DriveSurge compromises legitimate websites to inject scripts that route visitors through zTDS, leading them to fake browser updates and ClickFix-style prompts. This operation resembles an initial-access broker model, where successful infections generate leads for downstream threat actors. The actor employs tactics that avoid detection by site administrators, allowing infections to go unnoticed during routine checks.