A complex cybercrime syndicate known as VexTrio has orchestrated one of the largest WordPress-based intrusions in history, compromising hundreds of thousands of websites worldwide. This attack has led to the creation of an extensive Traffic Distribution System (TDS) that redirects victims to meticulously crafted fraudulent networks.
Active at least since 2015, the operation marks a significant shift in how cybercriminals exploit compromised network infrastructures to generate revenue, converting legitimate websites into unwitting participants in a vast criminal advertising ecosystem.
Los Pollos Unveils VexTrio’s Extensive Reach
The scale of the VexTrio group’s operations became apparent following the exposure of Swiss-Czech advertising technology company Los Pollos as a front for the syndicate. Research indicates that nearly 40% of redirected traffic from infected websites was routed through Los Pollos’ smart links to VexTrio, contributing to malicious activities tied to operations like Balada, DollyWay, and Sign1.
These infiltrations have persisted for years, with some connections dating back to May 2019, revealing the extraordinary resilience and stability of VexTrio’s cybercriminal infrastructure.
In-Depth DNS Analysis Uncovers Ties to Malicious Advertising
In a comprehensive analysis of over 4.5 million DNS queries over six months, Infoblox researchers uncovered the intricate relationship between WordPress-based malware and malicious advertising technologies. The findings revealed that when Los Pollos ceased its monetization services on November 17, 2024, several previously independent malicious operations migrated to a new TDS known as Help TDS, exposing a long-hidden, coordinated criminal infrastructure.
The operation relies on a complex affiliate advertising network, blurring the lines between legitimate marketing services and cybercrime.
VexTrio’s Business Model: A Self-Sustaining Criminal Economy
VexTrio controls several entities, including Los Pollos, Taco Loco, and Adtrafico, each playing a distinct role in a larger ecosystem. These organizations recruit some affiliates to compromise websites and others to distribute malicious content to victims. The result is a self-sustaining criminal economy that has generated substantial profits for its participants over nearly a decade.
Abuse of DNS TXT Records: A Major Evolution in Malware Infrastructure
One of the most sophisticated aspects of VexTrio’s operations is the abuse of DNS TXT records as a command-and-control (C2) mechanism. This technique, first documented by security researchers in August 2023, represents a significant evolution in malware infrastructure. By exploiting the trust usually placed in DNS traffic, the group evades detection and uses DNS queries to covertly redirect website visitors to malicious content.
When a visitor loads a compromised WordPress site, malicious scripts automatically query specific DNS domains controlled by the attackers. The DNS responses contain Base64-encoded redirection instructions, which appear as legitimate traffic to network monitoring systems, masking the operation’s true intent.
Dynamic and Customizable Malware Operations
The DNS queries themselves embed encoded information about the website visitor, such as their geographic location, browser type, and referral source. This allows the C2 servers to tailor their responses based on the victim’s profile, making the attacks more effective.
Analysis of the command-and-control infrastructure reveals two separate operational clusters, each with distinct hosting arrangements and URL conventions. However, both clusters ultimately direct traffic to the same criminal destination. This DNS-based system offers unprecedented flexibility, enabling operators to adjust the behavior of the attack in real time without needing to update the malware on compromised websites.
Furthermore, this approach ensures persistence by automatically monitoring and reactivating disabled malicious plugins, presenting a unique challenge for website administrators and security teams seeking to fully mitigate the threat.
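As an added illustration, not part of the original report or of Infoblox’s research, the following Python detection logic applies the two signals described above to a constructed resolver log: a Base64 query label that decodes to a delimited visitor profile, and a Base64 TXT answer that decodes to a redirect URL. The log format, client addresses and the .invalid domain names are assumptions made for the example.

```python
from __future__ import annotations

import base64
import re

# Constructed resolver-log sample in an assumed "<client> <qname> <qtype> <rdata...>" format.
# Line 3 imitates the pattern the article describes: a Base64 query label that decodes
# to a visitor profile, answered by a TXT record that decodes to a redirect URL.
# Names under .invalid are placeholders, not real infrastructure.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A 93.184.216.34
10.0.0.5 _dmarc.example.com TXT v=DMARC1; p=reject
10.0.0.7 ZGU7Y2hyb21lO2V4YW1wbGUuY29t.c2.placeholder-tds.invalid TXT aHR0cHM6Ly9sYW5kaW5nLmludmFsaWQvb2ZmZXI=
10.0.0.9 s1._domainkey.example.com TXT v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB
"""

B64_RE = re.compile(r"[A-Za-z0-9+/_-]+={0,2}")

def decode_b64(token: str) -> str | None:
    """Decode a standard or URL-safe Base64 token to printable ASCII, else None.
    Tokens under 16 chars are skipped so short hostname labels never trigger alone."""
    if len(token) < 16 or not B64_RE.fullmatch(token):
        return None
    padded = token + "=" * (-len(token) % 4)
    try:  # binascii.Error and UnicodeDecodeError are both ValueError subclasses
        text = base64.b64decode(padded.translate(str.maketrans("-_", "+/")), validate=True).decode("ascii")
    except ValueError:
        return None
    return text if text.isprintable() else None

def scan(log_text: str) -> list[tuple[str, str, str | None, str | None]]:
    """Return (client, qname, profile, redirect) for each TXT lookup that hides Base64 text.
    profile: decoded leftmost label if it looks like a delimited visitor profile (geo;browser;referrer).
    redirect: decoded TXT answer if it is a URL, i.e. a redirection instruction."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4 or parts[2] != "TXT":
            continue
        client, qname, _, rdata = parts
        profile = decode_b64(qname.split(".")[0])
        if profile is not None and ";" not in profile:
            profile = None
        redirect = decode_b64(rdata)
        if redirect is not None and not redirect.startswith(("http://", "https://")):
            redirect = None
        if profile is not None or redirect is not None:
            findings.append((client, qname, profile, redirect))
    return findings
```

Legitimate TXT records such as SPF, DMARC and DKIM contain spaces, tags and equals signs that fail the Base64 check, so only the constructed C2-style lookup is flagged; in production the heuristic should be combined with domain reputation and query-volume baselines.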
Conclusion
The ongoing VexTrio Viper Group campaign represents one of the most advanced and enduring forms of cybercrime in recent years. By leveraging compromised WordPress sites and sophisticated DNS-based C2 systems, the group has built an efficient and profitable criminal enterprise. For website administrators, fully eradicating this threat will require significant resources and expertise, as the attack methods evolve to remain resilient against detection and mitigation efforts.