A sophisticated new social engineering technique, dubbed GlitchFix, is leveraging a specialized traffic distribution system known as ErrTraffic to lure unsuspecting users into downloading malware. This deceptive campaign weaponizes visually distorted web pages, creating a false sense of urgency that prompts users to install malicious remote monitoring and management (RMM) tools. ErrTraffic, estimated to cost around $800, provides cybercriminals with a comprehensive platform for orchestrating these elaborate campaigns across multiple operating systems and languages, enabling global reach.
Unlike simpler phishing attempts, ErrTraffic goes to extreme lengths to create a convincing illusion of a system error. It achieves this by deliberately breaking web page layouts, introducing chaotic visual effects like garbage characters and CSS distortions, and even simulating mouse jitter. These disorienting visual cues are carefully managed to ensure that a fake update prompt remains perfectly readable, guiding the victim towards the malicious download. Censys analysts recently detailed the threat infrastructure, identifying five physical servers running ErrTraffic panels hosted across three autonomous systems and linked to eleven unique domains. Their investigation also uncovered two distinct versions of the software operating concurrently: version 2, featuring unobfuscated JavaScript and Russian-only administration interfaces, and version 3, which employs XOR-based payload obfuscation and an advanced ClickFix mode.
How ErrTraffic Fuels GlitchFix Attacks
ErrTraffic builds on the ClickFix lure, in which a fake error or prompt tells the victim to run a command to fix it, by first making the page itself look broken. A visitor who sees a garbled, jittering page is primed to believe something is wrong and to follow whatever instructions promise to fix it, usually an "update". That manufactured need to repair the page is what distinguishes GlitchFix.
Geographic filtering is an early step in the ErrTraffic workflow. The injected script queries the ipwho.is geolocation API and blocks visitors from Commonwealth of Independent States (CIS) countries, including Russia, Ukraine, and Kazakhstan. Excluding the CIS is a well-known habit of Russian-speaking operators and is treated as an attribution indicator, though on its own it is circumstantial. Only visitors who pass both the geolocation check and the bot detection see the page enter "chaos mode."
Infection Mechanism and Attack Workflow
The infection chain begins when a victim visits a compromised website into which the attacker has injected a script tag pointing at the ErrTraffic panel. The script loads from the panel and immediately fingerprints the visitor's browser, operating system, and language settings; that data selects the language of the lure and, later, the installer for the victim's operating system.
Once fingerprinted and past the geolocation filter, the page is visually corrupted: text is replaced with unreadable Unicode characters, and CSS transforms skew and rotate the layout. A MutationObserver watches the DOM so that content loaded later is corrupted too, which matters on sites that render dynamically. After a short, configurable delay, typically around one second, a clean and fully readable modal appears asking the user to download a browser update, install new fonts, or, in version 3, run PowerShell commands. The contrast is deliberate: the modal is the only legible thing on the page.
When the victim clicks the update button, the script requests a one-time download token from the panel server. The token gate means a researcher who fetches the payload URL directly, without walking through the full lure, gets nothing. Once the token is validated, the panel serves an RMM installer matched to the victim's operating system through a hidden iframe; if the victim runs it, the operator gains persistent remote access to the machine. Version 3 adds a ClickFix mode that avoids the download path altogether: it copies an obfuscated PowerShell command to the clipboard and instructs the victim to paste and run it in a terminal, so no file ever passes through the browser's download controls.
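The two page-side behaviours just described, mass corruption of visible text and a clipboard write carrying a PowerShell one-liner, can both be watched for from inside the page. The following is an added example written for this page, not ErrTraffic code and not Censys tooling. The scoring functions are pure and run under Node; the DOM hookup at the bottom is guarded so it only runs in a browser, and the assumption is that it would be injected by something like an extension content script. The garbage-character heuristic and the PowerShell indicator list are the author's own choices, not signatures published in the write-up.

```javascript
// Added example (not ErrTraffic code, not Censys tooling): watch a page for
// GlitchFix-style text corruption and for ClickFix-style clipboard payloads.

// Characters that are not letters, digits, punctuation, spaces or printable
// ASCII: box-drawing, block elements, geometric shapes and similar "garbage".
// Heuristic only: a lure that substituted letters from another script would
// not raise this ratio.
const GARBAGE_RE = /[^\p{L}\p{N}\p{P}\p{Zs}\s\x21-\x7e]/u;

// Fraction of non-whitespace characters in `text` that match GARBAGE_RE.
function garbageRatio(text) {
  let total = 0;
  let garbage = 0;
  for (const ch of text) {
    if (/\s/.test(ch)) continue;
    total += 1;
    if (GARBAGE_RE.test(ch)) garbage += 1;
  }
  return total === 0 ? 0 : garbage / total;
}

// Flag the page when the ratio rises this much above the load-time baseline
// (threshold chosen for this example, tune against your own sites).
const CORRUPTION_DELTA = 0.25;

// Patterns a ClickFix clipboard payload tends to contain. Two independent
// hits are required so that prose merely mentioning PowerShell is not flagged.
const PS_INDICATORS = [
  /\bpowershell(?:\.exe)?\b/i,
  /(?:^|\s)-(?:enc|encodedcommand|ec?)\s+[A-Za-z0-9+/=]{20,}/i, // -enc <base64>
  /\b(?:iex|invoke-expression)\b/i,                               // execute
  /\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile)\b/i, // fetch
  /\bmshta\b/i,
  /-nop\b|-noprofile\b|-w(?:indowstyle)?\s+hidden\b|-ep\s+bypass\b|-executionpolicy\s+bypass\b/i,
];

function powershellIndicatorCount(text) {
  return PS_INDICATORS.filter((re) => re.test(text)).length;
}

function looksLikePowerShell(text) {
  return powershellIndicatorCount(String(text)) >= 2;
}

// Browser-only hookup; skipped under Node.
if (typeof document !== 'undefined' && typeof MutationObserver !== 'undefined') {
  const baseline = garbageRatio(document.body.innerText);
  const observer = new MutationObserver(() => {
    const now = garbageRatio(document.body.innerText);
    if (now - baseline > CORRUPTION_DELTA) {
      console.warn(`[glitchfix-watch] page text corrupted after load: garbage ratio ${baseline.toFixed(2)} -> ${now.toFixed(2)}`);
      observer.disconnect();
    }
  });
  observer.observe(document.body, { childList: true, characterData: true, subtree: true });

  // ClickFix mode puts the command on the clipboard; wrap both the async
  // Clipboard API and the legacy execCommand('copy') path.
  const reportCopy = (text) => {
    if (looksLikePowerShell(text)) {
      console.warn('[glitchfix-watch] page placed a PowerShell-looking command on the clipboard:', text);
    }
  };
  if (navigator.clipboard && navigator.clipboard.writeText) {
    const realWriteText = navigator.clipboard.writeText.bind(navigator.clipboard);
    navigator.clipboard.writeText = (text) => { reportCopy(String(text)); return realWriteText(text); };
  }
  const realExecCommand = document.execCommand.bind(document);
  document.execCommand = (cmd, ...rest) => {
    if (String(cmd).toLowerCase() === 'copy') reportCopy(String(window.getSelection()));
    return realExecCommand(cmd, ...rest);
  };
}
```

The baseline-versus-current comparison is what keeps this usable on legitimate non-English pages: a page that is mostly Cyrillic or CJK at load has a baseline near zero just like an English one, because letters of any script are excluded from the garbage class, and only a later jump triggers the warning. The clipboard hook reports rather than blocks, since a user who has already been told to paste a command needs a visible explanation more than a silently failed copy.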
The platform also includes evasion: bot-detection patterns aimed at security scanners, headless browsers, and other automated analysis tools. Detection signatures for ErrTraffic typically key on the `errtraffic_session` cookie and on the panel API paths, `/api/css.js.php` for version 2 and `/api/css.js` for version 3. The infrastructure favors inexpensive top-level domains and free subdomain services, and some panels impersonate government agencies, for example `update211.security-ssa-gov.com`, to look credible.
Defenders should watch for the `errtraffic_session` cookie and the panel API paths in web proxy or browser telemetry (with the caveat that both are only visible where TLS is inspected or where endpoint tooling records request headers), train users to treat unsolicited update prompts as suspect, and alert on RMM tools appearing on hosts that have no business reason for them. ErrTraffic is sold as a service: the panel carries subscription features with rental expiration fields, which points to ongoing development and operator support beyond the initial $800 purchase and suggests the tooling will persist.
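The cookie and path indicators from the two paragraphs above are easy to turn into a hunt. The following is an added example, not Censys tooling and not part of the original write-up: it scans a request log for those indicators plus the ipwho.is lookup and ranks clients by the distinct indicators they hit. The log format is constructed (JSON lines, as a TLS-inspecting proxy that records the Cookie header might emit), and the client addresses, timestamps, cookie values and the compromised-site hosts are made up; only `update211.security-ssa-gov.com`, `ipwho.is` and the two API paths come from the text. The indicator weights and verdict thresholds are the author's own choices.

```javascript
// Added example (not Censys tooling): hunt a request log for ErrTraffic
// indicators and rank clients. Adapt parseRecord() to your own log source.

// Constructed sample log. Hosts other than the panel domain and ipwho.is,
// the client IPs, timestamps and cookie values are made up for the example.
const SAMPLE_LOG = [
  '{"ts":"2025-01-01T09:00:00Z","client":"10.0.4.23","method":"GET","host":"blog.example.org","uri":"/news/","cookie":""}',
  '{"ts":"2025-01-01T09:00:01Z","client":"10.0.4.23","method":"GET","host":"update211.security-ssa-gov.com","uri":"/api/css.js?v=3","cookie":""}',
  '{"ts":"2025-01-01T09:00:01Z","client":"10.0.4.23","method":"GET","host":"ipwho.is","uri":"/","cookie":""}',
  '{"ts":"2025-01-01T09:00:04Z","client":"10.0.4.23","method":"GET","host":"update211.security-ssa-gov.com","uri":"/api/css.js","cookie":"errtraffic_session=3f9c2a1d"}',
  '{"ts":"2025-01-01T09:05:00Z","client":"10.0.7.8","method":"GET","host":"cdn.example.net","uri":"/api/css.js","cookie":""}',
  '{"ts":"2025-01-01T09:06:00Z","client":"10.0.9.1","method":"GET","host":"ipwho.is","uri":"/json/","cookie":""}',
  '{"ts":"2025-01-01T09:07:00Z","client":"10.0.2.2","method":"GET","host":"shop.example.com","uri":"/api/css.js.php","cookie":"errtraffic_session=77aa11bb"}',
].join('\n');

// Each indicator has a weight; a client is credited once per indicator, so
// repeated hits on the same path do not inflate its score.
const INDICATORS = [
  { name: 'v2-panel-script', weight: 2, version: 'v2', test: (r) => r.path === '/api/css.js.php' },
  { name: 'v3-panel-script', weight: 2, version: 'v3', test: (r) => r.path === '/api/css.js' },
  { name: 'session-cookie',  weight: 3, version: null, test: (r) => /(?:^|;\s*)errtraffic_session=/.test(r.cookie || '') },
  // ipwho.is is also used by legitimate sites; alone it is only a weak signal.
  { name: 'ipwho-geolookup', weight: 1, version: null, test: (r) => r.host === 'ipwho.is' },
];

// Parse one JSON line and normalise the request path (query string dropped).
function parseRecord(line) {
  const rec = JSON.parse(line);
  rec.path = (rec.uri || '').split('?')[0];
  return rec;
}

function verdictFor(score) {
  if (score >= 3) return 'likely-errtraffic';
  if (score >= 2) return 'review';
  return 'weak';
}

// Returns one row per client that hit at least one indicator, highest score first.
function hunt(logText) {
  const clients = new Map();
  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    const rec = parseRecord(line);
    for (const ind of INDICATORS) {
      if (!ind.test(rec)) continue;
      const entry = clients.get(rec.client)
        || { client: rec.client, indicators: new Map(), hosts: new Set(), version: 'unknown' };
      entry.indicators.set(ind.name, ind.weight);
      entry.hosts.add(rec.host);
      if (ind.version) entry.version = ind.version; // path tells us which panel version
      clients.set(rec.client, entry);
    }
  }
  return [...clients.values()]
    .map((e) => {
      const score = [...e.indicators.values()].reduce((a, b) => a + b, 0);
      return { client: e.client, score, verdict: verdictFor(score), version: e.version,
               indicators: [...e.indicators.keys()], hosts: [...e.hosts] };
    })
    .sort((a, b) => b.score - a.score);
}

for (const row of hunt(SAMPLE_LOG)) {
  console.log(`${row.client.padEnd(12)} score=${row.score} ${row.verdict.padEnd(18)} ${row.version.padEnd(8)} ${row.indicators.join(',')}  hosts=${row.hosts.join(',')}`);
}
```

On the sample log the first client (script fetch, geolocation lookup, then the session cookie on the same panel host) scores highest and is tagged version 3; the client that only requested `/api/css.js` from an unrelated CDN lands in "review", because that path on its own could belong to an unrelated site, and the lone ipwho.is lookup is reported as weak. Any client in the top two bands is a candidate for the RMM-installation check the text recommends.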