New service ErrTraffic automates ClickFix attacks via fake browser glitches

31.12.2025 2 minutes Author: Newsman

Cybersecurity researchers are warning about a new cybercrime service called ErrTraffic, which automates ClickFix attacks by displaying fake browser and website glitches. The tool relies on social engineering to trick users into executing malicious actions that ultimately lead to malware infections.

ErrTraffic operates as a self-hosted traffic distribution system (TDS) that attackers inject into compromised or controlled websites using a single HTML line. Once deployed, the platform fingerprints visitors based on geolocation and operating system and selectively modifies the page’s DOM when targeting conditions are met.

  • Victims are shown deliberately crafted “errors,” such as corrupted text, replaced fonts, fake Chrome updates, or missing system font warnings. These visual glitches create the illusion of a broken website and immediately offer a “fix,” prompting users to install updates, download files, or paste commands into a terminal.

  • If the victim follows the instructions, JavaScript code copies a PowerShell command to the clipboard. Executing it triggers the download of a malicious payload tailored to the victim’s operating system.
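
A defender-side triage pass for the chain described above (a script line pointing at another host, a clipboard write, a PowerShell command string), written for Node.js. This is an added example, not code from the article, the researchers or ErrTraffic; the regex indicators, function names and `example.test` hosts are assumptions, and obfuscated lures will not match.

```javascript
// Heuristic indicators (assumed for this example, not extracted from ErrTraffic).
const CLIPBOARD_WRITE = /navigator\.clipboard\.writeText\s*\(|execCommand\s*\(\s*['"]copy['"]/i;
const SHELL_HINT = /\b(?:powershell|pwsh)(?:\.exe)?\b/i;

// Collect inline <script> bodies and on* event-handler attribute values.
function inlineCode(html) {
  const parts = [];
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) parts.push(m[1]);
  for (const m of html.matchAll(/\son\w+\s*=\s*(["'])([\s\S]*?)\1/gi)) parts.push(m[2]);
  return parts.filter((p) => p.trim() !== '');
}

// List <script src> hosts that differ from the page's own host.
function foreignScriptHosts(html, pageUrl) {
  const base = new URL(pageUrl);
  const hosts = new Set();
  for (const m of html.matchAll(/<script\b[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi)) {
    let u;
    try { u = new URL(m[1], base); } catch { continue; } // skip unparsable src
    if (u.host !== base.host) hosts.add(u.host);
  }
  return [...hosts].sort();
}

// Combine the signals: clipboard write plus shell string is the strong case.
function scanPage(html, pageUrl) {
  const code = inlineCode(html);
  const clipboardWrite = code.some((c) => CLIPBOARD_WRITE.test(c));
  const shellHint = code.some((c) => SHELL_HINT.test(c));
  const foreignHosts = foreignScriptHosts(html, pageUrl);
  let verdict = 'clean';
  if (clipboardWrite && shellHint) verdict = 'suspicious';
  else if (clipboardWrite || foreignHosts.length > 0) verdict = 'review';
  return { clipboardWrite, shellHint, foreignHosts, verdict };
}

// Constructed sample pages; hosts and the copied command are placeholders.
const LURE_PAGE = `<html><body><p>Fonts missing. Click Fix.</p>
<script src="https://cdn.example.test/loader.js"></script>
<button onclick="navigator.clipboard.writeText('powershell -NoProfile -Command Write-Output placeholder')">Fix</button>
</body></html>`;
const NORMAL_PAGE = `<html><body><script src="/static/app.js"></script>
<script>console.log('ready');</script></body></html>`;

console.log(scanPage(LURE_PAGE, 'https://shop.example.test/'));
console.log(scanPage(NORMAL_PAGE, 'https://shop.example.test/'));
```
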

ErrTraffic was first advertised on Russian-speaking hacking forums and is sold for a one-time fee of approximately $800. According to researchers at Hudson Rock, the service claims conversion rates of up to 60% and supports multiple malware families.

Observed payloads include Lumma and Vidar infostealers for Windows, Cerberus for Android, AMOS (Atomic Stealer) for macOS, and Linux backdoors. Notably, the platform contains a hardcoded exclusion for CIS countries, which may hint at the developer’s origin.

Harvested credentials are typically sold on darknet markets or reused to compromise additional websites and redeploy the ErrTraffic script.

ErrTraffic highlights the evolution of ClickFix attacks from manual social engineering to fully automated malware delivery. By exploiting fake browser glitches, attackers can convincingly manipulate users into executing malicious code themselves, bypassing many traditional security controls.
