{
	"id": "9005b55a-86a2-4cb9-b52c-995e35fe1de9",
	"created_at": "2026-04-06T00:22:00.537843Z",
	"updated_at": "2026-04-10T03:24:15.672205Z",
	"deleted_at": null,
	"sha1_hash": "a8d9922c6d919867e25b1c397ab9ba497e199694",
	"title": "VexTrio's Affiliation with Website Malware Actors - Infoblox Threat Intel",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6024167,
	"plain_text": "VexTrio's Affiliation with Website Malware Actors - Infoblox Threat\r\nIntel\r\nBy Infoblox Threat Intel\r\nPublished: 2025-06-12 · Archived: 2026-04-05 17:49:28 UTC\r\nExecutive Summary\r\nWhat started out as an observational study—perturb VexTrio and see how they adapt—led to a series of surprising\r\nrevelations. When their traffic distribution system (TDS) was disrupted, multiple malware actors that depended on it all\r\nmigrated to a “new” TDS, but it was the same TDS! Originally thought to be an independent TDS, we found evidence that\r\nsuggested otherwise. Several commercial TDSs were discovered to share software elements with VexTrio and benefited from\r\nVexTrio’s long, exclusive relationship with website malware actors. Finally, it became clear that the use of malicious adtech\r\ncould be the downfall of dominant malware campaign operators, as the VexTrio cabal can identify them.\r\nOn November 13, 2024, Qurium researchers exposed that the Swiss-Czech adtech company Los Pollos was part of VexTrio,\r\nthe largest and oldest known malicious TDS. Qurium made this connection after discovering that the Russian disinformation\r\nactor Doppelganger was using Los Pollos “smartlinks” in their operations. A few days later, we coordinated with Qurium\r\nand released a set of domains to a variety of security industry partners. We hoped this one-two punch would temporarily\r\ndisrupt VexTrio and that we could gain a better understanding of their relationship to website malware actors by watching\r\nthem recover.\r\nhttps://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/\r\nPage 1 of 28\n\nWe didn’t have to wait long for a response. On November 17, Los Pollos announced that they would halt their so-called\r\npush link monetization; users were told that these links would deactivate “soon.” But what does that really mean? 
As it\r\nturned out, within a few days, compromised websites all over the world that had been exploited with different WordPress\r\nvulnerabilities, and ostensibly by different malware actors, were updated in exactly the same way. For example, researchers\r\nat GoDaddy detailed how DollyWay, a malware that has consistently redirected victims to VexTrio throughout its eight\r\nyears of activity, suddenly stopped doing so on November 20, 2024, and began routing visitors to what appeared to be a new\r\nTDS, dubbed the Help TDS.\r\nBut DollyWay was not the only one that changed to direct victims to the Help TDS. Since late 2015, many different\r\nmalware strains infected WordPress sites and redirected visitors to VexTrio. In their 2024 annual report, GoDaddy found that\r\nnearly 40 percent of compromised websites that redirected visitors sent them to VexTrio via Los Pollos smartlinks. These\r\ncompromises led to several types of website injections, including those GoDaddy refers to as Balada, DollyWay, and Sign1,\r\nas well as unnamed injection campaigns. By the end of November, all these actors, which previously led to VexTrio, began\r\nusing Help TDS, or halted their operations altogether.\r\nLos Pollos had shuttered their push monetization, but they are just one entity in a sprawling criminal enterprise that makes\r\nup VexTrio. Had VexTrio really thrown in the towel? We needed to determine whether Help TDS was independent.\r\nNaturally, we turned to DNS as a primary source for our research.\r\nTo study how malware actors adjusted to the disruption and changed to the Help TDS, we considered a specific type of\r\nWordPress compromise. 
These campaigns used DNS TXT records as a mechanism for command and control (C2), a\r\ntechnique in which the C2 server encodes a URL in a TXT record and the compromised site redirects to that URL. The DNS\r\nquery contains encoded information about the website visitor in the hostname, which allows the C2 server to determine how\r\nto respond.\r\nBy analyzing 4.5 million DNS TXT record responses from compromised websites covering a six-month period (that\r\nincluded November 17) we discovered that the domains used in the DNS TXT record campaigns fell into two distinct sets,\r\neach with a distinct C2 server. Both servers were hosted in Russian-connected infrastructure, but neither their hosting nor\r\ntheir TXT responses overlapped. Each set maintained different redirect URL structures, even though they both originally led\r\nto VexTrio and subsequently to the Help TDS. These findings shed new light on the DNS TXT malware campaigns that\r\nwere not previously reported and provided further evidence that a coordinated move to the Help TDS occurred in multiple,\r\nseemingly independent, malware campaigns after the November 17 announcement.\r\nWe then dug into the Help TDS and its relationship to VexTrio. It turned out that Help TDS is not new but has been\r\nintertwined with VexTrio for years. GoDaddy researchers had highlighted that Help resembled another TDS they had called\r\nthe Disposable TDS; this too has long been interwoven with VexTrio. Our results indicate that the Disposable and Help\r\nTDSs are one and the same, and that they had a seemingly exclusive relationship with VexTrio until November.\r\nDigging further, we uncovered many other TDSs that shared a surprising number of characteristics with VexTrio. These\r\ncharacteristics include common files and URL structure that hint at the possibility of a shared code lineage. 
While the\r\nidentity of the Help TDS operator remains elusive, we unmasked many commonly seen TDSs as commercial adtech firms,\r\nincluding Partners House, BroPush, and RichAds. As Los Pollos push monetization ended, we’ve seen an increase in fake\r\nCAPTCHAs that drive user acceptance of push notifications, particularly from Partners House. The relationship of these\r\ncommercial entities remains a mystery; while they are certainly long-time partners redirecting traffic to one another, and\r\nthey all have a Russian nexus, there is no overt common ownership.\r\nThe malware actors’ choice to use commercial adtech could be their Achilles heel. As we uncovered the relationships\r\nbetween the website hackers and the VexTrio cabal, we realized that unique identifiers for each malware operator exist for\r\neach of the companies. These firms vet network affiliates before allowing them to join—we know, we’ve tried—and they\r\nmaintain personal information about the affiliates and their payments that could lead to their identities. The true test of\r\nwhether they are abused services will be their willingness to turn in the malicious actors who haunt the internet and have\r\nstolen untold money from victims worldwide.\r\nA Little Lingo\r\nThis paper relies on understanding some terminology that originates in the advertising world. Most importantly, a TDS is\r\nessentially a smart routing system for directing website visitors to content. This blog on how TDSs deliver malicious content\r\nand this one on the malicious adtech industry provide more background and terminology on the topic.\r\nTo briefly recap: a malicious TDS is one that is designed to deliver harmful content to users, whether that be malware, like\r\ninformation stealers, or scams. 
