{ "type": "Domain", "indicator": "jcdlforwarding.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/jcdlforwarding.com", "alexa": "http://www.alexa.com/siteinfo/jcdlforwarding.com", "indicator": "jcdlforwarding.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4385134231, "indicator": "jcdlforwarding.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "6a1a7e87f6f70533d1443f96", "name": "A New Threat Actor Using ClickFix and Fake Update Drive-By Attacks in Thousands of Compromised Sites", "description": "DriveSurge is a newly identified threat actor operating as an Initial Access Broker using a Pay-Per-Install model to supply victim leads to downstream actors. The actor has compromised thousands of websites, injecting malicious code that redirects visitors through zTDS (Traffic Distribution System) to deliver malware via two primary methods: FakeUpdates, which impersonate browser update prompts for Chrome, Firefox, Edge, Safari, and eight other browsers; and ClickFix, which tricks users into executing malicious PowerShell commands disguised as fixes. DriveSurge leverages sophisticated infrastructure including bulletproof hosting, obfuscated JavaScript injection patterns, and environment-specific targeting including macOS systems. The operation has been active since at least September 2025, utilizing specific technical fingerprints including unique file naming conventions and server configurations that enable detection and tracking of their evolving infrastructure.", "modified": "2026-06-01T09:36:41.363000", "created": "2026-05-30T06:07:03.886000", "tags": [ "initial access broker", "ztds", "clickfix", "drive-by attacks", "fakeupdates", "drivesurge", "macos targeting", "bulletproof hosting" ], "references": [ "https://www.silentpush.com/blog/drivesurge/" ], "public": 1, "adversary": "DriveSurge", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1090.002", "name": "External Proxy", "display_name": "T1090.002 - External Proxy" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 6, "IPv4": 4, "URL": 2, "domain": 18, "hostname": 2 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 386813, "modified_text": "20 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1db41e1b5ab184333bf0c2", "name": "Meet DriveSurge: A New Threat Actor Using ClickFix and Fake Update Drive-By Attacks in Thousands of Compromised Sites - Silent Push", "description": "", "modified": "2026-06-01T16:32:30.432000", "created": "2026-06-01T16:32:30.432000", "tags": [ "drivesurge", "screenshot", "web search", "clickfix", "inject", "mozilla firefox", "fingerprint", "pattern", "whois", "pivot", "virustotal", "fakeupdates", "path", "terminal", "defense", "february", "april", "ztds", "payload", "logic" ], "references": [ "https://www.silentpush.com/blog/drivesurge/?utm_source=rss&utm_medium=rss&utm_campaign=drivesurge" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 8, "IPv4": 4, "URL": 8, "domain": 19, "email": 1, "hostname": 3 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "13 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.silentpush.com/blog/drivesurge/", "https://www.silentpush.com/blog/drivesurge/?utm_source=rss&utm_medium=rss&utm_campaign=drivesurge" ], "related": { "alienvault": { "adversary": [ "DriveSurge" ], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "6a1a7e87f6f70533d1443f96", "name": "A New Threat Actor Using ClickFix and Fake Update Drive-By Attacks in Thousands of Compromised Sites", "description": "DriveSurge is a newly identified threat actor operating as an Initial Access Broker using a Pay-Per-Install model to supply victim leads to downstream actors. The actor has compromised thousands of websites, injecting malicious code that redirects visitors through zTDS (Traffic Distribution System) to deliver malware via two primary methods: FakeUpdates, which impersonate browser update prompts for Chrome, Firefox, Edge, Safari, and eight other browsers; and ClickFix, which tricks users into executing malicious PowerShell commands disguised as fixes. DriveSurge leverages sophisticated infrastructure including bulletproof hosting, obfuscated JavaScript injection patterns, and environment-specific targeting including macOS systems. The operation has been active since at least September 2025, utilizing specific technical fingerprints including unique file naming conventions and server configurations that enable detection and tracking of their evolving infrastructure.", "modified": "2026-06-01T09:36:41.363000", "created": "2026-05-30T06:07:03.886000", "tags": [ "initial access broker", "ztds", "clickfix", "drive-by attacks", "fakeupdates", "drivesurge", "macos targeting", "bulletproof hosting" ], "references": [ "https://www.silentpush.com/blog/drivesurge/" ], "public": 1, "adversary": "DriveSurge", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1090.002", "name": "External Proxy", "display_name": "T1090.002 - External Proxy" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 6, "IPv4": 4, "URL": 2, "domain": 18, "hostname": 2 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 386813, "modified_text": "20 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1db41e1b5ab184333bf0c2", "name": "Meet DriveSurge: A New Threat Actor Using ClickFix and Fake Update Drive-By Attacks in Thousands of Compromised Sites - Silent Push", "description": "", "modified": "2026-06-01T16:32:30.432000", "created": "2026-06-01T16:32:30.432000", "tags": [ "drivesurge", "screenshot", "web search", "clickfix", "inject", "mozilla firefox", "fingerprint", "pattern", "whois", "pivot", "virustotal", "fakeupdates", "path", "terminal", "defense", "february", "april", "ztds", "payload", "logic" ], "references": [ "https://www.silentpush.com/blog/drivesurge/?utm_source=rss&utm_medium=rss&utm_campaign=drivesurge" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 8, "IPv4": 4, "URL": 8, "domain": 19, "email": 1, "hostname": 3 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "13 hours ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "jcdlforwarding.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "jcdlforwarding.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780379465.7350078 }