Vexing and Vicious: The Eerie Relationship Between WordPress Hackers and an Adtech Cabal

Infoblox

In the shadowy corners of the internet, a troubling alliance festers—one between WordPress hackers and a sophisticated adtech-driven malware network. In this investigative report, Infoblox Vice President of Threat Intelligence Renée Burton exposes the eerie and evolving relationship between these threat actors and a powerful Traffic Distribution System (TDS) linked to the infamous VexTrio cabal. What began as a disruption experiment quickly unraveled a web of shared infrastructure, Russian affiliations, and commercial adtech enablers. This research underscores how deeply embedded cybercriminal operations have become in the fabric of digital advertising—and how DNS telemetry may be the key to unraveling them.

Removing one attack tactic doesn’t always eliminate the entire threat. However, when malicious activity resumes, DNS telemetry combined with expert-driven analytics reveals relationships between presumably unrelated actor groups. This Infoblox research presents seemingly coordinated activity between two actor groups: WordPress hackers and multiple Traffic Distribution System (TDS) operators related to the actor VexTrio. It highlights the persistent threat from large underground cybercriminal ecosystems and their continuous adaptation.

Disruption leads to new findings 

What started out as an observational study—perturb VexTrio and see how they adapt—led to a series of surprising revelations. When their TDS was disrupted, the multiple malware actors that depended on it all migrated to the same alternative TDS. Originally thought to be an independent TDS, Infoblox found evidence that suggested otherwise. Several commercial TDSs were discovered to share software elements with VexTrio, and all benefit from VexTrio’s long, exclusive relationship with website malware actors. Finally, it became clear that the use of commercial adtech, and an understanding of the DNS techniques behind it, could be the downfall of dominant malware campaign operators, as the adtech firms can help identify them.

“The identified relationships between website hackers and VexTrio cabal pose significant dangers. First, it highlights the ongoing threat from organized crime and their ability to adapt rapidly. Secondly, the scale of these attacks is significant.”

Renée Burton, Vice President of Threat Intelligence, Infoblox

Reveal with DNS Telemetry and Threat Expertise

By analyzing 4.5 million DNS TXT record responses from compromised websites over a six-month period, Infoblox Threat Intel discovered two distinct command-and-control (C2) servers hosted within Russian-related infrastructure. These findings provide insight into the structure of DNS malware campaigns. The DNS TXT campaign actors changed their operations after revelations about VexTrio commercial entities, but before their domains were reported to hosting firms, suggesting a coordinated shift to a seemingly new system known as Help TDS. Further investigation revealed that Help TDS was not new and could be connected with VexTrio in several ways.
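The coordinated shift described above is something a defender can look for in their own DNS telemetry. The following is an added example, not code from the Infoblox report: it runs over a small, constructed set of TXT-lookup records (assumed layout: timestamp, compromised site, TXT query name, TXT answer; all domains are `.invalid` placeholders) and flags cases where several sites switch from one C2 domain to the same new one within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DNS telemetry, not data from the Infoblox report.
# Each row: (timestamp, compromised site, TXT query name, TXT answer).
SAMPLE_TXT_LOG = [
    ("2025-03-01T08:00:00", "shop-a.invalid", "cfg.txt-c2-old.invalid", "v=1;url=https://lure1.invalid/"),
    ("2025-03-01T09:00:00", "blog-b.invalid", "cfg.txt-c2-old.invalid", "v=1;url=https://lure1.invalid/"),
    ("2025-03-01T09:30:00", "news-c.invalid", "cfg.txt-c2-old.invalid", "v=1;url=https://lure2.invalid/"),
    ("2025-03-01T10:00:00", "wiki-d.invalid", "cfg.txt-c2-old.invalid", "v=1;url=https://lure2.invalid/"),
    # The old C2 domain goes dark; three of the four sites pivot to a new one within a day.
    ("2025-03-03T08:10:00", "shop-a.invalid", "cfg.txt-c2-new.invalid", "v=2;url=https://lure3.invalid/"),
    ("2025-03-03T08:40:00", "blog-b.invalid", "cfg.txt-c2-new.invalid", "v=2;url=https://lure3.invalid/"),
    ("2025-03-03T11:05:00", "news-c.invalid", "cfg.txt-c2-new.invalid", "v=2;url=https://lure3.invalid/"),
    # One site keeps querying the old C2 and never switches.
    ("2025-03-03T12:00:00", "wiki-d.invalid", "cfg.txt-c2-old.invalid", "v=1;url=https://lure2.invalid/"),
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")

def c2_timeline(rows):
    """Per site, the ordered sequence of distinct C2 query names with first-seen time."""
    timeline = defaultdict(list)
    for ts, site, qname, _answer in sorted(rows, key=lambda r: r[0]):
        seq = timeline[site]
        if not seq or seq[-1][1] != qname:   # record only changes of C2 domain
            seq.append((parse_ts(ts), qname))
    return timeline

def coordinated_migrations(rows, window=timedelta(hours=24), min_sites=3):
    """Find (old_c2, new_c2) switches made by at least min_sites sites within window."""
    switches = defaultdict(list)   # (old, new) -> [(first seen on new C2, site)]
    for site, seq in c2_timeline(rows).items():
        for (_, old), (when, new) in zip(seq, seq[1:]):
            switches[(old, new)].append((when, site))
    result = {}
    for pair, events in switches.items():
        events.sort()
        # sliding window over the times at which each site made the switch
        for i, (start, _) in enumerate(events):
            sites = [s for t, s in events[i:] if t - start <= window]
            if len(sites) >= min_sites:
                result[pair] = sorted(sites)
                break
    return result

if __name__ == "__main__":
    for (old, new), sites in coordinated_migrations(SAMPLE_TXT_LOG).items():
        print(f"{len(sites)} sites moved from {old} to {new}: {', '.join(sites)}")
```

On real passive-DNS data the same grouping by (old, new) pair is what separates a coordinated infrastructure move from sites that happen to be cleaned or re-infected independently.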

Digging further, many other TDSs were uncovered that shared a surprising number of characteristics with VexTrio, including several commercial adtech firms, like Partners House, Bro Push, and RichAds. When push monetization through adtech providers like Los Pollos ended, we discovered an increase in fake captchas from other commercial adtech firms, like Partners House. While the relationship between these commercial entities remains a mystery, they are certainly long-time partners. These TDSs redirect traffic to one another and they all have a Russian nexus, but there is no overt common ownership.

A Persistent Threat

The identified relationships between website hackers and the VexTrio cabal pose significant dangers. First, they highlight the ongoing threat from organized crime and its ability to adapt rapidly. Secondly, the scale of these attacks is significant. Adtech platforms use extensive infrastructures capable of delivering crafted payloads to millions of users while utilizing personal data to route the ideal bait. Lastly, this ecosystem targets thousands of legitimate websites using WordPress or other content management systems, affecting the brand and reputation of the organizations they represent.

Tracking the malware actors and their campaigns via adtech

The malware actors’ choice to use commercial adtech could be their Achilles heel. As we uncovered the relationships between the website hackers and the VexTrio cabal, we realized that each of these companies holds unique identifiers for each malware operator.

These malware hackers vet network affiliates before allowing them to join, and they maintain personal information about the affiliates and their payments that could reveal their identities. The true test will be the adtech operators’ willingness to turn in the malicious actors who haunt the internet and have stolen untold money from victims worldwide.

Read more about the actor tactics, relationships and discovery timelines in our extensive report.

Bio of Author

Dr. Burton is the Vice President of Threat Intel for Infoblox. She is a subject matter expert in DNS-based threats and leads the algorithm development and research in DNS intelligence.
