ErrTraffic MaaS Uses Fake CAPTCHAs Cloudflare Turnstile

David kimber
June 17, 2026

A rapidly expanding cybercrime operation, dubbed ErrTraffic, has surfaced as a new Malware-as-a-Service (MaaS) offering. The framework uses highly deceptive fake reCAPTCHA and Cloudflare Turnstile verification screens to trick internet users into executing malicious PowerShell commands on their own machines, all while they believe they are simply completing a routine security check.

It first appeared in late 2025 and has since grown into a full Malware-as-a-Service operation that allows cybercriminals to rent the tool and deploy their own attacks against a wide range of targets.

ErrTraffic works by injecting a harmful JavaScript snippet into legitimate but compromised WordPress websites.

When an unsuspecting visitor lands on one of these pages, they are shown a fake verification screen that closely mimics trusted services like Google reCAPTCHA or Cloudflare Turnstile.

The victim is prompted to press a keyboard shortcut, which secretly executes a PowerShell command that has already been quietly loaded into their clipboard by the malicious background script.

Analysts at Sekoia said in a report shared with Cyber Security News (CSN) that ErrTraffic is built on the ClickFix social engineering tactic and uses a technique called EtherHiding to conceal its command-and-control infrastructure inside Polygon blockchain smart contracts.

This design makes it significantly harder for security tools to detect and block malicious traffic, since the attacker infrastructure can be rotated without redeploying code.

The tool is sold by a threat actor operating under the handle LenAI on the cybercrime forum Exploit.IN and through Telegram.

Pricing climbed throughout 2026, with monthly subscriptions rising from $300 to $380 and source code prices jumping from $1,500 in January to $4,500 with lifetime updates included.

ClickFix lures (Source – Sekoia)

The steep pricing reflects both the framework’s effectiveness and its growing reputation within underground criminal communities.

Security researchers identified two distinct ErrTraffic clusters, named “Analytics” and “Beer,” each running separate infrastructure and delivering different malware families including Vidar, Stealc, Remus, Salat, SmokeLoader, and various remote access tools.

Some WordPress sites were found infected by both clusters simultaneously, pointing to competition and operational overlap between the multiple threat actors leveraging this framework.

ErrTraffic MaaS Uses Fake reCAPTCHA and Cloudflare Turnstile Lures

The infection chain begins the moment a visitor loads a compromised WordPress page. A hidden JavaScript payload, encoded using Base64 and XOR techniques, queries the Polygon blockchain to retrieve the active C2 server address.

This rotating infrastructure model allows attackers to swap servers daily without modifying the thousands of infected websites already hosting their injected code.

Once the C2 address is resolved, the script loads the ClickFix lure through API endpoints such as /cf.js or /api/css.js, depending on the active cluster.

The lure renders a convincing CAPTCHA or Cloudflare Turnstile screen that instructs the visitor to "verify" themselves by pressing a keyboard shortcut, which pastes and runs the command the script has already placed in the clipboard.

Running that command triggers a PowerShell script that downloads and executes the final payload, ranging from infostealers to loaders and remote access tools.

ErrTraffic PowerShell Commandline (Source – Sekoia)

Attackers also impersonate legitimate AI platforms to extend ErrTraffic’s reach. Malicious websites posing as Google Antigravity and ChatGPT were used to deliver the same ClickFix lure, targeting users searching for AI software.

These campaigns are believed to be spread via malvertising, allowing them to reach victims entirely outside the compromised WordPress ecosystem.

Backdoor Deployment and Persistent Access

After gaining entry to a WordPress site through stolen administrator credentials, attackers deploy a PHP backdoor named session-manager.php inside the mu-plugins directory, where WordPress automatically loads it without any manual activation.

The implant harvests login credentials by intercepting authentication requests, skims WooCommerce order data in a server-side Magecart-style attack, and provides a webshell for remote code execution.

To avoid detection, the backdoor monitors incoming User-Agent strings for signatures belonging to tools like Wordfence and Nikto, then pauses all malicious behavior for thirty minutes when those tools are identified.

Defenders should enable PowerShell ScriptBlock logging to catch XOR-decoded commands tied to ErrTraffic, and monitor blockchain RPC connections followed immediately by PowerShell execution as high-confidence behavioral indicators.
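The behavioral indicator described above, a blockchain RPC connection followed shortly by PowerShell execution on the same host, can be checked with a simple correlation over endpoint telemetry. The following is an added example (not code from Sekoia or the article) that runs over constructed Sysmon-style log lines; the RPC hostname set and the event format are assumptions to be replaced with your own.

```python
import re
from datetime import datetime, timedelta

# Assumed placeholder set of blockchain RPC hostnames; replace with your own list.
BLOCKCHAIN_RPC_HOSTS = {"polygon-rpc.example"}

# Constructed Sysmon-style events (not from the report): eid=3 network
# connections and eid=1 process creations, in chronological order.
SAMPLE_EVENTS = [
    "2026-06-17T10:01:02Z host=WS01 eid=3 image=chrome.exe dest=polygon-rpc.example:443",
    "2026-06-17T10:01:05Z host=WS01 eid=1 image=powershell.exe cmd=powershell -w hidden -e <b64>",
    "2026-06-17T10:30:00Z host=WS02 eid=3 image=chrome.exe dest=polygon-rpc.example:443",
    "2026-06-17T11:15:00Z host=WS02 eid=1 image=powershell.exe cmd=powershell Get-Date",
    "2026-06-17T12:00:00Z host=WS03 eid=1 image=powershell.exe cmd=powershell -c whoami",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) eid=(?P<eid>\d+) image=(?P<image>\S+) "
    r"(?:dest=(?P<dest>\S+)|cmd=(?P<cmd>.*))$"
)

def parse_event(line):
    """Parse one sample line into a dict, or return None for unknown formats."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["eid"] = int(ev["eid"])
    return ev

def is_rpc_connection(ev):
    """True for a network event whose destination host is a known RPC endpoint."""
    return bool(ev["eid"] == 3 and ev["dest"] and ev["dest"].rsplit(":", 1)[0].lower() in BLOCKCHAIN_RPC_HOSTS)

def correlate(lines, window=timedelta(seconds=60)):
    """Return (host, rpc_time, ps_time, cmd) for each PowerShell launch that
    follows a blockchain RPC connection on the same host within `window`.
    Correlation is per host, not per process: the browser makes the RPC
    call, while PowerShell is started by the victim via the keyboard shortcut."""
    last_rpc, alerts = {}, []
    for ev in filter(None, map(parse_event, lines)):
        if is_rpc_connection(ev):
            last_rpc[ev["host"]] = ev["ts"]
        elif ev["eid"] == 1 and ev["image"].lower() in ("powershell.exe", "pwsh.exe"):
            seen = last_rpc.get(ev["host"])
            if seen is not None and timedelta(0) <= ev["ts"] - seen <= window:
                alerts.append((ev["host"], seen, ev["ts"], ev["cmd"]))
    return alerts
```

With the default 60-second window only WS01 fires; widening the window trades precision for recall, so tune it against your own baseline.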

Regularly auditing mu-plugins directories and rotating WordPress credentials remain strong baseline protective steps.
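An mu-plugins audit can be scripted: flag the file names the report attributes to ErrTraffic (session-manager.php and the file-updater-[a-zA-Z0-9]{8}.php injector stub) plus the User-Agent check for Wordfence/Nikto that the backdoor uses for evasion. This is an added example, not code from the article or Sekoia; the eval/base64_decode marker is a generic assumption, and the sample directory it builds contains harmless constructed stand-ins.

```python
import os
import re
import tempfile

# File names the report attributes to the ErrTraffic backdoor and injector stub.
KNOWN_BAD_NAMES = [
    re.compile(r"^session-manager\.php$"),
    re.compile(r"^file-updater-[a-zA-Z0-9]{8}\.php$"),
]
# Content markers: the backdoor checks User-Agent for Wordfence/Nikto (from the
# report); eval over a decoder is a generic obfuscation hint (assumption).
CONTENT_MARKERS = [
    ("ua-scanner-check", re.compile(r"HTTP_USER_AGENT.{0,200}?(wordfence|nikto)", re.I | re.S)),
    ("obfuscated-eval", re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I)),
]

def audit_mu_plugins(mu_dir, allowlist=()):
    """Return sorted (relative path, reason) findings for files under mu_dir."""
    findings = []
    for root, _dirs, files in os.walk(mu_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, mu_dir)
            if rel in allowlist:  # files you have verified by hand
                continue
            if any(p.match(name) for p in KNOWN_BAD_NAMES):
                findings.append((rel, "known ErrTraffic file name"))
            if not name.endswith(".php"):
                continue
            with open(path, "r", errors="replace") as fh:
                data = fh.read()
            for label, pattern in CONTENT_MARKERS:
                if pattern.search(data):
                    findings.append((rel, label))
    return sorted(findings)

def build_sample_mu_plugins():
    """Create a constructed mu-plugins directory (harmless stand-ins) for a dry run."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "site-health.php"), "w") as fh:
        fh.write("<?php add_filter('the_content', 'site_health_note');\n")
    with open(os.path.join(d, "session-manager.php"), "w") as fh:
        fh.write("<?php if (stripos($_SERVER['HTTP_USER_AGENT'], 'Wordfence') !== false) sleep(1);\n")
    with open(os.path.join(d, "file-updater-Ab12Cd34.php"), "w") as fh:
        fh.write("<?php add_action('wp_footer', 'inject_js');\n")
    return d
```

Point audit_mu_plugins at wp-content/mu-plugins on a real site; anything outside your allowlist deserves a manual look even when no marker fires, because mu-plugins load with no activation step.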

Indicators of Compromise (IoCs):

Type Indicator Description
IP Address 96.178.187[.]175 Attacker reconnaissance/initial access IP (North American residential ISP) 
IP Address 96.181.156[.]219 Attacker reconnaissance/initial access IP (North American residential ISP) 
IP Address 172.59.242[.]93 Attacker backdoor deployment IP 
IP Address 68.60.174[.]238 Attacker backdoor deployment IP 
Domain webanalytics-cdn[.]sbs C2 domain used to exfiltrate cookies via auto_prepend_file PHP script 
Domain llc-image-ico[.]click “Beer” cluster C2 domain used to load ErrTraffic injection script via /api/css.js 
Domain antigravity[.]study Fake Google Antigravity AI platform lure site delivering ClickFix/Danabot 
Domain chatgpt-web[.]vip Fake ChatGPT lure site delivering ClickFix payload and SideJack loader 
Blockchain Address 0x08207B087F61d7e95E441E15fd6d403 Polygon smart contract used by “Analytics” cluster for C2 resolution via EtherHiding DDR 
File Name session-manager.php Malicious WordPress MU-Plugin backdoor with webshell, credential harvester, and skimmer 
File Name file-updater-[a-zA-Z0-9]{8}.php PHP injector stub that hooks WordPress page rendering to load the ErrTraffic JS payload 
File Name css.js ErrTraffic JavaScript injector containing XOR-encoded ClickFix lure delivery code 
URL Pattern hxxps://[ERRTRAFFIC-DOMAIN]/api/index.php?a=ctx&os=windows&src=cloudflare&cb=[BROWSER]&ref=[REFERRER]&mode=download&rid=[RAY_ID] API call pattern used to retrieve RC4-encrypted PowerShell commands from C2 

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

David kimber
David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.