Drive-By Download
Malware automatically downloaded and executed on a visitor's device simply by loading a malicious or compromised web page, requiring no clicks or deliberate action.
Also known as: drive-by infection, silent download, exploit kit attack
Last reviewed: 1 June 2026
A drive-by download exploits vulnerabilities in web browsers, browser plugins (such as PDF readers, Java, or historically Flash), or the operating system itself to silently install malware when a user visits an infected page. The attack requires no deliberate file download from the user — loading the page is enough.
Attackers deliver drive-by downloads in two ways: by compromising legitimate websites and injecting malicious scripts (as in a watering hole attack), or by setting up dedicated malicious pages promoted through malvertising, spam links, or phishing emails. Exploit kits — automated packages sold or rented on underground markets — streamline the process by probing visitors for vulnerabilities and serving the most effective exploit.
Successful infections can install ransomware, banking trojans, keyloggers, or botnet agents. Patch management is the most effective defence: keeping browsers, plugins, and operating systems current eliminates the majority of exploit-kit targets. Script-blocking browser extensions such as NoScript, ad blockers, and sandboxed browsing environments also significantly reduce the attack surface.
Examples
- Visiting a compromised cooking blog triggers an exploit kit that detects an unpatched browser plugin and installs ransomware silently.
- A malicious ad on a news site serves an exploit targeting an outdated PDF reader, installing a banking trojan without any user interaction.
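
On the detection side, the pattern in these examples (a page visit followed almost immediately by an executable fetched from a different site) can be looked for in web-proxy logs. The following Python is an added example, not part of the original entry; the record layout, the content-type list, the 10-second window, and the cross-site rule are assumptions, and the log lines are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample proxy records: (epoch_seconds, client, url, referer, content_type)
SAMPLE_LOG = [
    (1000, "10.0.0.5", "http://blog.example/recipes", "", "text/html"),
    (1001, "10.0.0.5", "http://cdn.blog.example/site.js", "http://blog.example/recipes", "application/javascript"),
    (1002, "10.0.0.5", "http://gate.invalid/landing", "http://blog.example/recipes", "text/html"),
    (1004, "10.0.0.5", "http://gate.invalid/payload.bin", "http://gate.invalid/landing", "application/x-msdownload"),
    (2000, "10.0.0.9", "http://vendor.example/downloads", "", "text/html"),
    (2090, "10.0.0.9", "http://vendor.example/setup.exe", "http://vendor.example/downloads", "application/x-msdownload"),
]

# Content types treated as executable payloads (assumed list, extend as needed).
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/java-archive"}
WINDOW_SECONDS = 10  # assumed threshold: faster than a deliberate user download

def find_suspect_downloads(records, window=WINDOW_SECONDS):
    """Flag executable responses reached from a page on another host within `window` seconds."""
    seen = {}       # (client, url) -> (timestamp, referer)
    findings = []
    for ts, client, url, referer, ctype in sorted(records):
        seen[(client, url)] = (ts, referer)
        if ctype not in EXECUTABLE_TYPES:
            continue
        # Walk the Referer chain back to the page the user originally visited.
        chain = [url]
        while True:
            ref = seen[(client, chain[-1])][1]
            if not ref or (client, ref) not in seen or ref in chain:
                break
            chain.append(ref)
        chain.reverse()
        root_ts = seen[(client, chain[0])][0]
        cross_site = urlsplit(chain[0]).hostname != urlsplit(url).hostname
        if cross_site and ts - root_ts <= window:
            findings.append({"client": client, "visited": chain[0],
                             "download": url, "seconds": ts - root_ts,
                             "chain": chain})
    return findings
```

The second client in the sample is not flagged: the installer comes from the same host the user browsed to, 90 seconds after the page load, which is consistent with a deliberate download.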