
BETA DETECTION: ErrTraffic ClickFix C2 API Endpoint Pattern

  • June 17, 2026
Aaron Beardslee
name: ErrTraffic ClickFix C2 API Endpoint Pattern Analytic
signatureid: PXY-WEB10-RUN
category: 'Command and Control'
threatname: 'Application Layer Protocol: Web Protocols'
functionality: 'Web Proxy'

description: |
  Detects outbound HTTP requests matching the distinctive C2 API endpoint patterns used by the
  two identified ErrTraffic ClickFix framework clusters ("Analytics" and "Beer"), as documented
  by Sekoia TDR. The "Analytics" cluster fetches its ClickFix lure script from a /cf.js endpoint
  after resolving its C2 via a single stable Polygon smart contract. The "Beer" cluster instead
  queries /api/index.php with a distinctive parameter set (a=ctx, os=, src=cloudflare,
  mode=download) to retrieve an RC4-encrypted PowerShell command, or loads its injector via
  /api/css.js. These endpoint and parameter patterns are independent of the current C2 domain,
  which both clusters rotate frequently via EtherHiding, making this a more durable signature
  than domain-based blocking alone.
reference:
  - https://blog.sekoia.io/unveiling-errtraffic-inside-a-growing-clickfix-malware-distribution-framework/
  - https://www.levelblue.com/blogs/spiderlabs-blog/err-hiding-and-seek-how-errtraffic-v3-leverages-etherhiding-in-clickfix-campaign
  - https://censys.com/blog/errtraffic-inside-glitchfix-attack-panel/
labels:
  - attack.command_and_control
  - attack.t1071.001
  - attack.t1102.002
  - ErrTraffic
  - ClickFix
  - EtherHiding
  - LenAI
  - GlitchFix
logsource:
  product: Web Proxy
  category: proxy
detection:
  selection_analytics_cluster:
    Method: GET
    CsUriPath|contains: '/cf.js'
  selection_beer_cluster_lure:
    Method: GET
    CsUriPath|contains: '/api/css.js'
  selection_beer_cluster_ctx:
    Method: GET
    CsUriPath|contains: '/api/index.php'
    CsUriPath|contains|all:
      - 'a=ctx'
      - 'mode=download'
  selection_beer_cluster_params:
    CsUriPath|contains|all:
      - 'src=cloudflare'
      - 'rid='
  condition: selection_analytics_cluster or selection_beer_cluster_lure or selection_beer_cluster_ctx or selection_beer_cluster_params
criticality: High
saveasthreat: false

violation_summary:
  grouping_attribute: 'accountname'
  level2_attribute: 'devicehostname'
  level2_metadata_attributes:

TECHNICAL DETAILS


    ErrTraffic cluster-specific endpoint fingerprints documented by Sekoia TDR:

    "Analytics" cluster:
      - Initial injection script is Base64-encoded and XOR-obfuscated, uses EtherHiding
        (single Polygon smart contract 0x08207B087F61d7e95E441E15fd6d40BEfd6eD308) to
        resolve the current C2 domain.
      - Fetches the ClickFix lure script from: GET /cf.js
      - Communications with C2 are NOT further obfuscated (unlike Beer cluster).
      - Exclusively distributes Vidar infostealer as of April/May 2026.

    "Beer" cluster:
      - Uses multiple Polygon smart contracts via Quicknode RPC; each contract is believed
        to map to a distinct affiliate/operator and a distinct payload family.
      - Older injection method (pre-EtherHiding, now deprecated) used:
          <link rel="dns-prefetch" href="//[domain]">
          <script src="https://[domain]/api/css.js?b=[id]&r=[id]">
      - Current method: obfuscated JS (Base64 + XOR + text-encoding) queries the blockchain,
        communicates with C2 using RC4 encryption, and retrieves the ClickFix lure via
        /api/index.php with this URL pattern:
          https://[C2-DOMAIN]/api/index.php?a=ctx&os=windows&src=cloudflare&cb=[BROWSER]
            &ref=[REFERRER]&mode=download&rid=[RAY_ID]
      - The API response is a JSON object containing an RC4-encrypted PowerShell command,
        keyed to the injection script.
      - Distributes Vidar, Stealc, Remus, Salat, undocumented infostealers, RATs, and loaders
        (e.g. SmokeLoader) depending on which smart contract/affiliate served the lure.
      - Also observed serving non-WordPress lure sites impersonating AI platforms (Google
        Antigravity, ChatGPT) via the same /api/index.php and css.js endpoint patterns,
        delivering DanaBot and HijackLoader respectively.

    Both clusters' endpoint patterns (path + parameter names) remain stable across C2 domain
    rotations, since EtherHiding is used specifically to let the operator change the domain
    without redeploying the injected JavaScript or panel code. This makes path/parameter-based
    detection materially more durable than domain or IP blocklisting for this threat.

    Tuning guidance:
      - /cf.js and /api/css.js are short, generic-looking filenames; false positive risk
        exists if legitimate sites happen to use these exact paths for unrelated JS/CSS
        bundling. Validate hits against destination domain reputation/age before escalating
        on these two selectors alone.
      - selection_beer_cluster_ctx and selection_beer_cluster_params are the highest-confidence
        selectors because the parameter combinations (a=ctx + mode=download, or
        src=cloudflare + rid=) have no known legitimate use. Note that contains is a plain
        substring match, so 'a=ctx' also matches an unrelated parameter such as data=ctx;
        corroborate against the full parameter set in the raw request URI before escalating.
      - The ctx and params selectors only work if CsUriPath carries the full request URI
        (path plus query string). Proxies that log in W3C extended format split these into
        cs-uri-stem and cs-uri-query; if your log source maps only the path into CsUriPath,
        those two selectors will never fire and must be re-pointed at the field that holds
        the query string before deployment.

    False positives:
      - selection_analytics_cluster / selection_beer_cluster_lure: low-moderate, dependent on
        coincidental path naming on unrelated sites.
      - selection_beer_cluster_ctx / selection_beer_cluster_params: expected to be very low;
        the parameter combination is specific to ErrTraffic's "Beer" cluster API contract.
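The following is an added example for this post, not Securonix policy-engine code: it re-implements the four selectors from the detection block above as a literal substring match over constructed proxy records (field names Method and CsUriPath follow the policy), and adds a stricter query-parsing check for the Beer cluster ctx request so the two tuning caveats are visible side by side. The sample records, the browser/referrer values and the rid value are constructed, and no real C2 domain is used.

```python
"""Re-implementation of the four PXY-WEB10-RUN selectors over constructed
proxy records, plus a stricter query-parser check for the Beer cluster.

Added example for this post; it is not Securonix policy-engine code.
Field names (Method, CsUriPath) follow the policy above; all records are
constructed and no real C2 domain is used.
"""
from urllib.parse import parse_qs, urlsplit


def _has_all(haystack: str, needles) -> bool:
    """Sigma-style contains|all: every needle is a substring of the haystack."""
    return all(n in haystack for n in needles)


def match_selectors(record: dict) -> list:
    """Return the names of the policy selectors that fire for one proxy record.

    This mirrors the detection block literally: 'contains' is a plain
    substring test, and the Beer-cluster selectors only see query
    parameters if CsUriPath carries the full URI (path + query string).
    """
    method = record.get("Method", "")
    uri = record.get("CsUriPath", "")
    hits = []
    if method == "GET" and "/cf.js" in uri:
        hits.append("selection_analytics_cluster")
    if method == "GET" and "/api/css.js" in uri:
        hits.append("selection_beer_cluster_lure")
    if (method == "GET" and "/api/index.php" in uri
            and _has_all(uri, ("a=ctx", "mode=download"))):
        hits.append("selection_beer_cluster_ctx")
    if _has_all(uri, ("src=cloudflare", "rid=")):
        hits.append("selection_beer_cluster_params")
    return hits


def strict_beer_ctx(uri: str) -> bool:
    """Higher-confidence corroboration for the Beer-cluster ctx request.

    Parses the query string instead of substring-matching, so 'a=ctx' must be
    a whole parameter (substring matching would also accept 'data=ctx'), and
    requires the full parameter set from the documented URL pattern.
    """
    parts = urlsplit(uri)
    if not parts.path.endswith("/api/index.php"):
        return False
    q = parse_qs(parts.query, keep_blank_values=True)
    return (q.get("a") == ["ctx"]
            and q.get("mode") == ["download"]
            and q.get("src") == ["cloudflare"]
            and "rid" in q)


# Constructed proxy records (not captured traffic). The first two follow the
# URL shapes documented above; the rest exercise the tuning caveats.
SAMPLE_RECORDS = [
    {"Method": "GET", "CsUriPath": "/cf.js"},
    {"Method": "GET", "CsUriPath": "/api/index.php?a=ctx&os=windows&src=cloudflare"
                                   "&cb=chrome&ref=https%3A%2F%2Fexample.test%2F"
                                   "&mode=download&rid=9c2f6b1d4e8a7c30"},
    # Query string logged in a separate field: the ctx/params selectors are blind.
    {"Method": "GET", "CsUriPath": "/api/index.php"},
    # Same path but POST: the lure selector requires GET, so nothing fires.
    {"Method": "POST", "CsUriPath": "/api/css.js?b=1&r=2"},
    # Substring 'a=ctx' also lives inside 'data=ctx': the literal selector
    # fires, the strict parser does not.
    {"Method": "GET", "CsUriPath": "/api/index.php?data=ctx&mode=download"},
]


def run_policy(records=SAMPLE_RECORDS) -> list:
    """Evaluate every record; return (uri, selector hits, strict ctx flag)."""
    return [(r["CsUriPath"], match_selectors(r), strict_beer_ctx(r["CsUriPath"]))
            for r in records]


if __name__ == "__main__":
    for uri, hits, strict in run_policy():
        print(f"{uri}\n    hits={hits} strict_ctx={strict}")
```

Running it shows the full Beer request tripping both high-confidence selectors, the path-only record tripping nothing (the CsUriPath mapping caveat), and the data=ctx record tripping the literal ctx selector while the parser rejects it, which is the kind of corroboration step worth applying before escalating a hit.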


A policy building walkthrough can be found in this previous post:
https://connect.securonix.com/threat%2Dresearch%2Dintelligence%2D62/beta%2Ddetection%2Dtelnyx%2Dteampcp%2Dcredential%2Dexfiltration%2D241