Global Scam Network Exploits WordPress Sites: Inside VexTrio and Its Affiliate Operations

The threat actors behind the VexTrio Viper Traffic Distribution Service (TDS) are linked to other TDSs such as Help TDS and Disposable TDS, indicating a sophisticated cybercriminal operation designed to distribute malicious content.
According to a report, VexTrio comprises malicious adtech companies that disseminate scams and harmful software through various advertising formats, including smartlinks and push notifications. Notable companies under VexTrio include Los Pollos, Taco Loco, and Adtrafico, which operate a commercial affiliate network connecting malware actors with "advertising affiliates" promoting illicit schemes such as gift card fraud and phishing sites.
These malicious traffic distribution systems redirect victims to scam destinations via smartlinks or direct offers. For instance, Los Pollos recruits malware distributors with high-paying offers, while Taco Loco focuses on push monetization.


A significant aspect of these attacks involves compromising WordPress websites to inject malicious code that initiates redirection to VexTrio's scam infrastructure. Examples of such injections include Balada, DollyWay, and Sign1.
In March 2025, GoDaddy reported that these scripts redirect visitors to various scam pages through traffic broker networks associated with VexTrio, one of the largest known cybercriminal affiliate networks utilizing advanced DNS techniques and domain generation algorithms.
VexTrio faced setbacks in mid-November 2024 when Qurium revealed Los Pollos' connection to VexTrio, leading to the cessation of their push link monetization. This prompted many threat actors to shift to alternative redirect destinations like Help TDS and Disposable TDS.
Infoblox's analysis of 4.5 million DNS TXT record responses from compromised websites over six months revealed that the domains involved could be categorized into two sets, each with distinct command-and-control (C2) servers, both hosted on Russian-connected infrastructure.


Further investigation indicated that Help TDS and Disposable TDS are essentially the same, having maintained an exclusive relationship with VexTrio until November 2024. Help TDS, which previously redirected traffic to VexTrio domains, has since transitioned to Monetizer, a platform that connects web traffic from publisher affiliates to advertisers.
Infoblox noted that VexTrio is among several TDSs identified as commercial adtech firms, including Partners House, BroPush, and RichAds, many of which utilize Google Firebase Cloud Messaging (FCM) to distribute links to malicious content via push notifications.
"Every year, hundreds of thousands of compromised websites redirect victims to the tangled web of VexTrio and its affiliate TDSs," the report stated. "VexTrio and other affiliate advertising companies are aware of the malware actors involved, or at least have enough information to track them down."