How many times have you had someone tell you, “I didn’t click anything,” as they hand you a PC filled with malware? It’s one of the go-to defensive explanations, but malware that can download and install itself is also surprisingly misunderstood.
That’s in part because, despite how often people claim “it just happened,” finding a drive-by download in the wild that actually infects your machine is now on the rarer side of malware attacks — for a few reasons I’ll explain.
That said, self-installing malware exists, and in some cases, loading a malicious webpage is all it takes.
You can get malware just by visiting a website
Invisible, unstoppable threats
The name “drive-by download” conjures up something from a ’90s gangland cop drama; your computer is infected with malware as someone speeds off down the street. The digital reality is somewhat similar: malware that installs itself on your device as a direct result of visiting a webpage, with no deliberate action on your part.
In many cases, you won’t see a suspicious download prompt or an installer suddenly launch. There is no “agree to continue” warning sign that tells you something shady is taking place on your machine.
Drive-by downloads as a concept have been around for decades at this point. Techniques have evolved, as early drive-by malware infections typically required you to accidentally press a disguised button or similar on the webpage, triggering the malware.
Modern browsers are much better at protecting against drive-by download attacks. Fully passive malware was at its most dangerous during the era of Flash, Java, and Adobe Reader, when exploit kits had a wide, relatively unpatched attack surface to work with. Modern browsers are more sandboxed, auto-update aggressively, and have largely eliminated plugin support.
However, drive-by malware delivery isn’t obsolete — it’s shifted how it works.
This is a stick-up
Browsers running the modern internet are quite complex pieces of software. Every time your browser loads a page, it’s processing HTML, executing JavaScript, rendering CSS, handling media, and running third-party scripts — often dozens of them from sources entirely outside the website’s control.
While browsers are really good at keeping us safe, each of these processes is a different way your browser can be exploited.
The persistent myth is that malware is something that happens to inattentive people — those who click suspicious links, download pirated software, or stray into the internet’s darker corners. In reality, a drive-by infection is part of a process that combines multiple exploits.
Compromised websites
As you might expect, compromised websites are a huge part of the problem when it comes to drive-by malware. It’s a particular problem because the website operator may not realize they’re serving malicious code or worse for a period, increasing the chance of infection.
In 2025, The Hacker News reported that 150,000 websites were compromised by a coordinated JavaScript injection attack designed to promote Chinese gambling sites, infecting millions of users with malicious landing pages.
Another drive-by download variant, known as SocGholish, also uses JavaScript exploits to inject malicious code into compromised legitimate websites — including well-ranked, high-traffic ones — and presents visitors with convincing fake browser update prompts.
This malware is linked to Russian hacking groups, and, according to the Center for Internet Security’s Q4 2024 malware report, accounted for more than 50 percent of all malware that quarter.
The problem for all internet users is that cross-site scripting (XSS) and SQL injection remain the most common vulnerability types in web applications, meaning the underlying weaknesses that allow site compromise aren’t going away.
In addition, the rise of vibe-coded web apps and websites by people with little experience is almost guaranteed to make problems like this worse.
Malvertising
Malicious adverts, otherwise known as malvertising, are one of the sure-fire ways to pick up malware without realizing what’s happened. While there are ways to spot malvertising campaigns, like all malware, they evolve quickly and are designed to act rapidly.
Malvertising is dangerous because most websites serve ads through third-party ad networks. Attackers buy ad space through those same networks and embed malicious code or redirectors in the ad creative. That means an otherwise clean website can accidentally serve a malicious advert without the site itself being compromised, and your browser may struggle to tell the difference.
Malvertising surged in the early 2020s, then declined a little. But since 2024, malware served through malicious ads has steadily increased, with AdMonsters reporting that one in every 160 ads served in the US was malicious.
Browsers are much better at protecting against malvertising, and ad/script blocking apps and extensions are an excellent way to protect your machine, but there are still some malvertisements that will slip through. For example, the RoughTed malvertising campaign used dynamic URLs to skirt around established blocker lists, meaning that malicious adverts would make their way onto legit websites.
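A site owner can gauge this exposure by listing every script and frame a page pulls from hosts other than its own, which covers both the third-party scripts and the ad-network content described above. The sketch below is an added example, not from the original article; the page URL, HTML and hostnames are constructed placeholders, and `inventory` is a hypothetical helper.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ACTIVE_TAGS = {"script", "iframe"}  # tags whose src pulls active content into the page
# Constructed sample page; every hostname is a placeholder.
SAMPLE_URL = "https://news.example.com/story"
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="//cdn.example.org/lib.min.js"></script>
<script>console.log("inline");</script>
</head><body>
<iframe src="https://ads.example.net/slot?id=1"></iframe>
<script src="https://ads.example.net/tag.js"></script>
</body></html>
"""

class ActiveContentInventory(HTMLParser):
    """Groups the scripts and frames a page loads by the host that serves them."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.first_party = []    # (tag, url) served by the page's own host
        self.third_party = {}    # other host -> [(tag, url), ...]
        self.inline_scripts = 0  # <script> blocks with no src

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS:
            return
        src = dict(attrs).get("src")
        if not src:
            if tag == "script":
                self.inline_scripts += 1
            return
        url = urljoin(self.page_url, src)  # resolves relative and //host URLs
        host = urlsplit(url).hostname
        # Strict host match: sibling subdomains are listed as third-party too.
        if host == self.page_host:
            self.first_party.append((tag, url))
        else:
            self.third_party.setdefault(host, []).append((tag, url))

def inventory(page_url, html):
    parser = ActiveContentInventory(page_url)
    parser.feed(html)
    return parser

if __name__ == "__main__":
    print({h: len(v) for h, v in inventory(SAMPLE_URL, SAMPLE_HTML).third_party.items()})
```

Each host in `third_party` is a party whose compromise would reach visitors of the page even though the site's own files are untouched.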
Exploit kits
Exploit kits probe your browser and its components for known vulnerabilities the moment you load an infected page. If they find an unpatched version of Chrome, Firefox, or an outdated system component, they attempt to push a payload through that gap — no clicks required.
Tools like the Angler and RIG exploit kits drove a significant share of ransomware infections at their peak using exactly this method. The attack surface for this approach has narrowed as browsers have improved, but it hasn’t closed. According to Recorded Future’s H1 2025 report, in the first half of 2025 alone, attackers actively exploited 161 vulnerabilities with assigned CVEs, with nearly 70% requiring no authentication to execute.
You can actually protect yourself against drive-by downloads
You’re probably doing so already
Malware that installs itself silently is obviously a worry. You don’t want to be browsing the web and suddenly find your bank accounts wiped clean and someone using your identity to take out loans.
| Action | Why it matters |
|---|---|
| Keep your browser and OS updated | Browser developers patch exploited vulnerabilities constantly. The gap between a flaw being disclosed and an attacker weaponizing it can be days, which is another reason to hit the update button when it lights up. |
| Use a script blocker | Use a browser extension that blocks third-party ad scripts before they load, which should kill the malvertising problem dead. Google’s 2024 changes to Chrome’s browser extensions made script blockers more difficult to find, but there are a handful of Chrome apps that can help protect you. |
| Be skeptical of browser update prompts on websites | Your browser updates itself — it never asks for permission via a webpage pop-up. Any page that presents a download-and-run update prompt is a red flag, regardless of how convincing it looks. This is precisely how SocGholish operates. |
| Use a DNS-level blocker | Tools like NextDNS or Pi-hole filter known malicious domains at the network level, before your browser makes a connection. Works independently of browser security and covers every device on your network. |
| Don’t run as an administrator by default | Many infection stages require elevated privileges to install or persist. Running as a standard user limits what malware can actually do if it executes. |
Note that while HTTPS has improved our internet security immensely, it doesn’t necessarily help you avoid this. HTTPS encrypts the connection between you and the server, but if the content being served is malicious — via a compromised ad network or injected script — the padlock is irrelevant. I mean, the padlock isn’t even there anymore, but you get the gist.
A fully HTTPS-enabled site can still deliver a malvertising payload through a third-party ad network it has no control over, which is why legitimate sites still serve malware if compromised.
Keep your browsers locked down
“But I didn’t click anything” is unfortunately not a guarantee that you’re not harboring dangerous malware. Browser protections have made drive-by malware attacks more difficult, but without the right browser configuration, you’re still at risk.
