{
  "name": "What is the Real Relationship between WordPress Hackers and Malicious Adtech?",
  "slug": "what-is-the-real-relationship-between-wordpress-hackers-and-malicious-adtech",
  "description": "An investigation into VexTrio, a malicious traffic distribution system (TDS), revealed surprising connections between WordPress hackers and adtech companies. When VexTrio's operations were disrupted, multiple malware actors migrated to a new TDS that was discovered to be related to VexTrio. Several commercial TDSs were found to share software elements with VexTrio and benefit from its relationship with website malware actors. The investigation uncovered a complex network of adtech firms, including Partners House, BroPush, and RichAds, that use similar technologies and tactics to distribute malicious content. These firms have information about the identities of malware actors, which could potentially lead to the disruption of those actors.",
  "published": "2025-06-13T05:59:41+00:00",
  "created_at": "2025-06-13T05:59:41+00:00",
  "modified_at": "2025-06-13T06:28:44+00:00",
  "created_at_opencti": "2025-06-13T05:59:41+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-06-13",
    "adtech",
    "affiliate networks",
    "balada",
    "dns",
    "dollyway",
    "hackers",
    "malware",
    "push notifications",
    "sign1",
    "tds",
    "wordpress"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "46.30.45.27"
      },
      {
        "id": "",
        "name": "185.161.248.253"
      },
      {
        "id": "",
        "name": "185.11.61.37"
      },
      {
        "id": "",
        "name": "185.234.216.54"
      },
      {
        "id": "",
        "name": "https://help.scaleo.io/article/414-los-pollos-affiliate-network"
      },
      {
        "id": "",
        "name": "http://somenth.bilitere.shop/?utm_medium="
      },
      {
        "id": "",
        "name": "http://pushtorm.net/System/AddSubscriber"
      },
      {
        "id": "",
        "name": "mvgde.stonecoremason.com"
      },
      {
        "id": "",
        "name": "mvgde.sec-tl-129-d.buzz"
      },
      {
        "id": "",
        "name": "mvgde.sec-tl-129-b.buzz"
      },
      {
        "id": "",
        "name": "mvgde.runicartisan.top"
      },
      {
        "id": "",
        "name": "mvgde.runesmith.top"
      },
      {
        "id": "",
        "name": "mvgde.mountbliss.top"
      },
      {
        "id": "",
        "name": "mnz.oktrkme.com"
      },
      {
        "id": "",
        "name": "i8b.wstbaw.com"
      },
      {
        "id": "",
        "name": "help.scaleo.io"
      },
      {
        "id": "",
        "name": "gzeao.check-tl-ver-154-2.com"
      },
      {
        "id": "",
        "name": "gzeao.check-tl-ver-116-3.com"
      },
      {
        "id": "",
        "name": "gzeao.cavernexplorer.com"
      },
      {
        "id": "",
        "name": "fe12.brpdataboxx.today"
      },
      {
        "id": "",
        "name": "f68wy7o9ezwwtqc1do.oscarey.my.id"
      },
      {
        "id": "",
        "name": "date.oktrkme.com"
      },
      {
        "id": "",
        "name": "d3l.wstbaw.com"
      },
      {
        "id": "",
        "name": "cdn.jmp-assets.com"
      },
      {
        "id": "",
        "name": "c62a.rpbuildhub.xyz"
      },
      {
        "id": "",
        "name": "b9ab1.rpbuildit.xyz"
      },
      {
        "id": "",
        "name": "9c3e1.rpdiscover.xyz"
      },
      {
        "id": "",
        "name": "7r6.fmqrsj.com"
      },
      {
        "id": "",
        "name": "702942e07c.hotbkebani.cc"
      },
      {
        "id": "",
        "name": "6.lands.ninja"
      },
      {
        "id": "",
        "name": "6.enlala.com"
      },
      {
        "id": "",
        "name": "5435.rpknowledge.xyz"
      },
      {
        "id": "",
        "name": "43ff.rpstreamfx.xyz"
      },
      {
        "id": "",
        "name": "3ic.ymehtq.com"
      },
      {
        "id": "",
        "name": "2zhyl.iqfmvj.com"
      },
      {
        "id": "",
        "name": "2rt.xcumpw.com"
      },
      {
        "id": "",
        "name": "2765516796.news-xdujuwe.xyz"
      },
      {
        "id": "",
        "name": "209c.brpteamwork.cc"
      },
      {
        "id": "",
        "name": "1azo7.iqfmvj.com"
      },
      {
        "id": "",
        "name": "0cc79f7666.news-xzomigu.cc"
      },
      {
        "id": "",
        "name": "06254a045e.news-xkijeki.store"
      },
