VexTrio: most malicious DNS threat actor identified


A DNS management and security provider has exposed and blocked VexTrio, a complex criminal affiliate program. Blocking it improves cybersecurity.

Infoblox has made another important discovery in the fight against cybercrime: In a comprehensive blog post today, the company presents its findings about VexTrio, operator of a massive criminal affiliate network. VexTrio has played a central role in processing traffic for years. Although VexTrio is difficult to identify and track, blocking it directly disrupts a variety of cybercriminal activities. Through its discovery, Infoblox has helped make all of cyberspace safer.

Infoblox aims to raise awareness of the threat posed by traffic distribution systems (TDS) by targeting these structures - and advocates for increased industry-wide collaboration in detecting, identifying and combating malicious TDS providers.

How the VexTrio Affiliate Program Works

The criminal ecosystem VexTrio: This is how the affiliate program works (Image: Infoblox)

VexTrio's affiliate program works similarly to reputable marketing affiliate networks. Each attack typically affects the infrastructure of multiple companies. VexTrio partners redirect traffic originating from their own networks (e.g. compromised websites) to the TDS servers controlled by VexTrio. VexTrio then selectively transmits this traffic to the malicious sites of other actors or to other malicious affiliate networks. In addition, VexTrio not only provides the criminal infrastructure for others, but also acts as a threat actor itself, executing malicious campaigns.

The key findings of the comprehensive Infoblox report on VexTrio:

  • VexTrio has well-known partners such as ClearFake and SocGholish.
  • VexTrio has at least 60 partners, making it the largest malicious traffic broker described in the security literature.
  • VexTrio operates its affiliate program in a unique way by providing each affiliate with a small number of dedicated servers.
  • VexTrio maintains long-term partnerships. For example, SocGholish has been a VexTrio partner since at least April 2022.
  • VexTrio's attack chains can involve multiple actors. Infoblox has previously been able to observe up to four actors in a single attack sequence.
  • VexTrio and its partners abuse McAfee and Benaughty referral programs.
  • VexTrio controls multiple TDS networks that function in different ways. It was only at the end of December that Infoblox unveiled a new DNS-based TDS.
  • VexTrio's domain generation systems are constantly evolving. Therefore, relying solely on a static list of words or top-level domains (TLDs) based on domain history is ineffective. This approach is not enough to detect all VexTrio domains, of which there are now more than 70,000.
  • VexTrio has made a significant shift from dedicated hosting and name servers to shared providers. Since Infoblox first discovered VexTrio, over 55% of VexTrio domains that previously ran on dedicated infrastructure have migrated to shared hosting.


About Infoblox

Infoblox combines network management and security, ensuring exceptional performance and optimal protection. Both Fortune 100 companies and emerging young companies value Infoblox for real-time visibility and control over who and what is connecting to their network. This allows companies to work faster and stop threats sooner.
