{ "type": "Domain", "indicator": "jclforwarding.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/jclforwarding.com", "alexa": "http://www.alexa.com/siteinfo/jclforwarding.com", "indicator": "jclforwarding.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4385134232, "indicator": "jclforwarding.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6a1dde5fb26dd1b1cbbdb913", "name": "A New Threat Actor Using ClickFix and Fake Update Drive-By Attacks in Thousands of Compromised Sites", "description": "A sophisticated threat actor named DriveSurge operates as an Initial Access Broker using a Pay-Per-Install model to deliver malware at scale. The actor compromises thousands of legitimate websites and uses zTDS (Traffic Distribution System) to silently redirect visitors to malicious content. Victims encounter either FakeUpdates campaigns that impersonate browser update prompts for 11 different browsers, or ClickFix attacks that trick users into executing malicious commands through fake error messages. DriveSurge's infrastructure utilizes bulletproof hosting services, primarily NiceNIC registrar, and has been operating since at least 2015. The campaigns target both Windows and macOS systems, employing sophisticated obfuscation techniques and clipboard hijacking to achieve infection. Eight technical fingerprints have been identified to track this actor's infrastructure and activities.", "modified": "2026-06-02T09:31:04.934000", "created": "2026-06-01T19:32:47.991000", "tags": [ "initial access broker", "fakeupdates", "ztds", "browser impersonation", "clickfix", "bulletproof hosting" ], "references": [ "https://www.silentpush.com/blog/drivesurge/?utm_source=rss&utm_medium=rss&utm_campaign=drivesurge" ], "public": 1, "adversary": "DriveSurge", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 6, "IPv4": 4, "URL": 1, "domain": 18, "hostname": 2 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 386982, "modified_text": "16 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1a7e87f6f70533d1443f96", "name": "A New Threat Actor Using ClickFix and Fake Update Drive-By Attacks in Thousands of Compromised Sites", "description": "DriveSurge is a newly identified threat actor operating as an Initial Access Broker using a Pay-Per-Install model to supply victim leads to downstream actors. The actor has compromised thousands of websites, injecting malicious code that redirects visitors through zTDS (Traffic Distribution System) to deliver malware via two primary methods: FakeUpdates, which impersonate browser update prompts for Chrome, Firefox, Edge, Safari, and eight other browsers; and ClickFix, which tricks users into executing malicious PowerShell commands disguised as fixes. DriveSurge leverages sophisticated infrastructure including bulletproof hosting, obfuscated JavaScript injection patterns, and environment-specific targeting including macOS systems. The operation has been active since at least September 2025, utilizing specific technical fingerprints including unique file naming conventions and server configurations that enable detection and tracking of their evolving infrastructure.", "modified": "2026-06-01T09:36:41.363000", "created": "2026-05-30T06:07:03.886000", "tags": [ "initial access broker", "ztds", "clickfix", "drive-by attacks", "fakeupdates", "drivesurge", "macos targeting", "bulletproof hosting" ], "references": [ "https://www.silentpush.com/blog/drivesurge/" ], "public": 1, "adversary": "DriveSurge", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1090.002", "name": "External Proxy", "display_name": "T1090.002 - External Proxy" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 6, "IPv4": 4, "URL": 2, "domain": 18, "hostname": 2 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 386984, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1db41e1b5ab184333bf0c2", "name": "Meet DriveSurge: A New Threat Actor Using ClickFix and Fake Update Drive-By Attacks in Thousands of Compromised Sites - Silent Push", "description": "", "modified": "2026-06-01T16:32:30.432000", "created": "2026-06-01T16:32:30.432000", "tags": [ "drivesurge", "screenshot", "web search", "clickfix", "inject", "mozilla firefox", "fingerprint", "pattern", "whois", "pivot", "virustotal", "fakeupdates", "path", "terminal", "defense", "february", "april", "ztds", "payload", "logic" ], "references": [ "https://www.silentpush.com/blog/drivesurge/?utm_source=rss&utm_medium=rss&utm_campaign=drivesurge" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 8, "IPv4": 4, "URL": 8, "domain": 19, "email": 1, "hostname": 3 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "1 day ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.silentpush.com/blog/drivesurge/?utm_source=rss&utm_medium=rss&utm_campaign=drivesurge", "https://www.silentpush.com/blog/drivesurge/" ], "related": { "alienvault": { "adversary": [ "DriveSurge" ], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6a1dde5fb26dd1b1cbbdb913", "name": "A New Threat Actor Using ClickFix