DriveSurge large-scale website-hijack malware distribution campaign
Campaign
Summary
Hide ▲
Show ▼
The DriveSurge campaign is redirecting visitors from thousands of compromised websites to malware-delivery infrastructure, creating a broad infection path through ClickFix and FakeUpdates lures. The operation uses zTDS to profile each visitor and route them toward the lure most likely to succeed. DriveSurge is described as an initial access broker operating on a pay-per-install model, so the redirects can feed follow-on intrusions. The activity now extends beyond Windows to macOS clipboard-hijacking lures, increasing the number of endpoints at risk.
Related Happenings
MacOS ClickFix Terminal-delivered DMG campaign
Campaign
H score37
First: 23.06.2026 21:30
Last: 23.06.2026 21:30
Sources 1
About this happening:
A macOS ClickFix campaign is using fake CAPTCHA pages and Terminal commands to quietly download and launch malicious DMG files, putting Mac devices at risk of...
MacOS ClickFix Terminal-delivered DMG campaign
CampaignAbout this happening: A macOS ClickFix campaign is using fake CAPTCHA pages and Terminal commands to quietly download and launch malicious DMG files, putting Mac devices at risk of...
TikTok and Instagram Reels Vidar social-engineering campaign
Campaign
H score37
First: 10.06.2026 19:00
Last: 10.06.2026 19:00
Sources 1
About this happening:
A TikTok and Instagram Reels campaign is using fake free-software tutorials to push Vidar, turning social feeds into a high-reach malware delivery channel. The operati...
TikTok and Instagram Reels Vidar social-engineering campaign
CampaignAbout this happening: A TikTok and Instagram Reels campaign is using fake free-software tutorials to push Vidar, turning social feeds into a high-reach malware delivery channel. The operati...
DriveSurge as an initial access broker on a pay-per-install model
Threat Actor Meta
H score41
First: 02.06.2026 01:14
Last: 02.06.2026 01:14
Sources 1
How related:
According to Silent Push researchers, the DriveSurge threat actor primarily functions as an initial access broker (IAB) operating on a pay-per-install (PPI) model, enabling follow-on attacks.
About this happening:
DriveSurge has shifted into an initial access broker role built around a pay-per-install (PPI) model, expanding monetized access delivery and increasing downstream intrusi...
DriveSurge as an initial access broker on a pay-per-install model
Threat Actor MetaHow related: According to Silent Push researchers, the DriveSurge threat actor primarily functions as an initial access broker (IAB) operating on a pay-per-install (PPI) model, enabling follow-on attacks.
About this happening: DriveSurge has shifted into an initial access broker role built around a pay-per-install (PPI) model, expanding monetized access delivery and increasing downstream intrusi...
Calypso telecommunications espionage campaign using Showboat and JFMBackdoor
Campaign
H score36
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
About this happening:
A Calypso / Red Lamassu espionage campaign is targeting telecommunications providers with new Showboat and JFMBackdoor malware, increasing the risk of long-term co...
Calypso telecommunications espionage campaign using Showboat and JFMBackdoor
CampaignAbout this happening: A Calypso / Red Lamassu espionage campaign is targeting telecommunications providers with new Showboat and JFMBackdoor malware, increasing the risk of long-term co...
OpenClaw fake installer GitHub campaign promoted by Bing AI
Campaign
H score36
First: 06.03.2026 00:37
Last: 06.03.2026 00:37
Sources 1
About this happening:
A last month campaign used fake OpenClaw installers on GitHub and Bing AI-promoted search results to push malware loaders and infostealers to people trying...
OpenClaw fake installer GitHub campaign promoted by Bing AI
CampaignAbout this happening: A last month campaign used fake OpenClaw installers on GitHub and Bing AI-promoted search results to push malware loaders and infostealers to people trying...
Latest development: 09.03.2026 20:31
A malicious npm package named @openclaw-ai/openclawai, uploaded on March 3, 2026, masquerades as an OpenClaw installer and uses a postinstall hook to launch scripts/setup.js, display a fake CLI and iCloud Keychain prompt, and fetch a second-stage payload from trackpipe[.]dev. The chain installs a persistent RAT internally identified as GhostLoader and steals macOS Keychain data, browser credentials, crypto wallets, SSH keys, Apple Notes, iMessage history, Safari history, and Mail data before exfiltrating a tar.gz archive through the C2 server, Telegram Bot API, and GoFile.io.
Timeline
-
02.06.2026 01:14 2 articles · 1mo ago
Initial report: DriveSurge large-scale website-hijack malware distribution campaign
Initial DisclosureThe operation starts by compromising reputable websites and inserting JavaScript that quietly redirects visitors off-site. Since at least September 2025, the same zTDS infrastructure has been selecting between FakeUpdates and ClickFix delivery paths.
Show sources
- Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks — www.bleepingcomputer.com — 02.06.2026 01:14
- Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks — www.bleepingcomputer.com — 02.06.2026 01:14