Find notable cyber news and cases, enriched with sources, timelines, and signals.

DriveSurge large-scale website-hijack malware distribution campaign

Campaign
First reported
Last updated
Happening score
H score 41
1 unique sources, 1 articles

Summary

Hide ▲

The DriveSurge campaign is redirecting visitors from thousands of compromised websites to malware-delivery infrastructure, creating a broad infection path through ClickFix and FakeUpdates lures. The operation uses zTDS to profile each visitor and route them toward the lure most likely to succeed. DriveSurge is described as an initial access broker operating on a pay-per-install model, so the redirects can feed follow-on intrusions. The activity now extends beyond Windows to macOS clipboard-hijacking lures, increasing the number of endpoints at risk.

Related Happenings

MacOS ClickFix Terminal-delivered DMG campaign

Campaign
H score37 First: 23.06.2026 21:30 Last: 23.06.2026 21:30 Sources 1

About this happening: A macOS ClickFix campaign is using fake CAPTCHA pages and Terminal commands to quietly download and launch malicious DMG files, putting Mac devices at risk of...

TikTok and Instagram Reels Vidar social-engineering campaign

Campaign
H score37 First: 10.06.2026 19:00 Last: 10.06.2026 19:00 Sources 1

About this happening: A TikTok and Instagram Reels campaign is using fake free-software tutorials to push Vidar, turning social feeds into a high-reach malware delivery channel. The operati...

DriveSurge as an initial access broker on a pay-per-install model

Threat Actor Meta
H score41 First: 02.06.2026 01:14 Last: 02.06.2026 01:14 Sources 1

How related: According to Silent Push researchers, the DriveSurge threat actor primarily functions as an initial access broker (IAB) operating on a pay-per-install (PPI) model, enabling follow-on attacks.

About this happening: DriveSurge has shifted into an initial access broker role built around a pay-per-install (PPI) model, expanding monetized access delivery and increasing downstream intrusi...

Calypso telecommunications espionage campaign using Showboat and JFMBackdoor

Campaign
H score36 First: 21.05.2026 17:00 Last: 21.05.2026 17:00 Sources 1

About this happening: A Calypso / Red Lamassu espionage campaign is targeting telecommunications providers with new Showboat and JFMBackdoor malware, increasing the risk of long-term co...

OpenClaw fake installer GitHub campaign promoted by Bing AI

Campaign
H score36 First: 06.03.2026 00:37 Last: 06.03.2026 00:37 Sources 1

About this happening: A last month campaign used fake OpenClaw installers on GitHub and Bing AI-promoted search results to push malware loaders and infostealers to people trying...

Latest development: 09.03.2026 20:31

A malicious npm package named @openclaw-ai/openclawai, uploaded on March 3, 2026, masquerades as an OpenClaw installer and uses a postinstall hook to launch scripts/setup.js, display a fake CLI and iCloud Keychain prompt, and fetch a second-stage payload from trackpipe[.]dev. The chain installs a persistent RAT internally identified as GhostLoader and steals macOS Keychain data, browser credentials, crypto wallets, SSH keys, Apple Notes, iMessage history, Safari history, and Mail data before exfiltrating a tar.gz archive through the C2 server, Telegram Bot API, and GoFile.io.

Timeline

  1. 02.06.2026 01:14 2 articles · 1mo ago

    Initial report: DriveSurge large-scale website-hijack malware distribution campaign

    Initial Disclosure

    The operation starts by compromising reputable websites and inserting JavaScript that quietly redirects visitors off-site. Since at least September 2025, the same zTDS infrastructure has been selecting between FakeUpdates and ClickFix delivery paths.

    Show sources