VexTrio Exposed: Infoblox Uncovers Massive Malicious Adtech Ecosystem Powering Global Malware

When Infoblox researchers set out to disrupt the notorious Traffic Distribution System (TDS) known as VexTrio, they weren’t expecting to uncover one of the most sprawling and persistent malware ecosystems in existence. What began as a “perturb and observe” experiment became a sweeping expose of the deeply entangled world of malicious adtech, DNS-based malware campaigns, and global website compromises.

On November 13, 2024, Qurium exposed: Swiss-Czech adtech firm Los Pollos was linked to VexTrio, the largest known malicious TDS. Just days later, Los Pollos abruptly shut down their “push link monetization” service. To outsiders, this might have seemed like a victory for defenders. But as Infoblox observed, the criminal network didn’t disintegrate — it simply shifted gears.

By November 20, multiple long-active malware campaigns—like DollyWay, Balada, and Sign1—simultaneously stopped redirecting victims to VexTrio and instead funneled them into a “new” service: the Help TDS. But it wasn’t new at all.

“Help TDS is not new but has been intertwined with VexTrio for years,” the researchers discovered. In fact, it is the same system previously dubbed the Disposable TDS—merely rebranded but architecturally identical.

A major part of this investigation revolved around DNS-based command-and-control (C2) infrastructure. Malware embedded in over 25,000 WordPress sites used DNS TXT records to relay encoded redirection instructions. These C2 servers — split into two independently hosted clusters — once routed traffic to VexTrio but, following Los Pollos’ shutdown, synchronized their operations to pivot toward the Help TDS.

“By analyzing 4.5 million DNS TXT record responses… we discovered that the domains used in the campaigns fell into two distinct sets, each with a distinct C2 server.”

The pivot showed not just technical coordination, but organizational resilience. Even as GoDaddy’s researchers confirmed DollyWay’s transition away from VexTrio, Infoblox noted that some DNS-based campaigns continued steering victims to Help TDS into May 2025.

The report lifts the veil on the murky business model driving these campaigns: malicious adtech.

At the core are commercial operators—Los Pollos, Taco Loco, BroPush, Partners House, and RichAds—masquerading as affiliate advertising networks. They distribute malicious payloads, fake sweepstakes, and push notification scams under the guise of online ads.

“These firms vet network affiliates before allowing them to join—we know, we’ve tried—and they maintain personal information about the affiliates and their payments that could lead to their identities.”

The so-called “publishing affiliates” — often website hackers — redirect traffic into the TDS, earning money based on victim interactions. The delivered content is rarely innocent. It’s weaponized ads, infostealers, and browser-hijacking push notifications disguised as CAPTCHAs.

Technical artifacts further confirmed the deep interconnection among these malicious networks. Infoblox identified rare JavaScript used to trap users on scam pages and unique lure images like logo.png and bot.png—shared across six TDSs including VexTrio, Help TDS, and RichAds.

“The six TDSs share image lures… their SHA256 file hash values match… All are operated by large public affiliate networks that specialize in push advertising.”

These firms even use the same infrastructure quirks: DNS misconfigurations, PowerDNS installations, and custom URL parameters that track victims across platforms.

The malware actors exploiting hundreds of thousands of sites are not anonymous to the adtech companies they partner with.

“The adtech firms know. They vet their publishing affiliates and collect information like Telegram accounts and cryptocurrency wallets.”

Companies like Los Pollos operate under a thin veneer of legitimacy, yet maintain full knowledge of the identities of malware distributors and scam operators.

The Infoblox report doesn’t just dissect the machinery of VexTrio—it exposes an entire underworld built on exploitative advertising, mass website compromise, and DNS trickery. While individual actors like Los Pollos may shutter operations under scrutiny, the core network continues — agile, adaptable, and dangerously effective.

Unless commercial adtech firms are held accountable, VexTrio and its many clones will persist in the shadows of the internet, profiting from the suffering of unsuspecting users.

Related Posts:

• The Hidden Cyber Trap: How Compromised Websites and Malicious AdTech Manipulate Users
• Infoblox Uncovers Malicious Wave in .US Domain Registrations
• 13,000 MikroTik Routers Hijacked for Global Malspam Operation
• Los Angeles County data breach exposes 3.2 million files containing terrifyingly sensitive data
• Ransomware Attack Forces Closure of LA County Courts