and Fake Update Drive-By Attacks in Thousands of Compromised Sites", "description": "A sophisticated threat actor named DriveSurge operates as an Initial Access Broker using a Pay-Per-Install model to deliver malware at scale. The actor compromises thousands of legitimate websites and uses zTDS (Traffic Distribution System) to silently redirect visitors to malicious content. Victims encounter either FakeUpdates campaigns that impersonate browser update prompts for 11 different browsers, or ClickFix attacks that trick users into executing malicious commands through fake error messages. DriveSurge's infrastructure utilizes bulletproof hosting services, primarily NiceNIC registrar, and has been operating since at least 2015. The campaigns target both Windows and macOS systems, employing sophisticated obfuscation techniques and clipboard hijacking to achieve infection. Eight technical fingerprints have been identified to track this actor's infrastructure and activities.", "modified": "2026-06-02T09:31:04.934000", "created": "2026-06-01T19:32:47.991000", "tags": [ "initial access broker", "fakeupdates", "ztds", "browser impersonation", "clickfix", "bulletproof hosting" ], "references": [ "https://www.silentpush.com/blog/drivesurge/?utm_source=rss&utm_medium=rss&utm_campaign=drivesurge" ], "public": 1, "adversary": "DriveSurge", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 6, "IPv4": 4, "URL": 1, "domain": 18, "hostname": 2 }, "indicator_count": 34, "is_author": false, "is_subscribing": null, "subscriber_count": 386982, "modified_text": "16 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1a7e87f6f70533d1443f96", "name": "A New Threat Actor Using ClickFix and Fake Update Drive-By Attacks in Thousands of Compromised Sites", "description": "DriveSurge is a newly identified threat actor operating as an Initial Access Broker using a Pay-Per-Install model to supply victim leads to downstream actors. The actor has compromised thousands of websites, injecting malicious code that redirects visitors through zTDS (Traffic Distribution System) to deliver malware via two primary methods: FakeUpdates, which impersonate browser update prompts for Chrome, Firefox, Edge, Safari, and eight other browsers; and ClickFix, which tricks users into executing malicious PowerShell commands disguised as fixes. DriveSurge leverages sophisticated infrastructure including bulletproof hosting, obfuscated JavaScript injection patterns, and environment-specific targeting including macOS systems. The operation has been active since at least September 2025, utilizing specific technical fingerprints including unique file naming conventions and server configurations that enable detection and tracking of their evolving infrastructure.", "modified": "2026-06-01T09:36:41.363000", "created": "2026-05-30T06:07:03.886000", "tags": [ "initial access broker", "ztds", "clickfix", "drive-by attacks", "fakeupdates", "drivesurge", "macos targeting", "bulletproof hosting" ], "references": [ "https://www.silentpush.com/blog/drivesurge/" ], "public": 1, "adversary": "DriveSurge", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1588.004", "name": "Digital Certificates", "display_name": "T1588.004 - Digital Certificates" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.002", "name": "Spearphishing Link", "display_name": "T1566.002 - Spearphishing Link" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1090.002", "name": "External Proxy", "display_name": "T1090.002 - External Proxy" }, { "id": "T1583.006", "name": "Web Services", "display_name": "T1583.006 - Web Services" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 14, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 6, "IPv4": 4, "URL": 2, "domain": 18, "hostname": 2 }, "indicator_count": 35, "is_author": false, "is_subscribing": null, "subscriber_count": 386984, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a1db41e1b5ab184333bf0c2", "name": "Meet DriveSurge: A New Threat Actor Using ClickFix and Fake Update Drive-By Attacks in Thousands of Compromised Sites - Silent Push", "description": "", "modified": "2026-06-01T16:32:30.432000", "created": "2026-06-01T16:32:30.432000", "tags": [ "drivesurge", "screenshot", "web search", "clickfix", "inject", "mozilla firefox", "fingerprint", "pattern", "whois", "pivot", "virustotal", "fakeupdates", "path", "terminal", "defense", "february", "april", "ztds", "payload", "logic" ], "references": [ "https://www.silentpush.com/blog/drivesurge/?utm_source=rss&utm_medium=rss&utm_campaign=drivesurge" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 1, "FileHash-SHA256": 8, "IPv4": 4, "URL": 8, "domain": 19, "email": 1, "hostname": 3 }, "indicator_count": 46, "is_author": false, "is_subscribing": null, "subscriber_count": 863, "modified_text": "1 day ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "jclforwarding.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "jclforwarding.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780453278.7411427 }