For example, when a malware operator compromises a website, they want to maximize their\r\nhttps://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/\r\nPage 4 of 28\n\nprofits and hide their activity; redirecting visitors through a TDS accomplishes both of those goals. A TDS is said to “cloak”\r\na domain, or a domain is said to be “cloaked,” when its malicious nature is hidden from users.\r\nA TDS can be simple and controlled by the malware operator. They could design their own, as it is believed SocGholish has\r\ndone, or they could use a commercial tracker which can be leveraged as a TDS, like Keitaro. But if they want website\r\nvisitors to see a wide variety of potential content, directing the user traffic through a commercial affiliate network, like Los\r\nPollos, is a smart strategy. While the industry term for the delivered content is “advertisements,” the content they deliver\r\nrarely resembles common advertisements.\r\nFigure 1 shows a high-level view of how affiliate advertising networks are used by website malware actors and many others.\r\nThe malware distributors are technically “publishing affiliates” of the network, which will typically pay them based on\r\n“actions” that the visitor, better referred to as victim, will take, including providing email or credit card information. The\r\nadvertisers themselves are malicious actors and their content is designed for deception. They are sometimes called\r\nadvertising affiliates or partners.\r\nFigure 1. A high-level picture of the role of affiliate networks in malicious adtech\r\nWe consider malicious adtech to be commercial operators who consistently deliver malicious content. In most cases, these\r\nfirms have a closed advertising pool; unlike Google advertising, they cannot claim they were duped. 
Instead, they boast to\r\nprospective publishing affiliates about their highly effective advertising, called offers.\r\nMalicious adtech often consists of multiple companies that service different parts of the industry. For instance, Los Pollos\r\nrecruits publishing affiliates with promises of high-paying offers, while their sister company Taco Loco specializes in push\r\nmonetization and recruits advertising affiliates, including those from Los Pollos. This combination ensures that VexTrio, the\r\ncontroller of both firms, maximizes profits.\r\nThe way malware operators like those deploying the DollyWay campaigns integrate with malicious adtech is through a\r\nsingle link. That link, called a smartlink or direct offer, drives traffic into the adtech TDS. The final content is often\r\nreferred to as verticals with benign names like “mainstream dating” and “sweepstakes;” these are scams, fake apps, or\r\nmalware download sites.\r\nhttps://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/\r\nPage 5 of 28\n\nDNS TXT Record Campaigns\r\nOur initial research started from a specific WordPress malware that we track via DNS.\r\nDNS TXT records were designed to support online mail operations, but have long been used for other purposes, good and\r\nbad. Many actors over the years have encoded a “next stage” response for a piece of malware, turning the authoritative DNS\r\nname server into a rudimentary C2 server. WordPress malware campaigns that leveraged DNS TXT records in this way to\r\nredirect victims to VexTrio were first reported by Sucuri in August 2023.\r\nIn these campaigns, the threat actors used malicious scripts to look up DNS TXT records that contained a Base64-encoded\r\nURL. The scripts would redirect the visitor based on those responses. Several months later, Sucuri identified a switch by\r\nthe actors to server-side redirection. 
We also published findings on these campaigns in collaboration with Randy McEoin in\r\nJanuary 2024.\r\nGoDaddy’s 2024 annual report found that nearly 25,000 websites were infected with this malware and they noted that\r\n“evolution throughout 2024 demonstrated increasing complexity, particularly in its shift from client-side JavaScript\r\ninjections to stealthier server-side PHP redirects in March.” They further emphasized that these changes were done with an\r\neye toward operational security and “Perhaps most notably, the campaign maintains persistence through automated bot\r\nnetworks that actively monitor and reactivate disabled malicious plugins, making complete removal particularly\r\nchallenging.”\r\nOur analytic systems track the communication between the compromised websites and the C2 servers through DNS,\r\nallowing us to identify new C2 servers and redirects as they come online. We also use these detections to understand the\r\nhistorical connections between the C2 servers and the redirects. Through monitoring DNS queries, we’ve been able to find\r\nsites for which there was no public evidence of the compromise. Additionally, we made ourselves victims of many sites and\r\ntracked the lingering impacts on our devices.\r\nIn a longitudinal study of DNS TXT record queries and responses over six months, August to December 2024, we assessed\r\nhow the Los Pollos decision to halt their “push monetization” offering impacted the malware operations. The last date we\r\nobserved a TXT record response that led to VexTrio was November 21, 2024, after which they redirected victims to the\r\nHelp TDS. We focused on three major questions about the threat actors deploying the DNS TXT record malware:\r\nHow did the C2 domains relate to the redirection URLs?\r\nHow did the C2 behavior change in late November?\r\nHow might this impact VexTrio?\r\nC2 Clusters\r\nAn analysis of over 4.5 million DNS queries revealed that there are two distinct sets of C2 servers. 
While all of these led to\r\nVexTrio prior to their operational changes, the two C2 sets used different hosting, redirected to distinct domains, and utilized\r\nseparate URL formats. Figure 2 shows the C2 servers and the domains observed in the redirections that were stored in the\r\nDNS TXT records.\r\nhttps://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/\r\nPage 6 of 28\n\nFigure 2. C2 responding with redirect domains in DNS TXT\r\nThe redirections from the DNS TXT records all lead to a TDS. Based on our research, we can group the URLs into five\r\ndistinct types, two of which were first seen on, or after, November 20, 2024 (see Table 1).\r\nURL parameter Notes\r\npl=\r\nParameters like this example. These are classic VexTrio URLs that lead to fake\r\ncaptchas and requests for push monetization.\r\nid=\r\nParameters like this example. These traditionally redirected to URLs with pl=\r\nparameters, but were later seen directing victims to other TDSs, like this example.\r\nutm_campaign= This example\r\nNo parameter This example and this example.\r\nhttps://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/\r\nPage 7 of 28\n\nURLs with no parameter and\r\ncontaining the /help/ path\r\nSeen briefly in December 2024.\r\nTable 1. The URL parameters observed in TXT records responses from malicious nameservers used in DNS TXT\r\ncampaigns between August and December 2024\r\nNotably for these TXT record campaigns, not only the domains but also the TDSs divide into distinct sets, meaning that\r\ndifferently formatted URLs are seen in each group. However, they all led to VexTrio prior to November 20, sometimes\r\nthrough a second redirection. The affiliates associated with this TXT record malware have been around for some time. Set\r\n#1 has user id pe7k605 in Los Pollos smartlinks and was first seen in May 2019. 
