ErrTraffic MaaS Uses Fake reCAPTCHA and Cloudflare Turnstile Lures to Execute PowerShell Commands

Originally published in Cybersecurity News (cybersecuritynews.com) by Blog Writer.


A new and rapidly growing cybercrime tool called ErrTraffic is making waves across the threat landscape, targeting internet users through cleverly disguised verification screens.

The framework tricks victims into running malicious PowerShell commands on their own machines, all while believing they are simply completing a routine security check.

It first appeared in late 2025 and has since grown into a full Malware-as-a-Service operation that allows cybercriminals to rent the tool and deploy their own attacks against a wide range of targets.

ErrTraffic works by injecting a harmful JavaScript snippet into legitimate but compromised WordPress websites.

When an unsuspecting visitor lands on one of these pages, they are shown a fake verification screen that closely mimics trusted services like Google reCAPTCHA or Cloudflare Turnstile.

The victim is prompted to press a keyboard shortcut, which secretly executes a PowerShell command that has already been quietly loaded into their clipboard by the malicious background script.

Analysts at Sekoia said in a report shared with Cyber Security News (CSN) that ErrTraffic is built on the ClickFix social engineering tactic and uses a technique called EtherHiding to conceal its command-and-control infrastructure inside Polygon blockchain smart contracts.

This design makes it significantly harder for security tools to detect and block malicious traffic, since the attacker infrastructure can be rotated without redeploying code.

The tool is sold by a threat actor operating under the handle LenAI on the cybercrime forum Exploit.IN and through Telegram.

Pricing climbed throughout 2026, with monthly subscriptions rising from $300 to $380 and source code prices jumping from $1,500 in January to $4,500 with lifetime updates included.

Clickfix lures (Source – Sekoia)

The steep pricing reflects both the framework’s effectiveness and its growing reputation within underground criminal communities.

Security researchers identified two distinct ErrTraffic clusters, named “Analytics” and “Beer,” each running separate infrastructure and delivering different malware families including Vidar, Stealc, Remus, Salat, SmokeLoader, and various remote access tools.

Some WordPress sites were found infected by both clusters simultaneously, pointing to competition and operational overlap between the multiple threat actors leveraging this framework.

ErrTraffic MaaS Uses Fake reCAPTCHA and Cloudflare Turnstile Lures

The infection chain begins the moment a visitor loads a compromised WordPress page. A hidden JavaScript payload, encoded using Base64 and XOR techniques, queries the Polygon blockchain to retrieve the active C2 server address.

This rotating infrastructure model allows attackers to swap servers daily without modifying the thousands of infected websites already hosting their injected code.

Once the C2 address is resolved, the script loads the ClickFix lure through API endpoints such as /cf.js or /api/css.js, depending on the active cluster.

The lure renders a convincing CAPTCHA or Cloudflare Turnstile screen that tells the visitor to "verify" themselves by pressing a keyboard shortcut.

Pressing that shortcut pastes and runs the command the background script has already placed in the clipboard. That command launches a PowerShell script which downloads and executes the final payload, ranging from infostealers to loaders and remote access tools.

ErrTraffic PowerShell Commandline (Source – Sekoia)

Attackers also impersonate legitimate AI platforms to extend ErrTraffic’s reach. Malicious websites posing as Google Antigravity and ChatGPT were used to deliver the same ClickFix lure, targeting users searching for AI software.

These campaigns are believed to be spread via malvertising, allowing them to reach victims entirely outside the compromised WordPress ecosystem.

Backdoor Deployment and Persistent Access

After gaining entry to a WordPress site through stolen administrator credentials, attackers deploy a PHP backdoor named session-manager.php inside the mu-plugins directory, where WordPress automatically loads it without any manual activation.

The implant harvests login credentials by intercepting authentication requests, skims WooCommerce order data in a server-side Magecart-style attack, and provides a webshell for remote code execution.

To avoid detection, the backdoor monitors incoming User-Agent strings for signatures belonging to tools like Wordfence and Nikto, then pauses all malicious behavior for thirty minutes when those tools are identified.

Defenders should enable PowerShell ScriptBlock logging to catch XOR-decoded commands tied to ErrTraffic, and monitor blockchain RPC connections followed immediately by PowerShell execution as high-confidence behavioral indicators.
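The behavioural indicator above (a connection to a blockchain RPC endpoint, then a powershell.exe launch on the same host within seconds, optionally followed by a script block containing XOR or Base64 decoding) can be expressed as a small correlation rule. The following is an added example, not Sekoia's or the article's code: the event records are constructed to resemble endpoint telemetry (network, process creation and PowerShell script block events, the last corresponding to Script Block Logging in the PowerShell operational log), and the RPC host set, field layout and time window are assumptions a defender would replace with their own.

```python
"""Correlate blockchain-RPC lookups with PowerShell launches on the same host.

Added example; not the article's or Sekoia's code. Events are constructed
sample telemetry; the RPC host list and field names are assumptions.
"""
import re
from datetime import datetime, timedelta

# Hosts treated as blockchain RPC endpoints. Placeholder set: populate it
# from your own telemetry or threat-intel feeds.
BLOCKCHAIN_RPC_HOSTS = {"rpc.polygon.example", "polygon-rpc.example"}

# Script block content consistent with the XOR/Base64-decoded stagers the
# article describes: -bxor decode loops, FromBase64String, IEX/Invoke-Expression.
SUSPICIOUS_SCRIPT_RE = re.compile(
    r"-bxor|FromBase64String|\bIEX\b|Invoke-Expression", re.IGNORECASE)

# Constructed sample events: (timestamp, host, kind, detail).
SAMPLE_EVENTS = [
    ("2026-03-10T09:00:01", "WS01", "network", "rpc.polygon.example:443"),
    ("2026-03-10T09:00:04", "WS01", "process", "powershell.exe -w hidden -enc SQBFAFgA..."),
    ("2026-03-10T09:00:05", "WS01", "scriptblock", "$k=0x5A;$d=$b|%{$_ -bxor $k};IEX(...)"),
    ("2026-03-10T09:30:00", "WS02", "network", "rpc.polygon.example:443"),
    ("2026-03-10T10:45:00", "WS02", "process", "powershell.exe Get-Process"),   # too late
    ("2026-03-10T11:00:00", "WS03", "process", "powershell.exe -Command Get-Date"),  # no RPC
]


def correlate(events, window_seconds=30):
    """Return one alert per RPC connection that is followed on the same host,
    within window_seconds, by a powershell.exe launch. Severity is raised to
    'high' when a suspicious script block also appears inside the window."""
    window = timedelta(seconds=window_seconds)
    by_host = {}
    for ts, host, kind, detail in sorted(events, key=lambda e: e[0]):
        by_host.setdefault(host, []).append((datetime.fromisoformat(ts), kind, detail))

    alerts = []
    for host, evs in by_host.items():
        for i, (t_net, kind, detail) in enumerate(evs):
            if kind != "network" or detail.rsplit(":", 1)[0] not in BLOCKCHAIN_RPC_HOSTS:
                continue
            # Everything that happened on this host inside the window.
            later = [(t, k, d) for t, k, d in evs[i + 1:] if t - t_net <= window]
            launches = [(t, d) for t, k, d in later
                        if k == "process" and "powershell" in d.lower()]
            if not launches:
                continue
            t_proc, cmdline = launches[0]
            decoded = any(k == "scriptblock" and SUSPICIOUS_SCRIPT_RE.search(d)
                          for _, k, d in later)
            alerts.append({
                "host": host,
                "rpc": detail,
                "cmdline": cmdline,
                "delta_s": (t_proc - t_net).total_seconds(),
                "severity": "high" if decoded else "medium",
            })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

The rule deliberately requires the network event to come first: an RPC lookup that follows PowerShell (for example a wallet client started from a shell) does not match, and WS02's launch 75 minutes after its RPC connection is ignored by the window. Tune `window_seconds` against your own baseline of legitimate RPC traffic before alerting on it.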

Regularly auditing mu-plugins directories and rotating WordPress credentials remain strong baseline protective steps.
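Because the backdoor described above goes quiet when it sees scanner User-Agent strings, an audit of the mu-plugins directory from the file system catches what an HTTP-based scan may miss. The following added example (not the article's or any project's code) walks a mu-plugins tree and flags files by the two file-name patterns from the IoC table and by content markers that correspond to the behaviours described (a User-Agent check naming Wordfence or Nikto, an eval over a decoded string, an auto_prepend_file reference). The content regexes are assumptions, and the sample tree it builds in a temporary directory is constructed so the script runs offline.

```python
"""Audit a WordPress mu-plugins directory for ErrTraffic-style backdoor files.

Added example; not the article's or any project's code. The name patterns
come from the IoC table; the content markers are assumptions. The sample
tree is constructed for demonstration and contains no real malware.
"""
import os
import re
import tempfile

# File-name patterns listed in the article's IoC table.
NAME_PATTERNS = [
    re.compile(r"^session-manager\.php$"),
    re.compile(r"^file-updater-[a-zA-Z0-9]{8}\.php$"),
]

# Content markers (assumed): scanner user-agent gating, eval of decoded
# payloads, and the auto_prepend_file hook mentioned for cookie exfiltration.
CONTENT_MARKERS = {
    "scanner_ua_check": re.compile(r"HTTP_USER_AGENT.{0,200}?(Wordfence|Nikto)",
                                   re.IGNORECASE | re.DOTALL),
    "eval_decode": re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)",
                              re.IGNORECASE),
    "prepend_hook": re.compile(r"auto_prepend_file", re.IGNORECASE),
}


def audit_mu_plugins(path):
    """Return a sorted list of {'file', 'reasons'} for every file under path
    that matches a known name pattern or contains a content marker."""
    findings = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            reasons = [f"name matches {p.pattern}" for p in NAME_PATTERNS if p.match(name)]
            try:
                with open(os.path.join(root, name), "r", errors="replace") as fh:
                    body = fh.read()
            except OSError:
                continue
            reasons += [f"content: {label}" for label, rx in CONTENT_MARKERS.items()
                        if rx.search(body)]
            if reasons:
                findings.append({"file": name, "reasons": reasons})
    return sorted(findings, key=lambda f: f["file"])


def build_sample_tree():
    """Construct a throwaway mu-plugins directory: one benign plugin and two
    files that mimic the article's indicators (placeholder content only)."""
    d = tempfile.mkdtemp(prefix="mu-plugins-")
    samples = {
        "site-tweaks.php": "<?php add_filter('the_content', 'my_tweak');",
        "session-manager.php":
            "<?php if (stripos($_SERVER['HTTP_USER_AGENT'], 'Wordfence') !== false) { /* ... */ }",
        "file-updater-Ab12Cd34.php":
            "<?php add_action('wp_head', function () { eval(base64_decode('...')); });",
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    for finding in audit_mu_plugins(build_sample_tree()):
        print(finding["file"], "->", ", ".join(finding["reasons"]))
```

Run it against the real directory (`audit_mu_plugins("/var/www/html/wp-content/mu-plugins")`, path assumed) as a scheduled job and compare the output with the previous run; any new file in mu-plugins deserves a look regardless of whether it matches a pattern, since WordPress loads everything there without activation.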

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|---|---|---|
| IP Address | 96.178.187[.]175 | Attacker reconnaissance/initial access IP (North American residential ISP) |
| IP Address | 96.181.156[.]219 | Attacker reconnaissance/initial access IP (North American residential ISP) |
| IP Address | 172.59.242[.]93 | Attacker backdoor deployment IP |
| IP Address | 68.60.174[.]238 | Attacker backdoor deployment IP |
| Domain | webanalytics-cdn[.]sbs | C2 domain used to exfiltrate cookies via auto_prepend_file PHP script |
| Domain | llc-image-ico[.]click | "Beer" cluster C2 domain used to load ErrTraffic injection script via /api/css.js |
| Domain | antigravity[.]study | Fake Google Antigravity AI platform lure site delivering ClickFix/Danabot |
| Domain | chatgpt-web[.]vip | Fake ChatGPT lure site delivering ClickFix payload and SideJack loader |
| Blockchain Address | 0x08207B087F61d7e95E441E15fd6d403 | Polygon smart contract used by "Analytics" cluster for C2 resolution via EtherHiding DDR |
| File Name | session-manager.php | Malicious WordPress MU-Plugin backdoor with webshell, credential harvester, and skimmer |
| File Name | file-updater-[a-zA-Z0-9]{8}.php | PHP injector stub that hooks WordPress page rendering to load the ErrTraffic JS payload |
| File Name | css.js | ErrTraffic JavaScript injector containing XOR-encoded ClickFix lure delivery code |
| URL Pattern | hxxps://[ERRTRAFFIC-DOMAIN]/api/index.php?a=ctx&os=windows&src=cloudflare&cb=[BROWSER]&ref=[REFERRER]&mode=download&rid=[RAY_ID] | API call pattern used to retrieve RC4-encrypted PowerShell commands from C2 |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
