Hundreds of Wordpress Websites Hacked By VexTrio Viper Group to Run Massive TDS Services

A sophisticated cybercriminal enterprise known as VexTrio has orchestrated one of the most extensive WordPress compromise campaigns ever documented, hijacking hundreds of thousands of websites globally to operate massive traffic distribution systems (TDS) that funnel victims into elaborate scam networks.

This malicious operation, which has been active since at least 2015, represents a paradigm shift in how cybercriminals monetize compromised web infrastructure, transforming legitimate websites into unwitting participants in a sprawling criminal advertising ecosystem.

The scope of VexTrio’s operation came to light following revelations that Los Pollos, a Swiss-Czech advertising technology company, was operating as a front for the criminal organization.

Research indicates that nearly 40 percent of compromised websites that redirected visitors were channeling traffic to VexTrio through Los Pollos smartlinks, affecting diverse malware campaigns including Balada, DollyWay, and Sign1 operations.

These compromises have persisted for years, with some affiliate relationships dating back to May 2019, demonstrating the remarkable longevity and stability of VexTrio’s criminal infrastructure.

Infoblox analysts identified the intricate relationship between WordPress malware actors and malicious advertising technology through comprehensive analysis of over 4.5 million DNS queries spanning six months.

The researchers discovered that when Los Pollos announced the cessation of their push monetization services on November 17, 2024, multiple seemingly independent malware operations simultaneously migrated to what appeared to be a new TDS called Help TDS, revealing coordinated criminal infrastructure that had previously remained hidden.

The criminal enterprise operates through a complex web of affiliate advertising networks that blur the lines between legitimate marketing services and cybercrime.

VexTrio controls multiple entities including Los Pollos, Taco Loco, and Adtrafico, each serving different functions within the larger ecosystem.

These companies recruit both publishing affiliates who compromise websites and advertising affiliates who create the malicious content delivered to victims, creating a self-sustaining criminal economy that has generated substantial profits for participants over nearly a decade.

DNS TXT Record Command and Control Infrastructure

One of the most sophisticated aspects of VexTrio’s operation involves the abuse of DNS TXT records as a command and control mechanism, transforming the internet’s fundamental naming system into a covert communication channel for malware operations.

This technique, first documented by security researchers in August 2023, represents a significant evolution in malware infrastructure design that leverages the trusted nature of DNS communications to evade detection.

The malware campaigns utilize DNS TXT records to encode Base64-formatted URLs that direct compromised website visitors to malicious content.

When a victim visits an infected WordPress site, malicious scripts automatically query specific DNS domains controlled by the attackers, retrieving encoded redirection instructions that appear as legitimate DNS traffic to network monitoring systems.

The DNS query itself contains encoded information about the website visitor embedded in the hostname, allowing the command and control server to tailor responses based on victim characteristics such as geographic location, browser type, and referral source.

Analysis of the command and control infrastructure revealed two distinct operational clusters, each maintaining separate hosting arrangements and URL formatting conventions while ultimately directing traffic to the same criminal destinations.

The first cluster utilized domains such as cndatalos[.]com and data-cheklo[.]world hosted on IP addresses 46[.]30[.]45[.]27 and 65[.]108[.]195[.]250, while the second cluster employed domains like webdmonitor[.]io and logs-web[.]com on infrastructure including 185[.]11[.]61[.]37 and 185[.]234[.]216[.]54.

The sophistication of this DNS-based command and control system extends beyond simple URL redirection, incorporating dynamic response capabilities that allow operators to modify campaign behavior in real-time without updating malware on compromised websites.

This architectural approach provides unprecedented operational flexibility while maintaining persistence through automated monitoring systems that detect and reactivate disabled malicious plugins, making complete remediation particularly challenging for website administrators and security teams.

Automate threat response with ANY.RUN’s TI Feeds—Enrich alerts and block malicious IPs across all endpoints -> Request full access