
DriveSurge large-scale website-hijack malware distribution campaign

Campaign
Happening score: 41 · 1 unique source, 1 article

Summary


The DriveSurge campaign is redirecting visitors from thousands of compromised websites to malware-delivery infrastructure, creating a broad infection path through ClickFix and FakeUpdates lures. The operation uses zTDS to profile each visitor and route them toward the lure most likely to succeed. DriveSurge is described as an initial access broker operating on a pay-per-install model, so the redirects can feed follow-on intrusions. The activity now extends beyond Windows to macOS clipboard-hijacking lures, increasing the number of endpoints at risk.

Related Happenings

DriveSurge as an initial access broker on a pay-per-install model

Threat Actor Meta
First: 02.06.2026 01:14 Last: 02.06.2026 01:14 Sources 1

How related: According to Silent Push researchers, the DriveSurge threat actor primarily functions as an initial access broker (IAB) operating on a pay-per-install (PPI) model, enabling follow-on attacks.

About this happening: DriveSurge has shifted into an **initial access broker** role built around a **pay-per-install (PPI)** model, expanding monetized access delivery and increasing downstream intrusi...

Calypso telecommunications espionage campaign using Showboat and JFMBackdoor

Campaign
First: 21.05.2026 17:00 Last: 21.05.2026 17:00 Sources 1

About this happening: A **Calypso / Red Lamassu** espionage campaign is targeting **telecommunications providers** with new **Showboat** and **JFMBackdoor** malware, increasing the risk of long-term co...

OpenClaw fake installer GitHub campaign promoted by Bing AI

Campaign
First: 06.03.2026 00:37 Last: 06.03.2026 00:37 Sources 1

About this happening: A campaign **last month** used **fake OpenClaw installers** on **GitHub** and **Bing AI**-promoted search results to push **malware loaders** and **infostealers** to people trying...

Latest development: 09.03.2026 20:31

A malicious npm package named @openclaw-ai/openclawai, uploaded on March 3, 2026, masquerades as an OpenClaw installer and uses a postinstall hook to launch scripts/setup.js, display a fake CLI and iCloud Keychain prompt, and fetch a second-stage payload from trackpipe[.]dev. The chain installs a persistent RAT internally identified as GhostLoader and steals macOS Keychain data, browser credentials, crypto wallets, SSH keys, Apple Notes, iMessage history, Safari history, and Mail data before exfiltrating a tar.gz archive through the C2 server, Telegram Bot API, and GoFile.io.

CRESCENTHARVEST Windows RAT and info-stealer activity

Malware Activity
First: 19.02.2026 10:13 Last: 19.02.2026 10:13 Sources 1

About this happening: The **CRESCENTHARVEST** malware activity centers on **version.dll**, a **Windows RAT and information stealer** that can execute commands, log keystrokes, and exfiltrate data. It m...

ClickFix DNS-based nslookup staging campaign

Campaign
First: 15.02.2026 16:10 Last: 15.02.2026 16:10 Sources 1

About this happening: The **ClickFix** campaign has added **DNS-based staging** that uses **nslookup** in the **Windows Run dialog** to fetch and run a second-stage payload, making malicious execution...

Timeline

  1. 02.06.2026 01:14 · 2 articles

    Initial report: DriveSurge large-scale website-hijack malware distribution campaign

    Initial Disclosure

    The operation starts by compromising reputable websites and inserting JavaScript that quietly redirects visitors off-site. Since at least **September 2025**, the same **zTDS** infrastructure has been selecting between **FakeUpdates** and **ClickFix** delivery paths.
