ErrTraffic MaaS Exploits Fake CAPTCHAs to Deploy Malware

A new cybercrime tool named ErrTraffic has emerged, enabling attackers to deceive users into executing malicious PowerShell commands through counterfeit verification screens. This Malware-as-a-Service (MaaS) platform has rapidly gained traction since its late 2025 debut, offering cybercriminals an accessible means to launch sophisticated attacks across various operating systems.

ErrTraffic operates by injecting malicious JavaScript into legitimate but compromised WordPress websites. When users visit these sites, they encounter fake verification prompts that closely resemble trusted services such as Google reCAPTCHA or Cloudflare Turnstile. The prompts instruct the visitor to press a sequence of keyboard shortcuts; because the injected script has already placed a PowerShell command in the clipboard, following those instructions pastes and runs that command without the user realising what they have executed.

Security researchers have identified that ErrTraffic leverages the ClickFix social engineering technique and employs EtherHiding to conceal its command-and-control (C2) infrastructure within Polygon blockchain smart contracts. This approach complicates detection and mitigation efforts, as attackers can frequently rotate their infrastructure without redeploying code.

The tool is marketed by a threat actor known as LenAI on cybercrime forums and Telegram channels. Its pricing has escalated throughout 2026, with monthly subscriptions increasing from $300 to $380 and the source code price rising from $1,500 in January to $4,500, inclusive of lifetime updates. This pricing reflects the tool’s effectiveness and growing reputation within underground communities.

Analysts have observed two distinct ErrTraffic clusters, dubbed “Analytics” and “Beer,” each operating separate infrastructures and distributing various malware families, including Vidar, Stealc, Remus, Salat, SmokeLoader, and multiple remote access tools. Some compromised WordPress sites were found to be infected by both clusters simultaneously, indicating competition and operational overlap among threat actors utilizing this framework.

The infection process initiates when a user loads a compromised WordPress page containing a concealed JavaScript payload. This script, encoded using Base64 and XOR techniques, queries the Polygon blockchain to retrieve the current C2 server address. This dynamic infrastructure allows attackers to change servers daily without modifying the numerous infected websites hosting their injected code.

Upon resolving the C2 address, the script loads the ClickFix lure from cluster-specific API endpoints on that server. The lure presents a convincing CAPTCHA or Cloudflare Turnstile screen instructing the visitor to "verify" themselves with a keyboard shortcut. Following those instructions runs the clipboard-staged PowerShell script, which downloads and installs malware on the victim's system.
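As an added illustration of the infection chain described above (this is not ErrTraffic's code, nor code from the researchers who analysed it), the Python scanner below checks a page's HTML for the traits the article lists: a Base64 blob fed to an XOR decode loop, a blockchain RPC lookup for the C2 address, and a decoded layer that shows the CAPTCHA/Turnstile lure text together with a clipboard write of a PowerShell string. It decodes each blob, brute-forces a single-byte XOR key (the key length is an assumption; the article only says Base64 and XOR), and re-scans the result. The sample page is constructed inline; the regexes, the `.example` host, the key `0x5A` and the placeholder command are illustrative, not ErrTraffic indicators.

```python
"""Heuristic scanner for ClickFix / EtherHiding-style injections in page HTML.

Added example; the indicator set is an assumption modelled on the behaviours
the article describes, not a signature set published for ErrTraffic.
"""
import base64
import re

# Surface and decoded-layer indicators (constructed heuristics, not IoCs).
INDICATORS = {
    "xor_decode_loop": re.compile(r"charCodeAt\([^)]*\)\s*\^"),
    "blockchain_rpc":  re.compile(r"\beth_call\b|polygon-rpc|chainId", re.I),
    "fake_captcha":    re.compile(r"reCAPTCHA|Turnstile|verify you are human|not a robot", re.I),
    "clipboard_write": re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy", re.I),
    "powershell":      re.compile(r"\bpowershell\b|\bpwsh\b|Invoke-Expression|\biex\b", re.I),
}
# Long runs of Base64 alphabet are candidate encoded payloads.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")


def find_indicators(text: str) -> list:
    """Names of every indicator regex that matches the text, sorted."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)


def best_xor_layer(blob: str):
    """Base64-decode a blob, try every single-byte XOR key (assumption) and
    return the key whose output is printable and hits the most indicators."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    best = None
    for key in range(256):  # key 0 covers plain Base64 with no XOR layer
        data = bytes(b ^ key for b in raw)
        ratio = printable_ratio(data)
        if ratio < 0.95:
            continue
        text = data.decode("ascii", errors="replace")
        hits = find_indicators(text)
        cand = (len(hits), ratio, key, hits, text)
        if best is None or cand[:2] > best[:2]:
            best = cand
    if best is None or not best[3]:
        return None
    return {"key": best[2], "hits": best[3], "decoded": best[4][:120]}


def scan_page(html: str) -> dict:
    """Scan raw HTML plus every decodable blob inside it; return a report."""
    surface = find_indicators(html)
    layers = [layer for layer in map(best_xor_layer, B64_BLOB.findall(html)) if layer]
    all_hits = set(surface) | {h for layer in layers for h in layer["hits"]}
    # A lure screen that also stages a command for the clipboard is the ClickFix pattern.
    lure = "fake_captcha" in all_hits and ({"clipboard_write", "powershell"} & all_hits)
    verdict = "suspicious" if lure or len(all_hits) >= 3 else "clean"
    return {"surface": surface, "layers": layers,
            "indicators": sorted(all_hits), "verdict": verdict}


# ---- constructed sample: an inner loader, XOR-encoded and Base64-wrapped ----
INNER_LOADER = (
    'document.body.innerHTML = "<div>Verify you are human - Cloudflare Turnstile</div>";'
    'navigator.clipboard.writeText("powershell PLACEHOLDER_COMMAND_FROM_C2");'
)


def build_sample_html(key: int = 0x5A) -> str:
    """Build a fake compromised page (constructed; host and key are placeholders)."""
    blob = base64.b64encode(bytes(b ^ key for b in INNER_LOADER.encode("ascii"))).decode("ascii")
    return f"""<html><body><h1>Blog</h1>
<script>
fetch("https://polygon-rpc.example/", {{method:"POST",body:JSON.stringify({{method:"eth_call"}})}});
var p="{blob}",k={key},s=atob(p),o="";
for(var i=0;i<s.length;i++){{o+=String.fromCharCode(s.charCodeAt(i)^k);}}
eval(o);
</script></body></html>"""


SAMPLE_HTML = build_sample_html()
BENIGN_HTML = "<html><body><p>Hello from an ordinary blog post.</p></body></html>"

if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        report = scan_page(page)
        print(label, report["verdict"], report["indicators"])
        for layer in report["layers"]:
            print("  decoded with key 0x%02x:" % layer["key"], layer["decoded"])
```

Run as a script it prints the verdict and decoded layer for the constructed page and `clean` for the benign one. The surface scan alone already flags the XOR loop and the RPC lookup; the decoded layer is what ties the lure text to the clipboard write, which is the part a defender wants evidence of before treating a site as compromised.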

The rise of ErrTraffic underscores the evolving sophistication of social engineering attacks and the increasing accessibility of MaaS platforms. Users must exercise caution when encountering unexpected verification prompts, especially on unfamiliar websites. Organizations should enhance their security measures to detect and prevent such deceptive tactics, including regular monitoring of web traffic and educating users about emerging threats.