DriveSurge is a newly identified threat actor operating as an Initial Access Broker using a Pay-Per-Install model to supply victim leads to downstream actors. The actor has compromised thousands of websites, injecting malicious code that redirects visitors through zTDS (Traffic Distribution System) to deliver malware via two primary methods: FakeUpdates, which impersonate browser update prompts for Chrome, Firefox, Edge, Safari, and eight other browsers; and ClickFix, which tricks users into executing malicious PowerShell commands disguised as fixes. DriveSurge leverages sophisticated infrastructure including bulletproof hosting, obfuscated JavaScript injection patterns, and environment-specific targeting including macOS systems. The operation has been active since at least September 2025, utilizing specific technical fingerprints including unique file naming conventions and server configurations that enable detection and tracking of their evolving infrastructure.