VexTrio: The biggest criminal programm

Infoblox has made a significant revelation regarding VexTrio, the criminal programm involving threat actors such as ClearFake and SocGholish.

These actors have established partnerships with a major entity known as VexTrio, described as the largest malicious traffic broker in security literature. Active since at least 2017, VexTrio employs a dictionary domain generation algorithm to propagate various malicious campaigns, distributing scams, riskware, spyware, adware, potentially unwanted programs, and pornographic content.

In 2022, VexTrio was involved in a Glupteba malware distribution cluster, overcoming Google’s attempts to take down its infrastructure. In August 2023, the group orchestrated a widespread attack using compromised WordPress websites, utilizing the Domain Name System (DNS) protocol to retrieve redirect URLs and operate as a DNS-based traffic distribution system. VexTrio is estimated to manage a network of over 70,000 known domains, brokering traffic for up to 60 affiliates, including ClearFake, SocGholish, and TikTok Refresh.

Distinctively, this programm operates its affiliate program by providing dedicated servers to each affiliate, with longstanding relationships. The affiliate attacks involve multiple actors, and VexTrio controls multiple Traffic Distribution System (TDS) networks to route visitors based on profile attributes, maximizing profits. VexTrio’s TDS consumes web traffic from other cybercriminals and sells it to its customers through a large and sophisticated cluster server utilizing thousands of domains.

Notably, SocGholish, a VexTrio affiliate, operates other TDS servers, such as Keitaro and Parrot TDS, the latter identified as active since October 2021. Parrot TDS injects malicious scripts into existing JavaScript code, facilitated by exploiting known security vulnerabilities in content management systems like WordPress and Joomla!. VexTrio’s affiliate network primarily targets vulnerable WordPress software versions to insert rogue JavaScript into HTML pages.


VexTrio is suspected of conducting its own cyber campaigns, abusing referral programs, and reselling web traffic received from affiliates to downstream threat actors. Infoblox emphasizes the difficulty in precise classification and attribution due to the complex design and entangled nature of the affiliate network, allowing VexTrio to thrive anonymously in the security industry for over six years.