VexTrio is a significant player in the cybercrime world [2], operating as part of a large “legal associates program” and being described as the ” [2]single largest malicious traffic dealer.”


Since at least 2017, VexTrio has established partnerships with various threat actors [1] [4], including ClearFake and SocGholish [2] [4], as part of a criminal affiliate program [1] [4]. They have been involved in various malicious campaigns [2], utilizing a dictionary domain generation algorithm (DDGA) to generate domains and propagate scams [2], riskware [1] [2] [4], spyware [1] [2] [4], adware [1] [2] [4], potentially unwanted programs (PUPs) [1] [2] [4], and pornographic content [1] [2] [4]. In 2022, they distributed the Glupteba malware following an attempt by Google to take down its infrastructure [1]. They also orchestrated a widespread attack involving compromised WordPress websites in August 2023 [1] [2].

VexTrio operates a vast network of over 70,000 known domains and brokers traffic for around 60 affiliates [1] [2] [4], including ClearFake [2] [4], SocGholish [2] [4], and TikTok Refresh [2]. They employ a traffic distribution system (TDS) to direct website visitors to illegitimate content based on their profile attributes [1] [2] [4], maximizing their revenue [2]. VexTrio’s TDS is a complex cluster server that utilizes tens of thousands of domains and operates on both HTTP and DNS protocols [2]. They have two flavors of TDS [4], one based on HTTP and another based on DNS [1] [4]. One of their affiliates [2] [4], SocGholish [2] [4], operates other TDS servers such as Keitaro and Parrot TDS [2]. Parrot TDS injects malicious scripts into existing JavaScript code on compromised servers and has been active since October 2021 [2].

VexTrio and its affiliates specifically target vulnerable versions of WordPress to insert rogue JavaScript [2]. They are suspected of carrying out their own cyberattack campaigns and monetizing web traffic through referral program abuse [2]. The intricate design and entangled nature of VexTrio make it challenging to classify and attribute [2], allowing them to remain anonymous to the security industry for over six years [2]. Blocking VexTrio traffic in DNS can effectively block all related cybercrime activities [4]. VexTrio is described as the most widespread threat actor [3], affecting over half of all organizations monitored in the past two years [3].


Taking action against the middleman in these operations is challenging [3], but collaboration and sharing of information are recommended to combat them [3]. VexTrio’s advanced business model facilitates partnerships with other actors and creates a resilient ecosystem [1]. It is crucial to block VexTrio traffic in DNS to effectively block all related cybercrime activities [4]. The impact of VexTrio’s activities is significant, affecting a large number of organizations. Mitigating their actions requires collective efforts and information sharing. The future implications of VexTrio’s operations highlight the need for continued vigilance and collaboration in the fight against cybercrime.