Err-Hiding and Seek: How ErrTraffic v3 Leverages EtherHiding in ClickFix Campaign

TLP: AMBER+STRICT

The LevelBlue SpiderLabs team examined the latest version of ErrTraffic, which emerged in early 2026. In a recently observed campaign, the team found that ErrTraffic primarily targets WordPress websites by deploying a PHP backdoor script in the must-use plugin (mu-plugin) directory; the backdoor captures administrator credentials and maintains persistence on compromised sites. On an infected website, the backdoor injects malicious inline scripts that use both XOR and Base64 obfuscation to evade detection. ErrTraffic uses a Traffic Distribution System (TDS) to filter site visitors and redirect them to ClickFix lures.

ErrTraffic also interacts with blockchain-based infrastructure via smart contracts to fetch hidden payloads, which feed into subsequent stages of the attack through EtherHiding. The campaign delivers OS-specific payloads, either Windows or macOS. Operational security failures, such as a hardcoded key in the backdoor and API communication, further expose the attackers' infrastructure and techniques.

 

About ErrTraffic

ErrTraffic is a multi-platform (Windows, macOS, Android, and Linux) TDS built specifically for ClickFix campaigns, advertised by a user called LenAI on a cybercrime forum. The tool enables threat actors to distribute malware by leveraging compromised websites, malicious advertising traffic, and attacker-controlled infrastructure.

Figure 1. ErrTraffic V3 panel.

Since its initial launch, ErrTraffic’s price has increased for both rental plans and its full source code:

Pricing Plans

  • 30 days: $380 (minimum rental period)
  • 3 months: $1,000
  • 6 months: $1,800

Source Code Options

  • $3,000 – Full project source code (no free updates included).
  • $4,500 – Full project source code with free updates and lifetime support.

 

ErrTraffic V3

First advertised on underground forums in January 2026, ErrTraffic V3 is still being actively updated. Below are the key changes introduced in ErrTraffic V3:

Table 1. ErrTraffic V3 updates.

During retroactive hunting, we observed a new wave of the ClickFix campaign that aligns with recent iterations of ErrTraffic. The campaign leverages multiple delivery and social engineering mechanisms, including fake BSOD screens, reCAPTCHA prompts, and Cloudflare CAPTCHA challenge pages. All these ClickFix lures ultimately lead to OS-specific payload deployment.


Figure 2. Delivery mechanism for Windows.

Figure 3. Delivery mechanism for macOS.

 

Technical Analysis

Stage 1: WordPress Backdoor

Upon web inspection, we found that the compromised sites typically contain two JavaScript code blocks embedded at the end of the section.

Figure 4. Malicious embedded inline JavaScript code found in the compromised site (end block).

The first JavaScript code block functions as a tracking beacon. The script sends requests to multiple domains under inexpensive and commonly abused TLDs, a tactic often seen in malvertising campaigns and TDSs:

.sbs, .cyou, .cfd, .icu

Meanwhile, the second JavaScript code block focuses on ErrTraffic functionalities, which will be discussed in the next section. Further pivoting analysis revealed that these domains are communicating with suspicious backend scripts, specifically session-manager.php.

Figure 5. Communication with backend scripts.

The main loader decodes a Base64-encoded payload (session-manager.php) and writes it to the mu-plugin directory to ensure automatic execution on every request. This PHP file is a WordPress backdoor, deployed via a legitimate mu-plugin. The structure below contains the expected files and directories in a typical compromised WordPress website:

Table 2. Directory structure of WordPress backdoor.

The backdoor contains a wide range of functionalities, such as:

Table 3. WordPress backdoor functionalities.


Beaconing

Notably, code block 13 (Table 3) serves as a WordPress hook that injects a JavaScript-based analytics beacon on frontend page loads. The functionality is implemented through the template_redirect and wp_footer hooks and executes on all public pages of the site.

Figure 6. Beaconing activity.

During execution, the script gathers several attributes related to the incoming request and the visitor’s browsing environment. These values are then organized into the $_a_params array, which defines the set of parameters to be included in the outbound request:

Table 4. Parameters collected during beaconing.

The array is later serialized into a query string using http_build_query(), and the resulting parameters are appended to predefined external URLs before being transmitted by the injected JavaScript beacon. The pattern for the beacon URL is as follows:

hXXps://<beacon domain>/i?d=<>&ip=<>&r=<>&m=pageview&u=<>&l=<>&dv=<>&br=<>&os=<>&f=<>&t=<>

At page render time, the code injects a JavaScript snippet into the site footer. The script attempts to transmit the data to the external URLs using the navigator.sendBeacon() API.

Figure 7. First-stage JavaScript payload.
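The beacon URL shape above is specific enough to hunt for in web proxy logs. The following is an added Python example (not code from the report or from the backdoor) that flags requests matching the /i?...&m=pageview parameter set and the cheap TLDs listed earlier; the log line format and the hostnames in the sample lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query parameters the report lists for the backdoor's pageview beacon:
# hXXps://<beacon domain>/i?d=<>&ip=<>&r=<>&m=pageview&u=<>&l=<>&dv=<>&br=<>&os=<>&f=<>&t=<>
BEACON_PARAMS = {"d", "ip", "r", "m", "u", "l", "dv", "br", "os", "f", "t"}
# Inexpensive TLDs the report associates with the beacon domains.
SUSPECT_TLDS = (".sbs", ".cyou", ".cfd", ".icu")

def is_errtraffic_beacon(url: str, min_matching_params: int = 9) -> bool:
    """True if a URL has the beacon shape: path /i, m=pageview, and most of the parameter set.

    Requiring most of the parameter names keeps a legitimate analytics URL that happens to
    share one or two of them (e.g. m=pageview&u=/) from triggering the rule."""
    parts = urlsplit(url)
    if parts.path != "/i":
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)  # r= is often empty, keep it
    if qs.get("m") != ["pageview"]:
        return False
    return len(BEACON_PARAMS & set(qs)) >= min_matching_params

def uses_suspect_tld(url: str) -> bool:
    """Secondary signal: does the beacon host sit under one of the abused TLDs?"""
    host = (urlsplit(url).hostname or "").lower()
    return host.endswith(SUSPECT_TLDS)

# Minimal parser for a constructed log format: "<timestamp> <client ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def find_beacons(log_lines):
    """Yield (client_ip, url, suspect_tld) for every log line whose URL matches the beacon shape."""
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, _method, url, _status = m.groups()
        if is_errtraffic_beacon(url):
            yield client, url, uses_suspect_tld(url)

# Constructed sample log lines; the beacon hostnames are placeholders, not indicators from the report.
SAMPLE_LOG = [
    "2026-03-12T10:01:02Z 10.0.0.5 GET https://www.example.com/ 200",
    "2026-03-12T10:01:03Z 10.0.0.5 POST https://cdn-assets-placeholder.sbs/i?d=www.example.com&ip=203.0.113.7&r=&m=pageview&u=%2Fblog%2F&l=en-US&dv=desktop&br=Chrome&os=Windows&f=0&t=1773309663 200",
    "2026-03-12T10:01:04Z 10.0.0.9 GET https://analytics.example.net/i?m=pageview&u=%2F 200",
    "2026-03-12T10:01:05Z 10.0.0.9 POST https://fonts-placeholder.icu/i?d=shop.example.org&ip=198.51.100.4&r=https%3A%2F%2Fwww.example.com&m=pageview&u=%2F&l=de-DE&dv=mobile&br=Safari&os=iOS&f=1&t=1773309665 200",
]

def detect_sample():
    """Run the detection over the constructed sample; returns the list of hits."""
    return list(find_beacons(SAMPLE_LOG))

if __name__ == "__main__":
    for client, url, bad_tld in detect_sample():
        print(f"[beacon] client={client} suspect_tld={bad_tld} url={url}")
```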


Commands

The threat actor communicates with the compromised website by providing the secret key and specifying a mode of operation. The backdoor supports multiple modes:

Table 5. Debug session console commands.

Below is an example of an interaction with the WordPress backdoor.

Figure 8. Simulated interaction with the WordPress backdoor.

 

Stage 2: ErrTraffic

With ErrTraffic V3, threat actors can now generate inline scripts directly within compromised websites, replacing the traditional external payload delivery method that relied on loading the JavaScript file (Default: “api/css.js”):

Figure 9. ErrTraffic V3 control panel.

The second JavaScript code block is also embedded in the footer of the compromised website. This framework retrieves Base64-encoded data and uses an updated decoding routine that applies a static XOR key after the Base64 decoding process. The resulting bytes are then converted back into JavaScript using TextDecoder(). Eventually, this leads to the next stage, which is EtherHiding.

Figure 10. Second-stage JavaScript payload.
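To reverse the wrapper just described (Base64, then a static XOR key, then TextDecoder()), here is an added Python decoder that is not part of the report or of ErrTraffic itself; the key, the stand-in script and the blob are constructed samples. The classify_blob() helper also tells this wrapper apart from a plain Base64 data URI of the kind ClearFake uses, which the report compares later.

```python
import base64

def decode_errtraffic_layer(blob_b64: str, xor_key: bytes) -> str:
    """Base64-decode, XOR with a repeating static key, then decode as UTF-8 (what TextDecoder() does)."""
    if not xor_key:
        raise ValueError("XOR key must not be empty")
    raw = base64.b64decode(blob_b64)
    plain = bytes(b ^ xor_key[i % len(xor_key)] for i, b in enumerate(raw))
    return plain.decode("utf-8")

def encode_errtraffic_layer(script: str, xor_key: bytes) -> str:
    """Inverse of decode_errtraffic_layer; used here only to build the constructed sample."""
    raw = script.encode("utf-8")
    mixed = bytes(b ^ xor_key[i % len(xor_key)] for i, b in enumerate(raw))
    return base64.b64encode(mixed).decode("ascii")

def classify_blob(blob_b64: str) -> str:
    """'plain' when Base64 alone yields readable text (ClearFake-style), 'xor' when a key layer remains."""
    raw = base64.b64decode(blob_b64)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "xor"
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    # XOR with an ASCII key turns a large share of letters into control characters.
    return "plain" if printable / max(len(text), 1) > 0.95 else "xor"

# Constructed sample: a harmless stand-in for the second-stage script and a made-up key.
SAMPLE_KEY = b"k3y"
SAMPLE_SCRIPT = "const CONTRACT_CONFIG = { RPC_HOSTS: ['rpc.placeholder.invalid'] };"
SAMPLE_BLOB = encode_errtraffic_layer(SAMPLE_SCRIPT, SAMPLE_KEY)

def decode_sample() -> str:
    return decode_errtraffic_layer(SAMPLE_BLOB, SAMPLE_KEY)

if __name__ == "__main__":
    print(classify_blob(SAMPLE_BLOB), "->", decode_sample())
```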


Stage 3: EtherHiding

One of the notable updates in ErrTraffic V3 is the adoption of EtherHiding. EtherHiding is a technique that leverages blockchain technology to host malicious code or configuration data through a smart contract, which is used to deploy ClickFix-style lures. A smart contract is a program deployed on a blockchain that automatically executes predefined logic when certain conditions are met.

Instead of hosting payloads directly on a compromised website, this script queries a remote blockchain RPC endpoint and retrieves a malicious payload stored in the smart contract.

Figure 11. Retrieval of malicious payload from an RPC endpoint.

Going back to the decoded script, ErrTraffic initially calls the getUrlFromContract() function to retrieve the command-and-control (C2) panel domain from a blockchain smart contract. Instead of hardcoding the server address directly in the script, the malware queries multiple Polygon RPC endpoints defined in the CONTRACT_CONFIG.RPC_HOSTS array.

eth_call is used to call a function within a smart contract; it executes a new message call immediately without creating a transaction on the blockchain. In this case, the script uses the following wallet address:

0x08207B087F61d7e95E441E15fd6d40BEfd6eD308

Figure 12. Retrieval of an attacker-controlled URL.

This contract returns another ABI-wrapped, hex-encoded blob. After decoding the response, the returned value is an attacker‑controlled URL:

Figure 13. Latest decoded server retrieved from the Polygon RPC endpoint.

Note: The data parameter (0x38bcdc1c) is derived from the first four bytes of the Keccak-256 hash of the function signature, which uniquely identifies a function within the Ethereum Virtual Machine. In this case, the function signature translates to “getURL()”.

Figure 14. Encoding logic of the data parameter getURL().

 

ErrTraffic vs ClearFake

Within the ClickFix ecosystem, ClearFake is the primary user of the EtherHiding loader. Like ErrTraffic, ClearFake is a ClickFix-style JavaScript framework operated by threat actors. This framework can also embed inline scripts directly into compromised websites.

Figure 15. Embedded inline JavaScript of ClearFake
Figure 15. Embedded inline JavaScript of ClearFake.

The ClearFake framework embeds malicious JavaScript using a data URI containing Base64‑encoded code. Unlike ErrTraffic, it does not apply XOR or other additional decoding routines. Below is a sample configuration used in a ClearFake campaign:

Figure 16. ClearFake configuration.

While ErrTraffic uses a single smart contract call, ClearFake typically interacts with three separate smart contracts for its operations:

First Smart Contract

The script initially retrieves data from the “bsc-testnet.drpc[.]org” RPC endpoint using the following address:

0xA1decFB75C8C0CA28C10517ce56B710baf727d2e

The contract returns a hex‑encoded response, which is decoded into a Base64 string using atob() and then executed as JavaScript through eval(). This component prepares the next stages of the infection chain by retrieving additional code segments from the Binance Smart Chain (BSC) testnet, a network normally used by developers to test smart contracts before deployment.

Second Smart Contract

The decoded payload is a function that is largely identical to the first smart contract logic but uses the following RPC endpoint: “data-seed-prebsc-1-s1[.]bnbchain[.]org:8545”.

This stage performs several environment checks, such as inspecting for headless browser frameworks and evaluating the system’s user‑agent string. If automated browsing behavior is detected, the execution chain terminates. If the checks pass, another function that directs the victim to an OS‑specific smart contract is triggered. When executed, the script renders a ClearFake prompt tailored to the user’s operating system.

Third Smart Contract

Once redirected, the script assigns each system a universally unique identifier (UUID). The script constructs another smart contract call and sends it via eth_call to the following contract:

0xf4a32588b50a59a82fbA148d436081A48d80832A

The call to this contract includes an encoded IP address value in the data parameter. The IP address is retrieved using the following URL: hxxps://ip-info.ff.avast[.]com/v2/info.

The function also checks whether the provided UUID already exists and returns either "yes" or "no". If the response is "yes", the script terminates and the ClearFake payload is not displayed, to avoid re-infecting victims.

Below is a comparison of the smart contract calls used by ErrTraffic and ClearFake during execution:

Table 6. Comparison of ErrTraffic and ClearFake.

 

Stage 4: ClickFix

In ClearFake, each OS‑specific smart contract returns an ABI‑wrapped, hex‑encoded blob that contains the next JavaScript stage. This design enables a single injection point to deliver different payloads based on the user’s platform.

Table 7. ClearFake artifact.

Figure 17. ClearFake ClickFix sample.

In contrast, ErrTraffic does not retrieve the next-stage payload via a smart contract transaction. Instead, the command copied from the ClickFix lure is generated directly by ErrTraffic on the compromised website.

Figure 18. ErrTraffic payload retrieval.

One of ErrTraffic’s key features is its support for multiple languages. This allows the ClickFix lure to dynamically adapt the displayed content based on the visitor’s browser language settings.

Figure 19. Code snippet showing the multilingual internationalization (i18n) configuration.

The retrieved payload contains an obfuscated PowerShell script that is automatically encrypted using unique XOR keys, similar to the inline scripts observed on compromised websites. This PowerShell script is copied to the user’s clipboard once the ClickFix lure is loaded.

Figure 20. ErrTraffic ClickFix sample.

Table 8. Encoded ErrTraffic artifact.

Below is the decoded version of the PowerShell command:

Figure 21. Decoded ErrTraffic ClickFix.

After being triggered, the script forces the use of TLS 1.2, creates a randomly named directory and executable file in the system’s temporary folder, and attempts multiple times to retrieve the payload from the attacker-controlled endpoint.

Table 9. Decoded ErrTraffic artifact.

 

Stage 5: Backend API Communication

ErrTraffic relies on an API endpoint to fetch payloads and deliver them as part of the ClickFix campaign.

Figure 22. ErrTraffic configuration.

Table 10. Sample configuration object accepted by ErrTraffic.


Action

First, the loader retrieves the latest configuration from the attacker-controlled server by calling refreshConfigFromApi(). It then executes the updateUrls() function, which initializes all runtime API endpoints using the domain obtained from the blockchain smart contract (EtherHiding).

Figure 23. Function that generates data for API communication.

The script communicates with the server API by specifying an action type in the “a” parameter, which controls what the API should do. Examples include:

  • evt: Logs user events such as page views.
  • init: Performs session (logUrl) or API initialization (TokenUrl). Note: The value of “token” is retrieved during this session.
  • cfg: Fetches the latest configuration.
  • dl: Fetches the latest payload.

Once the base URL is determined, the function generates a configuration request URL using buildApiUrl({a:'cfg'}). This encrypted request is sent to the backend server, which returns a configuration object controlling the malware’s behavior.

The response is then processed by the decryptApiEnvelope() function to handle encrypted responses. The function checks whether the response object contains an encrypted payload stored in the field “q”. Depending on the server response, two encryption schemes may be used:

  • gcm1 mode (modern) – AES-GCM encryption with a derived key.
  • q2 mode (legacy) – RC4 encryption using the base key and nonce.

If decryption succeeds, the parsed JSON object is returned. Otherwise, the original response object is returned unchanged.

Mode

In the ErrTraffic loader, the “mode” variable is one of the central pieces controlling the malware’s runtime behavior. At its core, mode determines which payload is loaded, how the malware interacts with the victim’s environment, and what operations are logged back to the server.

When the loader first initializes, it sets the mode to "cloudflare". After initialization, the loader calls refreshConfigFromApi() to fetch the latest configuration from the attacker-controlled server. During this process, the mode can be updated.

Figure 24. List of ClickFix theme modes.

The selected mode corresponds directly to specific script files through the MODE_FILE_MAP, which defines the behavior executed by the malware. During our investigation, we were able to capture and save local instances of several ClickFix modes.

The following is the list of available ClickFix modes:

Figure 25. ClickFix browser mode.

Figure 26. ClickFix font mode.

Figure 27. ClickFix reCAPTCHA mode.

Figure 28. ClickFix BSOD mode.

Figure 29. ClickFix Cloudflare mode.

Figure 30. ClickFix content display fix (cf_update) mode.


Operational Security (OpSec) Failure

Despite the effort to encrypt communications and hide infrastructure behind blockchain-based domain resolution, the implementation contains a notable operational security weakness. Every API request includes a token parameter, which corresponds to a hardcoded hexadecimal cryptographic key stored in the API_Q2_KEY_HEX variable.

This key is used as the base secret for encrypting outgoing API requests and decrypting server responses. Since the key is embedded in the script, it can be extracted through static analysis, allowing the encrypted communication to be reproduced and decrypted.

Figure 31. Decoded configuration from different C2 API server responses.

The threat actor is also utilizing a hardcoded authentication key across multiple instances of the backdoor console. Even though the backdoor uses advanced cryptographic checks (HMAC), the reuse of the same secret key across sites represents a critical OpSec failure that allows defenders and researchers to systematically identify the backdoor across multiple compromised installations.

Figure 32. Hardcoded authentication keys within the backdoor.

Since the file paths used by the backdoor are hardcoded, we can easily track other compromised websites as well: 

Figure 33. List of possibly compromised websites.


Infrastructure Analysis

Analyzing threat actor infrastructure is a useful technique to uncover additional indicators that could be used to proactively monitor an evasive adversary.

Figure 34. ErrTraffic infrastructure.

Historically, the ErrTraffic infrastructure is concentrated among a few hosting providers and ASNs:

  • Omegatech LTD (AS202412): Most domains (~66) are centralized here, covering many TLDs, including “.click”, “.beer”, “.sbs” and “.shop”. This is a bulletproof hosting cluster and is already included in the DROP list of the Spamhaus Blocklist (SBL). Domain naming within this cluster heavily impersonates CDN infrastructure, web asset delivery services, and front-end libraries, including references to fonts, APIs, JavaScript frameworks, image hosting, and cloud services. The domains here are registered to “Dynadot LLC”, and the associated IP addresses share a unique SSH fingerprint:

ssh: 75:04:56:1b:27:35:f3:37:60:2e:9f:12:0b:c6:c9:e0

  • Cloudflare, Inc. (AS13335): The domains (~20) here leverage the Cloudflare infrastructure, primarily through “.workers.dev”. These domains typically appear as portal-style websites, service platforms, or security verification systems.
  • BL Networks (AS399629): A smaller cluster (~12 domains) is associated with this ASN. Many of the domains use the “.shop” TLD and are registered through “Web Commerce Communications Ltd.”, while associated “.com” domains are typically registered through “NameCheap, Inc.”.
  • Play2go International Limited (AS215439): Another smaller cluster (~11 domains) is hosted within this ASN, primarily using the “.cfd” TLD. These domains are registered through “NICENIC International Group Co., Limited.”.

Figure 35. ErrTraffic ASN distribution.

Since March 11, 2026, the Polygon address 0x08207b087f61d7e95e441e15fd6d40befd6ed308 has created over 15 smart contracts that host domains used in the latest ErrTraffic campaigns. These latest IOCs are registered through “Global Domain Group LLC”, which is still affiliated with Dynadot LLC. The domains exhibit traits consistent with earlier ErrTraffic and WordPress beaconing infrastructure, including API endpoints and uncommon top-level domains (TLDs).

Figure 36. Whois record of recent ErrTraffic and beaconing domain.

Unlike previous campaigns that relied heavily on Omegatech-hosted domains, the latest IOCs resolve to Cloudflare (AS13335). This shift provides threat actors with the ability to serve domains through Cloudflare’s CDN and Workers infrastructure, which helps them evade detection and make it more difficult for defenders to track their latest campaign.

Pivoting on these infrastructure similarities using Urlscan.io, we found additional domains and potentially compromised websites that are linked to this campaign:

Figure 37. Pivoting using URLScan.io.

 

Outlook

The emergence of ErrTraffic V3 is a game changer for threat actors. As this tool continues to evolve with more features and delivery techniques, the effectiveness and utilization of ClickFix will continue to rise. Recent trends show that threat actors rely more on leveraging decentralized technologies to manage their operations, such as obtaining configuration data and C2 infrastructure. As a result, the abuse of blockchain-based technologies, such as EtherHiding, is likely to remain an important component of the ClickFix ecosystem and other cyber threats.

Although the current campaign heavily targets WordPress websites, future campaigns may extend beyond this platform. Attackers may attempt to compromise other content management systems (CMS) or vulnerable web applications to increase the scale of their operations.

Social engineering techniques will remain a central element of ClickFix campaigns. ErrTraffic currently supports multiple ClickFix delivery modes that mimic legitimate security prompts, including Cloudflare verification pages, reCAPTCHA challenges, browser update messages, and fake system errors such as BSOD. These modes are designed to resemble familiar security checks and system notifications. The use of multilingual content and environment-aware targeting further strengthens these lures by adapting the message based on the visitor’s browser language, operating system, and environment, making the prompts appear more legitimate to victims.

Despite the use of advanced obfuscation and decentralized infrastructure, operational security weaknesses continue to provide valuable opportunities for defenders. Hardcoded authentication keys and reusable configuration elements can allow security researchers to identify related infrastructures, track additional compromised websites, and monitor the development of malicious campaigns.

 

Indicators of Compromise

ErrTraffic

WordPress Backdoor

ClearFake
