Both VexTrio and affiliates control the global network



June 12, 2025Red LakshmananIntelligence threats / malicious software

The threat actors behind the VexTrio Viper traffic distribution service (TDS) have been linked to other TDS services such as Help TDS and Disposable TDS, indicating that the complex cybercrime operation is an enterprise of its own, designed to distribute malicious content.

“VexTrio is a group of malicious adtech companies that distribute scams and harmful software through various promotional formats, including smartlinks and push notifications,” Infoblox noted in a deep-dive report shared with Hacker News.

Some of the malicious adtech companies under VexTrio Viper include Los Pollos, Taco Loco and Adtrafico. These companies operate what they call a commercial affiliate network, which connects malware distributors, on whose sites unsuspecting users land, with so-called “advertising affiliates” that offer various forms of illegal schemes such as gifts, malicious applications, phishing sites and scams.


Put another way, these malicious traffic distribution systems redirect victims to their destinations via a smartlink or a direct offer. Los Pollos, according to the DNS intelligence firm, recruits malware distributors (aka publishing affiliates) with promises of high-paying offers, while Taco Loco specializes in monetization and in recruiting advertising affiliates.

Another notable component of these attacks is the compromise of WordPress websites to inject malicious code that initiates the redirect chain, ultimately leading visitors to the VexTrio scam infrastructure. Examples of such injections include Balada, DollyWay, Sign1 and DNS TXT record campaigns.

“These scripts redirect site visitors to different scam pages through the routes related to VexTrio, one of the largest noted in a report published in March 2025.

VexTrio’s operations took a blow around mid-November 2024 after Qurium disclosed that the Swiss adtech company Los Pollos was part of VexTrio, causing Los Pollos to stop its push monetization. This, in turn, triggered an exodus, with the threat actors that relied heavily on the Los Pollos network moving to alternative redirect destinations such as Help TDS and Disposable TDS.

Changes in behavior over time from two independent C2 sets

Infoblox’s analysis of 4.5 million DNS TXT records from compromised sites over six months showed that the domains that were part of the DNS TXT record campaigns can be attributed to two sets, each with its own command-and-control (C2) server.

“Both servers were hosted on Russian infrastructure, but neither their hosting nor their TXT answers overlap,” the company said. “Each set supported different redirect URL structures, though they both led to VexTrio and then to Help TDS.”
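One way to check a "two independent sets" finding like the one above against your own passive-DNS data, as an added example that is not from Infoblox or the original article: domains that share a hosting IP or an identical TXT answer are merged into one set, and each set's redirect URL structure is summarised. The record layout, the `.example` names, the documentation-range IPs and the URLs are constructed, and treating the TXT answer as a plain redirect URL is an assumption.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample data (not real indicators). One row per TXT lookup:
# (C2 domain queried, hosting IP of that domain, TXT answer assumed to be a redirect URL).
OBSERVATIONS = [
    ("alpha-one.example", "192.0.2.10", "https://r1.example/go?id=7&src=wp"),
    ("alpha-two.example", "192.0.2.10", "https://r2.example/go?id=9&src=wp"),
    ("alpha-three.example", "192.0.2.44", "https://r2.example/go?id=9&src=wp"),
    ("beta-one.example", "198.51.100.5", "https://r9.example/t/abc123"),
    ("beta-two.example", "198.51.100.5", "https://r8.example/t/def456"),
]

def cluster_domains(observations):
    """Union-find: domains sharing a hosting IP or an identical TXT answer join one set."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    for domain, ip, txt in observations:
        root = find(("domain", domain))
        parent[find(("ip", ip))] = root    # link via shared hosting
        parent[find(("txt", txt))] = root  # link via shared TXT answer

    sets = defaultdict(set)
    for kind, value in list(parent):
        if kind == "domain":
            sets[find((kind, value))].add(value)
    return sorted(sorted(members) for members in sets.values())

def url_shape(url):
    """Reduce a redirect URL to its structure: first path segment plus query keys."""
    parts = urlsplit(url)
    first_segment = parts.path.strip("/").split("/")[0]
    return (first_segment, tuple(sorted(parse_qs(parts.query))))

def shapes_per_set(observations):
    """Return (domains, distinct URL shapes) for every independent set."""
    result = []
    for members in cluster_domains(observations):
        shapes = {url_shape(txt) for d, _, txt in observations if d in members}
        result.append((members, sorted(shapes)))
    return result
```

A single observation that bridges the two sets (same IP or same TXT answer on both sides) collapses them into one, which is the overlap the analysis says was not present.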

Further evidence revealed that Help TDS and Disposable TDS are one and the same, and that the services had an “exclusive relationship” with VexTrio until November 2024. Help TDS, which has historically redirected traffic to VexTrio domains, has since moved to Monetizer, a monetization platform that uses TDS technology to connect traffic from publishing affiliates to advertisers.


“Help TDS has a strong Russian connection, with hosting and domain registration often done through Russian organizations,” Infoblox said, describing the operators as independent. “It does not have the full-scale functionality of VexTrio’s TDSs and has no obvious commercial ties outside its singular ties to VexTrio.”

VexTrio is one of many TDSs that have been unmasked as commercial adtech firms; the others are Partners House, BroPush, RichAds, Admeking and RexPush. Many of them focus on push notification services, using Google Firebase Cloud Messaging (FCM) or scripts built on the Push API to distribute malicious content through push notifications.

“Hundreds of thousands of compromised sites around the world redirect victims to the tangled web of VexTrio and VexTrio-affiliated TDSs,” the company said.

“VexTrio and the other affiliate advertising companies know who the malware actors are, or they have at least enough information to track them down. Many companies are registered in countries that require a certain degree of ‘know your customer’ (KYC), but even without these requirements, the affiliates are vetted by account managers.”
