1. Executive summary
Sekoia has documented ErrTraffic, a JavaScript-based Malware-as-a-Service (MaaS) framework injected into compromised WordPress sites to deliver ClickFix social-engineering lures and subsequent malware payloads. The framework uses the EtherHiding technique, retrieving its command-and-control (C2) server address from a smart contract on a public blockchain, which allows the operator to rotate infrastructure without redeploying code across the compromised-site fleet. The framework is advertised on the Exploit.IN cybercrime forum and Telegram by the handle LenAI (subscription USD 300–380/month; source-code resale USD 1,500–4,500). ErrTraffic v3 is the current iteration, documented by LevelBlue in April 2026. Attribution to either "ErrTraffic" or "LenAI" as named threat actors is unconfirmed — neither has a MITRE ATT&CK profile in the verified reference data. EMEA financial-services entities running WordPress-based web properties (customer portals, marketing sites, investor-relations pages, third-party-hosted micro-sites) face a credible exposure surface, and any successful ClickFix-driven payload execution against finance staff handling payments or treasury functions would constitute a reportable ICT-related incident under DORA.
2. Regulatory framing
| Article | Trigger (fact in this item) | Practical impact |
|---|---|---|
| DORA Art. 28 — ICT third-party risk (general principles) | ErrTraffic is delivered through compromised WordPress sites; WordPress and its plugin/theme supply chain constitute ICT third-party risk for any entity operating a WordPress-hosted web property. | Financial entities must ensure third-party WordPress hosting, plugin, and theme providers are covered by their ICT risk-management framework and that residual risk is documented. |
| DORA Art. 29 — Preliminary assessment of ICT concentration risk | WordPress is a widely-deployed CMS; a single ErrTraffic campaign can simultaneously target many financial-sector web properties, creating concentration risk on the WordPress platform and on shared plugin ecosystems. | Entities should assess whether reliance on WordPress or specific plugins creates concentration risk and consider diversification or compensating controls. |
| DORA Art. 30 — Key contractual provisions with ICT third-party providers | Hosting and managed-WordPress contracts must support incident response, audit, and notification in the event a provider's infrastructure is used to deliver ErrTraffic. | Contracts with hosting/CDN/managed-WordPress vendors should be reviewed for clauses covering compromise notification, forensic cooperation, and termination on security grounds. |
| NIS2 Art. 21(2)(d) — Supply chain security measures | ErrTraffic is distributed via a supply-chain compromise (injected JavaScript on WordPress sites, plus a malicious WordPress plugin used by affiliates). | In-scope entities must apply supply-chain security measures covering CMS platforms, plugins, themes, and any third-party scripts loaded by web properties. |
| DORA Art. 17 — ICT-related incident management process | A successful ClickFix execution against a finance user would constitute an ICT-related incident requiring formal handling. | Incident-response playbooks should include a ClickFix / fake-CAPTCHA scenario and a WordPress-compromise scenario. |
| DORA Art. 18 — Classification of ICT-related incidents and cyber threats | ErrTraffic campaigns and the underlying ClickFix technique must be classified within the entity's ICT-incident taxonomy. | Ensure ErrTraffic / ClickFix is mapped to the entity's incident-classification scheme with defined severity tiers. |
| DORA Art. 19 — Reporting of major ICT-related incidents to competent authorities | A major incident originating from ErrTraffic delivery would trigger reporting obligations. | Confirm reporting workflows, templates, and competent-authority contacts are current and rehearsed. |
| DORA Art. 24 — Digital operational resilience testing (general requirements) | ErrTraffic's ClickFix social-engineering vector should be exercised in resilience testing (e.g., phishing/awareness programmes, tabletop exercises). | Include ClickFix-style lures in awareness training and tabletop scenarios. |
| NIS2 Art. 23 — Incident reporting obligations | In-scope entities experiencing an incident linked to ErrTraffic must follow early-warning / incident-notification timelines. | Verify incident-reporting timelines and CSIRT contact details are documented. |
| UK NIS 2018 — OES/RDSP duties | UK OES/RDSPs operating WordPress-hosted services must consider ErrTraffic within their security duties. | UK operators should ensure WordPress estates are within scope of OES/RDSP security measures. |
3. Technical analysis & attack chain
- Compromise of WordPress infrastructure. Attackers gain access to WordPress sites (mechanism not detailed in the source material — likely credential abuse, vulnerable plugin, or unpatched core; treat as unconfirmed).
- Injection of ErrTraffic JavaScript. A malicious JavaScript payload is injected into the compromised WordPress site. ErrTraffic is sold as a MaaS accompanied by a malicious WordPress plugin that facilitates deployment and an administration panel for managing payloads, statistics, geolocation-based filtering, and other features.
- EtherHiding Dead Drop Resolver (DDR) lookup. The injected script queries a smart contract on a public blockchain to retrieve the current ErrTraffic C2 server address. This is the same EtherHiding technique used by the ClearFake threat family.
- ClickFix lure delivery. The resolved C2 serves a ClickFix social-engineering lure (fake CAPTCHA / "verify you are human" / "fix a problem" prompts) to the visitor.
- Payload delivery and execution. If the victim complies with the ClickFix instructions, the framework delivers and executes a follow-on malware payload (specific families not enumerated in the source material).
- Affiliate operation. Affiliates rent access via a queue-based, limited-slot subscription model advertised by LenAI on Exploit.IN and Telegram, with monthly fees rising from USD 300 to USD 380 across the first half of 2026, and source-code resale rising from USD 1,500 (January) to USD 3,000 (April), reaching USD 4,500 with lifetime updates and support.
Technical specifics relevant to defenders
- Delivery platform: WordPress (PHP/MySQL CMS). The framework is delivered both as injected JavaScript and as a deployable malicious WordPress plugin.
- C2 resolution mechanism: EtherHiding — the C2 address is fetched from a smart contract on a public blockchain rather than being hard-coded. This means blocking a single IP or domain does not stop the campaign; the operator can rotate C2 by updating the smart-contract state.
- Operational model: MaaS with a queue-based, limited-rental subscription. The operator (LenAI) also offers a free one-day trial and a one-day refund window on rentals, and sells source code "as-is" for resale.
- Version lineage: ErrTraffic v1 documented late 2025 by HudsonRock; ErrTraffic v3 documented April 2026 by LevelBlue. The framework has iterated multiple times in under 12 months.
- Similar framework: ClearFake (referenced as the closest analogue using the same EtherHiding DDR pattern).
Unconfirmed / single-sourced claims: The source material does not enumerate specific C2 IP addresses, on-chain smart-contract addresses, file-system artefacts, persistence mechanisms, or post-exploitation capabilities of the delivered payload. Any such detail in downstream reporting should be treated as unconfirmed until corroborated. Attribution to "ErrTraffic" or "LenAI" as named actors is unconfirmed — neither has a MITRE ATT&CK profile in the verified reference data.
4. Mitigation & containment
P1 — within 24 hours
- Inventory WordPress exposure. Enumerate every WordPress site, including marketing, investor-relations, and customer-portal properties, plus any third-party-hosted micro-sites. Identify hosting provider, plugin set, theme, and last-updated date.
- Block ClickFix-style social engineering at the user layer. Push an emergency user-awareness notice to finance, treasury, and payments staff describing the ClickFix pattern (fake "verify you are human" / "fix a problem" prompts that ask the user to paste content into Run / Terminal / browser dev-tools).
- Restrict outbound traffic to blockchain RPC endpoints at the egress proxy for any user segment that has no business need to interact with smart contracts (this is a containment step, not a permanent block; coordinate with Web3 / treasury teams first).
P2 — within 72 hours
- Patch and harden WordPress. Update WordPress core, all plugins, and themes to the latest vendor releases. Remove unused plugins and themes. Rotate all WordPress admin credentials and any database credentials exposed to the application tier.
- Audit for ErrTraffic indicators. Search WordPress filesystems and databases for injected JavaScript referencing smart-contract reads, unfamiliar `<script>` tags in headers/footers, and unauthorised admin users. Review WordPress audit logs for unknown plugin installations or admin actions.
- Disable and remove any plugin matching the ErrTraffic malicious-plugin profile if identified.
- WAF / CDN rules. Add or tighten rules to block known ClickFix-style payload patterns and to alert on injected inline JavaScript in WordPress responses.
- Review third-party contractual posture under DORA Art. 30 for hosting and managed-WordPress providers; confirm incident-notification and forensic-cooperation clauses are in place.
P3 — within 7 days
- Tabletop exercise. Run a ClickFix-driven incident scenario through the DORA Art. 17 incident-management process, including DORA Art. 18 classification and DORA Art. 19 reporting rehearsal.
- Supply-chain review under NIS2 Art. 21(2)(d). Document the WordPress / plugin / theme supply chain and assign risk treatment per supplier.
- Concentration-risk assessment under DORA Art. 29. Quantify exposure to WordPress as a platform and to any single plugin ecosystem.
- User awareness training. Refresh ClickFix-specific training for all staff handling payments, treasury, or privileged workflows.
5. Indicators of compromise
No indicators of compromise (specific C2 IPs, on-chain smart-contract addresses, file hashes, or filenames) are available in the source material. The framework's defining characteristic — EtherHiding C2 resolution via a public-blockchain smart contract — means that any single C2 indicator will be short-lived and rotated by the operator via the smart contract.
6. Detection
Insufficient indicators to author detection rules. The source material does not provide specific file hashes, distinctive strings, mutex names, scheduled-task names, registry keys, or hard-coded values that would support a YARA rule, and does not provide specific process, network, registry, or scheduled-task behavioural indicators that would support a Sigma rule. Defenders should monitor for the behavioural indicators of ErrTraffic-style compromise on WordPress estates (unexpected inline JavaScript, unfamiliar admin users, modified theme/plugin files) using their existing CMS-integrity monitoring.
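As an added defender-side example (not code from Sekoia, LevelBlue or the ErrTraffic operators), the scanner below applies the P2 audit step and the behavioural guidance above to WordPress template files or database rows (wp_posts, widget options): it flags inline `<script>` blocks that carry smart-contract-read markers, i.e. the EtherHiding resolution pattern, and external scripts loaded from hosts outside an allow-list. The marker list, host names and sample fragments are constructed assumptions; `eth_call` and `eth_getCode` are standard Ethereum JSON-RPC method names, not published ErrTraffic indicators.

```python
import re
from dataclasses import dataclass

# Heuristic markers for EtherHiding-style inline JavaScript: a script that
# resolves its C2 from a smart contract has to call an RPC method (eth_call and
# eth_getCode are standard Ethereum JSON-RPC methods), pull in a web3 library,
# or carry a 20-byte hex contract address. Illustrative assumptions, not IoCs.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
MARKER_RE = re.compile(r"\b(eth_call|eth_getCode|web3|ethers|jsonrpc)\b", re.I)
HEX_ADDR_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")

@dataclass
class Finding:
    source: str   # template file path or database row label (e.g. wp_posts id)
    reason: str
    snippet: str

def scan_html(label: str, html: str, allowed_hosts: tuple = ()) -> list:
    """Scan one HTML/PHP fragment for external scripts outside the allow-list
    and for inline scripts that look like a smart-contract read."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:  # external script: judge it by its host; relative paths are local
            host = re.sub(r"^(?:https?:)?//", "", src.group(1)).split("/")[0].lower()
            if host and host not in allowed_hosts:
                findings.append(Finding(label, f"external script from {host}", src.group(1)))
            continue
        hits = sorted({m.lower() for m in MARKER_RE.findall(body)})
        if HEX_ADDR_RE.search(body):
            hits.append("hex-address")
        if hits:
            findings.append(Finding(label, "inline contract-read markers: " + ", ".join(hits),
                                    body.strip()[:80]))
    return findings

# Constructed samples (not real ErrTraffic code): a clean theme header and an
# injected footer whose only job is to fetch an address from a contract.
CLEAN_HEADER = ('<head><script src="/wp-includes/js/jquery/jquery.min.js"></script>'
                '<script>document.body.classList.add("js");</script></head>')
INJECTED_FOOTER = ('<footer><script>fetch("https://rpc.example.invalid",{method:"POST",body:'
                   'JSON.stringify({jsonrpc:"2.0",method:"eth_call",params:[{to:'
                   '"0x0000000000000000000000000000000000000000",data:"0x"}]})})'
                   '.then(r=>r.json()).then(j=>{/* decode result, then load next stage */});'
                   '</script></footer>')

if __name__ == "__main__":
    for f in scan_html("header.php", CLEAN_HEADER) + scan_html("footer.php", INJECTED_FOOTER):
        print(f"{f.source}: {f.reason}\n  {f.snippet}")
```

Feed it the output of a filesystem walk over wp-content/themes and wp-content/plugins and a dump of wp_posts.post_content; any finding on a theme template that was not produced by a known deployment is a candidate for the integrity review described above.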
7. Sources
- Sekoia. Unveiling ErrTraffic: inside a growing ClickFix malware distribution framework. 16 June 2026. https://blog.sekoia.io/unveiling-errtraffic-inside-a-growing-clickfix-malware-distribution-framework/
8. Adverse Trace position
Severity: moderate. ErrTraffic is a credible, actively sold MaaS framework with a queue-based affiliate model and a blockchain-rotated C2 that frustrates traditional IP/domain blocking. The principal risk to EMEA financial services is twofold: (a) compromise of any WordPress-hosted web property that touches customers or staff, and (b) ClickFix-driven payload execution against finance users handling payments or treasury workflows. Attribution to "ErrTraffic" or "LenAI" as named actors remains unconfirmed in the verified reference data. Adverse Trace will continue to monitor ErrTraffic infrastructure, track ErrTraffic v3 and successor versions, and update this advisory with concrete IOCs and detection content as they become available. Clients should prioritise the P1 inventory and user-awareness steps above and confirm DORA Art. 17/18/19 reporting workflows are rehearsed against a ClickFix scenario.
Published via PulseTrace — Adverse Trace threat intelligence.