Err-Hiding and Seek: How ErrTraffic v3 Leverages EtherHiding in ClickFix Campaign
The LevelBlue SpiderLabs team examined the latest version of ErrTraffic, which emerged in early 2026. In a recently observed campaign, the team found that ErrTraffic primarily targets WordPress websites by deploying a PHP backdoor script in the must-use plugin (mu-plugin) directory that captures administrator credentials and ensures persistence on compromised sites. On the infected website, the backdoor injects malicious inline scripts that use both XOR and Base64 obfuscation to evade detection. ErrTraffic uses a Traffic Distribution System (TDS) to filter site visitors and redirect them to ClickFix lures.
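A site owner can check rendered pages for the kind of inline script described above. The following is an added example, not code from SpiderLabs or from ErrTraffic: a generic heuristic that flags inline scripts combining `atob()`, XOR on character codes, and a Base64 literal that decodes to non-text bytes. The 40-character minimum, the 0.7 printable threshold, and the sample page with its 0xA5 key are assumptions chosen for illustration.

```python
import base64
import re
from html.parser import HTMLParser
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{40,}={0,2})["']""")
XOR_ON_CHARCODE = re.compile(r"charCodeAt\s*\([^)]*\)\s*\^")
ATOB_CALL = re.compile(r"\batob\s*\(")

class InlineScripts(HTMLParser):
    """Collect the bodies of <script> elements that have no src attribute."""
    def __init__(self):
        super().__init__()
        self.scripts, self._inline = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script" and "src" not in dict(attrs):
            self._inline = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = False
    def handle_data(self, data):
        if self._inline:
            self.scripts[-1] += data

def printable_ratio(raw):
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in raw) / max(len(raw), 1)

def scan_html(html):
    """Flag inline scripts that pair atob() with XOR over a non-text Base64 blob."""
    parser = InlineScripts()
    parser.feed(html)
    findings = []
    for index, body in enumerate(parser.scripts):
        if not (ATOB_CALL.search(body) and XOR_ON_CHARCODE.search(body)):
            continue
        for literal in B64_LITERAL.findall(body):
            try:
                raw = base64.b64decode(literal, validate=True)
            except ValueError:
                continue  # looked like Base64 but does not decode
            if printable_ratio(raw) < 0.7:  # not text: a second layer is likely
                findings.append({"script": index, "blob_chars": len(literal)})
                break
    return findings

# Constructed sample page: a harmless string XORed with 0xA5, then Base64-encoded.
_BLOB = base64.b64encode(bytes(b ^ 0xA5 for b in b"constructed sample text " * 2)).decode()
SAMPLE = ('<script src="/a.js"></script><script>console.log("hi")</script>'
          '<script>var d=atob("%s"),o="";for(var i=0;i<d.length;i++)'
          'o+=String.fromCharCode(d.charCodeAt(i)^0xA5);</script>') % _BLOB
```

A hit is a reason to review the script and the site's mu-plugin directory, not proof of compromise, since legitimate code can also decode binary data this way.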