June 16, 2025
Severity
High
Analysis Summary
VexTrio, a long-standing cybercriminal operation active since at least 2015, has executed one of the largest known compromise campaigns targeting WordPress websites, hijacking hundreds of thousands of sites globally. The group's objective is to build and operate large-scale traffic distribution systems (TDS) that reroute unsuspecting visitors into fraudulent advertising and scam networks. VexTrio’s monetization model marks a shift in cybercrime tactics, transforming legitimate websites into profit-generating assets for criminal ad operations. Their network includes entities like Los Pollos, Taco Loco, and Adtrafico, each playing a role in an ecosystem where publishing affiliates infect websites while advertising affiliates deliver malicious content.
The full extent of VexTrio’s infrastructure surfaced when researchers linked Los Pollos, a Swiss-Czech ad tech firm, to the group, revealing that nearly 40% of affected sites were redirecting traffic through its smartlinks. Campaigns like Balada, DollyWay, and Sign1 were all routed via VexTrio’s infrastructure. Despite some affiliate relationships dating back to 2019, the criminal network remained operationally stable and resilient. When Los Pollos shut down its push monetization in November 2024, researchers observed an abrupt migration to a new system called Help TDS, suggesting deep coordination among multiple malware campaigns that previously appeared to be independent.
One of the most technically advanced components of this operation is VexTrio’s use of DNS TXT records for command and control (C2). The C2 server embeds Base64-encoded URLs in the TXT record returned for a query, and the compromised site uses those URLs to redirect each visitor according to their geographic location and browser details. Because the instructions travel inside what look like ordinary DNS lookups, the activity blends in with normal traffic and slips past conventional network monitoring. The ability to tailor C2 responses in real time without modifying the malware gives VexTrio an edge in maintaining campaign agility and avoiding detection.
Researchers identified two main C2 clusters operating within this architecture. The first cluster used domains like cndatalos[.]com and data-cheklo[.]world hosted on IPs such as 46.30.45.27, while the second utilized webdmonitor[.]io and logs-web[.]com on infrastructure like 185.11.61.37. These domains served as critical components of a distributed infrastructure capable of delivering personalized malicious content. The operation’s persistence is further reinforced by automated systems that monitor and restore disabled plugins on infected sites, making it highly resilient against cleanup efforts by defenders. This sophistication, combined with a complex affiliate-driven economy, places VexTrio among the most formidable long-term threats to web infrastructure today.
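The two preceding paragraphs describe the detection opportunity: a TXT answer whose text decodes from Base64 into an http(s) URL, or any TXT lookup against one of the named C2 domains. The following resolver-log scan is an added illustration written for this advisory, not the researchers' or any vendor's tooling; the log line format, the `*.example` domains, and the sample records are constructed assumptions, and only the four C2 domains come from the analysis above.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# C2 domains named in the analysis above (first and second clusters).
KNOWN_C2_DOMAINS = {"cndatalos.com", "data-cheklo.world", "webdmonitor.io", "logs-web.com"}

# Assumed resolver log format, one answer per line:
#   <ts> client=<ip> qname=<name> qtype=<type> rdata="<text>"
LOG_RE = re.compile(r'client=(?P<client>\S+) qname=(?P<qname>\S+) '
                    r'qtype=(?P<qtype>\S+) rdata="(?P<rdata>[^"]*)"')

def decode_url_payload(txt):
    """Return the http(s) URL hidden in a Base64 TXT value, else None."""
    try:
        decoded = base64.b64decode(txt.strip(), validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None  # not Base64, or not printable ASCII once decoded
    parsed = urlparse(decoded)
    return decoded if parsed.scheme in ("http", "https") and parsed.netloc else None

def find_suspicious_txt(log_lines):
    """Flag TXT answers from known C2 domains or carrying a Base64-encoded URL.
    Returns (client, qname, reason, decoded_url) tuples in log order."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["qtype"] != "TXT":
            continue
        qname = m["qname"].rstrip(".").lower()
        url = decode_url_payload(m["rdata"])
        if qname in KNOWN_C2_DOMAINS:
            hits.append((m["client"], qname, "known-c2-domain", url))
        elif url is not None:
            hits.append((m["client"], qname, "base64-url-in-txt", url))
    return hits

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample log: an SPF record, a harmless Base64 note, a Base64-encoded
# redirect URL on a hypothetical domain, a lookup of a listed C2 domain, and an A record.
SAMPLE_LOG = [
    '2025-06-16T10:00:01Z client=10.0.0.5 qname=example.com qtype=TXT rdata="v=spf1 include:_spf.example -all"',
    '2025-06-16T10:00:02Z client=10.0.0.5 qname=notes.example qtype=TXT rdata="%s"' % _b64("just a note"),
    '2025-06-16T10:00:03Z client=10.0.0.7 qname=redirector.example qtype=TXT rdata="%s"'
        % _b64("https://landing.example/go?geo=US&ua=chrome"),
    '2025-06-16T10:00:04Z client=10.0.0.7 qname=cndatalos.com. qtype=TXT rdata="%s"' % _b64("https://landing.example/alt"),
    '2025-06-16T10:00:05Z client=10.0.0.9 qname=logs-web.com qtype=A rdata="203.0.113.10"',
]

if __name__ == "__main__":
    for hit in find_suspicious_txt(SAMPLE_LOG):
        print(hit)
```

The SPF record and the plain Base64 note are not flagged, which keeps the rule usable on real resolver logs where TXT answers are common.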
Impact
- Unauthorized Access
- Financial Loss
Indicators of Compromise
IP
- 185.11.61.37
- 185.234.216.54
- 185.161.248.253
- 46.30.45.27
Remediation
- Regularly apply updates to close known security vulnerabilities.
- Use trusted WordPress security plugins (like Wordfence or Sucuri) to detect and delete suspicious or hidden plugins.
- Reset passwords for all admin accounts and enforce strong password policies.
- Deploy a WAF to block malicious traffic and prevent unauthorized access.
- Restrict the number of admin users and use role-based access controls.
- Check for unusual DNS TXT record queries that could signal covert command-and-control activity.
- Remove unused plugins, themes, and services to reduce the attack surface.
- Add an extra layer of authentication (such as MFA) to all login accounts.
- If infected, restore the website using a verified, malware-free backup.
- Perform routine security audits and log reviews to detect unauthorized changes.
- Use threat intelligence feeds to block domains and IPs used in the VexTrio infrastructure.
- If your site redirected users, notify partners or customers who may have been impacted.