Set #2 uses the push link URL format with\r\npl parameter CHiI7Gh3GUyTa8XGgNqDyQ and was first seen in August 2023.\r\nThe C2 sets also used distinct hosting. In Table 2, we show hosting information based on historical DNS records for this\r\ndataset. The full set of C2s and redirect domains observed over the past few years is larger.\r\nC2 Domains Server IPs Redirect Domains URL Format\r\ncndatalos[.]com\r\ndata-cheklo[.]world\r\ndata-infox[.]com\r\n46[.]30[.]45[.]27\r\n65[.]108[.]195[.]250\r\nknowableuniverse[.]co\r\ndeidrerealestate[.]co\r\nmsgdetox[.]com\r\nparticipates[.]cfd\r\n?id=/help/?\r\nairlogs[.]net\r\ncloud-stats[.]com\r\ncdn-routing[.]com\r\nlogs-web[.]com\r\nwebdmonitor[.]io\r\n185[.]11[.]61[.]37\r\n185[.]234[.]216[.]54\r\n185[.]161[.]248[.]253\r\n95[.]216[.]232[.]139\r\n95[.]216[.]232[.]139\r\nbetelgeuserigel.com\r\nvipbonusgain.top\r\ninfosystemsllc[.]com\r\nadflowtube[.]com\r\necomicrolab[.]com\r\nlookup-domain[.]com\r\ndns-routing[.]com\r\nweb-hosts[.]io\r\n?pl=?utm_campaign?\u003crand\u003e\r\nTable 2. Relationships between C2 domains, server IP addresses, and redirect domains in DNS TXT record responses\r\nobserved in the period August to December 2024\r\nC2 Behavior Changes\r\nDespite independent hosting and redirects, both sets of DNS TXT C2 servers changed their behavior in the same way, albeit\r\nat slightly different times. Figure 3 shows how a visitor to a compromised website would be led to malicious content over\r\nhttps://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/\r\nPage 8 of 28\n\ntime.\r\nFigure 3. Changes in behavior over time from the two independent C2 sets\r\nFigure 3 shows us that following the announcement from Los Pollos that push link monetization would cease, the two C2\r\nservers changed the DNS TXT responses to send victims to the Help TDS, either directly or indirectly. 
One set (the one\r\nincluding data-cheklo[.]world) stopped responding between November 22 and December 6. It was later seen on a new\r\nserver, 46[.]30[.]45[.]27, in the provider Iron Hosting. The second C2 also changed hosting, but to Chang Way, at\r\n185[.]11[.]61[.]37.\r\nThere are a few exceptions. We saw limited instances where the Iron Hosting server bypassed the Help TDS and instead\r\nredirected victims directly to Vane Viper, which delivered malware. Further, GoDaddy researchers have reported rare cases\r\nwhere the DNS TXT malware sent victims to a different compromised site and subsequently redirected to a tech support\r\nscam.\r\nAs of late December, the smaller C2 set containing data-cheklo[.]world appears to have been shut down. However, the larger\r\nset containing webdmonitor[.]io continues to send victims to the Help TDS and malicious content through May 2025.\r\nThe DNS records show that the two C2 servers are likely operated by independent groups, although they are coordinated in\r\nthe malware and the content they serve. GoDaddy reported that the DollyWay malware actor converted to the Help TDS on\r\nNovember 20, the same day that the first TXT C2 server set did. Although there are indications of independent operations,\r\nthere are also clear signs of coordination.\r\nWhat is this Help TDS? And given the many options for affiliate marketing programs, why did the hackers all choose the\r\nsame TDS?\r\nNothing New Under the Sun\r\nLos Pollos stopped push monetization, but Los Pollos is just one small piece of VexTrio. We suspected that the Help TDS\r\nwas somehow connected to VexTrio, and we were right. Not only was the Help TDS intrinsically linked to VexTrio, but we\r\nwere also able to tie VexTrio to other mysterious TDSs that have been active in the environment for several years. 
GoDaddy\r\nresearchers had speculated that the Disposable TDS had evolved into the Help TDS, but they are more like siblings; all these\r\nTDSs ran concurrently and shared characteristics. We can demonstrate these connections “six ways to Sunday,” as they say,\r\nbut we will only be publicly disclosing a small set of evidence.\r\nLet’s take a look at the relationship between the different URL forms we’ve seen in the DNS TXT responses over time.\r\nTDS Behavior over Time\r\nThough it seemed to appear out of nowhere, the Help TDS is not new at all: it has been around since at least 2017. While\r\nthis TDS is now redirecting users through the Monetizer TDS, we found many past instances where the Help TDS redirected\r\nto VexTrio. Figure 4 shows the TDS behavior based on redirect URL patterns as well as sample scans that show the\r\nrelationship between the TDSs at different times.\r\nFigure 4. Transition of TDS redirection behavior over time from the three major URL forms seen in compromised websites’\r\nDNS TXT record responses\r\nGoDaddy had reported that before DollyWay malware actors adopted VexTrio’s Los Pollos links, the malware actor had\r\nexclusively used the Disposable TDS. The URLs for Disposable TDS had the format:\r\n\u003crandom_label\u003e.\u003ctld\u003e/index/?\u003cnumbers\u003e\r\nThe TLDs were managed by Freenom and were offered for free, including tk, gq, and cf.\r\nWe almost immediately located sample redirection chains that connected the Disposable TDS to VexTrio as well. The scan\r\nin Figure 5 included redirection from the Disposable TDS to a Los Pollos smartlink, but also included an early version of the\r\nHelp TDS format using the Disposable TDS domains. 
