolio, led by GentleKiller, to disable security software before encrypti...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor MetaAbout this happening: The Gentlemen ransomware-as-a-service operation is using an operator-maintained EDR-killer portfolio, led by GentleKiller, to disable security software before encrypti...
Timeline
-
02.06.2026 01:14 2 articles · 1mo ago
DriveSurge operates as an initial access broker using a pay-per-install model
Initial DisclosureSilent Push describes DriveSurge as an initial access broker that uses a pay-per-install model to monetize compromised websites and drive visitors into malware-delivery chains. The operation routes traffic through zTDS to profile visitors and select either FakeUpdates or ClickFix lures, and the same infrastructure has been used since at least September 2025.
Show sources
- Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks — www.bleepingcomputer.com — 02.06.2026 01:14
- Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks — www.bleepingcomputer.com — 02.06.2026 01:14