Wednesday, June 18, 2025

How VexTrio and Affiliates Run a Global Scam Network


The threat actors behind the VexTrio Viper Traffic Distribution Service (TDS) have been linked to other TDS services such as Help TDS and Disposable TDS, indicating that the sophisticated cybercriminal operation is a sprawling enterprise of its own that is designed to distribute malicious content.

“VexTrio is a group of malicious adtech companies that distribute scams and harmful software through different advertising formats, including smartlinks and push notifications,” Infoblox said in a deep-dive report shared with The Hacker News.

Some of the malicious adtech companies under VexTrio Viper include Los Pollos, Taco Loco, and Adtrafico. These companies operate what is called a commercial affiliate network that connects malware actors, whose websites unsuspecting users land on, with so-called “advertising affiliates” who offer various types of illicit schemes such as gift card fraud, malicious apps, phishing sites, and scams.

Put differently, these malicious traffic distribution systems are designed to redirect victims to their destinations via a SmartLink or a direct offer. Los Pollos, per the DNS threat intelligence firm, enlists malware distributors (aka publishing affiliates) with promises of high-paying offers, while Taco Loco focuses on push monetization and recruits advertising affiliates.

Another notable component of these attacks is the compromise of WordPress websites to inject malicious code that is responsible for initiating the redirection chain, ultimately leading visitors to VexTrio scam infrastructure. Examples of such injections include Balada, DollyWay, Sign1, and DNS TXT record campaigns.

“These scripts redirect site visitors to various scam pages via traffic broker networks associated with VexTrio, one of the largest known cybercriminal affiliate networks that leverages sophisticated DNS techniques, traffic distribution systems, and domain generation algorithms to deliver malware and scams across global networks,” GoDaddy noted in a report published in March 2025.


VexTrio’s operations suffered a blow around mid-November 2024 after Qurium revealed that the Swiss-Czech adtech company Los Pollos was part of VexTrio, causing Los Pollos to halt its push link monetization. This, in turn, triggered an exodus, pushing threat actors that relied heavily on the Los Pollos network to move to alternative redirect destinations such as Help TDS and Disposable TDS.

Figure: Changes in behavior over time from the two independent C2 sets

Infoblox’s analysis of 4.5 million DNS TXT record responses from compromised websites over a six-month period has revealed that the domains that were part of the DNS TXT record campaigns could be classified into two sets, each with its own distinct command-and-control (C2) server.

“Both servers were hosted in Russian-connected infrastructure, but neither their hosting nor their TXT responses overlapped,” the company said. “Each set maintained different redirect URL structures, even though they both originally led to VexTrio and subsequently to the Help TDS.”
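The partitioning described above, where TXT responses fetched by injected scripts are grouped by the C2 host they point to and compared by redirect URL structure, can be reproduced on a defender's own DNS telemetry. The following is an added example, not code from Infoblox or the article; every domain, host and TXT value in it is a constructed placeholder, not a real indicator.

```python
"""Partition DNS TXT redirect responses into sets by the C2 host they point to (added example)."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: (compromised-site domain, TXT response its injected script fetched).
SAMPLE_TXT_RESPONSES = [
    ("blog-a.example", "https://c2-one.invalid/go/3f9a?cid=1001"),
    ("shop-b.example", "https://c2-one.invalid/go/77b2?cid=1002"),
    ("news-c.example", "https://c2-two.invalid/r/k8x1/landing"),
    ("forum-d.example", "https://c2-two.invalid/r/p0q2/landing"),
    ("wiki-e.example", "v=spf1 include:_spf.example -all"),  # legitimate TXT, not a redirect
]

URL_RE = re.compile(r"https?://[^\s\"']+")
# A path segment of 4+ alphanumerics containing at least one digit is treated as a variable token.
TOKEN_RE = re.compile(r"/(?=[0-9a-z]*\d)[0-9a-z]{4,}(?=/|$)", re.IGNORECASE)

def extract_redirect(txt):
    """Return the first URL embedded in a TXT response, or None if it carries no redirect."""
    match = URL_RE.search(txt)
    return match.group(0) if match else None

def url_shape(url):
    """Reduce a redirect URL to its structure: host, path with ids masked, sorted query keys."""
    parts = urlsplit(url)
    shape = parts.netloc + TOKEN_RE.sub("/<id>", parts.path)
    keys = sorted(k for k, _ in parse_qsl(parts.query, keep_blank_values=True))
    if keys:
        shape += "?" + "&".join(k + "=<v>" for k in keys)
    return shape

def cluster_by_c2(records):
    """Group compromised sites by C2 host and record the redirect URL structures each host uses."""
    sets = defaultdict(lambda: {"sites": [], "shapes": set()})
    for site, txt in records:
        url = extract_redirect(txt)
        if url is None:
            continue  # non-redirect TXT records (SPF, verification tokens) are ignored
        host = urlsplit(url).hostname
        sets[host]["sites"].append(site)
        sets[host]["shapes"].add(url_shape(url))
    return dict(sets)

if __name__ == "__main__":
    print(cluster_by_c2(SAMPLE_TXT_RESPONSES))
```

Two hosts whose URL shapes never overlap, as in the sample, is the signature of separately operated C2 sets; a shared shape across hosts would instead suggest one operator behind both.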

Further evidence has shown that Help TDS and Disposable TDS are one and the same, and that the service enjoyed an “exclusive relationship” with VexTrio until November 2024. Help TDS, which historically redirected traffic to VexTrio domains, has since shifted to Monetizer, a monetization platform that uses TDS technology to connect web traffic from publisher affiliates to advertisers.

“The Help TDS has a strong Russian nexus, with hosting and domain registration frequently conducted through Russian entities,” Infoblox said, describing the operators as possibly independent. “It does not have the full-blown functionality of the VexTrio TDSs and has no obvious commercial ties beyond its eerie connections with VexTrio.”


VexTrio is one of many TDSs that have been exposed as commercial adtech firms, the others being Partners House, BroPush, RichAds, Admeking, and RexPush. Many of these are geared towards push notification services, using Google Firebase Cloud Messaging (FCM) or custom-developed scripts built on the Push API to distribute links to malicious content via push notifications.

“Hundreds of thousands of compromised websites around the world annually redirect victims to the tangled web of VexTrio and VexTrio-affiliate TDSs,” the company said.

“VexTrio and the other affiliate advertising companies know who the malware actors are, or they at least have enough information to track them down. Many of the companies are registered in countries that require some degree of ‘know your customer’ (KYC), but even without those requirements, publishing affiliates are vetted by their customer managers.”
