Phase 1: Initial Access and Infrastructure Compromise
Before launching a campaign, affiliates must establish a network of compromised web servers to host the redirection scripts and landing pages. Attackers systematically target popular Content Management Systems (CMS), specifically WordPress and Ghost CMS, employing a mix of automated credential stuffing and known software vulnerabilities:
Vulnerability Exploitation: Attackers actively exploit CVE-2020-25213, a critical remote code execution flaw in the WordPress File Manager plugin, to drop backdoor shells onto target hosts. They also target CVE-2026-26980, an unauthenticated SQL injection vulnerability in Ghost CMS, allowing them to extract administrative database secrets and API keys directly.
Backdoor Injection: Once administrative access is achieved, a Base64-encoded loader is injected into the active theme's functions.php file. This script dynamically drops a persistent must-use PHP plugin (commonly named session-manager.php) into the /wp-content/mu-plugins/ directory. This plugin operates silently as a web shell, WooCommerce data skimmer, and dynamic script injector.
Phase 2: Victim Profiling and Visual Distortion
When an unsuspecting visitor accesses a compromised page, the injected ErrTraffic JavaScript initiates a silent profiling sequence. The script queries public geolocation APIs, such as ipwho.is, to identify the visitor's origin. To evade local law enforcement and focus on high-value targets, the panel explicitly filters out visitors originating from Commonwealth of Independent States (CIS) countries.
If the profiling criteria are met, the script dynamically alters the webpage's Document Object Model (DOM). It applies custom CSS distortions and translates standard web fonts into scrambled Zalgo characters. This visual disruption creates the convincing illusion that the user's browser or operating system has encountered a critical font rendering error or security exception. A modal pop-up then appears, prompting the user to complete a verification step to fix the rendering issue.
Phase 3: Clipboard Hijacking and Paste-and-Run Social Engineering
The core innovation of the ClickFix technique lies in its exploitation of user behavior rather than software flaws. When the victim clicks the Fix or Verify button within the modal interface, the underlying JavaScript immediately executes a clipboard hijack. It writes a highly obfuscated PowerShell command sequence directly to the victim's local system clipboard, bypassing standard browser security boundaries that restrict direct file writes to disk.
The modal interface then displays step-by-step instructions guiding the victim to execute the pasted code manually. This sequence relies entirely on user-assisted execution (MITRE ATT&CK T1204.004):
The user is instructed to press the Windows Key + R shortcut to open the native Windows Run dialog box.
The user is prompted to press Ctrl + V to paste the contents of the hijacked clipboard into the dialog box.
The user presses Enter, executing the highly obfuscated command string directly via the local shell interpreter.
Phase 4: Dead Drop Resolvers and Infostealer Execution
Upon execution, the PowerShell command initiates the final phase of the attack. In modern ErrTraffic v3 and v4 panels, the command utilizes a technique known as EtherHiding. Instead of querying a static command and control (C2) server, the PowerShell script sends a query to public Polygon blockchain smart contracts (such as 0x08207B087F61d7e95E441E15fd6d403) acting as Dead Drop Resolvers (DDR). The script decodes the transaction data to retrieve the active C2 IP address, creating highly resilient infrastructure that cannot be easily taken down.
Once the C2 is resolved, the PowerShell process downloads and executes the primary malware payloads in-memory. The typical payloads distributed by ErrTraffic affiliates include leading information stealers such as Vidar, Stealc, Lumma Stealer, and Danabot, alongside Remote Access Trojans like SmartRAT. These utilities rapidly harvest stored browser credentials, session tokens, and financial data, transmitting them back to the attacker's administrative dashboard.