A new service dubbed ERRTraffic is accelerating and industrializing the distribution of the already prolific ClickFix malware by leveraging deceptive browser behavior. Threat actors using ERRTraffic trigger fake browser error messages that mimic legitimate Chromium error codes such as ERR_CONNECTION_REFUSED or ERR_NETWORK_CHANGED to coax users into downloading malicious installers. This social engineering twist makes the attack feel like a benign troubleshooting step, significantly increasing the likelihood of user interaction and infection.
ClickFix itself has a long history of being marketed in underground forums as a “fix” for common browser glitches, only to install stealthy Windows loaders and remote access tools under the guise of error-correction software. What differentiates ERRTraffic from earlier ClickFix campaigns is its service-oriented delivery model: bad actors can purchase access to prebuilt landing pages, hosted fake error prompts and automated redirection infrastructure that delivers ClickFix binaries when users engage with the error dialog. This commoditization lowers the bar for entry, allowing less sophisticated operators to run highly effective campaigns without building their own infrastructure.
Once a victim is persuaded to download the fake fix, the ClickFix payload executes PowerShell and CMD scripts to install additional malware components. These typically include credential stealers, web injects, proxy configuration changes and remote execution backdoors, all designed to harvest sensitive information and establish persistence. The ERRTraffic model also enhances evasion by simulating benign browser behavior and error conditions: the resulting traffic looks more like a legitimate browsing session to network defenders and less like classic malware distribution patterns, complicating detection efforts.
Severity:
Medium
Attack Surface:
Endpoint, Web Browser
Tactics:
Command and Control, Credential Access, Defense Evasion, Execution, Initial Access
Techniques:
T1204.002 – User Execution: Malicious File
T1059.001 – Command and Scripting Interpreter: PowerShell
T1036 – Masquerading (fake error pages & installers)
T1071.001 – Application Layer Protocol: Web Protocols
T1555 – Credentials from Password Stores (browser theft)
Indicator of Compromise:
1. https://otx.alienvault.com/pulse/6954802649970d4b3346a73c
References:
1. https://www.infostealers.com/article/the-industrialization-of-clickfix-inside-errtraffic/
SuperPRO’s Threat Countermeasures Procedures:
1. Block execution of unsigned installers launched from user download directories (e.g., %Downloads%, %Temp%).
2. Restrict PowerShell execution for non-admin users using PowerShell Constrained Language Mode or AppLocker.
3. Monitor for PowerShell or cmd.exe spawned by browsers (chrome.exe, msedge.exe, firefox.exe).
4. Enforce SmartScreen + ASR rule “Block executable content from email and web clients” on Windows 10/11.
5. Deploy browser security policies to prevent automatic file downloads from untrusted domains.
6. Monitor DNS and proxy logs for access to fake error-themed landing pages and newly registered domains.
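The following is an added example, not part of the original advisory or the SuperPRO procedures: a small triage script that applies countermeasures 1 and 3 to process-creation telemetry. The event layout (Sysmon-style Image / ParentImage / CommandLine fields plus a signature-verified flag), the helper names and every sample event are constructed assumptions for illustration.

```python
"""Triage process-creation events for two ClickFix/ERRTraffic countermeasures:
  - a shell (powershell.exe, pwsh.exe, cmd.exe) whose direct parent is a browser
  - an unsigned executable launched from a user download or temp directory

Added example, not from the original advisory. The event fields mirror Sysmon
Event ID 1 naming but the records below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Countermeasure 1: binaries started from %Downloads% or %Temp%-style locations.
USER_WRITABLE_DIRS = re.compile(r"\\(downloads|temp)\\", re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str          # full path of the new process (Sysmon "Image")
    parent_image: str   # full path of the parent (Sysmon "ParentImage")
    command_line: str   # Sysmon "CommandLine"
    signed: bool        # assumption: populated by an Authenticode check upstream


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_shell_from_browser(ev: ProcessEvent) -> bool:
    """Countermeasure 3: PowerShell/cmd whose direct parent is a browser."""
    return basename(ev.image) in SHELLS and basename(ev.parent_image) in BROWSERS


def is_unsigned_binary_from_user_dir(ev: ProcessEvent) -> bool:
    """Countermeasure 1: unsigned installer run from a user-writable directory."""
    return (not ev.signed) and USER_WRITABLE_DIRS.search(ev.image) is not None


def triage(events: list[ProcessEvent]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every event that matches a rule."""
    hits: list[tuple[int, str]] = []
    for i, ev in enumerate(events):
        if is_shell_from_browser(ev):
            hits.append((i, "shell_spawned_by_browser"))
        if is_unsigned_binary_from_user_dir(ev):
            hits.append((i, "unsigned_binary_from_user_dir"))
    return hits


# Constructed sample events: a normal browser start, a shell launched by the
# browser, an admin's own cmd.exe, and installers from Downloads/Temp.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Windows\explorer.exe", "chrome.exe", True),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"powershell.exe -File C:\Users\alice\Downloads\browser_fix.ps1", True),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\explorer.exe", "cmd.exe", True),
    ProcessEvent(r"C:\Users\alice\Downloads\ERR_FIX_installer.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "ERR_FIX_installer.exe", False),
    ProcessEvent(r"C:\Users\alice\Downloads\setup.exe",
                 r"C:\Windows\explorer.exe", "setup.exe", True),
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\fix.exe",
                 r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                 "fix.exe", False),
]


def main() -> None:
    for idx, rule in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{rule}] {ev.image} (parent: {basename(ev.parent_image)})")


if __name__ == "__main__":
    main()
```

The parent-process check only catches a shell that the browser itself spawns; a user who runs the downloaded "fix" from Explorer produces an explorer.exe parent instead, which is why the second rule keys on the unsigned image path rather than the parent. In a real pipeline the `signed` flag would come from an Authenticode verification step and both rules would be correlated with the DNS/proxy monitoring in countermeasure 6.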
Contributed by: Thivya