ErrTraffic is a Traffic Distribution System (TDS) designed to power ClickFix social engineering attacks. Unlike traditional fake update prompts, ErrTraffic deliberately breaks a website's visuals, creating garbled text, distorted CSS, and cursor jitter, to convince victims that their device is actually broken.
This visual chaos technique, called "GlitchFix," has proven highly effective at tricking users into "fixing" their systems by running malware.
When users land on a compromised website containing ErrTraffic code, the attack happens instantly.
The malicious script checks the victim's operating system, browser type, and location. If the checks pass, the page immediately distorts: readable text becomes illegible symbols, CSS transformations make everything look broken, and moving the mouse causes strange jitter effects.
Within seconds, a fake update modal appears claiming to be from Chrome, Firefox, or Windows itself.
The Business Model
Security researchers discovered threat actor “LenAI” selling ErrTraffic v2 on Russian forums for approximately $800.

What shocked researchers was the conversion rate: nearly 60%, meaning 6 out of 10 people who saw the fake glitch actually clicked the malicious button.
This is an unprecedented success rate for social engineering tools. The subscription model includes an expiration field, meaning operators must pay to keep their campaigns running.
Browser Update Mode: Fake Chrome, Firefox, or Edge updates with localized messages.
Font Mode: Claims a system font is missing and needs installation.
ClickFix Mode (v3 only): Copies obfuscated PowerShell commands to the clipboard and instructs users to press Win+X, then I, then Ctrl+V, then Enter, running hidden malware installers without opening a window.

The domain naming patterns reveal operational security practices: operators favor cheap TLDs (.cfd, .art) and free subdomain services (kozow[.]com) that require minimal identity verification.
What Gets Delivered
ErrTraffic doesn't spread traditional malware; it delivers digitally signed Remote Monitoring & Management (RMM) tools: FleetDeck for Windows, ITarian MDM for Android, ConnectWise Control for macOS, and ITarian ITSM for Linux.
These legitimate tools are allowlisted by security software, making them nearly impossible to block without breaking legitimate IT operations.
The infrastructure is spread across the Netherlands, Sweden, and Russia. The tool uses token-based payload delivery, bot detection for crawlers, and geofencing to block specific countries, notably all CIS nations, suggesting Russian-speaking threat actors avoiding prosecution.
ErrTraffic represents industrialized social engineering. With 60% conversion rates and professional infrastructure, this commodified tool significantly accelerates the compromise pipeline.
Organizations must prioritize user awareness training and restrict RMM tool execution to prevent infection.
IOCs
| Indicator | Type | Notes |
|---|---|---|
| errtraffic_session= | Cookie | Session identifier |
| /api/css.js.php | URL path | v2 payload |
| /api/css.js | URL path | v3 payload (obfuscated) |
| /api/index.php?action= | URL pattern | v3 API calls |
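The indicators above can be hunted for in web proxy logs. As an added example (not code from the original article), the following Python matches the cookie and URL-path IOCs against constructed sample log lines; the hostnames and the one-line log format are hypothetical, and paths are compared exactly so that an unrelated /static/css.js does not trigger a hit:

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the article's IOC table.
IOC_PATHS = {
    "/api/css.js.php": "ErrTraffic v2 payload",
    "/api/css.js": "ErrTraffic v3 payload (obfuscated)",
}
IOC_COOKIE = "errtraffic_session="

# Constructed sample proxy log (hypothetical hosts and format):
# <timestamp> <client> "<METHOD> <URL>" <status> "<Cookie header>"
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 "GET https://example-shop.cfd/api/css.js.php" 200 "errtraffic_session=abc123"
2024-01-01T10:00:01Z 10.0.0.5 "GET https://example-shop.cfd/api/index.php?action=check" 200 "errtraffic_session=abc123"
2024-01-01T10:00:02Z 10.0.0.7 "GET https://www.example.org/static/css.js" 200 "-"
2024-01-01T10:00:03Z 10.0.0.9 "GET https://example-blog.art/api/css.js" 200 "-"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<url>[^"]+)" '
    r'(?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)

def classify(url, cookie):
    """Return the IOC labels matched by one request (empty list if none)."""
    hits = []
    parts = urlsplit(url)
    if parts.path in IOC_PATHS:          # exact path match, not a substring match
        hits.append(IOC_PATHS[parts.path])
    if parts.path == "/api/index.php" and "action=" in parts.query:
        hits.append("ErrTraffic v3 API call")
    if IOC_COOKIE in cookie:
        hits.append("ErrTraffic session cookie")
    return hits

def scan_log(text):
    """Return (client, url, hits) for every log line matching at least one IOC."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that do not fit the expected format
        hits = classify(m["url"], m["cookie"])
        if hits:
            findings.append((m["client"], m["url"], hits))
    return findings

if __name__ == "__main__":
    for client, url, hits in scan_log(SAMPLE_LOG):
        print(client, url, ", ".join(hits))
```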