ctipilot.ch

ErrTraffic — ClickFix MaaS distribution framework with EtherHiding/Polygon C2 resolution; EU WordPress targeting

campaign · item:sekoia-errtraffic-clickfix-maas-polygon-c2

Coverage timeline

  • First coverage 2026-06-17 → last coverage 2026-06-17
  • Briefs: 1 (1 distinct)
  • Sources cited: 2 (2 hosts)
  • Sections touched: 1 (research)
  • Co-occurring entities: 3 (see Related entities below)

Story timeline

  1. 2026-06-17 — CTI Daily Brief — 2026-06-17
    research · First coverage; Sekoia TDR; LenAI MaaS, mu-plugin backdoor, blockchain C2

Where this entity is cited

  • research (1)

Source distribution

  • blog.sekoia.io: 1 (50%)
  • malwarebytes.com: 1 (50%)

Related entities

Items in briefs about ErrTraffic — ClickFix MaaS distribution framework with EtherHiding/Polygon C2 resolution; EU WordPress targeting (1)

Sekoia: ErrTraffic — a ClickFix Malware-as-a-Service framework resolving C2 through the Polygon blockchain

From CTI Daily Brief — 2026-06-17 · published 2026-06-17

ClickFix — fake browser/update dialogues that trick users into pasting attacker PowerShell — is maturing into a productised delivery channel, as this and the next item show. Sekoia's TDR team analysed ErrTraffic, a ClickFix distribution framework sold as MaaS by an actor using the handle "LenAI" on the Exploit.IN forum since at least December 2025 (Sekoia TDR, 2026-06-16). Affiliates compromise WordPress sites by credential-stuffing wp-login.php (one victim saw seven residential IPs in an 80-second window) or via WP File Manager CVE-2020-25213, then deploy a PHP backdoor as a must-use plugin (session-manager.php) that injects the ErrTraffic JavaScript. The JavaScript uses the EtherHiding technique — querying Polygon smart contracts via public RPC endpoints — to resolve C2 domains dynamically, defeating takedowns; it then serves ClickFix lures that drop Vidar, Stealc, SmokeLoader and others. ErrTraffic explicitly targets European and APAC visitors, putting public-sector WordPress portals in scope.

Why it matters to us: A reliable hunt artefact is the distinctive PowerShell comment block <# Code Verification: NNNNNNNNNNNN #> that Sekoia found at the start of ErrTraffic command strings. Also watch for new PHP files under wp-content/mu-plugins/ (auto-loaded, no activation needed), credential-stuffing bursts against wp-login.php, and outbound requests from the web-server process to blockchain RPC endpoints.
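The three hunt artefacts above turned into checks, as an added example that is not from the brief or from Sekoia: the regex for the Code Verification comment, the mu-plugins path filter, and a sliding-window count of distinct source IPs on wp-login.php (the 80-second window and the sample data are constructed to mirror the seven-IP burst the brief mentions; the access-log format is an assumption, not any real server's).

```python
import re
from datetime import datetime

# Hunt artefacts named in the brief (Sekoia TDR, 2026-06-16); the patterns are my own.
CODE_VERIFICATION_RE = re.compile(r"<#\s*Code Verification:\s*\d{6,}\s*#>")
MU_PLUGIN_RE = re.compile(r"wp-content/mu-plugins/[^/]+\.php$")


def is_errtraffic_command(cmdline: str) -> bool:
    """True if a PowerShell command string carries the ErrTraffic verification comment."""
    return CODE_VERIFICATION_RE.search(cmdline) is not None


def suspicious_mu_plugins(paths):
    """PHP files under wp-content/mu-plugins/: auto-loaded by WordPress, no activation needed."""
    return [p for p in paths if MU_PLUGIN_RE.search(p)]


def parse_access_log(lines):
    """Constructed format: '<ISO timestamp> <src ip> <method> <path>' -> (datetime, ip, path)."""
    events = []
    for line in lines:
        ts, ip, _method, path = line.split()
        events.append((datetime.fromisoformat(ts), ip, path))
    return events


def max_distinct_ips_on_wp_login(events, window_s=80):
    """Peak number of distinct source IPs hitting wp-login.php inside any window_s-second span."""
    hits = sorted((ts, ip) for ts, ip, path in events if path.startswith("/wp-login.php"))
    best = 0
    for i, (t0, _) in enumerate(hits):
        ips = {ip for ts, ip in hits[i:] if (ts - t0).total_seconds() <= window_s}
        best = max(best, len(ips))
    return best


# Constructed sample data (documentation ranges), not taken from the report.
SAMPLE_COMMAND = "<# Code Verification: 482913057716 #> Write-Host ok"
SAMPLE_PATHS = [
    "/var/www/html/wp-content/mu-plugins/session-manager.php",
    "/var/www/html/wp-content/plugins/akismet/akismet.php",
    "/var/www/html/wp-content/mu-plugins/readme.txt",
]
# One benign hit, then seven distinct IPs posting to wp-login.php within 54 seconds.
SAMPLE_LOG = ["2026-06-17T09:00:00 198.51.100.1 GET /index.php"] + [
    f"2026-06-17T09:01:{5 + 9 * i:02d} 203.0.113.{i} POST /wp-login.php" for i in range(7)
]

if __name__ == "__main__":
    print(is_errtraffic_command(SAMPLE_COMMAND))                        # True
    print(suspicious_mu_plugins(SAMPLE_PATHS))                          # session-manager.php only
    print(max_distinct_ips_on_wp_login(parse_access_log(SAMPLE_LOG)))   # 7
```

In practice the command-line check runs over PowerShell script-block or process-creation logs, and the path filter over file-integrity events for the web root; the IP threshold is a tuning knob, not a fixed indicator.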