← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
A New Threat Actor Using ClickFix and Fake Update Drive-By Attacks in Thousands of Compromised Sites
WHITE DriveSurge AlienVault 2026-06-01 Modified: 2026-06-02
34
IOCs
MEDIUM VOLUME
A sophisticated threat actor named DriveSurge operates as an Initial Access Broker using a Pay-Per-Install model to deliver malware at scale. The actor compromises thousands of legitimate websites and uses zTDS (Traffic Distribution System) to silently redirect visitors to malicious content. Victims encounter either FakeUpdates campaigns that impersonate browser update prompts for 11 different browsers, or ClickFix attacks that trick users into executing malicious commands through fake error messages. DriveSurge's infrastructure utilizes bulletproof hosting services, primarily NiceNIC registrar, and has been operating since at least 2015. The campaigns target both Windows and macOS systems, employing sophisticated obfuscation techniques and clipboard hijacking to achieve infection. Eight technical fingerprints have been identified to track this actor's infrastructure and activities.
initial access brokerfakeupdatesztdsbrowser impersonationclickfixbulletproof hosting
Indicators of Compromise (34)
All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 IPv4 URL domain hostname
TYPEINDICATORDESCRIPTIONCREATED
FileHash-MD5 0ca424475803a1cb54908a81a00bd93f 2026-06-01
FileHash-MD5 f3926add1a4531ff324a6acb57d40769 2026-06-01
FileHash-SHA1 a4f0014474278238b5fe78fc2c4182b498012a33 2026-06-01
FileHash-SHA256 0c62c11e910d7c0d6b6c9800b70e78bfd9220e1f78bd7bb34ae4c3646d05f6e5 2026-06-01
FileHash-SHA256 29ac78c51bcdfe68c64830bdeb6e41437dd55e2691149741c9b78be03b6c82ea 2026-06-01
FileHash-SHA256 428bd0b0ac36dfdd223b3953dbe61c0baf227f893310b03e7afe3111462019c6 2026-06-01
FileHash-SHA256 7aa15de93cf85729ddf970e8d7897f69ece3ca29608f73e784a9ba40c9cea18d 2026-06-01
FileHash-SHA256 90aecb370dfb1a99a1f7de0a9c6842ab1b664521fddea16b0ec9a91f322646fc 2026-06-01
FileHash-SHA256 a84b032b49773c2318b11b1164d1aada69e940229aedbf8185c33fc7dd1d2cdf 2026-06-01
IPv4 147.45.42.200 2026-06-01
IPv4 147.45.42.205 2026-06-01
IPv4 46.226.166.57 2026-06-01
IPv4 91.92.240.127 2026-06-01
URL http://bseolized.com 2026-06-01
domain beacontrace.bond 2026-06-01
domain brightson.icu 2026-06-01
domain bseolized.com 2026-06-01
domain captioto.com 2026-06-01
domain coverlink.icu 2026-06-01
domain cptoptious.com 2026-06-01
domain datumprobe.icu 2026-06-01
domain eraggifts.icu 2026-06-01
domain jcdlforwarding.com 2026-06-01
domain jclforwarding.com 2026-06-01
domain keyview.icu 2026-06-01
domain maxintora.com 2026-06-01
domain newtdsone.shop 2026-06-01
domain traceglimpse.icu 2026-06-01
domain tracekey.icu 2026-06-01
domain webgleam.info 2026-06-01
domain ycyfugihih.cfd 2026-06-01
domain ztds.info 2026-06-01
hostname check.first-node.rocks 2026-06-01
hostname testio.ecartdev.com 2026-06-01
References (1)
↗ https://www.silentpush.com/blog/drivesurge/?utm_source=rss&utm_medium=rss&utm_campaign=drivesurge