A new and sophisticated cybercrime tool named ErrTraffic is making waves on the dark web, enabling attackers to automate “ClickFix” attacks. The tool significantly lowers the barrier to entry for malicious actors, allowing them to trick unsuspecting users into executing harmful software on a wide range of devices, including Windows, Android, macOS, and Linux. Its emergence underscores a growing trend of advanced, user-friendly attack tooling becoming available to the wider criminal underground.
The ErrTraffic tool was first identified in December 2025 on Russian-language cybercrime forums, advertised by a threat actor known as LenAl. For just $800, criminals gain access to a comprehensive package that includes a control panel and a script system. The system is designed to inject convincing fake visual errors and glitches into compromised websites, creating a sense of urgency for users.
How ErrTraffic Facilitates ClickFix Attacks
ErrTraffic automates what security experts term ClickFix attacks. Unlike traditional malware delivery methods that rely on direct file downloads, ClickFix attacks leverage a psychological element. They present users with fabricated issues on a website, such as broken text or scrambled fonts, making the site appear corrupted. A subsequent popup then falsely offers a solution, often framed as a necessary browser update or a missing system font installation, compelling the user to engage and potentially execute malicious commands.
The covert mechanism behind ErrTraffic involves a straightforward JavaScript injection. Attackers who gain access to a website’s code can insert a single line of JavaScript. This script then communicates with the attacker’s control panel. Upon a visitor accessing the compromised site, the script intelligently detects the user’s operating system and browser, then dynamically displays a tailored, fake error message localized to the user’s language.
The critical infection point occurs when a user clicks on the deceptive “fix” button. This action doesn’t directly download malware. Instead, it copies a PowerShell command to the user’s clipboard and prompts them to manually paste it into their system’s command-line interface. This technique is particularly insidious because it circumvents many conventional security measures. Web browsers interpret this as a legitimate user action of copying text, while security software often views the subsequent opening of PowerShell as normal user behavior, thus failing to flag the malicious activity.
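A site owner can audit served pages for the single injected script line and the clipboard write described above. This is an added example, not code from the article or from ErrTraffic; the allowlisted hosts, the `panel.invalid` host and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: the hosts this site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example.com", "cdn.example.com"}
# Browser APIs that write to the clipboard (the "fix" button's mechanism).
CLIPBOARD_CALLS = ("clipboard.writeText(", "execCommand('copy'", 'execCommand("copy"')

# Constructed sample page: two expected scripts, one injected external
# loader on a placeholder host, and an inline clipboard write.
SAMPLE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script src="//panel.invalid/e.js"></script>
</head><body>
<script>btn.onclick = () => navigator.clipboard.writeText(cmd);</script>
</body></html>"""

class ScriptAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []
        self._inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        self._inline = not src
        if src:
            # Resolve relative and scheme-relative URLs against the page.
            host = urlparse(urljoin(self.page_url, src)).hostname
            if host not in ALLOWED_SCRIPT_HOSTS:
                self.findings.append(("unlisted-script-host", host))

    def handle_data(self, data):
        # Script bodies arrive here as raw text; flag clipboard writes.
        if self._inline and any(c in data for c in CLIPBOARD_CALLS):
            self.findings.append(("inline-clipboard-write", self.getpos()[0]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = False

def audit(html, page_url="https://www.example.com/"):
    parser = ScriptAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings
```

A `Content-Security-Policy` header with a `script-src` directive enforces the same host allowlist in the visitor's browser.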
The Impact and Reach of ErrTraffic
Analysis of active ErrTraffic campaigns has revealed alarming success rates. Threat intelligence reports, such as those from the Hudson Rock Threat Intelligence Team, who identified the tool, indicate conversion rates astonishingly close to 60 percent. This means that a significant majority of individuals who encounter the fake error message fall victim to the ruse and consequently install malware. The payloads delivered by ErrTraffic are configurable by the attacker and commonly include infostealers like Lumma or Vidar for Windows systems, and banking trojans for Android devices.
The sophistication of the ErrTraffic control panel also includes features like geographic filtering. It contains pre-programmed blocks designed to avoid detection by law enforcement in Russia and its neighboring countries. Once a system is compromised, attackers can steal sensitive login credentials, which can then be used to further infiltrate other websites and expand the attack network, creating a self-perpetuating cycle of compromise and malware distribution. The tool’s professional design and low cost make it an attractive option for a wider range of cybercriminals, potentially leading to a surge in ClickFix attack campaigns.

