Full Report
TLP: AMBER+STRICT

The LevelBlue SpiderLabs team examined the latest version of ErrTraffic, which emerged in early 2026. In a recently observed campaign, the team found that ErrTraffic primarily targets WordPress websites by deploying a PHP backdoor script in the must-use plugins (mu-plugins) directory; the script captures administrator credentials and ensures persistence on compromised sites. On an infected website, the backdoor injects malicious inline scripts that use both XOR and Base64 obfuscation to evade detection. ErrTraffic uses a Traffic Distribution System (TDS) to filter site visitors and redirect selected ones to ClickFix lures.
Analysis Summary
# Tool/Technique: ErrTraffic (v3)
## Overview
ErrTraffic is a specialized malware family and Traffic Distribution System (TDS) that primarily targets WordPress ecosystems. Its purpose is twofold: to gain persistent administrative access to websites and to hijack site traffic. By infiltrating WordPress sites, it acts as a gatekeeper that filters legitimate users and redirects them to "ClickFix" lures—social engineering schemes that trick users into executing malicious code under the guise of fixing browser or document display errors.
## Technical Details
- **Type**: Malware family / Traffic Distribution System (TDS)
- **Platform**: WordPress (PHP-based CMS)
- **Capabilities**: Credential harvesting, persistence, traffic redirection, obfuscation, and TDS filtering.
- **First Seen**: Early 2026 (v3 identified)
## MITRE ATT&CK Mapping
- **TA0003 - Persistence**
  - T1505.003 - Server Software Component: Web Shell
- **TA0006 - Credential Access**
  - T1556 - Modify Authentication Process (credential capturing in WordPress)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (XOR and Base64)
  - T1564 - Hide Artifacts (mu-plugins)
- **TA0007 - Discovery**
  - T1016 - System Network Configuration Discovery (TDS filtering)
## Functionality
### Core Capabilities
- **PHP Backdoor Deployment**: Installs a malicious script within the `wp-content/mu-plugins/` (must-use) directory. Because mu-plugins are loaded automatically by WordPress before normal plugins and are not activated or deactivated through the standard admin dashboard, they are easy to overlook during plugin audits.
- **Credential Harvesting**: Intercepts and captures administrator credentials during login attempts, allowing the attacker to maintain secondary access methods.
- **Traffic Redirection (TDS)**: Analyzes incoming visitor requests to determine if they meet specific criteria (IP, browser, location) before redirecting them to malicious "ClickFix" landing pages.
### Advanced Features
- **EtherHiding Integration**: Leverages blockchain-based infrastructures (specifically Ethereum/Binance Smart Chain contracts) to host or update malicious scripts, making it extremely difficult to take down the hosting infrastructure.
- **Multi-Layer Obfuscation**: Uses a combination of XOR encryption and Base64 encoding for inline malicious scripts to bypass static analysis and signature-based security scanners.
- **Persistence via mu-plugins**: Exploits the priority loading sequence of WordPress to ensure the backdoor remains active even if traditional plugins are audited or deactivated.
## Indicators of Compromise
- **File Names**:
  - Malicious `.php` files located in `/wp-content/mu-plugins/`
- **Network Indicators**:
  - `dns-over-https[.]com` (associated with EtherHiding lookups)
  - `errtraffic[.]com` (defanged)
  - `clickfix[.]top` (defanged; common lure domain)
- **Behavioral Indicators**:
  - Unexpected modifications to PHP files.
  - Presence of heavily obfuscated inline JavaScript containing `atob()` (Base64) or XOR loops.
  - Outbound connections from the web server to blockchain RPC endpoints.
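The behavioral indicator above (inline JavaScript combining `atob()` with an XOR loop) can be checked mechanically. The following is an added example, not code from the LevelBlue SpiderLabs report or from the ErrTraffic samples: it extracts inline `<script>` bodies from a page, flags those that both decode Base64 and XOR the result, pulls the single-byte key literal out of the loop, and reverses the two layers so an analyst can read the staged code. The sample page, the benign payload and the key `0x37` are constructed here, and the regexes are assumptions about what such loaders look like rather than signatures from the report.

```python
"""Triage for XOR + Base64 obfuscated inline scripts (added example)."""
import base64
import re

# Inline script bodies; DOTALL so multi-line loaders are captured whole.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Base64 decode call.
ATOB_RE = re.compile(r"\batob\s*\(")
# XOR loop with a numeric key literal, e.g. s.charCodeAt(i) ^ 0x37 (assumed shape).
XOR_KEY_RE = re.compile(r"charCodeAt\s*\([^)]*\)\s*\^\s*(0x[0-9a-fA-F]+|\d+)")
# A long quoted Base64-alphabet string: the most likely staged blob.
B64_BLOB_RE = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")


def find_suspicious_scripts(html):
    """Return one dict per inline script that both Base64-decodes and XORs data."""
    hits = []
    for idx, body in enumerate(SCRIPT_RE.findall(html)):
        key_match = XOR_KEY_RE.search(body)
        if not (ATOB_RE.search(body) and key_match):
            continue
        blob = B64_BLOB_RE.search(body)
        hits.append({
            "index": idx,
            "key": int(key_match.group(1), 0),   # base 0 accepts 0x.. and decimal
            "blob": blob.group(1) if blob else None,
        })
    return hits


def decode_layered_blob(blob_b64, key):
    """Undo the Base64 layer, then the single-byte XOR layer."""
    raw = base64.b64decode(blob_b64)
    return bytes(b ^ key for b in raw).decode("utf-8", errors="replace")


def build_sample_page():
    """Constructed page: a benign payload wrapped the way the report describes (XOR, then Base64)."""
    payload = b'console.log("benign stand-in for the staged script");'
    key = 0x37
    blob = base64.b64encode(bytes(b ^ key for b in payload)).decode("ascii")
    loader = (
        '<script>var s=atob("' + blob + '"),o="";'
        'for(var i=0;i<s.length;i++){o+=String.fromCharCode(s.charCodeAt(i)^0x37);}'
        '</script>'
    )
    return ("<html><body><script>console.log('normal');</script>"
            + loader + "</body></html>")


if __name__ == "__main__":
    for hit in find_suspicious_scripts(build_sample_page()):
        print("script #%d key=0x%02x" % (hit["index"], hit["key"]))
        if hit["blob"]:
            print("  decodes to:", decode_layered_blob(hit["blob"], hit["key"]))
```

Only scripts that show both layers are reported, which keeps ordinary `atob()` use (common in legitimate pages) out of the alert; a loader with a multi-byte key or a different layer order would need the key extraction adapted, so treat a flagged script with no recoverable key as worth manual review rather than as clean.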
## Associated Threat Actors
- **ClearFake**: Known for using similar "ClickFix" lure strategies.
- **EtherHiding Campaigns**: Activity overlaps with actors using Smart Contracts for malicious script hosting.
## Detection Methods
- **Signature-based detection**: Scanning for common PHP shells and XOR-decryption patterns within the `mu-plugins` directory.
- **Behavioral detection**: Monitoring for WordPress login pages that send data to external, non-standard domains, and for unauthorized third-party scripts loaded in the admin dashboard.
- **File Integrity Monitoring (FIM)**: Alerting on any new file creation within the `wp-content/mu-plugins/` directory, which is rarely modified in standard production environments.
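The signature and file-integrity checks above can be combined into one pass over the mu-plugins directory. The following is an added example, not tooling from the LevelBlue SpiderLabs report: it snapshots SHA-256 digests of `wp-content/mu-plugins/` (the FIM baseline), diffs a later snapshot against it, and runs a small content triage over any new or changed PHP file for the constructs the report associates with this backdoor (Base64 decoding, an XOR loop over `chr(ord(...))`, and a hook on the login flow). The token list is an assumption, the directory is a temporary one created for the demonstration, and the dropped file is an inert constructed stand-in that only contains the shapes the triage looks for.

```python
"""FIM baseline plus PHP content triage for wp-content/mu-plugins (added example)."""
import hashlib
import os
import re
import tempfile

# Constructs commonly seen in PHP web shells and decode-and-run loaders. A hit
# is a triage signal, not proof: legitimate plugins also call base64_decode().
SUSPICIOUS_TOKENS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "xor_loop": re.compile(r"chr\s*\(\s*ord\s*\([^)]*\)\s*\^"),
    "dynamic_call": re.compile(r"\$\w+\s*\(\s*\$\w+"),          # $f($x) indirect calls
    "login_hook": re.compile(r"add_action\s*\(\s*['\"]wp_login['\"]|wp_authenticate"),
}


def hash_tree(root):
    """Map relative path -> SHA-256 for every file under root (the FIM baseline)."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Return (added, modified, removed) relative paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return added, modified, removed


def triage_php(path):
    """Return the names of suspicious constructs found in one PHP file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    return sorted(name for name, rx in SUSPICIOUS_TOKENS.items() if rx.search(src))


def scan_mu_plugins(root, baseline):
    """Diff against the baseline and triage every new or changed PHP file."""
    current = hash_tree(root)
    added, modified, removed = diff_baseline(baseline, current)
    findings = {}
    for rel in added + modified:
        if rel.endswith(".php"):
            hits = triage_php(os.path.join(root, rel))
            if hits:
                findings[rel] = hits
    return {"added": added, "modified": modified, "removed": removed, "suspicious": findings}


def demo():
    """Constructed mu-plugins tree: one benign helper at baseline, then a dropped file."""
    root = tempfile.mkdtemp(prefix="mu-plugins-")
    with open(os.path.join(root, "site-helper.php"), "w") as fh:
        fh.write("<?php\nadd_filter('the_content', function ($c) { return $c; });\n")
    baseline = hash_tree(root)  # taken while the site is known-good
    # Inert constructed stand-in for a dropped loader: it is never executed and
    # only carries the shapes the triage looks for.
    with open(os.path.join(root, "cache-optimizer.php"), "w") as fh:
        fh.write("<?php\n$d = base64_decode($p);\n$o = '';\n"
                 "for ($i = 0; $i < strlen($d); $i++) { $o .= chr(ord($d[$i]) ^ 0x37); }\n"
                 "add_action('wp_login', 'collect_login', 10, 2);\n")
    return scan_mu_plugins(root, baseline)


if __name__ == "__main__":
    print(demo())
```

In production the baseline would be written at deployment time and stored off the web server, and the scan scheduled (or triggered by inotify) so that any change under `mu-plugins/` raises an alert on its own, with the triage output attached to help the responder prioritise.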
## Mitigation Strategies
- **Prevention measures**:
  - Implement Web Application Firewalls (WAF) to block known TDS redirect patterns.
  - Enforce Multi-Factor Authentication (MFA) for all WordPress administrator accounts.
- **Hardening recommendations**:
  - Restrict file system permissions for the `wp-content/mu-plugins/` folder to read-only during normal operations.
  - Disable the "Plugin Editor" and "Theme Editor" within the WordPress dashboard (`DISALLOW_FILE_EDIT`).
## Related Tools/Techniques
- **ClickFix**: The social engineering lure system used to deliver the final payload to the end-user.
- **EtherHiding**: The technique of using blockchain transaction data to host malicious JavaScript.
- **ClearFake / SocGholish**: Similar frameworks that utilize TDS for targeted malware delivery.