SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

Infoblox exposes VexTrio adtech in WordPress malware

Yesterday

Infoblox Threat Intel has revealed coordinated activity between WordPress hackers and traffic distribution system (TDS) operators linked to the VexTrio network.

The findings emerged as researchers disrupted the infrastructure associated with VexTrio, a network previously thought to be independent from other malware groups. Initial efforts focused on observing VexTrio's response to disruption, but subsequent investigations led to broader revelations about the adaptability of cybercrime ecosystems and their intersections with commercial adtech infrastructure.

Infrastructure disruption

Following the disruption of VexTrio's TDS, Infoblox observed that multiple malware actors who had previously depended on VexTrio's infrastructure migrated en masse to a single alternative provider, Help TDS. Help TDS, previously assumed to be an independent entity, demonstrated shared characteristics with VexTrio through further analysis, prompting researchers to reassess previously held views about its independence within the cybercrime ecosystem.

Researchers from Infoblox also identified several commercial TDS platforms that, according to their analysis, shared software elements with VexTrio. These commercial operators were observed to benefit from collaborations with website malware actors, including exclusive relationships that facilitated mutual persistence. The overlaps were discovered through the examination of more than 4.5 million DNS TXT record responses from compromised websites collected over a six-month period.

Russian associations and adtech overlap

Analysing the DNS telemetry allowed Infoblox to track the movement of command and control servers and campaign pivots in near real-time. During this investigation, the company identified command and control servers hosted on infrastructure associated with Russia, linking them to wider malware ecosystems maintained by VexTrio.
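The paragraph above describes tracking command-and-control movement and campaign pivots by watching how the TXT answers returned to compromised sites change over time. The script below is an added illustration of that idea, not Infoblox's tooling or data: it parses a constructed passive-DNS-style log (the line format, hostnames and `.invalid` domains are all hypothetical), builds a per-name timeline of TXT answers, and reports every point at which the answer for a name changes, together with how many distinct querying hosts resolved that name.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical log line format, constructed for this example (not a real sensor format):
# <ISO-8601 timestamp> <querying host> <queried name> TXT "<answer>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<qname>\S+)\s+TXT\s+"(?P<answer>[^"]*)"$'
)

# Constructed sample telemetry: three web servers resolve the same configuration-style
# TXT name, and on 2024-03-03 the answer pivots to a new redirect host. A legitimate
# DMARC record is included as a control, plus one malformed line that must be skipped.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z web-01 cfg.plugin-update.invalid TXT "r=http://hop-a.invalid/in"
2024-03-01T10:05:00Z web-02 cfg.plugin-update.invalid TXT "r=http://hop-a.invalid/in"
2024-03-02T10:00:00Z web-01 cfg.plugin-update.invalid TXT "r=http://hop-a.invalid/in"
2024-03-03T10:00:00Z web-03 cfg.plugin-update.invalid TXT "r=http://hop-b.invalid/in"
2024-03-03T10:02:00Z web-01 cfg.plugin-update.invalid TXT "r=http://hop-b.invalid/in"
2024-03-01T12:00:00Z web-04 _dmarc.legit-site.invalid TXT "v=DMARC1; p=none"
2024-03-03T12:00:00Z web-04 _dmarc.legit-site.invalid TXT "v=DMARC1; p=none"
this line is malformed and should be skipped
"""


def parse_line(line):
    """Return (timestamp, host, qname, answer) for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    # Normalise the name so 'Cfg.Example.' and 'cfg.example' collapse together.
    qname = m["qname"].lower().rstrip(".")
    return ts, m["host"], qname, m["answer"]


def build_timeline(log_text):
    """Group observations by queried name, sorted by time: {qname: [(ts, host, answer), ...]}."""
    timeline = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        ts, host, qname, answer = rec
        timeline[qname].append((ts, host, answer))
    for qname in timeline:
        timeline[qname].sort(key=lambda r: r[0])
    return dict(timeline)


def find_pivots(timeline):
    """Report every change in the TXT answer for a name, in chronological order."""
    pivots = []
    for qname, records in timeline.items():
        last_answer = None
        for ts, host, answer in records:
            if last_answer is not None and answer != last_answer:
                pivots.append({
                    "qname": qname,
                    "at": ts.isoformat(),
                    "old": last_answer,
                    "new": answer,
                    "first_seen_by": host,
                })
            last_answer = answer
    return pivots


def querying_hosts(timeline):
    """Count distinct hosts that resolved each name; many hosts sharing one odd name is a lead."""
    return {qname: len({host for _, host, _ in recs}) for qname, recs in timeline.items()}


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_LOG)
    for pivot in find_pivots(tl):
        print(f"{pivot['at']} {pivot['qname']}: {pivot['old']!r} -> {pivot['new']!r} "
              f"(first seen by {pivot['first_seen_by']})")
    for qname, n in querying_hosts(tl).items():
        print(f"{qname}: resolved by {n} host(s)")
```

In practice the value of this approach comes from volume: a single site changing its TXT answer means little, but many unrelated sites resolving the same name and all receiving a new answer on the same day is the kind of synchronised pivot the research describes, and the `querying_hosts` count is the simplest way to surface it.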

In addition to technical connections between malware groups and TDS operators, the research highlights the involvement of commercial adtech companies. Entities named in the research include Partners House, Bro Push, RichAds, and Los Pollos. Although these firms were observed to redirect web traffic to one another, overt links in common ownership were not established. All, however, demonstrated characteristics or relationships pointing towards a Russian context.

The research from Infoblox details how these collaborations have enabled large-scale exploitation campaigns. Compromised WordPress and other content management system (CMS) sites redirected unsuspecting users to malicious destinations, often presenting fake CAPTCHAs or delivering crafted malware payloads to millions of individuals.

Campaign impacts and identification

The coordination among these actor groups reflects substantial scale and impact. According to Infoblox, these campaigns have affected thousands of legitimate websites, leveraging their traffic to monetise malware-driven campaigns and increase the reach of malicious payloads delivered to end users. The overlap between commercial adtech operations and criminal distribution systems represents a significant aspect of current cybercrime infrastructure.

One of the significant risks identified is the capacity for attackers to sustain persistent, large-scale malware campaigns on commercial infrastructure that inadvertently supports them. On this issue, Infoblox researchers note that the malware hackers' reliance on commercial adtech could become a vulnerability for the threat actors themselves:

"The malware hackers' reliance on commercial adtech could prove to be their Achilles heel. These actors maintain identifiable affiliate networks and payment records. The question now is whether the adtech firms, knowingly or not enabling monetized malware traffic, will act to expose those behind these large-scale operations."

Infoblox reports that continued scrutiny of DNS telemetry and infrastructure relationships has provided new visibility into underground cybercrime networks. The ongoing analysis details malicious campaign infrastructure, shifting tactics, and the collaboration timelines uncovered as a result of these efforts.

The full details on actor tactics, campaign infrastructure, and discovery timelines will be presented in an upcoming report by Infoblox Threat Intel.
