The threat actors behind the VexTrio Viper Traffic Distribution Service (TDS) have now been linked to other TDS services, including Help TDS and Disposable TDS, indicating a sprawling enterprise designed to distribute a wide range of malicious online content. Infoblox has stated that VexTrio is a group of malicious adtech companies that distribute scams and harmful software via different advertising formats. The malicious adtech companies under VexTrio Viper include Los Pollos, Taco Loco, and Adtrafico. These companies operate a commercial affiliate network that connects malware actors with so-called “advertising affiliates” who offer various illicit schemes.
A notable component of these attacks is the compromise of many WordPress websites to inject malicious code that initiates the redirection chain.
“These scripts redirect site visitors to various scam pages through traffic broker networks associated with VexTrio,” GoDaddy noted in a recent report. VexTrio’s operations suffered a significant blow around mid-November 2024 after a report revealed that Los Pollos was part of VexTrio. This exposure caused Los Pollos to cease its push link monetization, which triggered an exodus of many different threat actors.
Infoblox’s analysis of 4.5 million DNS TXT record responses has revealed that the domains could be classified into two distinct sets.
Each of these sets maintained a different redirect URL structure, even though both originally led to VexTrio and subsequently to Help TDS. Further evidence has now revealed that Help TDS and Disposable TDS are one and the same service. It enjoyed an “exclusive relationship” with VexTrio until November 2024, when Help TDS shifted its traffic to Monetizer. Help TDS has a strong Russian nexus, with hosting and domain registration frequently handled by various Russian entities.
VexTrio is one of many TDSs that have been outed as commercial adtech firms, others being Partners House and RichAds. Many of these are geared towards push notification services, making use of Google Firebase Cloud Messaging or other custom-developed scripts. Every year, hundreds of thousands of compromised websites around the world redirect victims into the tangled web of VexTrio. VexTrio and the other affiliate advertising companies know who the malware actors are, or at least have enough information to track them. Many of these companies are registered in countries that require some degree of ‘know your customer’ (KYC) compliance for their operations.