Unveiling ErrTraffic: Inside a Growing ClickFix Malware Distribution Framework

    Date: 06/17/2026

    Severity: High

    Summary

    ErrTraffic is a Malware-as-a-Service (MaaS) framework used to distribute malware through ClickFix social engineering lures embedded in compromised WordPress websites. The framework incorporates a Traffic Distribution System (TDS) and uses EtherHiding to conceal its command-and-control infrastructure within the blockchain. Analysis revealed multiple operational clusters, malicious WordPress plugins, and campaigns leveraging fake AI-themed websites to deliver malware at scale. 

    Indicators of Compromise (IOC) List 

    Hash

    MD5: 1f5a7f45c9ad8f06b9bf1ddc2a99c8fa

    SHA1: 0f769f459f9ed3e02c3d76af39dafc4e944f871b

    SHA256: 83264e9216fb747d9e0048c6559d66dfca05cf50a1d415ecf212c879d08741ce

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "gdedengikarlos.cfd" or url like "gdedengikarlos.cfd" or siteurl like "gdedengikarlos.cfd" or domainname like "vsactivens.beer" or url like "vsactivens.beer" or siteurl like "vsactivens.beer" or domainname like "js-server.beer" or url like "js-server.beer" or siteurl like "js-server.beer" or domainname like "sandman.lat" or url like "sandman.lat" or siteurl like "sandman.lat" or domainname like "defi-xstocks.vip" or url like "defi-xstocks.vip" or siteurl like "defi-xstocks.vip" or domainname like "best-claudns-js.beer" or url like "best-claudns-js.beer" or siteurl like "best-claudns-js.beer" or domainname like "yoshicity.xyz" or url like "yoshicity.xyz" or siteurl like "yoshicity.xyz" or domainname like "webanalytics-cdn.icu" or url like "webanalytics-cdn.icu" or siteurl like "webanalytics-cdn.icu" or domainname like "webanalytics-cdn.cyou" or url like "webanalytics-cdn.cyou" or siteurl like "webanalytics-cdn.cyou" or domainname like "slndcdnclaud.beer" or url like "slndcdnclaud.beer" or siteurl like "slndcdnclaud.beer" or domainname like "anakondabob.club" or url like "anakondabob.club" or siteurl like "anakondabob.club" or domainname like "chatgpt-web.vip" or url like "chatgpt-web.vip" or siteurl like "chatgpt-web.vip" or domainname like "marmelad.lat" or url like "marmelad.lat" or siteurl like "marmelad.lat" or domainname like "robodomain.sbs" or url like "robodomain.sbs" or siteurl like "robodomain.sbs" or domainname like "clacndjsvulnarbi.beer" or url like "clacndjsvulnarbi.beer" or siteurl like "clacndjsvulnarbi.beer" or domainname like "sane-cdn-js.beer" or url like "sane-cdn-js.beer" or siteurl like "sane-cdn-js.beer" or domainname like "istile-c-cloud.beer" or url like "istile-c-cloud.beer" or siteurl like "istile-c-cloud.beer" or domainname like "microchlen.lat" or url like "microchlen.lat" or siteurl like "microchlen.lat" or domainname like "clip-stash.beer" or url like "clip-stash.beer" or siteurl like "clip-stash.beer" or domainname like "webflare.beer" or url like "webflare.beer" or siteurl like "webflare.beer" or domainname like "milksos.cfd" or url like "milksos.cfd" or siteurl like "milksos.cfd" or domainname like "biletors.cfd" or url like "biletors.cfd" or siteurl like "biletors.cfd" or domainname like "verification-cdn-cloud.beer" or url like "verification-cdn-cloud.beer" or siteurl like "verification-cdn-cloud.beer" or domainname like "sandman.bond" or url like "sandman.bond" or siteurl like "sandman.bond" or domainname like "sdnssmdf-js.beer" or url like "sdnssmdf-js.beer" or siteurl like "sdnssmdf-js.beer" or domainname like "travel-js-ns.beer" or url like "travel-js-ns.beer" or siteurl like "travel-js-ns.beer" or domainname like "mnepohui.sbs" or url like "mnepohui.sbs" or siteurl like "mnepohui.sbs" or domainname like "web-protection.beer" or url like "web-protection.beer" or siteurl like "web-protection.beer" or domainname like "chubrik.sbs" or url like "chubrik.sbs" or siteurl like "chubrik.sbs" or domainname like "bobik.cfd" or url like "bobik.cfd" or siteurl like "bobik.cfd" or domainname like "abrikos.xyz" or url like "abrikos.xyz" or siteurl like "abrikos.xyz" or domainname like "ns-claude-js.beer" or url like "ns-claude-js.beer" or siteurl like "ns-claude-js.beer"

    Detection Query 2:

    domainname like "spartanec.lat" or url like "spartanec.lat" or siteurl like "spartanec.lat" or domainname like "clnsdns.beer" or url like "clnsdns.beer" or siteurl like "clnsdns.beer" or domainname like "comicstar.lat" or url like "comicstar.lat" or siteurl like "comicstar.lat" or domainname like "https://devltd.top/flomowk2.zip" or url like "https://devltd.top/flomowk2.zip" or siteurl like "https://devltd.top/flomowk2.zip" or domainname like "ntsnsdns.beer" or url like "ntsnsdns.beer" or siteurl like "ntsnsdns.beer" or domainname like "bootstrup-framework-js.beer" or url like "bootstrup-framework-js.beer" or siteurl like "bootstrup-framework-js.beer" or domainname like "cloud-safe.click" or url like "cloud-safe.click" or siteurl like "cloud-safe.click" or domainname like "bulletpop.cyou" or url like "bulletpop.cyou" or siteurl like "bulletpop.cyou" or domainname like "ponikas.cyou" or url like "ponikas.cyou" or siteurl like "ponikas.cyou" or domainname like "ssns-cdn-ns.beer" or url like "ssns-cdn-ns.beer" or siteurl like "ssns-cdn-ns.beer" or domainname like "finework.top" or url like "finework.top" or siteurl like "finework.top" or domainname like "marinaradom.cfd" or url like "marinaradom.cfd" or siteurl like "marinaradom.cfd" or domainname like "mambet.lol" or url like "mambet.lol" or siteurl like "mambet.lol" or domainname like "fetestjs.beer" or url like "fetestjs.beer" or siteurl like "fetestjs.beer" or domainname like "ns-server-jscdn.beer" or url like "ns-server-jscdn.beer" or siteurl like "ns-server-jscdn.beer" or domainname like "bootstrup-cdn-ns.beer" or url like "bootstrup-cdn-ns.beer" or siteurl like "bootstrup-cdn-ns.beer" or domainname like "framesavecloudjs.beer" or url like "framesavecloudjs.beer" or siteurl like "framesavecloudjs.beer" or domainname like "bcncdncl-ns.beer" or url like "bcncdncl-ns.beer" or siteurl like "bcncdncl-ns.beer" or domainname like "mhaskins.top" or url like "mhaskins.top" or siteurl like "mhaskins.top" or domainname like "etomoidomen.cfd" or url like "etomoidomen.cfd" or siteurl like "etomoidomen.cfd" or domainname like "krolikrojer.lat" or url like "krolikrojer.lat" or siteurl like "krolikrojer.lat" or domainname like "etomoe.cfd" or url like "etomoe.cfd" or siteurl like "etomoe.cfd" or domainname like "letsgomakemoneyoncaptcha.beer" or url like "letsgomakemoneyoncaptcha.beer" or siteurl like "letsgomakemoneyoncaptcha.beer" or domainname like "smtnscerver.beer" or url like "smtnscerver.beer" or siteurl like "smtnscerver.beer" or domainname like "dhnsdns.beer" or url like "dhnsdns.beer" or siteurl like "dhnsdns.beer" or domainname like "antigravity.study" or url like "antigravity.study" or siteurl like "antigravity.study" or domainname like "nextpgh3.com" or siteurl like "nextpgh3.com" or url like "nextpgh3.com" or domainname like "pohuimne.lol" or siteurl like "pohuimne.lol" or url like "pohuimne.lol" or domainname like "jogosdecarrobr.monster" or siteurl like "jogosdecarrobr.monster" or url like "jogosdecarrobr.monster" or domainname like "adzeta.monster" or siteurl like "adzeta.monster" or url like "adzeta.monster" or domainname like "testerlau.lat" or siteurl like "testerlau.lat" or url like "testerlau.lat" or domainname like "web-safe.beer" or siteurl like "web-safe.beer" or url like "web-safe.beer" or domainname like "smackit.lat" or siteurl like "smackit.lat" or url like "smackit.lat" or domainname like "superpooper.click" or siteurl like "superpooper.click" or url like "superpooper.click" or domainname like "webanalytics-cdn.sbs" or siteurl like "webanalytics-cdn.sbs" or url like "webanalytics-cdn.sbs" or domainname like "webanalytics-cdn.cfd" or siteurl like "webanalytics-cdn.cfd" or url like "webanalytics-cdn.cfd" or domainname like "lsikjsns.beer" or siteurl like "lsikjsns.beer" or url like "lsikjsns.beer" or domainname like "babybon.cfd" or siteurl like "babybon.cfd" or url like "babybon.cfd" or domainname like "traffadmin.monster" or siteurl like "traffadmin.monster" or url like "traffadmin.monster"

    Detection Query 3:

    md5hash IN ("1f5a7f45c9ad8f06b9bf1ddc2a99c8fa")

    Detection Query 4:

    sha1hash IN ("0f769f459f9ed3e02c3d76af39dafc4e944f871b")

    Detection Query 5:

    sha256hash IN ("83264e9216fb747d9e0048c6559d66dfca05cf50a1d415ecf212c879d08741ce")
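The five queries above match the IOC domains, the one full URL and the three hashes with substring `like` across the `domainname`, `url` and `siteurl` fields. The following is an added example, not Gurucul's or Sekoia's code, that runs the same IOC logic over constructed proxy-log lines with a stricter host check: the domain IOCs are matched on a dot boundary, so a lookalike such as notsandman.lat does not fire, while subdomains of an IOC still do; the full-URL IOC is matched against the URL field, where it can actually occur. The log format and the IOC subset are assumptions.

```python
from urllib.parse import urlsplit

# Subset of the ErrTraffic domain IOCs listed in Detection Queries 1 and 2 (constructed subset).
IOC_DOMAINS = {"sandman.lat", "js-server.beer", "webanalytics-cdn.icu", "chatgpt-web.vip"}
# The one full-URL IOC from Query 2; it belongs in a URL match, a domainname field never equals it.
IOC_URLS = {"https://devltd.top/flomowk2.zip"}
# MD5 / SHA1 / SHA256 from Queries 3-5.
IOC_HASHES = {
    "1f5a7f45c9ad8f06b9bf1ddc2a99c8fa",
    "0f769f459f9ed3e02c3d76af39dafc4e944f871b",
    "83264e9216fb747d9e0048c6559d66dfca05cf50a1d415ecf212c879d08741ce",
}

# Constructed proxy log, one event per line: timestamp, client IP, requested URL, file hash or "-".
SAMPLE_LOG = """\
2026-06-17T10:01:02Z 10.0.0.5 https://cdn.js-server.beer/jquery.min.js -
2026-06-17T10:01:09Z 10.0.0.5 https://www.notsandman.lat/index.html -
2026-06-17T10:02:33Z 10.0.0.8 https://devltd.top/flomowk2.zip 1f5a7f45c9ad8f06b9bf1ddc2a99c8fa
2026-06-17T10:03:10Z 10.0.0.9 https://example.com/?ref=chatgpt-web.vip -
2026-06-17T10:04:41Z 10.0.0.9 https://chatgpt-web.vip/login -
"""


def domain_matches(host: str, ioc: str) -> bool:
    """True when host equals the IOC domain or is one of its subdomains (dot-boundary aware)."""
    host = host.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)


def match_line(line: str) -> list[str]:
    """Return the IOCs hit by one log line: host-based domain match, URL prefix match, hash match."""
    _ts, _client, url, digest = line.split()
    host = urlsplit(url).hostname or ""
    hits = [d for d in sorted(IOC_DOMAINS) if domain_matches(host, d)]
    hits += [u for u in sorted(IOC_URLS) if url.startswith(u)]
    if digest.lower() in IOC_HASHES:
        hits.append(digest.lower())
    return hits


def scan(log: str) -> dict[str, list[str]]:
    """Map each matching log line to the IOCs it hit; lines with no hit are omitted."""
    return {ln: hits for ln in log.splitlines() if (hits := match_line(ln))}


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG).items():
        print(f"ALERT {hits} <- {line}")
```

The fourth sample line carries an IOC only in a query-string parameter; the page's `url like` clause would flag it, while the host-based check does not, which is the trade-off to weigh when tuning the Gurucul queries.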

    Reference:

    https://blog.sekoia.io/unveiling-errtraffic-inside-a-growing-clickfix-malware-distribution-framework/


    Tags

    Malware, MaaS, ClickFix, Social Engineering, EtherHiding, Blockchain, AI, WordPress
