Cyber Security
Infoblox Uncovers VexTrio’s Extensive Criminal Affiliate Scheme

Infoblox has recently unveiled new research that provides crucial insights into the cybercriminal entity known as VexTrio. This research exposes VexTrio’s intricate network of malicious connections with other cybercriminal enterprises, such as ClearFake and SocGholish. The research, conducted in collaboration with the security researcher who discovered the ClearFake malware, aims to reveal the extent of these threat actors’ affiliations and expose their illicit activities that have been detected globally.
VexTrio controls a vast and malicious network that reaches a broad audience of internet users. Through a criminal affiliate program with over 60 partners, including high-profile entities like SocGholish and ClearFake, it has become the most pervasive DNS threat actor. Operating for six years and impacting over 50% of customer networks, its role as an invisible traffic broker has kept it undetected by other vendors, complicating detection and tracking.
Infoblox’s research has also yielded several other significant findings:
- VexTrio uniquely operates its affiliate program, providing a small number of dedicated servers to each affiliate.
- VexTrio’s affiliate relationships appear to be longstanding. For instance, SocGholish has been a VexTrio affiliate since at least April 2022. ClearFake’s partnership is shorter in total time, but it is assessed to have worked with VexTrio throughout its lifetime, at least since launching its campaigns in August 2023.
- VexTrio attack chains can include multiple actors. A single attack sequence has been observed to involve four actors.
- VexTrio and its affiliates are abusing referral programs related to McAfee and Benaughty.
- VexTrio controls multiple TDS networks, which function in different ways. A new DNS-based TDS was first observed in late December 2023.
Infoblox has been tracking VexTrio via DNS since 2020, but new evidence shows their enterprise began in 2017, possibly earlier. The ongoing evolution of VexTrio, coupled with its partnership with significant actors like SocGholish, highlights its crucial role in the criminal industry, a role that has gone largely unrecognised by the security industry.
VexTrio’s affiliate program operates similarly to a legitimate marketing affiliate network. Each cyberattack uses DNS infrastructure owned by multiple cybercriminal entities. Participating cybercriminal affiliates will forward user traffic originating from their services (such as a compromised website) to VexTrio-controlled TDS servers. Subsequently, VexTrio relays these flows of user traffic to other cybercriminal affiliate networks or fake web pages. In many cases, VexTrio also redirects victims to their ongoing phishing campaigns.
While SocGholish and ClearFake are most associated with malware and fake software update pages, both entities also operate TDS servers that route internet users according to attributes such as device information, operating system, location, and other personal details.
The research underscores the critical role of TDS in the estimated $8 trillion cybercrime economy. Globally, the cost of cybercrime is estimated at over US$7 trillion and is expected to grow steadily over the years. In the Asia-Pacific region, the rapid pace of digitalization and the accelerated adoption of new technologies have made it one of the major hotspots for cybercrime.