Are Smartlinks the Charon of Adtech?

If you have been following our research on adtech, such as the VexTrio origin story published last week (https://blogs.infoblox.com/threat-intelligence/vextrios-origin-story-from-spam-to-scam-to-adtech/), you've likely seen repeated references to Smartlinks, also known as Direct Offers.
Smartlinks may appear harmless at first glance (just as the actors intend), but much like Charon, who ferries souls into the kingdom of Hades, Smartlinks lead traffic into the TDS controlled by adtech operators. In both cases, once you are caught in the current, you have no control over your destination. And like Charon's passengers, you may land in a place you do not desire to be.
Analogies aside, Smartlinks are an integral feature of adtech and are here to stay. To help you better understand how they work and why they matter, we've created a cheatsheet that breaks down their role and relevance.

#dns #infosec #vextrio #smartlink #adtech #tds #infoblox #cybercrime #scam #cybercrime #threatintel

Two recent podcast / videocasts on #vextrio #tds and malicious #adtech
both have slightly different although they talk about VexTrio TDS and Russian organized crime in adtech.

The CyberWire podcast is 20 min long, discussing VexTrio and TDS in general. The interview with Rob Wright from Dark Reading is about 10 min long.

#threatintel #cybercrime #scam #cybersecurity #infosec

https://www.youtube.com/watch?v=biZAmoJkpZE

https://thecyberwire.com/podcasts/research-saturday/390/notes

Catching Up with Renee Burton, VP Threat Intel, Infoblox


@shadowserver helped us disrupt a prolific website malware multiple times in early August. This malware uses DNS TXT records for a C2 to redirect users to scams and malware. Exclusively redirecting to VexTrio for years, they've been disrupted a few times by us and partners this past year ... which each time allows us to understand the criminal enterprise a bit further.

Prior to the disruption, we analyzed over 4M DNS responses from the authoritative servers from several partners covering a short window of traffic.

The diagram below shows how the server is likely to redirect website visitors based on their geo and device type, which are encoded in the query. Connections to Strela Stealer in June. We are in the process of writing up research around how this all connects to the MikroTik router botnet we published early this year.

In mid-June, the C2 server domain had a global popularity level on Tranco of about 80k - pretty high for a niche domain.

What happened after Shadowserver sinkholed the C2 domain? We saw nearly 30k sites reach out to the sinkhole in a 48-hour period. Lots of bot activity -- these queries only come from compromised websites and there were nearly 37M unique queries in that time!

Of course the threat actors adjust... that is part of the game. But we learnt a lot in the process.

Diagram also shows how several of the TDS are related to each other in these flows.

#dns #threatintel #scam #malware #tds #infoblox #vextrio #cybercrime #cybersecurity #infosec

Part three of our VexTrio full monty is now available. This one is for the geeks but also a pretty short read... especially given the previous two parts!

Major takeaways are:
* these networks receive a ton of traffic. The primary image server for VexTrio TDS has long been in the top 10k popular domains globally -- we've been pushing hard and it is down around 11k now.
* They use a few different cloakers / trackers. We talk about IMKLO and binom.
* they run a pretty modern devops stack with all the tech you would expect.

#dns #vextrio #threatintel #scam #malware #phishing #tds #cybercrime #cybersecurity #infosec #infoblox

https://blogs.infoblox.com/threat-intelligence/inside-the-robot-deconstructing-vextrios-affiliate-advertising-platform/

The Hidden Infrastructure Behind VexTrio's TDS

VexTrio's traffic distribution system (TDS) processes billions of transactions daily, powering digital fraud on a global scale. Here's how we unraveled it.


Scammers DO take vacations. Lots of them. These are social media posts from VexTrio key figures - tons more where these came from.

Don't blame the victim, blame the guy on a private jet to a Coldplay concert. fr fr.

#threatintel #cybercrime #cybersecurity #infosec #scam #VexTrio #tds #malware #phishing

VexTrio's origins come from two distinct groups: an Italian group we can date back to 2004 and a Russian-speaking Eastern European group. The Italians were quite successful early on, with a dating app that was among the fastest growing on Facebook in 2012. But our guess is that their profits slid in the years that followed. In 2020, there is a merger-acquisition which leaves the Eastern Europeans in charge. They gain the trademarks, knowledge in spam distribution, and who knows what else.

While developers remain in Eastern Europe, VexTrio created business headquarters in Lugano, Switzerland, including the existing AdsPro, which developed the Los Pollos, Taco Loco, and Adtrafico traffic distribution systems (TDS) through their software company HolaCode. (OK, it's more complicated than that, but this is the CliffsNotes version.) We have identified nearly 100 businesses associated with 8 key figures in many industries, including construction, energy, and advertising.

So in the end, what is VexTrio? It's hard to say. We originally used it to refer to the TDS. Nice clean lines... but now, for us it is all the people and their labyrinth of companies.

We spoke at Black Hat last week, so if you have a briefings pass you can listen to that. Otherwise, find our research online and start your own investigation.

#dns #threatintel #scam #cybercrime #vextrio #infoblox #cybersecurity #infosec #malware #tds

Tens of thousands of compromised websites use DNS TXT records to conditionally redirect visitors to malicious content. For years, this exclusively redirected to VexTrio TDS - but in late-November 2024, it changed. But did it? We think not.

A couple of major takeaways from the research we released in June and what we've continued to learn since then:

* DNS is being used very successfully to drive innocent people to malware and scams, including alarming tech support scams

* These can be stopped by blocking the DNS query but it must be done at the website server side not the visitor

* VexTrio is tight not just with malware actors who hack sites and drive traffic to them, but they appear to be one and the same, or at least closely related, to infamous TDS and a multitude of other "adtech" platforms.

* Reviewing old literature carefully connects VexTrio via shared software with ROI777

We're going to throw up more "snackables" before heading to Vegas. If you want to see the faces behind VexTrio and hear their origin story, come see our talk or track us down at the booth.

#threatintel #malware #tds #vextrio #dns #cybercrime #cybersecurity #scam #infosec #infoblox

snackable 3/N on VexTrio and the WordPress hackers. This one's a bit geeky. One type of malware that led to VexTrio exclusively until late-Nov 2024 uses DNS TXT records to retrieve a redirection.

This is a tricky bugger and gives the malware actor an easy way to change things up if they are disrupted. The C2 domain (a DNS nameserver) isn't observed and the calls happen server-side. The DNS TXT record malware was first observed by Sucuri/GoDaddy in 2023.

A compromised website makes a DNS TXT query that encodes the visitor's information and receives a redirection encoded in the response. When DNS queries to the C2 are blocked in the website's network, the visitor is protected -- we have had customers with compromised websites who still protected their users because we blocked the DNS query.

This malware is stubborn and is tricky to get rid of... there are also bots that come through regularly and update the compromised servers.

We used 4.5 million DNS queries over a ~6-month period to understand how the C2 and redirect domains interrelated. What we found were two distinct clusters (this is the really geeky part) that indicate separate operations. Both use bulletproof hosting and/or Russian hosting, both were exclusively VexTrio, and both in late-November switched to the Help TDS. They used a few different paths to get to VexTrio's Los Pollos links.

One of these clusters had not been previously reported to our knowledge.

What you see in this image is a composite view. The C2 for each cluster are:
* data-cheklo[.]world, cndatalos[.]com, data-infox[.]com
* logs-web[.]com, airlogs[.]net, webdmonitor[.]io, cloudstats[.]net, etc.
webdmonitor[.]io is still active.

#dns #threatintel #cybercrime #cybersecurity #infosec #malware #scam #VexTrio #tds
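The server-side blocking described above is a log-review exercise as much as a DNS policy one. As an added defender-side example (not from the post or from Infoblox), this Python checker runs over constructed BIND-style query-log lines from web servers, flags any lookup of the C2 nameservers listed in the post, and, as an assumed heuristic not stated in the post, also flags TXT queries whose leftmost label looks like an encoded blob. The log format, the entropy threshold and the domain cdn-metrics.example are assumptions.

```python
import re
from collections import Counter
from math import log2

# C2 nameservers the post names for the two clusters (defanging brackets removed).
KNOWN_C2 = {
    "data-cheklo.world", "cndatalos.com", "data-infox.com",
    "logs-web.com", "airlogs.net", "webdmonitor.io", "cloudstats.net",
}
# Assumed BIND-style query-log shape: "client <ip>#<port> (<qname>): query: <qname> IN <qtype> ..."
LOG_RE = re.compile(r"client (?P<src>[\d.]+)#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def registered_domain(qname: str) -> str:
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])  # last two labels: adequate for the names on this page

def shannon_entropy(s: str) -> float:
    counts = Counter(s)  # bits per character: encoded blobs score high, words score low
    return -sum(c / len(s) * log2(c / len(s)) for c in counts.values()) if s else 0.0

def classify(line: str):
    """Return (source_ip, qname, reason) for a suspicious query, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    qname = m["qname"].rstrip(".").lower()
    # Any lookup of a known C2 nameserver is worth blocking, whatever the record type.
    if registered_domain(qname) in KNOWN_C2:
        return (m["src"], qname, "known-c2")
    # Heuristic (our assumption, not from the post): the visitor data the malware encodes
    # travels as a long, high-entropy leftmost label of a TXT query.
    first = qname.split(".")[0]
    if m["qtype"].upper() == "TXT" and len(first) >= 24 and shannon_entropy(first) > 3.5:
        return (m["src"], qname, "encoded-label")
    return None

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample log: two web servers querying TXT C2s, plus benign lookups.
SAMPLE_LOG = [
    "client 10.0.0.5#40112 (x.webdmonitor.io): query: a8f3k2m9q1z7x4c6v2b5n8h1j3k7.webdmonitor.io IN TXT +E(0)K (10.0.0.1)",
    "client 10.0.0.6#53380 (x.cdn-metrics.example): query: v9k2e7q1w3r8t5y0u4i6o2p7a3s5d8f1.cdn-metrics.example IN TXT + (10.0.0.1)",
    "client 10.0.0.7#51000 (_dmarc.example.org): query: _dmarc.example.org IN TXT + (10.0.0.1)",
    "client 10.0.0.7#51001 (www.example.com): query: www.example.com IN A + (10.0.0.1)",
]

if __name__ == "__main__":
    for src, qname, reason in scan(SAMPLE_LOG):
        print(f"{src} -> {qname} [{reason}]")
```

The "known-c2" hits are the ones to turn into a block rule on the web server's resolver; "encoded-label" hits need a human look, since legitimate TXT lookups such as DMARC or SPF records have short, readable labels.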

New report links AdTech firms Los Pollos and RichAds to #malware traffic operations, revealing ties to #VexTrio and large-scale redirection schemes.

Read: https://hackread.com/report-links-los-pollos-richads-malware-traffic-op/

#CyberSecurity #CyberCrime #AdTech #LosPollos #RichAds

Report Links Los Pollos and RichAds to Malware Traffic Operations



VexTrio and the malware actors snackable (2/N).

At the heart of VexTrio are so-called "smartlinks". What is that? BlackHatWorld users explain it well. See pics.

Smartlinks are the lipstick for the pig called domain cloaking that is provided by traffic distribution systems (TDS) owned by malicious adtech companies like Los Pollos and Taco Loco (and Adtrafico and and and).

#VexTrio #malware #tds #cybercrime #phishing #scam #threatintel #infoblox #infobloxthreatintel #infosec #cybersecurity #adtech