LenAI

LenAI is a cybercrime actor associated with the advertisement and sale of at least two malware/crimeware offerings: ErrTraffic and Aeternum C2. Since at least December 2025, LenAI has advertised and sold ErrTraffic on the Exploit.IN forum and Telegram under a Malware-as-a-Service model. Sekoia assessed with high confidence that LenAI operates the ErrTraffic "Beer" cluster and rents it to affiliates through a subscription model. ErrTraffic is a malicious JavaScript framework and traffic distribution system injected into compromised WordPress sites to display ClickFix lures and deliver malware. Reported features advertised by LenAI include a malicious WordPress plugin, AES and JavaScript obfuscation, Polygon smart contract resolution, ClickFix lures, geofiltering, OS detection, PowerShell payload delivery, and visit/execution statistics. The Beer cluster used multiple Polygon smart contracts and Quicknode RPC endpoints to resolve C2 infrastructure, and delivered malware including Vidar, Stealc, Remus, Salat, SmokeLoader, RATs, and other loaders. Supporting reporting also links LenAI to Aeternum C2, a C++ botnet loader advertised on underground forums for $200, later offered as a full toolkit sale for $10,000. Aeternum C2 uses the public Polygon blockchain for command-and-control by writing commands into smart contracts and having infected bots retrieve them via public RPC endpoints. It is operated through a web-based panel and includes anti-analysis features such as virtualization checks and options to reduce antivirus detection. Known alias in the provided content: LenAI.