The Evolution of ClickFix: Inside ErrTraffic’s GlitchFix Attack Panel

Du'aine Davis · 2026-01-22T11:10:19+00:00

Observed in the wild * Censys researchers analysed ErrTraffic, a traffic‑distribution system used in GlitchFix/ClickFix social‑engineering attacks. They identified multiple live panels (v2 and v3) in the wild across various hosts, including one misconfigured instance that exposed the full source code. The tool targets…

Du'aine Davis

Observed in the wild

Censys researchers analysed ErrTraffic, a traffic‑distribution system used in GlitchFix/ClickFix social‑engineering attacks. They identified multiple live panels (v2 and v3) in the wild across various hosts, including one misconfigured instance that exposed the full source code. The tool targets global users across Windows, macOS, Android and Linux, with campaigns reported since late 2025.
ErrTraffic, sold for near $800 on Russian‑language forums by threat actor “LenAI”, injects malicious JavaScript into compromised websites, triggers visual “glitch” effects, fingerprints victims, geofilters traffic, and delivers OS‑specific payloads. Version differences include unobfuscated JavaScript (v2) versus XOR‑obfuscated payload logic and added ClickFix modes (v3). The system relies on social engineering rather than browser exploits, achieving conversion rates approaching 60%.
Organisations are advised to monitor for anomalous PowerShell or Run‑dialog executions initiated by users following clipboard‑injected commands, behaviour typical of ClickFix/ErrTraffic chains. Defender products should be tuned to detect unusual script executions and fingerprinting patterns from injected JavaScript. Network defenders should block domains hosting ErrTraffic panels and look for the errtraffic_session cookie in HTTP headers as an indicator of compromise.

ErrTraffic: Inside a GlitchFix Attack Panel | Censys

Find more posts tagged with

Threat Landscape

Sign in to participate and unlock exclusive content 🔓

It looks like you're new here! Sign in or register to be able to comment, access member-only content and follow the spaces relevant to you.

Comments

Du'aine Davis

ClickFix Campaign Evolves with Custom DNS Hijacking
Observed in the wild

In February, researchers observed an evolution of the ClickFix social‑engineering campaign targeting enterprise users, primarily on Windows systems. Targets were tricked into initiating actions that led to DNS‑level manipulation, enabling malware delivery without traditional downloads. The activity impacts organisations relying on standard DNS resolution and highlights ongoing, active abuse rather than a historic or isolated campaign.
Threat actors leveraged ClickFix lures to initiate custom DNS hijacking, redirecting legitimate DNS queries to attacker‑controlled infrastructure. Malicious payloads were delivered via manipulated DNS responses, allowing command execution and follow‑on malware installation. This living‑off‑the‑land approach abuses trusted network protocols, blends into normal DNS traffic, and evades signature‑based detection, indicating moderately sophisticated, hands‑on threat actors.
Organisations are advised to use Microsoft Defender for Endpoint to monitor DNS configuration changes, anomalous nslookup or resolver behaviour, and unusual outbound DNS patterns. Defender alerts for network tampering, suspicious script execution, and endpoint behaviour anomalies should be prioritised. Enforcing least privilege, centralised DNS logging, user awareness around ClickFix lures, and conditional access reduces exposure and limits impact.

Microsoft Threat Intelligence on X: "Microsoft Defender researchers observed attackers using yet another evasion approach to the ClickFix technique: Asking targets to run a command that executes a custom DNS lookup and parses the `Name:` response to receive the next-stage payload for execution. https://t.co/NFbv1DJsXn" / X

Du'aine Davis

Windows Terminal Used to Bypass Run‑Dialog Defences in ClickFix Attacks
Observed in the wild

Microsoft reported a widespread ClickFix social‑engineering campaign observed in February 2026, impacting Windows users. Victims were persuaded to manually execute commands in Windows Terminal, resulting in system compromise and downstream malware deployment, with the activity assessed as broad and opportunistic rather than sector‑specific.
The campaign instructs users to open Windows Terminal via Win+X → I, rather than the traditional Run dialog, and paste malicious PowerShell commands delivered through fake CAPTCHA, verification, or troubleshooting prompts. This approach exploits user trust in a legitimate administrative tool and bypasses detections tuned for Run‑dialog abuse, aligning with known ClickFix tradecraft.
Organisations are advised to treat unsolicited instructions to open Windows Terminal as suspicious, prioritise Defender behaviour‑based detections over single‑event execution, and monitor for user‑initiated terminal activity followed by encoded PowerShell execution. Strengthening user awareness around “copy‑paste fixes” is critical to reducing ClickFix success.

Microsoft Threat Intelligence on X: "Microsoft Defender Experts identified a widespread ClickFix social engineering campaign in February 2026 leveraging Windows Terminal as the primary execution mechanism. Rather than the traditional Win + R → paste → execute technique, this campaign instructs targets to use the https://t.co/HJx3B4YBJP" / X

See what's trending

Click on a tag to discover all the published content related to it.