From there, we isolated several other samples that showed the same\r\nrelationships.\r\nhttps://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/\r\nPage 11 of 28\n\nFigure 5. Redirection from the Disposable TDS to a Los Pollos smartlink. Source: https://urlscan.io/result/4bcef7a1-8188-\r\n4fe1-ab93-bd303803791a/\r\nHistorical scan records allow us to connect the WordPress malware actors across their shift from VexTrio smartlinks to\r\nMonetizer in late November 2024. In the example redirection from Figure 5, the domain co34[.]space is used for a VexTrio\r\nsmartlink for the Los Pollos affiliate identified by the parameter u=b1tk60t. But this URL also includes custom affiliate-established parameters: t, used for campaign names; and cid, a click id for postbacks.1\r\n The format of the values for those\r\nparameters is identical to modern Monetizer URLs like this one:\r\nhXXps://somenth[.]bilitere[.]shop/?utm_medium= {traffic_source_id}\u0026utm_campaign=cid:11005\u0026cid=11005-14814-\r\n202505160707555c5e\r\nwhich is connected to WordPress malware campaigns.2 It appears that the Los Pollos custom tracker (t=) value cid:11005 is\r\nassociated to the larger DNS TXT record set that includes ecomicrolab[.]com. Within the Monetizer network, the same\r\nthreat actor has an affiliate source id (utm_medium=) 9eb2bcdc89976429bc64127056a4a9d5d3a2b57a. The first example of\r\na Monetizer URL formatted in this manner we have observed coincided with the change of adtech providers in November\r\n2024.\r\nOnce you’ve seen a handful of samples like this, it begs the question of just how strong the relationship is between the Help,\r\nDisposable, and VexTrio TDSs. When we say VexTrio TDS here, we are referring to several different TDSs operated by the\r\nVexTrio enterprise. 
Beyond Los Pollos, which was revealed in publications by Qurium and GoDaddy, as well as social\r\nmedia posts by us, VexTrio controls other adtech companies and the TDSs that enable their operations. These include Taco\r\nLoco and Adtrafico.\r\nDNS Connections between Multiple TDSs\r\nIt turns out there are DNS connections between the VexTrio TDS and the other malicious TDSs. But determining whether\r\nthe relationship is due to presence in the TDS or a relationship with the affiliate can be challenging. Affiliate advertising\r\nprograms like Los Pollos and Monetizer allow for the use of custom domains, which are owned by the affiliate rather than\r\nthe company. This can be done via DNS CNAME records or DNS A records. While this allows us to track the relationship\r\nwith an affiliate and different TDSs, unfortunately, it also obscures the true nature of the relationship between the domain\r\nowner and the TDS.\r\nWe have seen custom domains overlap in a few different ways. In some cases, the domain owner assigns a hostname to the\r\naffiliate program. For example, the domain owner of oktrkme[.]com, which we believe is owned by a Mexican marketing\r\nagency, appears to have been an affiliate of both Los Pollos and Monetizer. The domain name date[.]oktrkme[.]com was\r\nseen resolving in the IP address space controlled by VexTrio, while the domain name mnz.oktrkme[.]com resolved to\r\nMonetizer IP addresses in late April 2025.\r\nWhile oktrkme[.]com seems to be owned by an affiliate, others are more complicated. The domain purinagun[.]ru was\r\nregistered in April 2024 through the Russian Registrar (reg[.]ru) and was used in both Los Pollos smartlinks and the Help\r\nTDS. In this case, no hostnames are involved, but it is possible there was a DNS CNAME assignment at the time, making it\r\nimpossible to validate from DNS alone whether the domain was directly controlled by both TDS operators. 
Shared IP\r\naddresses between purinagun[.]ru and pacocha[.]shop create another similar connection between the two TDSs. And a third\r\ndomain, prefez[.]shop, draws in a third TDS that we had dubbed the News TDS, which we now know is controlled by the\r\ncommercial adtech firm Partners House (see Figure 6).\r\nhttps://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/\r\nPage 12 of 28\n\nFigure 6. The relationship between select domains seen in TDS URLs and the TDS\r\nThe reuse of domains across different TDSs complicates analysis of the underlying relationship between the TDSs\r\nthemselves, but it does provide an effective mechanism to tie affiliate actors, such as those compromising websites, over\r\ntime. In this case, we can tie together:\r\nThe Los Pollos affiliate with id u=bt1k60t and u=zt2kd0d\r\nPartners House affiliate with id 1003455\r\nMonetizer affiliate id 9eb2bcdc89976429bc64127056a4a9d5d3a2b57a\r\nWe can see that malware actors have adopted a small set of TDSs consistently over time, but is there more to be learned\r\nabout the relationship between the TDS themselves? We went back to the Help TDS to look for answers.\r\nHelp TDS Affiliations\r\nThe Help TDS emerged on our radar when Los Pollos stopped their push monetization offering in late November 2024, but\r\nthey have been present in the environment since at least November 2017. We saw from sample data that several TDSs had\r\ninteractions with each other over time, as we showed earlier in Figure 4. What other affiliations exist?\r\nhttps://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/\r\nPage 13 of 28\n\nTo understand how the Help TDS has interacted with other known threat actors, we considered approximately 10,000\r\nwebsite interactions over the last six years that included Help TDS in a redirection chain. 
The visits could have resulted in a\r\ndecoy landing page, such as Google or TikTok, but they could also land at malicious content. We used every redirection seen\r\nin the scans and enriched that with our internal knowledge about DNS actors. Figure 7 is a summarized visualization of\r\nmore than 120,000 URL redirections and the known entities involved.\r\nFigure 7. Relationships between DNS actors or clusters of activity seen in scans that involve the Help TDS between\r\nNovember 2017 and May 2025. Labels in red are actors Infoblox considers malicious, orange are suspicious, and green are\r\nknown legitimate.\r\nFigure 7 illustrates the interactions between VexTrio, the Help TDS, the News TDS (Push House), and a handful of other\r\nadvertising and TDS operators over a long period of time. We also see some interactions by criminal actors like Horrid\r\nHawk, who are known for domain hijacking. Other DNS threat actors, some of which are TDS actors, that we track but have\r\nnot published, appear in the graph as well. Long historical relationships like those discovered in this analysis have helped us\r\nvalidate theories about TDS affiliations but also uncover several new TDS operators.\r\nhttps://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/\r\nPage 14 of 28\n\nA Common Codebase\r\nOnce we had established connections between several TDSs via compromised website redirections, we looked to see if we\r\ncould tie the TDSs together in more concrete ways. We were able to identify strong relationships between the Help,\r\nDisposable, and VexTrio TDSs through their historical use of scripts, images, and URL structure.\r\nIt turns out that the Help and the Disposable TDSs are essentially the same. 
