Vextrio

Threat Actor updated 2 days ago (2024-11-20T18:10:54.223Z)

Download STIX

Preview STIX

Vextrio, a significant threat actor in the cybercrime landscape, has been uncovered as a major traffic broker for cybercriminals by Check Point Research's January 2024 Most Wanted Malware report. The group operates Vextrio Viper, a Traffic Distribution System (TDS) network established in 2020, which links compromised domains to an affiliate network of over 65 partners. These partners redirect users to phishing, malware, and scam sites, contributing to the development of extensive cybercrime ecosystems around HTTP-based TDS networks. The Vextrio network consists of approximately 70,000 hijacked websites used for distributing malware and conducting fraud. Infoblox, a cybersecurity firm, noted that while other cybercrime groups like SocGholish and ClearFake operate their own TDS networks, they also have strategic partnerships with Vextrio, effectively passing victims to its TDS. Moreover, Vextrio continues to register large quantities of domains daily using a dictionary-based domain-generation algorithm, providing a constantly changing supply of domains for hosting malicious content. Since its inception six years ago, Vextrio has taken over multiple legitimate domains, including a hospital website in Colombia and various WordPress sites with known vulnerabilities, allowing them to reroute user traffic. According to a report from Infoblox, Vextrio maintains multiple traffic distribution systems used by over 60 affiliates, indicating the group's influence and reach within the cybercrime community. This vast network and its ongoing activities underline Vextrio's role as a central operator in the cybercrime ecosystem.

Description last updated: 2024-11-15T16:16:17.263Z

What's your take? (Question 1 of 3)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Cybercrime

Malware

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Socgholish Malware is associated with Vextrio. SocGholish is a malicious software (malware) that has been significantly prevalent in cyber threats over recent years. In 2022, it was observed being used in conjunction with the Parrot TDS to deliver the FakeUpdates downloader to unsuspecting visitors on compromised websites. By late 2022, Microsof	Unspecified	2
The Clearfake Malware is associated with Vextrio. ClearFake is a malicious software, or malware, that has been identified as a significant threat to cybersecurity. Its primary method of propagation is through fake browser updates, encouraging users to copy and execute harmful PowerShell commands. This deceptive approach enables cybercriminals to in	Unspecified	2

Source Document References

Information about the Vextrio Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
InfoSecurity-magazine	7 days ago	Sitting Ducks DNS Attacks Put Global Domains at Risk
CERT-EU	9 months ago	'Savvy Seahorse' Hackers Debut Novel DNS CNAME Trick \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
DARKReading	9 months ago	'Savvy Seahorse' Hackers Debut Novel DNS CNAME Trick
CERT-EU	9 months ago	Orgs are having a major identity crisis
Checkpoint	9 months ago	12th February – Threat Intelligence Report - Check Point Research
BankInfoSecurity	10 months ago	Malicious Traffic Distribution System Spotted by Researchers
DARKReading	10 months ago	'VexTrio' TDS: The Biggest Cybercrime Operation on the Web?