Infoblox Detects Connection Between WordPress Hackers and TDS Networks Linked to VexTrio

Infoblox reveals a connection between cyberattacks on WordPress and TDS networks associated with the malicious actor VexTrio, with advanced use of Adtech technology.

Cybersecurity firm Infoblox has identified a direct connection between hackers compromising WordPress sites and traffic distribution networks (TDS) linked to the malicious group VexTrio, a complex structure that acts as a key intermediary in the supply chain of multiple malware campaigns.

The finding was made by Infoblox Threat Intel, the company’s intelligence unit, through a set of observational studies in which deliberate alterations were introduced into the behaviour of suspicious TDS. When VexTrio’s operations were disrupted, it was observed that various malicious agents quickly migrated to a new system: Help TDS, apparently linked to the same actor.

A sophisticated Adtech and DNS-based supply chain

The analysis revealed that several TDSs on the market shared software and resources with VexTrio, and that all of them used advertising (Adtech) technologies such as Partners House, Bro Push or RichAds to distribute malicious content. This has made it possible to trace the technical and operational relationships between hackers and traffic providers, a key tactic for customising and scaling attacks against users around the world.

By studying 4.5 million DNS TXT records over six months, Infoblox also located two command and control (C2) servers hosted on Russian infrastructure, providing critical information about the malicious DNS infrastructure used by these actors.

A threat affecting thousands of legitimate sites

The use of WordPress and other CMSs as an entry point makes VexTrio and its associates a persistent threat. According to the report, VexTrio’s structure allows it to quickly compromise thousands of legitimate sites, negatively impacting the brand reputation of victim organisations and exposing millions of users to customised malware campaigns.

Furthermore, the relationship between hackers and malicious TDS networks demonstrates a high degree of adaptability. When their operations are detected or disrupted, they quickly migrate their infrastructure and continue to exploit vulnerabilities through alternative channels, such as newly associated TDSs.

The Adtech paradox: attack vector and vulnerability

One of the most relevant findings of the Infoblox report is that the use of Adtech technology is both a strength and a weakness for attackers. Because they operate through commercial digital advertising platforms, researchers were able to identify unique identifiers of malware operators, opening the door to collaboration with Adtech providers to track and deactivate malicious campaigns.

Recommendations for proactive defence

Infoblox emphasises the importance of deploying DNS-based security solutions to protect against fraudulent TDSs. Protective DNS services, combined with DNS auditing and record maintenance practices, can block access to malicious content before it reaches the user.

It also advises raising user awareness to avoid falling into traps such as malicious push notifications, and removing the DNS records associated with cloud services that are no longer active, so that dangling records cannot be taken over.
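The DNS auditing and record-maintenance practice recommended above, as an added example that is not part of the Infoblox report: the script parses a constructed BIND-style zone export, flags CNAME records whose targets are no longer in the active cloud-service inventory (candidate dangling records) and TXT records that match no recognised purpose. All hostnames, the inventory and the TXT prefixes are assumptions for the example.

```python
"""Audit a DNS zone export for stale or unexplained records.

Two checks that follow the record-maintenance advice above:
  1. CNAMEs pointing at cloud hosts absent from the active inventory
     (records left behind after a service was decommissioned).
  2. TXT records that start with none of the prefixes we recognise
     (SPF/DMARC/DKIM/site verification), which warrant review.
"""
import re
from dataclasses import dataclass

# Constructed sample zone export; the names are hypothetical.
ZONE = """
; example.test zone export (constructed)
www   300 IN A     203.0.113.10
shop  300 IN CNAME shop-old.example-cloud.test.
blog  300 IN CNAME blog.example-cloud.test.
@     300 IN TXT   "v=spf1 include:_spf.example.test -all"
@     300 IN TXT   "cfg=aHR0cDovL2V4YW1wbGUudGVzdA=="
"""
# Source of truth for cloud hosts still provisioned (constructed inventory).
ACTIVE_CLOUD_HOSTS = {"blog.example-cloud.test."}
# TXT prefixes with a known, legitimate purpose in this zone (assumed list).
KNOWN_TXT = ("v=spf1", "v=DMARC1", "v=DKIM1", "google-site-verification=")

@dataclass
class Finding:
    name: str
    rtype: str
    value: str
    reason: str

def parse_zone(text):
    """Return (owner, type, rdata) tuples; comments and blank lines skipped."""
    recs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = re.match(r"(\S+)\s+\d+\s+IN\s+(\S+)\s+(.+)", line)
        if m:
            recs.append((m.group(1), m.group(2), m.group(3).strip('"')))
    return recs

def audit(text, active_hosts=ACTIVE_CLOUD_HOSTS, known_txt=KNOWN_TXT):
    findings = []
    for name, rtype, value in parse_zone(text):
        if rtype == "CNAME" and value not in active_hosts:
            findings.append(Finding(name, rtype, value, "CNAME target not in active inventory; remove or re-point"))
        elif rtype == "TXT" and not value.startswith(known_txt):
            findings.append(Finding(name, rtype, value, "unrecognised TXT record; confirm owner or delete"))
    return findings
```

Run against a real zone export and an inventory pulled from the cloud provider's API; each finding is a record to justify or delete.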

With this new discovery, the company reinforces its role in the advanced defence of the DNS ecosystem, a critical and often underestimated layer in enterprise cybersecurity strategies.