Malware-for-hire kit hijacks WordPress sites and hides on the blockchain

A fast-growing criminal service called ErrTraffic is quietly turning thousands of hacked WordPress sites into malware delivery points, using fake "fix this error" pop-ups and a blockchain trick that keeps its servers reachable even when defenders try to block them. Sekoia's Threat Detection and Research team, in a report by Jeremy Scion and Quentin Bourgue, mapped the framework, the operator selling it, and the affiliates using it.

ErrTraffic is built around "ClickFix," a social-engineering tactic that has spread fast over the past year. Rather than exploiting a software bug, the tactic relies on a tampered web page that shows the visitor a fake CAPTCHA, a phony Cloudflare check, or a bogus Windows error, then instructs them to copy and paste a command (usually PowerShell) to "fix" it. Running that command installs the malware. ErrTraffic injects JavaScript into compromised WordPress sites to display these lures, and acts as a traffic distribution system that filters victims by location and operating system, covering both Windows and macOS, before deciding what to serve. It rides the same trend behind recent campaigns such as malware pushed through hundreds of hacked Ghost CMS sites and the MLTBackdoor ransomware loader.

How it dodges takedowns

What sets ErrTraffic apart is a technique called EtherHiding. Rather than hard-coding the address of its command-and-control server, the injected script reads that address from a smart contract on the Polygon blockchain. That lets the operators swap infrastructure across thousands of infected sites without touching the code on any of them, and it defeats simple domain blocking because there is no fixed server address to put on a blocklist.

Sekoia traced the service to a seller using the handle LenAI, who has advertised ErrTraffic on the Exploit.IN cybercrime forum and Telegram since at least December 2025. Pricing has climbed as the service caught on: monthly subscriptions rose from 300 to 380 US dollars, while the source code doubled from 1,500 dollars in January to 3,000 in April, reaching 4,500 dollars when lifetime updates and support are included. Access is deliberately capped to a queue of vetted buyers, a common tactic to keep infection rates high and researchers at bay. Investigators tracked two operator clusters, nicknamed "Analytics" and "Beer," pushing infostealers including Vidar, Stealc, Remus, and Salat.

What you should do

The single most effective habit against ClickFix is simple: never copy and run a command that a web page tells you to paste, no matter how official the error looks. A legitimate site will never ask you to open PowerShell or a terminal to view a document or clear a CAPTCHA. WordPress owners should keep core and plugins patched, audit for unfamiliar plugins and injected scripts, and treat unexpected JavaScript as a red flag. Sekoia's original report includes detection guidance.
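A defender-side check that covers both points above (EtherHiding contract reads and ClickFix clipboard lures), added here as an example and not taken from Sekoia's report or from ErrTraffic itself: it scans the script-bearing files of a WordPress install for the Polygon address listed under the indicators below, and for heuristic patterns that are this example's own assumptions (an `eth_call` against a Polygon RPC endpoint, and a clipboard write sitting next to shell-command text). The sample scripts are constructed.

```python
import re
from pathlib import Path

# Indicator from the briefing: Polygon address the "Analytics" cluster used to resolve its C2.
KNOWN_ADDRESSES = {"0x08207b087f61d7e95e441e15fd6d40befd6ed308"}

# The heuristics below are assumptions of this example, not signatures from Sekoia's report:
# an EtherHiding loader fetches contract data with eth_call against a Polygon RPC endpoint,
# and a ClickFix lure copies a command into the visitor's clipboard and tells them to run it.
ETH_CALL = re.compile(r"eth_call|\.eth\.call\(", re.I)
POLYGON_RPC = re.compile(r"polygon-rpc\.com|polygon-mainnet|matic-mainnet|chainId\W{0,3}137\b", re.I)
HEX_ADDRESS = re.compile(r"0x[0-9a-f]{40}", re.I)
CLIPBOARD = re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy", re.I)
SHELL_HINT = re.compile(r"powershell|mshta|\bcmd(?:\.exe)?\b|/bin/(?:ba)?sh|win\s*\+\s*r", re.I)

def scan_script(text: str) -> list[str]:
    """Return the indicator tags found in one script body, in a fixed order."""
    tags = []
    addresses = {a.lower() for a in HEX_ADDRESS.findall(text)}
    if addresses & KNOWN_ADDRESSES:
        tags.append("known_errtraffic_address")
    if ETH_CALL.search(text) and (POLYGON_RPC.search(text) or addresses):
        tags.append("etherhiding_contract_read")
    if CLIPBOARD.search(text) and SHELL_HINT.search(text):
        tags.append("clickfix_lure")
    return tags

def scan_tree(root: str) -> dict[str, list[str]]:
    """Scan .js/.php/.html files under a WordPress install; return {path: tags} for hits only."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".js", ".php", ".html", ".htm"}:
            tags = scan_script(path.read_text(errors="replace"))
            if tags:
                hits[str(path)] = tags
    return hits

# Constructed samples: a benign theme script and a non-functional skeleton of an injected loader.
BENIGN = "jQuery(function($){ $('.menu').on('click', function(){ $(this).toggleClass('open'); }); });"
INJECTED = """
fetch('https://polygon-rpc.com/', {method: 'POST', body: JSON.stringify({jsonrpc: '2.0', id: 1,
  method: 'eth_call', params: [{to: '0x08207B087F61d7e95E441E15fd6d40BEfd6eD308', data: '0x'}, 'latest']})})
  .then(r => r.json()).then(j => loadFrom(j.result));  // C2 location is read from the contract
function showFix(cmd) { navigator.clipboard.writeText(cmd);
  document.body.innerHTML = '<p>Error 0x8007. Press Win+R, paste, then press Enter.</p>'; }
"""

if __name__ == "__main__":
    for name, body in (("benign.js", BENIGN), ("injected.js", INJECTED)):
        print(name, scan_script(body) or "clean")
```

Run `scan_tree("/var/www/html")` (path is an assumption) on a suspect install; anything tagged deserves a manual look, and `clickfix_lure` alone is worth reviewing even without a blockchain hit.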

Indicators of compromise

Polygon wallet used to resolve C2 for the "Analytics" cluster: 0x08207B087F61d7e95E441E15fd6d40BEfd6eD308. Associated IP addresses: 96[.]178[.]187[.]175 and 96[.]181[.]156[.]219.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
