Friday, January 16, 2026

New ErrTraffic cyber tool fuels rise in fake error malware attacks

A newly identified cybercrime tool named ErrTraffic is circulating on underground forums, sharply reducing the effort needed for attackers to trick users into running malicious software on their own devices.

ErrTraffic automates a growing attack method known as ClickFix. This technique relies on fake error messages that pressure users into manually executing harmful commands. Instead of secretly downloading malware, ClickFix attacks misuse user trust by displaying realistic website errors that appear to need urgent action.

In these attacks, websites show convincing glitches such as broken text, distorted fonts, or corrupted layouts. The page is made to look faulty. Users are then asked to “fix” the problem by updating their browser or installing a missing system component. This action leads them to run commands controlled by attackers.

ErrTraffic stands out due to its professional design, automation, and low cost. It allows even low-skilled cybercriminals to launch advanced attacks across Windows, macOS, Linux, and Android systems.

The tool was first spotted in early December 2025 on Russian-language cybercrime forums. It was advertised by a threat actor using the alias LenAI. For around $800, buyers receive the full ErrTraffic package, including a central control panel and scripts that can deploy realistic fake error messages on hacked websites.

According to the Hudson Rock Threat Intelligence Team, ErrTraffic operates through a simple JavaScript injection. Once attackers gain access to a website, they only need to add a single line of code that links the site to their command-and-control panel.

The script automatically identifies a visitor’s operating system, browser, and language. It then displays a customised fake error, often posing as a “Chrome Update” or a missing font alert.

When users click the fix option, a PowerShell command is copied to their clipboard with instructions to paste and run it manually. This helps the attack bypass many security tools, as the action appears user-initiated.

Data from active ErrTraffic campaigns shows conversion rates close to 60%. This means a large share of users exposed to these fake errors end up running malicious code.

Attackers usually install infostealers like Lumma or Vidar on Windows systems, while Android users are targeted with banking trojans. The tool also blocks infections in Russia and nearby regions to avoid local law enforcement attention.

Once a device is infected, the stolen login details are used to take over more websites, creating a self-propagating cycle of cyber attacks.
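
For site owners, the single-line injection described above can be caught by comparing the script hosts a page loads against a known-good baseline. The following Python check is an added example, not code from Hudson Rock or the original article; it assumes the injected line is a `<script src>` tag pointing at an external host, and the URLs, hostnames and markup are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample data: hosts and markup are placeholders, not real indicators.
PAGE_URL = "https://shop.example/index.html"
ALLOWED_HOSTS = {"shop.example", "cdn.example"}
BASELINE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example/lib.min.js"></script>
</head><body>Welcome</body></html>"""
# Same page with one added line, standing in for the injection (assumed form).
CURRENT_HTML = BASELINE_HTML.replace(
    "</head>", '<script src="//panel.invalid/api/loader.js"></script>\n</head>')


class ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def script_hosts(html, page_url):
    """Map each script host to the resolved URLs loaded from it."""
    collector = ScriptCollector()
    collector.feed(html)
    hosts = {}
    for src in collector.sources:
        absolute = urljoin(page_url, src)  # resolves relative and //host forms
        host = (urlsplit(absolute).hostname or "").lower()
        hosts.setdefault(host, []).append(absolute)
    return hosts


def audit(baseline_html, current_html, page_url, allowed_hosts):
    """Return scripts from hosts that are neither allowlisted nor in the baseline."""
    known = set(script_hosts(baseline_html, page_url)) | set(allowed_hosts)
    current = script_hosts(current_html, page_url)
    return {h: urls for h, urls in current.items() if h not in known}


if __name__ == "__main__":
    for host, urls in audit(BASELINE_HTML, CURRENT_HTML, PAGE_URL, ALLOWED_HOSTS).items():
        print(f"unexpected script host {host}: {urls}")
```

Inline scripts and tampering with server-side templates are outside what this check sees, so it complements file-integrity monitoring on the site's source rather than replacing it.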
