The threat actors behind the VexTrio Viper Traffic Distribution Service (TDS) have been linked to other TDS services like Help TDS and Disposable TDS, indicating that the sophisticated cybercriminal operation is a sprawling enterprise of its own that’s designed to distribute malicious content.
“VexTrio is a group of malicious adtech companies that distribute scams and harmful software via different advertising formats, including smartlinks and push notifications,” Infoblox said in a deep-dive report shared with The Hacker News.
Some of the malicious adtech companies under VexTrio Viper include Los Pollos, Taco Loco, and Adtrafico. These companies operate what’s called a commercial affiliate network that connects malware actors whose websites unsuspecting users land on and so-called “advertising affiliates” who offer various forms of illicit schemes like gift card fraud, malicious apps, phishing sites, and scams.
Put differently, these malicious traffic distribution systems are designed to redirect victims to their destinations through a SmartLink or direct offer. Los Pollos, per the DNS threat intelligence firm, enlists malware distributors (aka publishing affiliates) with promises of high-paying offers, whereas Taco Loco specializes in push monetization and recruits advertising affiliates.
Another notable component of these attacks is the compromise of WordPress websites to inject malicious code that’s responsible for initiating the redirection chain, ultimately leading visitors to VexTrio scam infrastructure. Examples of such injections include Balada, DollyWay, Sign1, and DNS TXT record campaigns.
“These scripts redirect site visitors to various scam pages through traffic broker networks associated with VexTrio, one of the largest known cybercriminal affiliate networks that leverages sophisticated DNS techniques, traffic distribution systems, and domain generation algorithms to deliver malware and scams across global networks,” GoDaddy noted in a report published in March 2025.
VexTrio’s operations suffered a blow around mid-November 2024 after Qurium revealed that the Swiss-Czech adtech company Los Pollos was part of VexTrio, causing Los Pollos to cease their push link monetization. This, in turn, triggered an exodus, causing threat actors that relied heavily on the Los Pollos network to move to alternate redirect destinations such as Help TDS and Disposable TDS.
 |
| Changes in behavior over time from the two independent C2 sets |
Infoblox’s analysis of 4.5 million DNS TXT record responses from compromised websites over a six-month period has revealed that the domains that were part of the DNS TXT record campaigns could be classified into two sets, each with its own distinct command-and-control (C2) server.
“Both servers were hosted in Russian-connected infrastructure, but neither their hosting nor their TXT responses overlapped,” the company said. “Each set maintained different redirect URL structures, even though they both originally led to VexTrio and subsequently to the Help TDS.”
Further evidence has uncovered that both Help TDS and Disposable TDS are one and the same, and that the services enjoyed an “exclusive relationship” with VexTrio until November 2024. Help TDS, which historically redirected traffic to VexTrio domains, has since shifted to Monetizer, a monetization platform that uses TDS technology to connect web traffic from publisher affiliates to advertisers.
“The Help TDS has a strong Russian nexus, with hosting and domain registration frequently done via Russian entities,” Infoblox said, describing the operators as possibly independent. “It does not have the full-blown functionality of the VexTrio TDSs and has no obvious commercial ties beyond its eerie connections with VexTrio.”
VexTrio is one among the many TDSs that have been outed as commercial adtech firms, the others being Partners House, BroPush, RichAds, Admeking, and RexPush. Many of these are geared towards push notification services by making use of Google Firebase Cloud Messaging (FCM) or Push API-based custom-developed scripts to distribute links to malicious content via push notifications.
“Hundreds of thousands of compromised websites around the world every year redirect victims to the tangled web of VexTrio and VexTrio-affiliate TDSs,” the company said.
“VexTrio and the other affiliate advertising companies know who the malware actors are, or they at least have enough information to track them down. Many of the companies are registered in countries that require some degree of ‘know your customer’ (KYC), but even without these requirements, publishing affiliates are vetted by their customer managers.”
