Find notable cyber news and cases, enriched with sources, timelines, and signals.

DriveSurge as an initial access broker on a pay-per-install model

Threat Actor Meta
First reported
Last updated
Happening score
H score 41
1 unique sources, 1 articles

Summary

Hide ▲

DriveSurge has shifted into an initial access broker role built around a pay-per-install (PPI) model, expanding monetized access delivery and increasing downstream intrusion risk. The actor’s use of zTDS to profile visitors and choose between FakeUpdates and ClickFix lures makes the ecosystem more efficient at turning redirected traffic into infections. The operation’s reach across thousands of compromised websites gives the model broad scale and repeatability.

Related Happenings

MacOS ClickFix Terminal-delivered DMG campaign

Campaign
H score37 First: 23.06.2026 21:30 Last: 23.06.2026 21:30 Sources 1

About this happening: A macOS ClickFix campaign is using fake CAPTCHA pages and Terminal commands to quietly download and launch malicious DMG files, putting Mac devices at risk of...

DriveSurge large-scale website-hijack malware distribution campaign

Campaign
H score41 First: 02.06.2026 01:14 Last: 02.06.2026 01:14 Sources 1

How related: Thousands of websites have been compromised in DriveSurge campaigns to redirect visitors to malware-delivery infrastructure, according to researchers at cybersecurity company SilentPush.

About this happening: The DriveSurge campaign is redirecting visitors from thousands of compromised websites to malware-delivery infrastructure, creating a broad infection path through Cl...

Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign

Campaign
H score33 First: 22.05.2026 14:30 Last: 22.05.2026 14:30 Sources 1

About this happening: Cyber threat actors ran a malicious SEO-poisoning campaign that impersonated Google Gemini CLI and Anthropic Claude Code to push malicious downloads. The operation...

Calypso telecommunications espionage campaign using Showboat and JFMBackdoor

Campaign
H score36 First: 21.05.2026 17:00 Last: 21.05.2026 17:00 Sources 1

About this happening: A Calypso / Red Lamassu espionage campaign is targeting telecommunications providers with new Showboat and JFMBackdoor malware, increasing the risk of long-term co...

The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up

Threat Actor Meta
H score57 First: 21.04.2026 17:00 Last: 21.04.2026 17:00 Sources 1

About this happening: The Gentlemen ransomware-as-a-service operation is using an operator-maintained EDR-killer portfolio, led by GentleKiller, to disable security software before encrypti...

Timeline

  1. 02.06.2026 01:14 2 articles · 1mo ago

    DriveSurge operates as an initial access broker using a pay-per-install model

    Initial Disclosure

    Silent Push describes DriveSurge as an initial access broker that uses a pay-per-install model to monetize compromised websites and drive visitors into malware-delivery chains. The operation routes traffic through zTDS to profile visitors and select either FakeUpdates or ClickFix lures, and the same infrastructure has been used since at least September 2025.

    Show sources