Infoblox research uncovers surprising links between WordPress hackers and VexTrio-related groups via DNS telemetry, exposing persistent cyber threats.
Removing one attack tactic doesn’t always eliminate the entire threat. However, when malicious activity resumes, DNS telemetry combined with expert-driven analytics reveals relationships between presumed unrelated actor groups. This Infoblox research presents seemingly coordinated activity between two actor groups: WordPress hackers and multiple Traffic Distribution System (TDS) operators related to the actor VexTrio. It highlights the persistent threat from large underground cybercriminal ecosystems and their continuous adaptation.
Disruption leads to new findings
What started as an observational study, perturbing VexTrio to see how they adapt, led to a series of surprising revelations. When their TDS was disrupted, the multiple malware actors that depended on it all migrated to a different TDS, and they all made the same choice. Although that TDS was initially considered independent, Infoblox found evidence suggesting otherwise. Several commercial TDSs were discovered to share software elements with VexTrio, and all of them benefit from VexTrio’s long, exclusive relationship with website malware actors. Finally, it became clear that the operators’ reliance on commercial adtech, together with an understanding of the DNS techniques behind it, could be the downfall of dominant malware campaign operators, since the adtech firms can help identify them.
Reveal with DNS Telemetry and Threat Expertise
By analyzing 4.5 million DNS TXT record responses from compromised websites over six months, Infoblox Threat Intel discovered two distinct command-and-control (C2) servers hosted within Russian-related infrastructure. These findings provide insight into the structure of DNS malware campaigns. The DNS TXT campaign actors changed their operations after revelations about VexTrio commercial entities. However, even before their domains were reported to hosting firms, the actors appeared to make a coordinated shift to a seemingly new system known as Help TDS. Further investigation revealed that Help TDS was not new and could be connected with VexTrio in several ways.
Digging further, many other TDSs were uncovered that shared a surprising number of characteristics with VexTrio, including several commercial adtech firms, like Partners House, Bro Push, and RichAds. When adtech providers like Los Pollos push monetization, we discovered an increase in fake captchas from other commercial adtech firms, like Partners House. While the relationship between these commercial entities remains a mystery, they are certainly long-time partners. These TDSs redirect traffic to one another, and all have a Russian nexus, but there is no overt common ownership.
A Persistent Threat
The identified relationships between website hackers and the VexTrio cabal pose significant dangers. First, they highlight the ongoing threat from organized crime and their ability to adapt rapidly. Second, the scale of these attacks is substantial. Adtech platforms use extensive infrastructures capable of delivering crafted payloads to millions of users while utilizing personal data to route the ideal bait. Lastly, this ecosystem targets thousands of legitimate websites using WordPress or other content management systems, affecting the brand and reputation of the organizations they represent.
Tracking the malware actors and their campaigns via adtech
The malware actors’ choice to use commercial adtech could be their Achilles heel. As we uncovered the relationships between the website hackers and the VexTrio cabal, we realized that each adtech company holds unique identifiers for each malware operator.
These malware hackers vet network affiliates before allowing them to join, and they maintain personal information about the affiliates and their payments that could lead to their identities. The true test will be the adtech operators’ willingness to turn in malicious actors who haunt the internet and have stolen untold money from victims worldwide.