Vextrio

Threat Actor updated 5 months ago (2024-05-04T20:45:34.033Z)
VexTrio, a large-scale distributor of cyber threats, has been identified as a major traffic broker for cybercriminals, according to Check Point Research's January 2024 Most Wanted Malware report. The group operates one of the most extensive HTTP-based Traffic Direction System (TDS) networks, with infrastructure built on more than 70,000 hijacked websites used to distribute malicious content. The operation is part of an emerging cybercrime ecosystem built around TDS networks, in which VexTrio stands out for its size and impact.

VexTrio's modus operandi relies on maintaining a large pool of compromised websites and affiliates, so that malicious traffic keeps flowing even when defenders neutralize some of its clients. Its techniques include injecting compromised sites with malicious JavaScript that presents visitors with fake browser update prompts. VexTrio's TDS servers then rapidly filter incoming traffic using information gleaned from browser settings and cached data, including the visitor's operating system, location, and other potentially relevant attributes. Notably, VexTrio has established partnerships with other prominent threat actors such as SocGholish and ClearFake, which run their own TDS but hand victims on to VexTrio's.

VexTrio also registers large numbers of domains every day using a dictionary-based domain-generation algorithm. This gives it a ready, constantly changing supply of domains for hosting malicious content and contributes to an estimated total of at least 70,000 malicious domains under its control.
Description last updated: 2024-02-28T15:16:09.007Z
Aliases: none currently tracked

Miscellaneous Associations (other elements of context that could aid in assessing relevance): Cybercrime, Malware
Associated Malware

Alias: SocGholish
Description: The SocGholish malware is associated with VexTrio. SocGholish is malicious software that has been significantly prevalent in cyber threats over recent years. In 2022, it was observed being used in conjunction with the Parrot TDS to deliver the FakeUpdates downloader to unsuspecting visitors on compromised websites. By late 2022, Microsof
Association Type: Unspecified
Votes: 2

Alias: ClearFake
Description: The ClearFake malware is associated with VexTrio. ClearFake is malicious software that has been identified as a significant threat to computer systems, specifically targeting macOS through an information stealer known as AMOS. This malware operates by compromising legitimate websites with harmful HTML and JavaScript, masquerading as a f
Association Type: Unspecified
Votes: 2