ClickFix operator's blockchain C2 off the public ledger: 4 months, ~127 hosts

sdkhere1 pts0 comments

Hiding in Plain Ledger: Four Months of a ClickFix Operator's Blockchain C2 | Melted in HexHiding in Plain Ledger: Four Months of a ClickFix Operator's Blockchain C2<br>July 16, 2026 · 12 min · 2369 words · Melted in Hex<br>Table of ContentsBackground<br>Summary<br>The compromised sites<br>The on-chain C2<br>The ClickFix lure<br>The payload<br>Who&rsquo;s still infected<br>Detection and hunting<br>Indicators (IOCs)<br>What to do

To hide its command-and-control server, this operation writes the address onto a public<br>blockchain. That makes the C2 impossible to seize or sinkhole — but it also means every time<br>the operator moves servers, they leave a permanent, timestamped entry in a ledger anyone can<br>read. I pulled that ledger. It runs to four months and roughly 127 delivery hosts from a<br>single smart contract , and it was still updating the day I looked.<br>The framework itself is ErrTraffic , a ClickFix Malware-as-a-Service already documented<br>by HudsonRock<br>LevelBlue / SpiderLabs<br>and Sekoia<br>the contract I trace is the one Sekoia calls the &ldquo;Analytics&rdquo; cluster . Building on that<br>work, this is an outside-in reconstruction of how legible such an operation is from public<br>data alone: the full on-chain rotation history, a July map of who is still infected, and the<br>payload the cluster is dropping today — all without touching attacker infrastructure.

Figure 1: The chain. A hacked WordPress site (1) carries the injected loader in one of two<br>forms (plaintext or base64+XOR) and reads a Polygon contract to find the current delivery<br>host (2); that host serves a fake Cloudflare page that copies PowerShell to the clipboard<br>(3); the user runs it (4); a Go stealer lands, pulls its config from the C2 (5), and<br>uploads the stolen data (6). The same C2 channel can also push a next-stage payload (7) — a<br>loader capability present but off in this run. The only fixed point is the contract.<br>Background#<br>ErrTraffic is a rented ClickFix kit (advertised by the actor &ldquo;LenAI&rdquo; on Exploit.IN since<br>December 2025) injected into compromised WordPress sites; it resolves its C2 from a Polygon<br>smart contract via EtherHiding rather than a hard-coded domain. The contract here,<br>0x08207B087F61d7e95E441E15fd6d40BEfd6eD308, is Sekoia&rsquo;s &ldquo;Analytics&rdquo; cluster : one stable<br>contract, C2 rotated roughly daily, historically dropping Vidar (April–May 2026), backed<br>by the session-manager.php WordPress MU-plugin backdoor. For the framework internals, the<br>MaaS economics and the backdoor, read the HudsonRock, LevelBlue and Sekoia write-ups linked<br>above. Everything below is my own hands-on tracking of that contract, current to July 2026.<br>Summary#<br>Framework ErrTraffic (ClickFix MaaS) — Sekoia&rsquo;s &ldquo;Analytics&rdquo; cluster Resolver Polygon contract 0x0820…D308, selector 0x38bcdc1c (getURL()), raced across public RPCs (EtherHiding)On-chain history 147 update transactions → ~127 distinct delivery hosts, 11 Mar → 16 Jul 2026, still live Lure Fake Cloudflare &ldquo;Verify you are human&rdquo; page → clipboard PowerShell (ClickFix)Loader powershell -w h … Invoke-WebRequest … SEE_MASK_NOZONECHECKS=1Payload (July) 3 MB Go 1.25.4 infostealer, symbol-obfuscated, fake self-signed cert (CN spoofs etsy.com)Config Not embedded — 20-browser + 48-rule grabber config delivered live by the C2C2 / exfil telegram[.]me/r7t3at dead-drop → data uploaded over TLS to kwt[.]ambiltogel[.]net; zewaplus[.]club serves runtime modules (loader-capable)My additions full on-chain rotation timeline · July victim pivot (37 sites not previously listed) · live-injection confirmation · the current Go payloadThe compromised sites#<br>The traffic comes from legitimate WordPress sites, injected with a small script that runs<br>on every page , high in the document — the signature of a server-side compromise (the<br>session-manager.php MU-plugin backdoor documented by Monarx/LevelBlue/Sekoia), not a<br>single defaced page. Among the sites I saw serving it is a Romanian municipal-government<br>subdomain , eficienta-energetica-leonida.primariapetrosani.ro.

Figure 2: The lure served live on a government subdomain (primariapetrosani.ro). The<br>WordPress chrome behind it confirms the CMS; each visit mints a fresh fake &ldquo;Cloudflare ID&rdquo;<br>to look convincing.<br>I saw the injected loader in two variants , differing only in how they hide the same<br>contract, selector, and RPC list:<br>Variant A — plaintext. Contract, selector, and RPC endpoints as readable string<br>literals; trivial to spot on view-source.<br>Variant B — base64 + XOR. The same values packed into an atob() blob, XOR-decoded<br>at runtime before the eth_call. Nothing sensitive is visible in page source until it<br>runs. (This is the obfuscation LevelBlue documents for v3.)<br>Because both share the contract, selector, and RPC list, searching victim pages for the<br>domain finds nothing, but searching for that shared fingerprint finds them all.

Figure 3: The two observed variants. Left: contract, selector and RPC list in plaintext.<br>Right: the same values hidden in a...

contract clickfix sites sekoia ldquo rdquo

Related Articles