ErrTraffic

ErrTraffic is a Malware-as-a-Service (MaaS) traffic distribution framework used to automate ClickFix social-engineering attacks and distribute malware. It is primarily associated with malicious JavaScript injected into compromised websites, especially WordPress sites, where it displays fake browser or system error lures such as BSOD, reCAPTCHA, Cloudflare verification, browser, font, and update-themed prompts. Victims are induced to copy and execute malicious commands, including clipboard-delivered PowerShell, resulting in payload delivery. ErrTraffic has been advertised on Russian-speaking underground forums since at least late 2025 by the actor LenAI and has been described as a self-hosted TDS sold commercially.

Observed campaigns show ErrTraffic primarily targeting compromised WordPress environments. Attackers used stolen administrator credentials to access sites and deployed persistent PHP backdoors, including a malicious must-use plugin named session-manager.php. Reported backdoor capabilities include credential harvesting, persistence, anti-detection logic, visitor analytics beacons, multiple webshell channels, and in some cases WooCommerce skimming. Malicious JavaScript was injected into page footers or served via endpoints such as /cf.js and /api/css.js. ErrTraffic supports geofiltering, OS detection, multilingual lures, and selective victim targeting, and has been reported to support payload delivery across Windows, macOS, Android, and Linux.

A notable feature of ErrTraffic is its use of EtherHiding and Polygon blockchain smart contracts as a dead-drop resolver to conceal and rotate command-and-control infrastructure. Researchers observed the framework querying Polygon RPC endpoints and smart contracts, including use of wallet address 0x08207B087F61d7e95E441E15fd6d40BEfd6eD308 and the getURL() selector 0x38bcdc1c, to retrieve attacker-controlled infrastructure. Backend communications and payload delivery have been reported as encrypted using AES-GCM or RC4 depending on cluster or version.

Research identified at least two operational clusters, referred to as Analytics and Beer. The Analytics cluster was associated with WordPress compromises, persistent MU-plugin backdoors, credential theft, analytics beacons to webanalytics-cdn domains, and Vidar delivery. The Beer cluster used multiple smart contracts, often .beer domains, and delivered a broader range of malware including Vidar, Stealc, Remus, Salat, SmokeLoader, DanaBot, HijackLoader, RATs, and other loaders. Fake AI-themed sites were also used in some campaigns, including antigravity[.]study impersonating Google Antigravity and chatgpt-web[.]vip impersonating ChatGPT.

High-confidence indicators mentioned in the content include domains such as travel-js-ns.beer, vsactivens.beer, clip-stash.beer, js-server.beer, ns-claude-js.beer, ponikas.cyou, nextpgh3.com, abrikos.xyz, pohuimne.lol, microchlen.lat, webanalytics-cdn.icu, webanalytics-cdn.cyou, webanalytics-cdn.sbs, webanalytics-cdn.cfd, and traffadmin.monster; the URL https://devltd.top/flomowk2.zip; and hashes MD5 1f5a7f45c9ad8f06b9bf1ddc2a99c8fa, SHA-1 0f769f459f9ed3e02c3d76af39dafc4e944f871b, and SHA-256 83264e9216fb747d9e0048c6559d66dfca05cf50a1d415ecf212c879d08741ce.