blindthoughts
breaking · By

Active Campaign Hijacks Thousands of Sites to Push ClickFix and FakeUpdate Malware

What Happened

A threat actor tracked as DriveSurge is actively compromising thousands of websites and injecting malicious JavaScript that delivers malware to visitors through two well-worn but effective techniques: ClickFix and FakeUpdates. The campaign is large-scale and ongoing — not theoretical, not patched.

ClickFix presents victims with a fake error or CAPTCHA dialog that instructs them to paste a PowerShell or terminal command to "fix" the issue. The command is pre-loaded into the clipboard by the injected script. One click, one paste, one Enter keystroke — and the attacker owns the machine.

FakeUpdates (also known as SocGholish) serves a convincing fake browser-update overlay. The visitor downloads what appears to be a Chrome or Edge update; it is instead a malware dropper, typically leading to info-stealers, ransomware loaders, or remote access trojans.

Both techniques bypass traditional endpoint controls because the victim executes the payload voluntarily. No exploit, no CVE needed.

Why It Matters

If you run any public-facing website — WordPress, a custom PHP app, a static site with third-party JS — your site could already be serving this to your users without any visible sign. Compromised sites are typically infected via stolen FTP/SSH credentials, vulnerable plugins, or CMS admin panels exposed to brute force. The injected code is often obfuscated and appended to legitimate JS files or inserted as a new script tag, making casual inspection easy to miss.

Visitors to a compromised site are your users, your colleagues, and your customers. If even one of them runs the ClickFix payload on a corporate machine, the blast radius extends well beyond your server.

What To Do

For site owners and admins — check now:

  1. Audit your JS files. Diff current versions against your last known-good deploy or version control. Look for obfuscated blobs, unexpected eval(), atob(), or base64 strings appended to legitimate files.
  2. Check for unauthorized file modifications. Run find /var/www -newer /var/www/index.php -name "*.js" -o -name "*.php" (adjust path) to surface recently changed files.
  3. Review access logs for unusual POST requests to admin panels, /wp-admin, /xmlrpc.php, or your CMS login endpoint around the time any suspicious files were last modified.
  4. Rotate all credentials — FTP, SSH keys, CMS admin passwords, database passwords — especially if any were ever stored in plaintext or shared.
  5. Harden your CMS. Disable XML-RPC if unused, enforce 2FA on admin accounts, keep plugins/themes updated, and remove anything abandoned.
  6. Scan with a file-integrity tool. Tools like Wordfence (for WordPress) or a manual SHA checksum audit against your repo will surface injections that visual inspection misses.

For users who may have visited a suspicious site:

If you executed any clipboard-pasted command from a browser prompt in the last few weeks, treat the machine as compromised — isolate it, run a full malware scan, and rotate credentials that were accessible from that session.

The DriveSurge campaign is active and scaling. Check your sites today, not after the next incident.

Sources
  1. Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks

Synthesized by Claude · sanity-checked before publish.

Share:𝕏inr/HN🦋@
Was this useful?