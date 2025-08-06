Researchers at Infoblox have released new findings on VexTrio, a large criminal enterprise that uses a set of traffic distribution systems (TDSs), lookalike domains and registered domain generation algorithms (RDGAs) to deliver malware, scams and illegal content.

The researchers have been able to link nine individuals, shell companies and a sprawling infrastructure to the global ad fraud and scam operation.

The security firm is expected to share an 80-page report detailing its new findings during Black Hat USA, in Las Vegas, on August 6.

Understanding the VexTrio Cybercrime-Enabling Operation

VexTrio, also known as Vextrio Viper, is a cyber fraud network that has been active since at least 2017. It was discovered by Infoblox in February 2022.

VexTrio operators are known to leverage compromised websites, particularly those running WordPress, to inject malicious scripts that redirect visitors to harmful content. They act as middlemen, connecting threat actors with infrastructure providers and enabling a wide range of cybercrime activities.

They typically use TDSs to filter and redirect web traffic based on criteria such as geolocation, device type or user behavior. These systems are fed by compromised websites and malicious advertisements that funnel unsuspecting users into the malicious ecosystem.

VexTrio uses its TDSs to route each victim to the payload most relevant to their profile, whether that is malware, a scam or an exploit kit.
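The redirect hop chain described above is visible from the defender's side as a burst of cross-domain 30x responses from one client. The script below, an added example that is not Infoblox's tooling or anything from the report, reconstructs such chains from constructed web-proxy log lines. The log format, the `.test` hostnames (a reserved TLD) and the thresholds are assumptions.

```python
"""Reconstruct TDS-style redirect chains from constructed web-proxy log lines.
Added example, not Infoblox's or VexTrio's code; the log format, the
hostnames (.test is a reserved TLD) and the thresholds are assumptions."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log: ts client method url status location ("-" = none).
# Client 10.0.0.5 visits a blog, its injected script calls a TDS entry point,
# and the TDS bounces the browser across two more domains to a landing page.
# Client 10.0.0.7 hits an ordinary same-site login redirect (benign control).
SAMPLE_LOG = """\
1722940800 10.0.0.5 GET https://blog.example.org/post/1 200 -
1722940801 10.0.0.5 GET https://blog.example.org/wp-content/cache.js 200 -
1722940802 10.0.0.5 GET https://r.tds-a.test/r?cid=1 302 https://go.route-b.test/go
1722940802 10.0.0.5 GET https://go.route-b.test/go 302 https://offer-c.test/?s=mobile
1722940803 10.0.0.5 GET https://offer-c.test/?s=mobile 200 -
1722940810 10.0.0.7 GET https://shop.example.org/ 200 -
1722940811 10.0.0.7 GET https://shop.example.org/login 302 https://shop.example.org/account
1722940812 10.0.0.7 GET https://shop.example.org/account 200 -
"""


def parse_log(text):
    """Split the constructed log into records; Location is None when absent."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, status, location = line.split()
        records.append({
            "ts": int(ts), "client": client, "url": url,
            "status": int(status),
            "location": None if location == "-" else location,
        })
    return records


def site(url):
    """Registered-domain approximation: last two labels of the hostname.
    Assumption for the example; production code should use the public suffix list."""
    host = urlparse(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])


def find_redirect_chains(records, min_cross_domain_hops=2, max_gap_s=5):
    """Follow 30x responses whose Location is fetched next by the same client
    and report chains that cross at least min_cross_domain_hops sites."""
    by_client = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_client[r["client"]].append(r)

    chains = []
    for client, recs in by_client.items():
        i = 0
        while i < len(recs):
            chain = [recs[i]["url"]]
            j = i
            while (j + 1 < len(recs)
                   and 300 <= recs[j]["status"] < 400
                   and recs[j]["location"]
                   and recs[j + 1]["url"] == recs[j]["location"]
                   and recs[j + 1]["ts"] - recs[j]["ts"] <= max_gap_s):
                chain.append(recs[j + 1]["url"])
                j += 1
            cross = sum(1 for a, b in zip(chain, chain[1:]) if site(a) != site(b))
            if cross >= min_cross_domain_hops:
                chains.append({"client": client, "hops": chain,
                               "cross_domain_hops": cross})
            i = j + 1
    return chains


if __name__ == "__main__":
    for chain in find_redirect_chains(parse_log(SAMPLE_LOG)):
        print(chain["client"], "->", " -> ".join(chain["hops"]))
```

The benign control client shows why the signal is cross-site hops rather than redirects as such: a same-site login redirect never crosses a site boundary. The first hop out of the compromised blog is a script-triggered navigation, not an HTTP redirect, so a real deployment would also join on the Referer header and compare responses across User-Agent values, since a TDS answers differently per device type.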

Additionally, VexTrio relies heavily on Domain Name System (DNS) manipulation to facilitate its operations. By controlling or compromising DNS records, the group can redirect victims to malicious servers without their knowledge.

Some of the DNS manipulation techniques attributed to VexTrio include:

Fast-flux DNS techniques, rapidly changing the IP addresses associated with their domains to evade detection and takedown efforts

DNS tunnelling, which encodes data in the labels of queries and responses for attacker-controlled domains to bypass security controls, exfiltrate data or carry covert command-and-control (C2) traffic

Domain generation algorithms (DGAs), here the registered variant (RDGAs) noted above, in which the generated names are actually registered so that they resolve, to maintain communication with infected systems while staying under the radar
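Each of the three techniques listed leaves a different footprint in resolver logs: fast-flux shows as many short-TTL addresses across unrelated networks for one name, DGA-style names have high-entropy labels, and tunnelling shows as long, varied subdomains under one parent. The script below, an added example rather than Infoblox's detection logic, scores constructed resolver log lines for all three. The log format, the thresholds and the `.test` domain names are assumptions.

```python
"""Score constructed DNS resolver log lines for fast-flux, DGA-like names and
tunnelling-style queries. Added example, not Infoblox's detection logic; the
log format, thresholds and helper names are assumptions."""
import math
from collections import defaultdict

# Constructed resolver log: ts qname qtype rcode answer ttl ("-" = no address).
SAMPLE_QUERIES = """\
1722940800 www.example.org A NOERROR 93.184.216.34 3600
1722940800 flux-a.test A NOERROR 198.51.100.10 60
1722940801 flux-a.test A NOERROR 203.0.113.77 60
1722940802 flux-a.test A NOERROR 192.0.2.200 60
1722940803 flux-a.test A NOERROR 198.51.100.99 60
1722940804 flux-a.test A NOERROR 203.0.113.12 60
1722940805 qx7k2mzp9v.test A NOERROR 192.0.2.5 300
1722940806 zj4h8rtq1w.test A NOERROR 192.0.2.6 300
1722940807 4d2a9c1e8b7f6a5d4c3b2a1.tun.test TXT NOERROR - 1
1722940808 9f8e7d6c5b4a3f2e1d0c9b8.tun.test TXT NOERROR - 1
1722940809 0a1b2c3d4e5f6a7b8c9d0e1.tun.test TXT NOERROR - 1
"""


def shannon_entropy(s):
    """Bits of entropy per character of the label."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def registered_domain(qname):
    """Return (registered domain, subdomain labels). Assumption: the registered
    domain is the last two labels; a real tool would use the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def analyze(text, ff_min_ips=4, ff_max_ttl=300,
            dga_min_entropy=3.0, tunnel_min_label=20):
    """Aggregate per registered domain and return {domain: [flags]}."""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None,
                                 "subdomains": set()})
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, qname, _qtype, _rcode, answer, ttl = line.split()
        dom, sub = registered_domain(qname)
        s = stats[dom]
        if sub:
            s["subdomains"].add(".".join(sub))
        if answer != "-":
            s["ips"].add(answer)
            s["nets"].add(answer.rsplit(".", 1)[0])  # /24 as a crude ASN proxy
        ttl = int(ttl)
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)

    findings = {}
    for dom, s in stats.items():
        flags = []
        # Fast-flux: many addresses in several networks, all with short TTLs.
        if (len(s["ips"]) >= ff_min_ips and len(s["nets"]) >= 2
                and s["min_ttl"] <= ff_max_ttl):
            flags.append("fast_flux")
        # DGA-like: a long, high-entropy second-level label. Note the domain
        # still resolves (NOERROR): an RDGA name is registered, so the classic
        # NXDOMAIN-burst heuristic would miss it.
        sld = dom.split(".")[0]
        if len(sld) >= 8 and shannon_entropy(sld) >= dga_min_entropy:
            flags.append("dga_like")
        # Tunnelling-like: several distinct, very long leftmost labels.
        longest = max((len(x.split(".")[0]) for x in s["subdomains"]), default=0)
        if len(s["subdomains"]) >= 3 and longest >= tunnel_min_label:
            flags.append("tunnel_like")
        if flags:
            findings[dom] = flags
    return findings


if __name__ == "__main__":
    for dom, flags in analyze(SAMPLE_QUERIES).items():
        print(f"{dom}: {', '.join(flags)}")
```

The thresholds are deliberately loose for the sample and would need tuning against baseline traffic; CDNs also rotate addresses with short TTLs, so fast-flux findings should be checked against network ownership before acting on them. The RDGA comment matters for VexTrio specifically: because the generated domains are registered, the resolution succeeds and the rcode carries no signal, so the name itself has to be scored.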

VexTrio’s primary content delivery network domain is a top 10,000 domain in global popularity, as measured by both Tranco and Infoblox.