Err-Hiding and Seek: How ErrTraffic v3 Leverages EtherHiding in ClickFix Campaign
ID: 344521be-bd3f-5c49-898e-73dae41475c5
STIX ID: report--344521be-bd3f-5c49-898e-73dae41475c5
Feed Name: LevelBlue SpiderLabs Blog
ErrTraffic V3 is a commercially offered Traffic Distribution System (TDS) used in ClickFix campaigns. It compromises WordPress sites by installing a PHP backdoor as a must-use (mu) plugin, which captures administrator credentials and gives the operator persistence. Into the compromised sites it injects obfuscated JavaScript that retrieves attacker URLs and payloads from blockchain smart contracts (EtherHiding), serves multilingual ClickFix lures (fake Cloudflare and reCAPTCHA checks, a fake BSOD, and others), and delivers OS-specific malware. The report includes a technical analysis of the multi-stage chain, the backend API and its encryption modes, infrastructure and ASN clustering, and IOCs, and notes critical OpSec failures (hardcoded keys) that let defenders track and decrypt the campaign.
