A sophisticated cybercrime tool known as ErrTraffic is gaining notoriety for its ability to deceive internet users into executing harmful PowerShell commands. This Malware-as-a-Service (MaaS) framework disguises its malicious activities as legitimate security verification processes, tricking victims into unknowingly compromising their own systems.
How ErrTraffic Operates
ErrTraffic emerged in late 2025 and has since developed into a rental tool for cybercriminals, enabling widespread attacks. The framework infiltrates legitimate WordPress sites, injecting malicious JavaScript that presents users with a seemingly genuine verification screen. Mimicking services like Google reCAPTCHA, it prompts users to perform actions that execute hidden commands.
The threat is further exacerbated by its use of ClickFix social engineering tactics and the EtherHiding technique, which hides its infrastructure within Polygon blockchain smart contracts. This approach complicates detection and allows attackers to change infrastructure without needing to redeploy their code.
Economic Implications and Threat Landscape
ErrTraffic is marketed by a threat actor named LenAI, with prices reflecting its effectiveness and notoriety. Subscription costs have escalated, indicating the tool’s growing demand and reputation among cybercriminal communities. This has led to the formation of distinct threat clusters, each deploying various malware types.
Security analysts have identified two main clusters, ‘Analytics’ and ‘Beer’, which use separate infrastructures and deliver diverse malware including Vidar and SmokeLoader. The overlapping use of compromised sites by these clusters hints at competition among threat actors.
Technical Details and Mitigation Strategies
The infection chain begins with a compromised site loading a hidden JavaScript payload, which locates the active command-and-control server via the blockchain. Upon retrieval, it displays a fake verification screen that masks the execution of a PowerShell script, leading to further malware download and execution.
ErrTraffic’s reach is extended by malicious campaigns posing as legitimate AI platforms, further spreading through malvertising. Security researchers recommend monitoring PowerShell execution, auditing WordPress directories, and employing logging strategies to mitigate this threat.
Indicators of Compromise
Security experts have identified multiple indicators of compromise (IoCs) related to ErrTraffic, including specific IP addresses, domains, and file names associated with its operations. Recognizing these IoCs is crucial for organizations seeking to detect and defend against potential breaches.
For detailed monitoring, defenders should look for blockchain RPC connections followed by PowerShell activity, and should audit their WordPress installations regularly to catch injected scripts before they reach visitors.
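The "RPC connection followed by PowerShell" pattern recommended above can be expressed as a simple correlation rule. The following is an added example, not code from the article or from any vendor; the RPC hostnames, timestamps and command lines are constructed placeholders, not real ErrTraffic indicators, and the 120-second window is an assumed tuning value.

```python
from datetime import datetime, timedelta

# Blockchain RPC endpoints to watch. Placeholder names, not IoCs from the article:
# replace with the RPC hosts that your own workstations normally never contact.
RPC_HOSTS = {"rpc.polygon-placeholder.invalid", "rpc.chain-placeholder.invalid"}
WINDOW = timedelta(seconds=120)            # assumed max gap between RPC call and PowerShell start
PS_IMAGES = {"powershell.exe", "pwsh.exe"}

# Constructed sample telemetry from two workstations (not real log data).
EVENTS = [
    {"ts": "2025-11-03T09:12:01", "host": "WS-17", "type": "net",  "dest": "rpc.polygon-placeholder.invalid"},
    {"ts": "2025-11-03T09:12:34", "host": "WS-17", "type": "proc", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c <redacted>"},
    {"ts": "2025-11-03T10:05:00", "host": "WS-22", "type": "net",  "dest": "updates.vendor-placeholder.invalid"},
    {"ts": "2025-11-03T10:05:20", "host": "WS-22", "type": "proc", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"ts": "2025-11-03T11:40:00", "host": "WS-17", "type": "net",  "dest": "rpc.polygon-placeholder.invalid"},
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def hidden_flags(cmdline):
    """Return the evasion-style switches present in a PowerShell command line."""
    c = cmdline.lower()
    return [f for f in ("-w hidden", "-windowstyle hidden", "-ep bypass", "-encodedcommand") if f in c]

def correlate(events, rpc_hosts=RPC_HOSTS, window=WINDOW):
    """Flag PowerShell starts preceded, on the same host and within `window`,
    by a connection to a blockchain RPC endpoint. Returns one alert per match."""
    events = sorted(events, key=_ts)
    alerts = []
    for i, e in enumerate(events):
        if e["type"] != "proc" or e["image"].lower() not in PS_IMAGES:
            continue
        for prior in events[:i]:                      # only earlier events, thanks to the sort
            if (prior["type"] == "net" and prior["host"] == e["host"]
                    and prior["dest"] in rpc_hosts and _ts(e) - _ts(prior) <= window):
                alerts.append({"host": e["host"], "rpc_ts": prior["ts"], "ps_ts": e["ts"],
                               "flags": hidden_flags(e["cmdline"]), "cmdline": e["cmdline"]})
                break                                 # one alert per PowerShell start is enough
    return alerts

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"[ALERT] {a['host']}: RPC at {a['rpc_ts']} then PowerShell at {a['ps_ts']} {a['flags']}")
```

Only WS-17 is flagged: WS-22's PowerShell run followed an ordinary update check, and the lone RPC call at 11:40 had no PowerShell start behind it.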
