ErrTraffic-LenAI ecosystem shift changes threat-actor operations
Threat Actor Meta
Summary
ErrTraffic has emerged as a self-hosted traffic distribution system (TDS) that commoditizes ClickFix lure delivery, making social-engineering attacks easier to scale across compromised websites. The platform was first promoted on Russian-speaking hacking forums by LenAI and is sold for $800. It can tailor payloads by target architecture and country, while using fake browser glitches to push victims into running malicious commands. The service lowers the effort needed to turn victim traffic into payload execution and downstream credential theft.
Related Happenings
Venom Stealer MaaS continuous credential theft and exfiltration
Malware Activity
First: 01.04.2026 16:30
Last: 01.04.2026 16:30
Sources 1
About this happening:
The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...
Jinkusu's Starkiller phishing-as-a-service ecosystem commoditizes account takeover
Threat Actor Meta
First: 20.02.2026 22:00
Last: 20.02.2026 22:00
Sources 1
About this happening:
A new phishing-as-a-service operation tied to **Jinkusu** is proxying real login pages through attacker infrastructure, making **MFA bypass** and account takeover easier for low-s...
CRESCENTHARVEST Windows RAT and info-stealer activity
Malware Activity
First: 19.02.2026 10:13
Last: 19.02.2026 10:13
Sources 1
About this happening:
The **CRESCENTHARVEST** malware activity centers on **version.dll**, a **Windows RAT and information stealer** that can execute commands, log keystrokes, and exfiltrate data. It m...
UNC1069 GhostCall cryptocurrency social-engineering campaign
Campaign
First: 11.02.2026 08:50
Last: 11.02.2026 08:50
Sources 1
About this happening:
**UNC1069** is **actively targeting the cryptocurrency sector** with a **social-engineering campaign** designed to steal credentials and data for **financial theft**. The operatio...
Stanley MaaS markets malicious Chrome-extension phishing service
Threat Actor Meta
First: 27.01.2026 01:46
Last: 27.01.2026 01:46
Sources 1
About this happening:
**Stanley** is a **malware-as-a-service (MaaS)** platform for **malicious Chrome extensions** that helps operators deliver **phishing pages** through the browser while keeping the...
Timeline
30.12.2025 23:08
ErrTraffic automates ClickFix attacks on compromised websites
Initial Disclosure: Hudson Rock researchers describe ErrTraffic as a self-hosted traffic distribution system sold for $800 that can be added to a compromised website via an HTML line, fingerprint victims by geolocation and OS, and display fake Chrome updates, font replacement errors, or other fake glitches to push targets toward malicious instructions or payload downloads. The platform was first promoted on Russian-speaking hacking forums by LenAI earlier this month, can deliver Lumma, Vidar, Cerberus, AMOS (Atomic Stealer), or Linux backdoors, and hardcodes an exclusion for CIS (Commonwealth of Independent States) countries.
Sources:
- New ErrTraffic service enables ClickFix attacks via fake browser glitches — www.bleepingcomputer.com — 30.12.2025 23:08