At various points since 2017:\r\nThey both used rare sweepstake lure images that appear to be exclusive to a relatively small group of threat actors,\r\nincluding VexTrio.\r\nBoth of their servers hosted VexTrio-exclusive JavaScript that are important to the functionality of its sweepstake\r\nscams.\r\nThey both used the same URL structure and parameter names.\r\nFor most of its history, Help TDS has operated as a straightforward redirector, like Keitaro. However, we did find evidence\r\nthat several years ago, the TDS domains were simultaneously used to serve lure pages. Searching back to 2019, we\r\ndiscovered many instances of both Help TDS and Disposable TDS directly serving sweepstakes scam content. This included\r\nrare lure images that appear to be only used by a small group of entities, including VexTrio (see Figure 8).\r\nFigure 8. Rare sweepstake image lure used by VexTrio, Help, and Disposable TDSs\r\nThe websites that served the sweepstakes content even showed identical URL structures and parameter names between both\r\nTDSs. This indicates that both systems are using common technology. Figure 9 shows the identical URL pattern used by\r\nboth TDSs for serving scams to web visitors.\r\nhttps://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/\r\nPage 15 of 28\n\nFigure 9. Identical URL pattern between Help and Disposable TDSs\r\nIn combination with the rare lure images, both Help and Disposable TDSs executed two pieces of rare JavaScript. VexTrio is\r\nthe only other actor we have seen use these particular scripts. Furthermore, like VexTrio, Help TDS and Disposable TDS\r\nhost the scripts directly on their servers. This means that they are not merely running the code from a remote server but have\r\nfull possession of the scripts. 
The threat actors typically obfuscate the JavaScript to hinder analysis by security researchers\r\n(see Figure 10 for a simple interpretation of one). This script prevents a web user from navigating backward in their browser\r\nhistory (e.g., by clicking on the back button). Instead, the user will reload the current page in their browser instead of the\r\npreviously visited page.\r\nFigure 10. JavaScript prevents navigation to previous pages via the back button\r\nThe second script tries to detect when the victim is leaving the current webpage without clicking a link or submitting the\r\nscam form. Under such circumstances, the script will launch the confirmation message, “You are about to leave this page!”\r\nand then quickly reload the page after a short delay. The overall goal is likely to discourage or interrupt the user from\r\nleaving the page without participating in the scam (see Figure 11).\r\nhttps://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/\r\nPage 16 of 28\n\nFigure 11. JavaScript prevents page exit without participation in scam\r\nFor the past several years, Help TDS has redirected traffic to VexTrio and more recently Monetizer. The Help TDS has a\r\nstrong Russian nexus, with hosting and domain registration frequently done via Russian entities. It does not have the full-blown functionality of the VexTrio TDSs and has no obvious commercial ties beyond its eerie connections with VexTrio. On\r\nthe other hand, Help TDS and Disposable TDS are used extensively, if not exclusively, by website malware operators,\r\nincluding those who run the DNS TXT record campaigns and DollyWay.\r\nhttps://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/\r\nPage 17 of 28\n\nTDS Resource Connections\r\nWe expanded our relationship analysis to other TDSs that showed varying levels of similarity with VexTrio. 
The TDS\r\noperators left digital traces of their public personas in DNS, and we used that information to connect several TDSs to\r\ncommercial entities, including the News TDS.\r\nThe connections between these TDSs are not limited to redirections within URLs from compromised sites; they also share\r\nseveral rare artifacts not found elsewhere on the internet. In the phishing landscape, threat actors commonly adopt phishing\r\ntoolkits used by other cybercriminals because it is relatively easy to upload the phishing web materials on a web-hosting\r\nservice and run a functioning website. On the other hand, operating a high-availability TDS is complicated; it requires a\r\ndeeper tech stack, such as clusters of web servers, web tracking systems, real-time bidding logic, affiliate payment models,\r\nand sometimes, advanced DNS configurations. While phishing kits are available for sale, the same is not true of TDSs, and\r\nwe were surprised to find common TDS components across multiple commercial entities.\r\nWe have discovered a set of web resource files used by VexTrio TDSs and several others, including those run by the\r\ncommercial entities Partners House, BroPush, and RichAds. The resources are important dependencies for the TDS, such as\r\nenticing images for luring web users, JavaScript for tracking, or browser cookie installers. The rarity of these files suggests\r\nthat these firms share code lineage, possibly through partnerships or common developers. We are not publicly releasing the\r\nfull details of these artifacts.\r\nThe files are utilized by approximately 20 distinct TDS networks even though there is little overlap in the structure of their\r\nrespective URLs, the company ownership, or hosting. 
Table 3 describes a subset of the systems that we identified, including\r\ntheir URL structure, parameter names, and parameter value descriptors.\r\nEstimated Deployment Date | TDS Name / Attribution | TDS URL Format | Example TDS Domain\r\nMay 2019 | BroPush | hXXps://{domain}/?p=[a-z][0-9]{23}\u0026sub1={source_id}\u0026sub2={site} | robotverifier[.]com\r\nMarch 2021 | BroPush | hXXps://{domain}/?auf=[a-z][0-9]+\u0026p=[a-z]{1,2}\u0026sub1={source_id}\u0026sub2={feed_name} | di4[.]biz\r\nJune 2023 | BroPush | hXXps://{domain}/?start=[12]\u0026s=[a-z]{1}\u0026t={campaign_id}\u0026sub1={source_id} | w-news[.]biz\r\nApril 2019 | VexTrio TacoLoco | hXXps://{domain}/(lure_name:eyes-robot|space-robot|blue-robot|office-robot|allow-button)/?pl=[a-z][A-Z]{22}\u0026sm={subscribe_method}\u0026nrid={nrid}\u0026hash={hash}\u0026exp={epoch_expiration} | mvgde[.]mountbliss[.]top\r\nMarch 2017 | VexTrio Los Pollos | hXXps://{domain}/?u=[a-z][0-9]{7}\u0026o=[a-z][0-9]{7}\u0026t={campaign_name} | scoretopprizes[.]top\r\nOctober 2020 | VexTrio Los Pollos | hXXps://{domain}/smartlink/?a=[0-9]{6}\u0026sm=[0-9]{5}\u0026mt=[0-9]{2}\u0026s1={tracker} | cdsecurecloud-dt[.]com\r\nOctober 2021 | Unknown | hXXps://{domain}/[a-z0-9-]{43}/?clck=[a-z0-9]{32}\u0026sid=[0-9]{8} | phenotypebest[.]com\r\nDecember 2021 | Admeking | hXXps://{domain}/?lp=[a-z0-9]{6}\u0026actoken=[a-z0-9-]{36}\u0026sid={source_id} | news-abcd[.]cc\r\nDecember 2018 | VexTrio TacoLoco | hXXp://{domain}/(bot-check-[0-9]+|video-[0-9]+|adult-web[0-9]+|age-check-[0-9]+|porno-land-[0-9]+|checking-browser-[0-9]+)?h=[a-z=]{68} | i8b[.]wstbaw[.]com\r\nAugust 
