A sneaky, wide-scale IAB operation uses a malicious traffic distribution system (TDS) to redirect visitors of trusted websites to ones that deliver malware.

June 2, 2026

Threat actors have compromised thousands of websites for the purpose of engineering industrialized ClickFix and FakeUpdate attacks in an organized malware delivery operation aimed at selling initial access to systems. The campaign targets not only Windows users but also macOS systems and appears to be a mature cybercriminal ecosystem that avoided detection for nearly a year.

The operation — dubbed DriveSurge by the researchers at Silent Push who discovered the activity — appears to function as an initial access broker (IAB) "using a pay-per-install (PPI) model to supply downstream threat actors with high-quality victim leads," according to a recently published report.

The operation's primary tool is a traffic distribution system (TDS), specifically an open source variant called zTDS. zTDS has been in use since at least 2015 and is publicly available at ztds[.]info. It acts as the foundational engine of the activity: the compromised websites send visitor traffic to zTDS domains, which in turn steer victims to the ClickFix and FakeUpdate websites, according to Silent Push.