VexTrio operates a large, resilient malicious adtech and traffic distribution infrastructure that leverages trackers (Binom, Keitaro), cloakers (IM KLO), CDNs, and automation tools to run global spamming, scamming, and scareware campaigns. Key infrastructure elements include dedicated IP ranges and CDN domains (e.g., imghst-de[.]com), DevOps tooling (Terraform, Kubernetes, GitLab), and affiliate networks like RollerAds that funnel victims into VexTrio-controlled trackers and landing pages. #Binom #IMKLO
Keypoints
- VexTrio is an extensive malicious adtech enterprise using dedicated IP ranges (e.g., AS5398, AS203639) and historical DNS/BGP analysis to map its infrastructure.
- Their TDS handles billions of transactions daily while relying on automation and DevOps tooling such as Terraform, Consul, Vault, Kubernetes, Proxmox, GitLab, and Argo.
- VexTrio extensively uses self-hosted trackers—especially Binom—to log clicks, route users by profile (age, browser, OS, geolocation), and function as cloakers/TDS.
- Affiliates and ad networks (RollerAds, Propeller Ads, Push House, RichPush) pass demographic and behavioral data to VexTrio trackers, enabling targeted scams and scareware.
- They employ dedicated cloaking software (IM KLO and related IM GROUP tools) to evade social-media ad reviews and remove negative comments.
- Critical CDN domains (notably imghst-de[.]com and others) act as kill switches; if disrupted, many campaigns would fail despite distributed hosting (Cloudflare, Akamai, Amazon).
- VexTrio’s infrastructure is comparatively small in VM count yet globally effective, and their CDN domains have unusually high popularity and low detection signals (e.g., minimal VirusTotal flags).
MITRE Techniques
- [T1071] Application Layer Protocol – Used to deliver ads, trackers, and scareware via HTTP/HTTPS through CDNs and web redirects; quoted: ‘clicking on one notification … led us to the RollerAd TDS (pr3tty-fly4[.]com) … RollerAds passed our data to a Binom server (hktrk[.]com)’.
- [T1583] Acquire Infrastructure – VexTrio registers and operates domains, IP ranges, and CDN assets (imghst-de[.]com, lp-assets[.]com) to host TDS, trackers, and landing pages; quoted: ‘we identified … multiple prefixes—and a truckload of passive DNS uncovering their infrastructure’.
- [T1588] Obtain Capabilities – Use of third-party commercial tools (Binom, Keitaro, IM KLO) to perform tracking, cloaking, and campaign optimization; quoted: ‘VexTrio relies on third-party tools such as Binom and Keitaro … primarily use IM KLO’.
- [T1078] Valid Accounts – Use of registrar accounts and CDN/pro accounts (Cloudflare Pro, Akamai) to host popular CDN domains and maintain service despite abuse reports; quoted: ‘We suspect that the domain’s account is enrolled in a CloudflarePro plan …’.
- [T1608] Stage Capabilities – Use of DevOps automation (Terraform, Consul, Vault, Kubernetes, GitLab, Argo) to scale and relocate TDS and campaign infrastructure quickly; quoted: ‘DNS hostnames revealed the use of Hashi Corp software (Terraform, Consul and Vault), Kubernetes, Proxmox, Gitlab and Argo’.
- [T1496] Resource Hijacking (abuse of trusted services) – Leveraging high-reputation CDNs and cloud providers (Cloudflare, Akamai, Amazon) to host malicious content with reduced detection; quoted: ‘imghst-de[.]com is behind Cloudflare’s CDN … CNAME records that point to Akamai’s edge hostnames’.
- [T1204] User Execution – Luring users via push notifications and malicious ads to click-through flows that lead to scareware and fake antivirus pages; quoted: ‘a push notification from an infected phone redirected user to the Binom tracker … and on to a scareware page’.
Indicators of Compromise
- [Domain] VexTrio CDN and tracker domains – imghst-de[.]com, jmp-assets[.]com (CDN domains used to deliver images/JS and critical resources).
- [Domain] Binom and tracker domains – hktrk[.]com, lpmbtrk[.]com (Binom tracker servers and tracker domains; and dozens more).
- [IP Address] Hosting in VexTrio IP ranges – 46[.]21[.]30[.]248, 185[.]155[.]186[.]48 (A records for www.lospollos[.]com observed in AS5398/AS203639).
- [Hostname/URL] TDS and affiliate domains – pr3tty-fly4[.]com (RollerAds TDS endpoint that forwarded parameters to Binom).
- [Registrar/Service] CDN/Cloud providers context – Cloudflare-protected imghst-de[.]com, Akamai CNAMEs for various CDN domains (e.g., jmpcdn[.]com) used to serve malicious JS and assets.
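Because the report's indicators are a mix of defanged domains, CNAME-fronted CDN hostnames and A-record IPs, a practical first check on the defensive side is to refang them and sweep resolver logs for query names, CNAME targets and answers that touch that list. The script below is an added example, not code from the original report or from Infoblox; the DNS log lines and the `assets.` / `www.` subdomains and the Akamai-style CNAME target in them are constructed for the demonstration, and the five-column log layout is an assumption about the resolver's export format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Defanged indicators as written in the summary above (domains and IPs).
DEFANGED_IOCS = [
    "imghst-de[.]com", "jmp-assets[.]com", "lp-assets[.]com", "jmpcdn[.]com",
    "hktrk[.]com", "lpmbtrk[.]com", "pr3tty-fly4[.]com",
    "46[.]21[.]30[.]248", "185[.]155[.]186[.]48",
]

IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its live, lowercased form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


@dataclass(frozen=True)
class Match:
    line_no: int
    indicator: str
    field: str  # which log field matched: "qname", "cname" or "answer"


# Constructed sample resolver log (not from the report), assumed layout:
# "<timestamp> <client> <qname> <rtype> <answer>"; for CNAME the answer is the target.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.15 cdn.example.org A 203.0.113.10
2024-05-01T10:00:02Z 10.0.0.15 www.IMGHST-DE.com A 104.16.0.1
2024-05-01T10:00:03Z 10.0.0.22 assets.jmpcdn.com CNAME e1234.a.akamaiedge.net
2024-05-01T10:00:04Z 10.0.0.22 www.lospollos.com A 46.21.30.248
2024-05-01T10:00:05Z 10.0.0.31 login.example.org A 192.0.2.44
"""


def _domain_hit(name: str, domain_iocs: Set[str]) -> Optional[str]:
    """Return the IoC domain that `name` equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")
    for d in domain_iocs:
        if name == d or name.endswith("." + d):
            return d
    return None


def scan_dns_log(log_text: str, defanged_iocs=DEFANGED_IOCS) -> List[Match]:
    """Sweep resolver log lines for IoC domains in qnames and CNAME targets,
    and for IoC addresses in A-record answers (the A-record case catches hosts
    parked in the VexTrio IP ranges even when the name itself is not listed)."""
    iocs = {refang(i) for i in defanged_iocs}
    ip_iocs = {i for i in iocs if IP_RE.fullmatch(i)}
    domain_iocs = iocs - ip_iocs
    matches: List[Match] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not fit the assumed layout
        _ts, _client, qname, rtype, answer = parts
        hit = _domain_hit(qname, domain_iocs)
        if hit:
            matches.append(Match(n, hit, "qname"))
        if rtype == "CNAME":
            hit = _domain_hit(answer, domain_iocs)
            if hit:
                matches.append(Match(n, hit, "cname"))
        elif answer in ip_iocs:
            matches.append(Match(n, answer, "answer"))
    return matches


if __name__ == "__main__":
    for m in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"line {m.line_no}: {m.field} matched {m.indicator}")
```

The suffix match is deliberate: the report lists apex domains, while the traffic will show subdomains and CNAME-chain targets. Since the same CDN domains are described as highly popular and rarely flagged, a hit here is a triage lead to pair with the client's browsing context (push-notification redirect chains, tracker parameters) rather than a verdict on its own.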