Unveiling ErrTraffic: inside a growing ClickFix malware distribution framework

Sekoia TDR analyzed ErrTraffic, a MaaS ClickFix framework that abuses compromised WordPress sites and fake AI-themed websites to distribute payloads through EtherHiding and blockchain-based C2 resolution. The report separates “Analytics” and “Beer” clusters, links them to different operators and campaigns, and highlights payloads such as Vidar, Stealc, Remus, Salat, DanaBot, HijackLoader, and SmokeLoader. #ErrTraffic #ClickFix #EtherHiding #WordPress #Vidar #DanaBot #HijackLoader #SmokeLoader

Keypoints

  • ErrTraffic is a malicious JavaScript framework sold as MaaS and used to deliver ClickFix lures from compromised WordPress sites and deceptive AI-themed websites.
  • The framework uses EtherHiding/DDR on Polygon blockchain smart contracts to resolve C2 infrastructure and rotate hosting without redeploying code.
  • Sekoia identified two major clusters, “Analytics” and “Beer,” with different endpoints, obfuscation levels, C2 behavior, and payload delivery patterns.
  • The “Analytics” cluster was tied to a single campaign that repeatedly used one PHP backdoor and mainly distributed Vidar infostealer.
  • The “Beer” cluster appeared to be used by multiple affiliates, each apparently operating distinct smart contracts and distributing different payloads and malware families.
  • Forensic analysis of WordPress compromises showed credential-based initial access, theme editing for backdoor deployment, and long-term persistence through MU-plugins, webshells, and hidden PHP files.
  • Observed campaigns included the “bintang” WordPress compromise and impersonated AI platform lures such as Google Antigravity and ChatGPT, delivering DanaBot and HijackLoader.

MITRE Techniques

  • [T1059.001] PowerShell – Used to download, decrypt, and execute the final payload from the ClickFix lure (‘PowerShell command lines for downloading the malicious payload’ / ‘The PowerShell command contains a XORed string which is decrypted and executed’).
  • [T1059.003] Windows Command Shell – The framework’s ClickFix flow delivers commands that the victim copies and executes, including command-line payload execution driven by staged instructions (‘the command copied to the clipboard’ / ‘download and execute the binary’).
  • [T1027] Obfuscated Files or Information – ErrTraffic scripts and payloads use Base64, XOR, JavaScript obfuscation, RC4, and encoding to hinder analysis (‘Base64-encoded and XOR-obfuscated’ / ‘RC4 encryption’).
  • [T1105] Ingress Tool Transfer – Payloads are fetched from remote infrastructure through API calls and downloaded by PowerShell (‘retrieves the ClickFix lure’ / ‘downloading and executing the binary’).
  • [T1218.011] System Binary Proxy Execution: Rundll32 – The report does not explicitly mention rundll32; this mapping is inferred only from the loader-style execution of downloaded binaries in the staged payload chains it describes (‘the final payload delivered was identified as HijackLoader’).
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence is maintained through hourly restoration of the backdoor files and several layered redeployment mechanisms (‘restored hourly’ / ‘Persistence is maintained through seven distinct layers’).
  • [T1566] Phishing – ClickFix lures are social-engineering pages that trick users into executing commands (‘display the ClickFix lure to visitors’ / ‘Blue Screen of Death (BSOD) ClickFix lure’).
  • [T1071.001] Web Protocols – The backdoor and framework communicate with C2 and APIs over HTTP(S), including specific endpoints such as /api/index.php and /cf.js (‘API requests to /api/index.php’ / ‘fetch the script embedding the ClickFix lure’).
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – The implant checks for security-tool User-Agents and suspends its malicious behavior while being scanned (‘If detected, it suspends all malicious blocks’ / ‘known security tools’).
  • [T1078] Valid Accounts – WordPress access was obtained using harvested administrator credentials (‘the attacker gained access using valid administrator credentials’).
  • [T1505.003] Server Software Component: WordPress Plugin – Attackers inserted malicious MU-plugins and theme-file droppers to persist on the site (‘wrote the MU-Plugin to wp-content/mu-plugins/session-manager.php’ / ‘inserting a dropper into the active theme’s functions.php’).

Indicators of Compromise

  • [IP addresses] Residential proxies and attacker access to WordPress admin areas – 96.178.187[.]175, 96.181.156[.]219
  • [IP addresses] Later backdoor deployment and continued access – 172.59.242[.]93, 68.60.174[.]238
  • [Domains] ErrTraffic-related C2 and lure infrastructure – webanalytics-cdn[.]sbs, antigravity[.]study
  • [Domains] Impersonation and lure domains for AI-themed campaigns – chatgpt-web[.]vip, defi-xstocks[.]vip
  • [Domains] ClickFix delivery endpoints and framework paths – llc-image-ico[.]click, and other domains using .beer / .cfd / .club / .cyou / .lat / .sbs / .shop / .xyz TLDs
  • [Wallet addresses] Polygon smart contracts used for DDR and C2 resolution – 0x08207B087F61d7e95E441E15fd6d40BEfd6eD308, 0xb36482fE794B895695914779Db3909b471D1aA43
  • [Wallet addresses] Additional smart contracts tied to specific lure campaigns – 0x5b7F9C87773fFc7FAbEFcBeDFe3527BCE98C328, 0x53ffB04Ef13Bc4Cb12CE8Ac7b9532C254338dC3e
  • [File names] Backdoor and loader artifacts deployed on WordPress – session-manager.php, file-updater-[a-zA-Z0-9]{8}.php
  • [File paths] Persistence and injection locations on compromised sites – wp-content/mu-plugins/session-manager.php, functions.php, /api/index.php, /cf.js, /api/css.js
  • [User-Agent strings] Attacker tooling and repeated access pattern – Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36, Chrome 144
  • [Registry / registration data] Newly registered lure domains – 15 May 2026 via Global Domain Group, 22 May 2026 via Dynadot
  • [Strings / markers] Detection-relevant command and code markers – , /* __mu_deployer__ */
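The WordPress persistence artifacts listed under T1505.003 and in the file-name, file-path and marker indicators above can be hunted for on a suspect install. The scanner below is an added example written for this summary, not code from Sekoia's report; it uses only the indicators named on this page, and the sample site it builds is a constructed stand-in with no real malware in it.

```python
import re
import tempfile
from pathlib import Path

# File name of the dropped loader: file-updater-<8 alphanumerics>.php
FILE_UPDATER_RE = re.compile(r"^file-updater-[a-zA-Z0-9]{8}\.php$")
# Known MU-plugin backdoor path, relative to the WordPress root
MU_BACKDOOR = Path("wp-content/mu-plugins/session-manager.php")
# Code marker left in injected PHP (e.g. the dropper in functions.php)
DEPLOYER_MARKER = "/* __mu_deployer__ */"

def scan_wordpress(root):
    """Walk a WordPress install; return sorted (indicator, relative_path) pairs."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.php"):
        rel = path.relative_to(root)
        if rel == MU_BACKDOOR:
            findings.append(("mu-plugin backdoor", rel.as_posix()))
        if FILE_UPDATER_RE.match(path.name):
            findings.append(("file-updater loader", rel.as_posix()))
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip content check, keep name checks
        if DEPLOYER_MARKER in text:
            findings.append(("__mu_deployer__ marker", rel.as_posix()))
    return sorted(findings)

def build_sample_site():
    """Constructed sample tree (placeholder PHP only) holding the three artifacts."""
    root = Path(tempfile.mkdtemp(prefix="wp-"))
    files = {
        "wp-content/mu-plugins/session-manager.php": "<?php // constructed sample\n",
        "wp-content/uploads/file-updater-Ab3dE9xZ.php": "<?php // constructed sample\n",
        "wp-content/themes/site/functions.php":
            "<?php\n/* __mu_deployer__ */\n// constructed dropper stand-in\n",
        "wp-content/themes/site/index.php": "<?php get_header();\n",  # benign
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return root

if __name__ == "__main__":
    for indicator, rel in scan_wordpress(build_sample_site()):
        print(f"{indicator:24} {rel}")
```

Point `scan_wordpress` at a real document root to triage a site; a hit on the MU-plugin path or the marker warrants checking for the other persistence layers the report describes (webshells, hidden PHP files) rather than deleting a single file.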

Read more: https://blog.sekoia.io/unveiling-errtraffic-inside-a-growing-clickfix-malware-distribution-framework/