2024 | Partners House | hXXps://{domain}/?fingerprint=[a-z0-9]{32}\u0026i=[0-9]{1}\u0026id=[0-9]{7}\u0026traceId={trace_id} | 702942e07c[.]hotbkebani[.]cc\r\nJuly 2022 | BroPush | hXXps://{domain}/go/[a-z0-9]{18}?sub2={feed_name} | siteforyou3d[.]com\r\nNovember 2019 | Disposable TDS | hXXp://{freenom_domain}/index/?[0-9]{11,14} | ritardalarmser[.]gq\r\nMarch 2020 | Help TDS | hXXp://{domain}/index/?[0-9]{11,14}\u0026extra_param_1=[a-z][0-9]{20} | f68wy7o9ezwwtqc1do[.]oscarey[.]my[.]id\r\nAugust 2024 | Partners House “news” TDS | hXXps://{domain}/?drs=[0-9]+\u0026id=[0-9]+\u0026p1=[0-9]+\u0026p2=[0-9]+\u0026p3=[0-9]+\u0026traceId=[a-z0-9-]{36} | 0cc79f7666[.]news-xzomigu[.]cc\r\nJuly 2024 | Partners House | hXXps://{domain}/click/ssp/?id={base64_encoded_victim_details} | epicclicks[.]net\r\nSeptember 2019 | Partners House | hXXps://{domain}/16/?site=1000619\u0026sub1={site}\u0026sub2={hour}\u0026sub3={browser}\u0026sub4={click_number} | rpn-news3[.]club\r\nAugust 2022 | RichAds | hXXps://{domain}/?q={click_id}\u0026s={traffic_source}\u0026var={u_id}\u0026geo={geo} | 6[.]lands[.]ninja\r\nFebruary 2024 | RichAds | hXXps://{domain}/cl?c=[0-9]{8}\u0026p=[0-9]{8}\u0026cid={click_id}\u0026sub1=[a-z0-9]{22} | sweetrnd[.]net\r\nDecember 2019 | RexPush | hXXps://{domain}/(lure_name:adult_video_[0-9]{1}|check_age)/[0-9]{4}/[a-z0-9]{32}/?sub3={browser_info}\u0026sub2={os_info}\u0026click_id={click_id} | b9ab1[.]rpbuildit[.]xyz\r\nFebruary 2017 | Monetizer / Advertizer | hXXps://{domain}/utm_medium=[a-z0-9]{40}\u0026utm_campaign=cid:[0-9]{5}\u0026{optional_params} | somenth[.]bilitere[.]shop\r\nTable 3. 
Different TDS URL structures that share rare artifacts and/or have been utilized by WordPress attackers for affiliate\r\nadvertising networks\r\nSharing Lures: By Design or Coincidence?\r\nThere is a common denominator among six different TDSs, including those that we confirmed as VexTrio, Partners House,\r\nand RichAds. In a large portion of their cyber campaigns, these systems all used the same set of template images for luring\r\nweb visitors into clicking a fake CAPTCHA button. The button deceptively gives permission to the advertising network to\r\nsend notifications to the victim’s browser at any time. All of the systems are operated by affiliate programs that specialize in\r\ndistributing links to content via push notifications. Figure 12 shows a set of image lures that are hosted directly on the six\r\nTDS servers. It is compelling that:\r\n1. The six TDSs share image lures that are not just visually identical, but their SHA256 file hash values match. This\r\nmeans that the images show the exact same size and dimensions, resolution, etc.\r\n2. A very small number of TDSs use these images as lures.\r\n3. In nearly all attack instances across the six TDSs, the images are named 1.png, 2.png, logo.png, bot.png, or man.png.\r\n4. All six TDSs use fraudulent methods for subscribing internet users to malicious push notification advertisements.\r\n5. All six TDSs are operated by large public affiliate networks that specialize in push advertising.\r\n6. These affiliate networks use similar methods and technologies for sending notifications to their subscribers (i.e.,\r\nvictims).\r\n7. The affiliate networks commonly run PowerDNS, an open-source software suite for managing DNS servers.\r\nImage panels: logo.png, man.png, robot.png\r\nFigure 12. 
PNG images used by push advertisement affiliate networks\r\nAfter we identified the six TDSs that share the common lure, we pivoted on their DNS and web signatures to find the rest of\r\ntheir lure templates. Virtually all the template images serve a false message that tricks users into subscribing to malicious\r\npush notifications. These messages are almost always related to a fake CAPTCHA test or access to enticing but non-existent\r\ncontent. Figure 13 is a collage we created using various “safe for work” lure images that were historically used by the six\r\nTDSs.\r\nFigure 13. Collection of non-offensive push notification templates used by VexTrio and closely related TDSs\r\nIdentification via DNS\r\nIn addition to the lure images, we analyzed JavaScript related to notification subscriptions and DNS patterns to identify the\r\npublic aliases associated with these TDSs. The networks use multiple systems that show different URL structures in HTTP\r\ntraffic. This variation challenges relationship analysis between the multiple TDSs. Figure 14 shows five different push\r\nadvertising affiliate programs that use various technologies but format their DNS resource names similarly. We used passive\r\nDNS and unique JavaScript to determine the identities of the TDS operators: Partners House, BroPush, VexTrio’s TacoLoco,\r\nREXPUSH, and RichAds.\r\nFigure 14. Adtech networks whose TDS share rare images, scripts, and DNS patterns\r\nWe also realized that both VexTrio and Partners House run PowerDNS, an open-source DNS server software, on their\r\nservers. 
Although PowerDNS does not explicitly identify itself in responses to network requests, we discovered indicators of\r\nits usage in the DNS SOA records of many VexTrio and Partners House TDS domains. Figure 15 shows the indicator\r\na.misconfigured.powerdns.server.hostmaster in a response to a DNS SOA query for the VexTrio TDS domain ospeau[.]com.\r\nThis occurs when the administrator loads a zone into PowerDNS and the zone contains domains with a missing or invalid\r\nSOA value. As a result of the threat actors’ server misconfigurations, we were able to identify several of their IP addresses\r\nassociated with PowerDNS.\r\nFigure 15. PowerDNS indicator in a DNS SOA response from VexTrio TDS\r\nCybercriminals rarely install and configure PowerDNS on their web servers; deploying it properly requires relatively high-level knowledge of DNS. Evidently, DNS is integral to VexTrio and Partners House’s cyber operations. PowerDNS is\r\ncapable of dynamically responding to queries for specific domain name patterns, which can be a powerful tool for a TDS\r\nthreat actor that aims to control the traffic to their infrastructure.\r\nPush Advertising Is Popular\r\nRichAds, BroPush, Partners House, VexTrio’s TacoLoco, and RexPush specialize in push advertisements. The backbone of\r\nthe adtech business is the push notification service. Between these firms, we detected two kinds of technologies used to\r\nfraudulently subscribe users to notifications. These services also enable the company to push notification messages to their\r\nvictims indefinitely until their subscription is terminated (i.e., browser notification permissions are removed). 