      {
        "id": "",
        "name": "0605ee9ae7.hotbfocuhe.cc"
      },
      {
        "id": "",
        "name": "01be885d26.hotbwixife.today"
      },
      {
        "id": "",
        "name": "01afa41bf2.news-xceyuna.live"
      },
      {
        "id": "",
        "name": "0.to6s.biz"
      },
      {
        "id": "",
        "name": "0.strongblackspaces.com"
      },
      {
        "id": "",
        "name": "0.se11.biz"
      },
      {
        "id": "",
        "name": "0.robotverifier.com"
      },
      {
        "id": "",
        "name": "0.mo10.biz"
      },
      {
        "id": "",
        "name": "0.blueskyactivecontrol.com"
      },
      {
        "id": "",
        "name": "web-hosts.io"
      },
      {
        "id": "",
        "name": "vipbonusgain.top"
      },
      {
        "id": "",
        "name": "sweetrnd.net"
      },
      {
        "id": "",
        "name": "siteforyou3d.com"
      },
      {
        "id": "",
        "name": "scoretopprizes.top"
      },
      {
        "id": "",
        "name": "rpn-news3.club"
      },
      {
        "id": "",
        "name": "robotverifier.com"
      },
      {
        "id": "",
        "name": "ritardalarmser.gq"
      },
      {
        "id": "",
        "name": "purinagun.ru"
      },
      {
        "id": "",
        "name": "prefez.shop"
      },
      {
        "id": "",
        "name": "participates.cfd"
      },
      {
        "id": "",
        "name": "phenotypebest.com"
      },
      {
        "id": "",
        "name": "pacocha.shop"
      },
      {
        "id": "",
        "name": "oktrkme.com"
      },
      {
        "id": "",
        "name": "ospeau.com"
      },
      {
        "id": "",
        "name": "notification-centr.com"
      },
      {
        "id": "",
        "name": "msgdetox.com"
      },
      {
        "id": "",
        "name": "news-abcd.cc"
      },
      {
        "id": "",
        "name": "lookup-domain.com"
      },
      {
        "id": "",
        "name": "logs-web.com"
      },
      {
        "id": "",
        "name": "knowableuniverse.co"
      },
      {
        "id": "",
        "name": "infosystemsllc.com"
      },
      {
        "id": "",
        "name": "dns-routing.com"
      },
      {
        "id": "",
        "name": "deidrerealestate.co"
      },
      {
        "id": "",
        "name": "data-infox.com"
      },
      {
        "id": "",
        "name": "data-cheklo.world"
      },
      {
        "id": "",
        "name": "co34.space"
      },
      {
        "id": "",
        "name": "cndatalos.com"
      },
      {
        "id": "",
        "name": "cloud-stats.com"
      },
      {
        "id": "",
        "name": "cdsecurecloud-dt.com"
      },
      {
        "id": "",
        "name": "cdn-routing.com"
      },
      {
        "id": "",
        "name": "betelgeuserigel.com"
      },
      {
        "id": "",
        "name": "airlogs.net"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:416f1815457bba07",
        "name": "Balada",
        "slug": "balada"
      },
      {
        "id": "5a7e2567-4406-49e8-ae09-f10dc095bf64",
        "name": "DollyWay",
        "slug": "dollyway"
      },
      {
        "id": "af106849-49b5-426b-91e4-2fb00ba1d819",
        "name": "Sign1",
        "slug": "sign1"
      }
    ],
    "intrusion_sets": [
      {
        "id": "416b1b6f-63c3-4c69-bc29-231cba9a327d",
        "name": "VexTrio",
        "slug": "vextrio"
      }
    ],
    "attack_patterns": [
      {
        "id": "75702b35-b790-4504-a1e0-7829e76f22e9",
        "name": "T1585"
      },
      {
        "id": "6babd5aa-5112-4f14-a660-60d756a65d6d",
        "name": "T1586"
      },
      {
        "id": "74d5f31c-5e2d-4aed-b8b9-4fabdde76dfa",
        "name": "T1598"
      },
      {
        "id": "dc342445-1b78-48b4-aa06-89ed2ad7c28e",
        "name": "T1071"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "c340d47a-2ea8-41ca-9a0b-a72559b89bbf",
        "name": "T1584"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Czechia"
      },
      {
        "id": "",
        "name": "Switzerland"
      },
      {
        "id": "",
        "name": "Russian Federation"
      },
      {
        "id": "",
        "name": "19a1.brpconnecta.digital"
      }
    ]
  },
  "external_refs": [
    "https://blogs.infoblox.com/threat-intelligence/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal/",
    "https://otx.alienvault.com/pulse/684bda6d032b4c4aeb5ec33c"
  ]
}