Its role as an invisible traffic broker has kept it undetected by other vendors, complicating detection and tracking, according to Infoblox research, which has uncovered the following additional findings about VexTrio:

    • It operates their affiliate program in a unique way, providing a small number of dedicated servers to each affiliate. Each cyberattack uses DNS infrastructure owned by multiple cybercriminal entities. Participating cybercriminal affiliates will forward user traffic originating from their own services (such as a compromised website) to VexTrio-controlled traffic distribution system (TDS) servers. Subsequently, VexTrio relays these flows of user traffic to other cybercriminal affiliate networks or fake web pages. In many cases, VexTrio also redirects victims to their ongoing phishing campaigns.
    • Its affiliate relationships appear longstanding, possibly beginning in 2017 or earlier. For example, SocGholish has been an affiliate since at least April 2022. ClearFake has been assessed to have worked with VexTrio throughout its lifetime; at least since launching their campaigns in August 2023.
    • VexTrio’s attack chains can include multiple actors, with up to four actors being noted in an attack sequence.
    • The group and its affiliates are abusing referral programs related to McAfee and Benaughty.
    • It controls multiple TDS networks that function in different ways. In particular, a new DNS-based TDS was first observed in late-December 2023.