The first is\r\nsending notification messages via Firebase Cloud Messaging (FCM), a service provided by Google that allows developers to\r\npush notification messages to apps on Android, iOS, and the web. Pushing messages via FCM is a powerful distribution\r\nmethod because it bypasses security firewalls as victim browsers receive notifications from Google’s servers rather than the\r\nservers controlled by the threat actors. Second, affiliates have also used custom-developed scripts that leverage the Push\r\nAPI, a browser feature that enables web applications to receive notifications from a server.\r\nIn most instances, the script that subscribes users to the threat actor’s notification server (e.g., FCM, custom server) is hosted\r\non the TDS server. The operators typically complicate code analysis of the script by using open-source obfuscation tools\r\nsuch as obfuscator[.]io. Several years ago, VexTrio deployed content delivery network (CDN) servers to serve web resources\r\n(e.g., push subscription scripts) that are mission critical to their fraudulent push advertising activities. Figure 16 shows a\r\ncommon configuration in a VexTrio push subscription script. The CDN server cdn[.]jmp-assets[.]com has been in service for\r\nnearly two years and is still currently active. As of this writing, the domain jmp-assets[.]com is currently ranked in the top\r\n100,000 of all domains, according to VirusTotal. This underscores the threat actor’s broad attack distribution and access to\r\nscalable, high-capacity infrastructure.\r\nFigure 16. Critical VexTrio server domain configurations in push subscription code\r\nOne hard limitation of FCM is that it doesn’t have a built-in feature to directly track which users or devices are subscribed to\r\nspecific topics, nor can it serve a statistical history of previously sent messages. 
To overcome this, adtech operators such as\r\nVexTrio have implemented their own tracking mechanisms for keeping tabs on current subscribers and historical\r\nsubscriptions. Figure 17 shows custom code that VexTrio developed. This application sends information about the victim\r\n(e.g., browser language preference, system information, device type) and their unique FCM token id to a special, VexTrio-controlled tracking server (e.g., notification-centr[.]com). Subsequently, VexTrio uses all this information to send targeted\r\nadvertisements to the subscribed victims via push notifications.\r\nFigure 17. A VexTrio code function that tracks user push subscription activity\r\nAlthough these adtech firms are registered in different countries and appear to be commercially independent, the artifacts we\r\nhave disclosed here, and others we have not, indicate that the TDSs at the core of each company’s operation are intricately\r\nrelated. That said, the exact nature of their relationship is unclear. What is clear is that these enterprises are benefiting from\r\nand enabling a wide range of cybercrime, including the exploitation of millions of websites that feed victims into their lair.\r\nWho Are the TDS Operators?\r\nConnecting a TDS definitively to an adtech firm or other actor is tricky business, but we’ve identified quite a few.\r\nMapping TDS URL patterns to public affiliate network entities is uniquely challenging because so much of their\r\ninfrastructure is kept secret and hidden behind proxies (e.g., Cloudflare) or bulletproof hosting. 
For example, most affiliates\r\nof these advertising networks are unaware of their deeper-level business practices, let alone any notable fraction of their total\r\ndomain assets. Adtech operators typically share a small number of “front-end” TDS domains with their publisher affiliates.\r\nThey do not widely share information about mission-critical and central servers in the network. Additionally, they use a\r\ndiverse set of server software and URL parameters that make it extra difficult to group and categorize different TDSs under\r\none network label. Viewed holistically, the networks exhibit traits consistent with an advertising operation. Moreover, their\r\nuse of lookalike domains and script names that mimic advertising technology further obscures their activity within legitimate\r\nweb advertisement traffic.\r\nDespite these circumstances, we’ve achieved accurate identification thanks to the adtech operators’ habitual configuration\r\npractices in DNS, reuse of rare web artifacts, failure to clear digital traces of their previous activities, and other IT shortcuts\r\nthat gave us opportunities to track and identify them. For example, we analyzed and grouped the TDSs by common\r\nsubdomain patterns, identical or highly similar push subscription scripts, as well as by linking their old domains in passive\r\nDNS to cached webpages promoting their public business names. 
Table 4 lists several public names of TDS operators that\r\nare either owned by VexTrio or appear to show close partnerships with them.\r\nOperator | TDS Description | Examples\r\nVexTrio companies, including Los Pollos, Taco Loco, and Adtrafico | VexTrio is a group of malicious adtech companies that distribute scams and harmful software via different advertising formats, including smartlinks and push notifications. | Example params: u=, o=, pl=\r\nPossibly independent operator in VexTrio circle; identity unknown | Help TDS and Disposable TDS run Keitaro software on their servers and previously redirected victims to VexTrio infrastructure. They also distributed rare scam content used by VexTrio. | Example paths: /help/, /index/\r\nPartners House | Partners House is owned by Push House and is a push advertising platform that tricks users into subscribing to its push notifications via fake CAPTCHAs and adult-themed lures. | Example params: fingerprint=, id=, traceId=, drs=\r\nBroPush | Push advertising platform that tricks users into subscribing via lures related to fake CAPTCHAs, adult content, cinema, music, and news. | Example params and folders: p=, /go/\r\nRichAds | Distributes advertising via Telegram Mini Apps, push advertising, pop ads, and native ads. | Example params: q=, s=, var=, geo=\r\nRexPush | A push advertising affiliate that uses adult-themed and robot CAPTCHA lure images to trick users into subscribing to their notifications. | Example params: sub3=, sub2=, click_id=\r\nPushtorm | Pushtorm is a push notification service that enables website owners to subscribe web visitors to push notifications and send them targeted messages. Pushtorm users can also sell excess traffic within the service. 
