The Rise of ErrTraffic and ClickFix Phishing Panels | Femto Security Threat Intelligence

Key Takeaways

The ErrTraffic panel automates ClickFix social engineering, tricking users into manually executing malicious PowerShell scripts via clipboard hijacking.
Initial access relies heavily on compromising content management systems like WordPress and Ghost CMS using known critical vulnerabilities.
The platform utilizes the EtherHiding technique, querying Polygon blockchain smart contracts to resolve command and control servers dynamically.

Original source screenshot for The Rise of ErrTraffic and ClickFix Phishing Panels — Original source screenshot - forum.exploit.in

Adversary Profile: LenAI

LenAI

aka ErrTraffic Operator, ErrTraffic Developer

Origin: Russian-language cybercrime underground
Motivation: Financial (MaaS subscriptions & source code sales)
TTPs: ClickFix social engineering templatesEtherHiding dynamic C2 resolutionWordPress and Ghost CMS exploitationClipboard hijacking

ErrTraffic Attack Chain Process

1Server Compromisecritical
Exploitation of CVE-2020-25213 (WP File Manager) or CVE-2026-26980 (Ghost CMS) to inject session-manager.php backdoor.
critical
2Target Profilinglow
JavaScript uses geolocation APIs (ipwho.is) to profile users, filtering out CIS targets.
low
3DOM Manipulation & Luremedium
Page text changes to Zalgo characters and displays fake error overlay asking to 'Fix Glitch'.
medium
4Clipboard Hijackhigh
User click on modal button force-writes highly obfuscated PowerShell commands to the clipboard.
high
5User-Assisted Executioncritical
User is socially engineered to open Windows Run dialog (Win+R) and paste (Ctrl+V) the shellcode.
critical
6EtherHiding C2 & Payloadscritical
PowerShell script queries Polygon blockchain (0x08207B...) to decode C2 address, loading infostealers.
critical

MITRE ATT&CK Mapping

Initial Access

T1190

Exploit Public-Facing Application

T1566.002

Spearphishing Link

Execution

T1204.004

User Execution: Malicious Copy and Paste

T1059.001

Command and Scripting Interpreter: PowerShell

Persistence

T1505.003

Server Software Component: Web Shell

Command and Control

T1102.001

Web Service: Dead Drop Resolver

T1071.001

Application Layer Protocol: Web Protocols

EDR PowerShell Rule Pattern

errtraffic_powershell.ymlyaml

1detection:
2  selection_parent:
3    ParentProcessName|endswith:
4      - '\\explorer.exe'
5      - '\\cmd.exe'
6  selection_process:
7    Image|endswith: '\\powershell.exe'
8  selection_cmdline:
9    CommandLine|contains:
10      - '.reverse()'
11      - 'replace'
12      - 'gzip'
13  condition: selection_parent and selection_process and selection_cmdline

Technical Indicators of Compromise

cve
CVE-2020-25213
WP File Manager Remote Code Execution (CVSS 9.8)
cve
CVE-2020-25213
WP File Manager Remote Code Execution (CVSS 9.8)
cve
CVE-2026-26980
Ghost CMS Unauthenticated SQL Injection (CVSS 9.8)
cve
CVE-2026-26980
Ghost CMS Unauthenticated SQL Injection (CVSS 9.8)
domain
webanalytics-cdn.sbs
C2 cookie exfiltration domain
domain
webanalytics-cdn.sbs
C2 cookie exfiltration domain
domain
llc-image-ico.click
Script injection hosting node
domain
llc-image-ico.click
Script injection hosting node
domain
antigravity.study
Danabot delivery masquerade site
domain
antigravity.study
Danabot delivery masquerade site
domain
chatgpt-web.vip
ChatGPT phishing lure theme page
domain
chatgpt-web.vip
ChatGPT phishing lure theme page
ip
172.59.242.93
Threat actor backdoor injection source IP
ip
172.59.242.93
Threat actor backdoor injection source IP
ip
68.60.174.238
Threat actor backdoor injection source IP
ip
68.60.174.238
Threat actor backdoor injection source IP
hash
0x08207B087F61d7e95E441E15fd6d403
Polygon blockchain smart contract (EtherHiding resolver)
hash
0x08207B087F61d7e95E441E15fd6d403
Polygon blockchain smart contract (EtherHiding resolver)

How to Defend Against Similar Threats

Deploy file integrity monitoring across web servers to detect unauthorized modifications to content management directories.
Implement endpoint detection rules to flag anomalous PowerShell processes spawned by explorer.exe or cmd.exe.
Educate enterprise users regarding the risk of paste-and-run prompts and never executing terminal commands written to their clipboard.

Threat Intel FAQ

What is the ClickFix technique used by the ErrTraffic panel?

The ClickFix technique is a user-assisted social engineering method. Instead of relying on direct browser exploits, the attack script modifies the target website's layout to mimic a font error or verification check. It then writes an obfuscated PowerShell script to the victim's clipboard and instructs them to open the Run dialog box using the keyboard shortcut Windows Key + R, paste the code using Ctrl + V, and press Enter. This process completely bypasses traditional browser sandboxing and web application security layers.

How does the ErrTraffic panel maintain resilient command and control servers?

The ErrTraffic panel leverages a method known as EtherHiding. The executed PowerShell script queries decentralized public Polygon blockchain smart contracts, which serve as Dead Drop Resolvers (DDR). The script extracts and decodes the transaction data to obtain the current IP address of the active C2 server. This approach prevents traditional security controls from shutting down the campaign through standard domain name service (DNS) takedowns or IP blacklisting.

Could a similar threat affect your organization?

If your team may be exposed to a similar threat, FemtoSec can help validate blast radius, prioritize remediation, and connect the issue to a practical security program.