Utilization of WordPress Platforms in Malicious Activities: An In-Depth Analysis of VexTrio and Its Global Scam Network Operations


The VexTrio Viper traffic distribution service (TDS) is one part of a wider network of malicious adtech operators, including the Help TDS and Disposable TDS, that push malware and fraud to victims through advertising channels. Taken together they form a well-organised criminal enterprise whose business is delivering malware and scam content at scale.

VexTrio runs several malicious adtech entities, among them Los Pollos, Taco Loco and Adtrafico, which together form a commercial affiliate network. The network connects malware distributors (the "publishing affiliates", who supply the victim traffic) with advertising affiliates who run the scams, including gift card fraud and phishing.

These TDSs monetise victims by redirecting them through SmartLinks (rotating links that select an offer per visitor) and direct offers. Los Pollos attracts malware distributors with high-paying offers, while Taco Loco concentrates on push-notification monetisation and works with advertising affiliates to extend their reach.

A significant source of that traffic is compromised WordPress sites: code injected into the site starts a redirection chain that ends at VexTrio's scam pages. Notable campaigns using this route include Balada, DollyWay, Sign1 and one that retrieves its redirect targets from DNS TXT records.

According to GoDaddy's analysis, the scripts deployed in these campaigns redirect site visitors through networks associated with VexTrio, one of the largest known cybercriminal affiliate networks, which uses advanced DNS techniques and domain generation algorithms to spread malware globally.

In November 2024, VexTrio’s operations faced disruption when Qurium disclosed the affiliation between Los Pollos and VexTrio, leading to a cessation of their push link monetization. This exposure forced many threat actors reliant on Los Pollos to seek alternative redirection channels, notably Help TDS and Disposable TDS.

Infoblox's investigation of the DNS TXT record responses observed in that campaign found that the related command-and-control (C2) servers were hosted on Russian-connected infrastructure. The two C2 servers used different redirect URL structures, but both ultimately routed traffic to VexTrio and from there to Help TDS.
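The two checks below are an added example written for this page, not code from Infoblox, GoDaddy or any of the reports cited. They triage the two artefacts the WordPress and DNS TXT campaigns described above leave behind: the TXT strings that carry a redirect target (checked both as plain text and as a base64-wrapped URL, a format detail assumed here rather than documented on the page) and the inline script injected into a WordPress page that sends the visitor off-site. All domain names, the sample TXT strings and the sample HTML are constructed for the example and are not indicators from any report.

```python
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Anything that looks like an absolute http(s) URL.
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)
# A run of base64 alphabet long enough to hold a URL, with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Inline JavaScript that sends the browser elsewhere:
#   [window.]location[.href] = "https://..."   or   location.replace("https://...")
LOCATION_RE = re.compile(
    r"location(?:\.href)?\s*=\s*['\"](https?://[^'\"]+)['\"]"
    r"|location\.(?:replace|assign)\(\s*['\"](https?://[^'\"]+)['\"]"
)


def _decode_b64(token):
    """Decode a base64 blob to text, or return None if it is not valid base64/UTF-8."""
    padded = token + "=" * (-len(token) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def extract_redirects_from_txt(txt_values):
    """Return the unique redirect URLs carried by a list of DNS TXT strings.

    Each value is checked as-is, then every base64 blob inside it is decoded and
    checked again, so plain and base64-wrapped URLs are both recovered.
    """
    urls = []
    for value in txt_values:
        candidates = URL_RE.findall(value)
        for blob in B64_RE.findall(value):
            decoded = _decode_b64(blob)
            if decoded:
                candidates.extend(URL_RE.findall(decoded))
        for url in candidates:
            if url not in urls:
                urls.append(url)
    return urls


class _ScriptCollector(HTMLParser):
    """Collect inline <script> bodies and external <script src> values from a page."""

    def __init__(self):
        super().__init__()
        self._in_inline_script = False
        self.inline = []
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)
            else:
                self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline.append(data)


def find_injected_redirects(html, site_host):
    """Return redirect targets and script sources in the page that point off-site.

    site_host is the hostname the page is legitimately served from; anything the
    page loads from, or sends the visitor to, on another host is reported.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for body in parser.inline:
        for match in LOCATION_RE.finditer(body):
            url = match.group(1) or match.group(2)
            if urlparse(url).hostname != site_host:
                hits.append(url)
    for src in parser.sources:
        host = urlparse(src).hostname
        if host and host != site_host:  # relative paths have no host and are skipped
            hits.append(src)
    return hits


# Constructed sample data for this example; none of these domains are real indicators.
SAMPLE_TXT = [
    "v=spf1 include:_spf.example.net -all",                               # ordinary record
    base64.b64encode(b"https://lure.example/landing?cid=42").decode(),   # wrapped URL
    "redirect=https://chain.example/r/abc",                               # plain URL
]

SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.static.example/inject.js"></script>
</head><body>
<script>setTimeout(function () { window.location.href = "https://lure.example/landing?cid=42"; }, 300);</script>
<script>if (!document.cookie) { location.replace("https://blog.example.org/welcome"); }</script>
</body></html>"""

if __name__ == "__main__":
    print("TXT redirect targets:", extract_redirects_from_txt(SAMPLE_TXT))
    print("Off-site redirects/scripts:", find_injected_redirects(SAMPLE_HTML, "blog.example.org"))
```

In practice the TXT values would come from resolving the domains that injected code on a compromised site queries, and the HTML from fetching the site the way a browser does (injected redirects are often served conditionally, so a curl with a default user agent may see a clean page). A same-host redirect, like the second inline script in the sample, is deliberately not flagged; the signal is traffic leaving the site.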

The evidence suggests that Help TDS and Disposable TDS are a single entity, and that it worked exclusively with VexTrio until late 2024. After that point Help TDS began sending traffic to Monetizer as well, a platform that connects publisher affiliates with advertisers using TDS technology.

Infoblox further elaborates on the Russian connection of Help TDS, indicating that operations often involve Russian entities for hosting and domain registration. While Help TDS lacks the comprehensive functionality of VexTrio’s systems, it maintains notable ties to them.

VexTrio is among numerous TDSs categorized as commercial adtech firms, alongside others such as Partners House, BroPush, and RichAds. Many of these organizations focus on push notification services, leveraging Google Firebase Cloud Messaging (FCM) or custom scripts to deliver malicious links through push notifications.

Every year, vast numbers of compromised websites worldwide funnel victims into VexTrio and its affiliated TDSs. These operators have substantial visibility into who the malware actors are, enough to trace them. Many of the associated companies operate in jurisdictions with 'know your customer' (KYC) obligations, which would allow their publishing affiliates to be vetted effectively.