A new and rapidly growing cybercrime tool called ErrTraffic is making waves across the threat landscape, targeting internet users through cleverly disguised verification screens.
The framework tricks victims into running malicious PowerShell commands on their own machines, all while believing they are simply completing a routine security check.
It first appeared in late 2025 and has since grown into a full Malware-as-a-Service operation that allows cybercriminals to rent the tool and deploy their own attacks against a wide range of targets.
ErrTraffic works by injecting a harmful JavaScript snippet into legitimate but compromised WordPress websites.
When an unsuspecting visitor lands on one of these pages, they are shown a fake verification screen that closely mimics trusted services like Google reCAPTCHA or Cloudflare Turnstile.
The victim is prompted to press a keyboard shortcut, which secretly executes a PowerShell command that has already been quietly loaded into their clipboard by the malicious background script.
Analysts at Sekoia said in a report shared with Cyber Security News (CSN) that ErrTraffic is built on the ClickFix social engineering tactic and uses a technique called EtherHiding to conceal its command-and-control infrastructure inside Polygon blockchain smart contracts.
This design makes it significantly harder for security tools to detect and block malicious traffic, since the attacker infrastructure can be rotated without redeploying code.
The tool is sold by a threat actor operating under the handle LenAI on the cybercrime forum Exploit.IN and through Telegram.
Pricing climbed throughout 2026, with monthly subscriptions rising from $300 to $380 and source code prices jumping from $1,500 in January to $4,500 with lifetime updates included.
.webp)
The steep pricing reflects both the framework’s effectiveness and its growing reputation within underground criminal communities.
Security researchers identified two distinct ErrTraffic clusters, named “Analytics” and “Beer,” each running separate infrastructure and delivering different malware families including Vidar, Stealc, Remus, Salat, SmokeLoader, and various remote access tools.
Some WordPress sites were found infected by both clusters simultaneously, pointing to competition and operational overlap between the multiple threat actors leveraging this framework.
The infection chain begins the moment a visitor loads a compromised WordPress page. A hidden JavaScript payload, encoded using Base64 and XOR techniques, queries the Polygon blockchain to retrieve the active C2 server address.
This rotating infrastructure model allows attackers to swap servers daily without modifying the thousands of infected websites already hosting their injected code.
Once the C2 address is resolved, the script loads the ClickFix lure through API endpoints such as /cf.js or /api/css.js, depending on the active cluster.
The lure renders a convincing CAPTCHA or Cloudflare Turnstile screen that tells the visitor to verify themselves using a keyboard shortcut.
Running that command triggers a PowerShell script that downloads and executes the final payload, ranging from infostealers to loaders and remote access tools.
.webp)
Attackers also impersonate legitimate AI platforms to extend ErrTraffic’s reach. Malicious websites posing as Google Antigravity and ChatGPT were used to deliver the same ClickFix lure, targeting users searching for AI software.
These campaigns are believed to be spread via malvertising, allowing them to reach victims entirely outside the compromised WordPress ecosystem.
After gaining entry to a WordPress site through stolen administrator credentials, attackers deploy a PHP backdoor named session-manager.php inside the mu-plugins directory, where WordPress automatically loads it without any manual activation.
The implant harvests login credentials by intercepting authentication requests, skims WooCommerce order data in a server-side Magecart-style attack, and provides a webshell for remote code execution.
To avoid detection, the backdoor monitors incoming User-Agent strings for signatures belonging to tools like Wordfence and Nikto, then pauses all malicious behavior for thirty minutes when those tools are identified.
Defenders should enable PowerShell ScriptBlock logging to catch XOR-decoded commands tied to ErrTraffic, and monitor blockchain RPC connections followed immediately by PowerShell execution as high-confidence behavioral indicators.
Regularly auditing mu-plugins directories and rotating WordPress credentials remain strong baseline protective steps.
Indicators of Compromise (IoCs):-
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。
