ErrTraffic Tool Automates ClickFix Cyber Attacks

Cybercrime activity is increasingly shaped by automation and repeatable services. Researchers at Hudson Rock have identified ErrTraffic v2, a platform designed to operationalize ClickFix attacks at scale by packaging social-engineering techniques into an easy-to-use service.

Offered for approximately $800 and promoted on prominent Russian-language forums, the platform shows how complex attack methods are being simplified and sold to a broader criminal audience.

Instead of relying on malicious downloads, the technique abuses user interaction. Victims are shown convincing system-style warnings that prompt them to open PowerShell or the Windows Run dialog and paste a supplied command. Because the user initiates each step, the payload often executes with standard user permissions and avoids traditional endpoint defenses.

What makes this approach effective is that no single action appears suspicious on its own. Browser activity, operating system tools, and user behavior all look normal when observed separately.
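Because each step looks normal in isolation, detection has to correlate signals. The following Python code is an added example, not from Hudson Rock or the original article: it flags a process-creation event only when a user-launched parent (`explorer.exe`, which is what the Run dialog spawns from), a shell interpreter, and at least one command-line trait occur together. The event field names, the trait list and the sample events are assumptions constructed for illustration.

```python
import re

# Assumption: process-creation records (e.g. Sysmon Event ID 1 / Windows 4688)
# already parsed into dicts; the field names used here are hypothetical.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Command-line traits. Each is common in legitimate use when seen alone.
TRAITS = {
    "hidden_window": re.compile(r"-w(in(dowstyle)?)?\s+h(idden)?\b", re.I),
    "encoded_command": re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{8,}", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def assess(event):
    """Return (flagged, reasons); flag only when all three signal classes combine."""
    user_launched = basename(event["parent_image"]) == "explorer.exe"
    is_shell = basename(event["image"]) in SHELLS
    traits = [n for n, rx in TRAITS.items() if rx.search(event["command_line"])]
    reasons = (["parent=explorer.exe"] if user_launched else []) \
        + (["shell interpreter"] if is_shell else []) + traits
    return (user_launched and is_shell and bool(traits)), reasons

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed events, not real telemetry
    # User simply opens PowerShell: normal.
    {"host": "ws-01", "parent_image": r"C:\Windows\explorer.exe",
     "image": PS, "command_line": "powershell.exe"},
    # Encoded command from a service parent: not the user-pasted pattern.
    {"host": "ws-02", "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": PS, "command_line": "powershell.exe -EncodedCommand QUJDREVGR0g="},
    # User-launched shell with hidden window and encoded command: flagged.
    {"host": "ws-03", "parent_image": r"C:\Windows\explorer.exe",
     "image": PS, "command_line": "powershell.exe -w hidden -enc QUJDREVGR0g="},
]

def flagged_hosts(events):
    return [e["host"] for e in events if assess(e)[0]]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["host"], *assess(e))
```

This covers commands launched through the Run dialog; a command pasted into an already open PowerShell window creates no new process, so that path needs PowerShell script block logging (Event ID 4104) instead.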

Scaled ClickFix Campaigns

ErrTraffic turns this method into a centralized operation. The platform includes a management interface that tracks live campaign performance, with reported success rates nearing 60%. These results are driven by visual manipulation techniques that introduce corrupted text and graphical distortions on compromised websites, creating the illusion of software or system failure.

In early December 2025, Hudson Rock analysts observed a new advertisement posted by an actor known as “LenAI”, promoting the latest release, ErrTraffic v2.Panel, to other operators.

By deliberately breaking the look of a trusted website, attackers create urgency and confusion, pushing users toward a fake “update” or “download” action as the only apparent fix.

Behind the scenes, a small code injection loads malicious JavaScript and uses server-side logic to profile the victim’s system, quietly deciding which payload to deliver. Normal visitors see nothing unusual, while selected targets receive customized malware based on their operating system.

ErrTraffic functions as a traffic distribution engine, sending infostealers to Windows users, banking trojans to Android devices, and stealer malware to macOS systems. Its real impact goes further, as stolen credentials often include website admin access, allowing attackers to compromise even more sites and repeat the cycle.

Stolen logins are reused to place ErrTraffic code on more websites. These sites then spread the same trick to new visitors, keeping the cycle going.

ErrTraffic works by checking the visitor’s operating system and sending a matching malicious file chosen by the attacker.

Over time, the stolen access is sold to other criminals, including ransomware groups.

Because the method works so well, attacks that once took weeks can now happen in just days. The low cost and simple setup also allow less experienced attackers to run large campaigns.

For defenders, this shows that traditional security controls are no longer enough. Attacks now rely on user actions, not just technical flaws.

Detecting stolen credentials early and monitoring unusual user behavior are becoming critical. The real weakness being exploited is human trust.


January 2nd, 2026 (2026-01-02T15:27:39+05:30) | Cybersecurity, Internet Security, Mobile Security, Security Update, Security Advisory

About the Author:

FirstHackersNews- Identifies Security