This service is heavily used by Rich Audience and there are indicators that Pushtorm is controlled by them. | Subscription server: hXXps://pushtorm[.]net/System/AddSubscriber\r\nRich Audience | Platform connects publishers and advertisers, and distributes ads via formats: display, video, rich media, and native. | Example params: domain=, clickid=, extclickid=\r\nMonetizer/Advertizer | A monetization platform that uses TDS technology to connect web traffic from publisher affiliates to advertisers. | Example params: utm_medium=, utm_campaign=\r\nTable 4. Concise table summary of advertising affiliate networks that we identified via TDS DNS analysis\r\nWho Are the Website Hackers?\r\nThe adtech firms know.\r\nHundreds of thousands of compromised websites around the world every year redirect victims to the tangled web of VexTrio\r\nand VexTrio-affiliate TDSs. Not just last year, but every year since 2017, possibly as early as 2015. We have identified, in\r\ncollaboration with other researchers, several hundred unique VexTrio affiliate ids associated with these hackers. These\r\naffiliates include “no name” actors, like the GitHub repo actor described earlier, and “big name” threat actors, like\r\nSocGholish and ClearFake. So, how can the affiliates be identified?\r\nVexTrio and the other affiliate advertising companies know who the malware actors are, or they at least have enough\r\ninformation to track them down. Many of the companies are registered in countries that require some degree of “know your\r\ncustomer” (KYC), but even without these requirements, publishing affiliates are vetted by their customer managers.\r\nTypically, affiliates must demonstrate how they will publish smartlinks that lead into the network’s TDS. 
While there are\r\nsome claims that it is easy to pass the vetting process, there are even more bewildered wannabe affiliates who are rejected.\r\nLos Pollos collects information like Telegram accounts and pays affiliates via cryptocurrency wallets.\r\nMany advertising networks argue that they can’t be responsible for malicious affiliates who abuse their systems; after all,\r\nthey just provide a connection between a publisher and an advertiser. But these claims fall flat for companies like Los\r\nPollos. They both vet their publishing affiliates and claim the highest quality advertising in return for traffic. As a result,\r\nthey not only have the information that can lead to the disruption of global WordPress hackers, but they also know the\r\nidentities of the scam artists to which they connect innocent website visitors.\r\nIndicators\r\nA selection of current and historical indicators related to the malicious advertising affiliate networks that we described in\r\nthis paper is available on our GitHub repo here. We have also included a table (see Table 5) of sample affiliate parameters\r\nconnected to website compromises or malicious link distribution. Table 6 contains TDS domains that we described in this\r\npaper and that are related to malicious adtech affiliate programs.\r\nAffiliate Parameter | Notes\r\nu=pe7k605 | VexTrio affiliate associated with DNS TXT record campaigns. First seen 2019.\r\npl=CHiI7Gh3GUyTa8XGgNqDyQ | VexTrio affiliate associated with DNS TXT record campaigns. First seen 2023.\r\nutm_medium=9eb2bcdc89976429bc64127056a4a9d5d3a2b57a | Monetizer affiliate associated with DNS TXT record campaigns. First seen November 24, 2024. 
This appears to be Los Pollos affiliate bt1k60t.\r\nsub1=ct1qt1t109qc73fj4fsg | Partners House affiliate associated with DNS TXT record campaigns in November 2024.\r\nid=1003455 | Partners House affiliate that appears to be the same as Los Pollos affiliate (u=bt1k60t) and associated with DNS TXT record campaigns. Seen October 2024.\r\nTable 5. Unique parameters for various malicious “publishing” affiliates\r\nDomain | TDS Domain Owner\r\n6[.]enlala[.]com | RichAds\r\n6[.]lands[.]ninja | RichAds\r\n0[.]mo10[.]biz | BroPush\r\n0[.]se11[.]biz | BroPush\r\n0[.]to6s[.]biz | BroPush\r\n0[.]robotverifier[.]com | BroPush\r\n0[.]strongblackspaces[.]com | BroPush\r\n0[.]blueskyactivecontrol[.]com | BroPush\r\n0605ee9ae7[.]hotbfocuhe[.]cc | Partners House\r\n01be885d26[.]hotbwixife[.]today | Partners House\r\n06254a045e[.]news-xkijeki[.]store | Partners House\r\n01afa41bf2[.]news-xceyuna[.]live | Partners House\r\n2765516796[.]news-xdujuwe[.]xyz | Partners House\r\n7r6[.]fmqrsj[.]com | VexTrio\r\n1azo7[.]iqfmvj[.]com | VexTrio\r\n2rt[.]xcumpw[.]com | VexTrio\r\nd3l[.]wstbaw[.]com | VexTrio\r\n3ic[.]ymehtq[.]com | VexTrio\r\n2zhyl[.]iqfmvj[.]com | VexTrio\r\ngzeao[.]cavernexplorer[.]com | VexTrio\r\ngzeao[.]check-tl-ver-116-3[.]com | VexTrio\r\ngzeao[.]check-tl-ver-154-2[.]com | VexTrio\r\nmvgde[.]stonecoremason[.]com | VexTrio\r\nmvgde[.]runesmith[.]top | VexTrio\r\nmvgde[.]runicartisan[.]top | VexTrio\r\nmvgde[.]sec-tl-129-b[.]buzz | VexTrio\r\nmvgde[.]sec-tl-129-d[.]buzz | VexTrio\r\n19a1[.]brpconnecta[.]digital | REXPUSH\r\n209c[.]brpteamwork[.]cc | REXPUSH\r\n43ff[.]rpstreamfx[.]xyz | REXPUSH\r\n5435[.]rpknowledge[.]xyz | REXPUSH\r\n9c3e1[.]rpdiscover[.]xyz | REXPUSH\r\nc62a[.]rpbuildhub[.]xyz | REXPUSH\r\nfe12[.]brpdataboxx[.]today | REXPUSH\r\nTable 6. TDS domains operated by various advertising affiliate networks\r\nFootnotes\r\n1. https://help.scaleo.io/article/414-los-pollos-affiliate-network\r\n2. 
https://urlscan.io/result/0196d747-03d5-774f-9c16-8f5eab774d2b\r\nSource: https://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/"
	],
	"report_names": [
		"vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal"
	],
	"threat_actors": [
		{
			"id": "f276b8a6-73c9-494a-8ab2-13e2f1da4c53",
			"created_at": "2022-10-25T16:07:24.441133Z",
			"updated_at": "2026-04-10T02:00:04.993411Z",
			"deleted_at": null,
			"main_name": "Achilles",
			"aliases": [],
			"source_name": "ETDA:Achilles",
			"tools": [
				"RDP",
				"Remote Desktop Protocol"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434920,
	"ts_updated_at": 1775791455,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a8d9922c6d919867e25b1c397ab9ba497e199694.pdf",
		"text": "https://archive.orkl.eu/a8d9922c6d919867e25b1c397ab9ba497e199694.txt",
		"img": "https://archive.orkl.eu/a8d9922c6d919867e25b1c397ab9ba497e199694.jpg"
	}
}