Infoblox uncovers VexTrio’s Massive Criminal Affiliate Program

Infoblox

The research underscores the critical role of traffic distribution systems (TDS) in the estimated $8 trillion cybercrime economy. Globally, the cost of cybercrime is estimated at over US$7 trillion and is expected to grow steadily over the coming years. In the Asia-Pacific region, the rapid pace of digitalization and the accelerated adoption of new technologies have made it one of the major hotspots for cybercrime.

Infoblox has recently released new research that unveils critical insights into the cybercriminal entity VexTrio, exposing its complex network of malicious connections with other cybercriminal enterprises, such as ClearFake and SocGholish. This work, done in collaboration with the security researcher who discovered the ClearFake malware, aims to reveal the depth of these threat actors’ affiliations and expose their illicit activities that have also been detected within networks globally.

VexTrio controls a large malicious network that reaches a wide audience of internet users. Through a criminal affiliate program with over 60 partners, including high-profile entities such as SocGholish and ClearFake, it stands out as the most pervasive DNS threat actor, operating for six years and impacting over 50% of customer networks. Its role as an invisible traffic broker has kept it undetected by other vendors, complicating detection and tracking.

Infoblox’s research also noted that VexTrio operates its affiliate program in a unique way, providing a small number of dedicated servers to each affiliate. VexTrio’s affiliate relationships appear longstanding. For example, SocGholish has been a VexTrio affiliate since at least April 2022. Although the relationship is shorter, we assess that ClearFake has worked with VexTrio throughout its lifetime, at least since launching its campaigns in August 2023.

VexTrio’s affiliate program operates similarly to a legitimate marketing affiliate network. Each cyberattack uses DNS infrastructure owned by multiple cybercriminal entities. Participating affiliates forward user traffic originating from their own services (such as a compromised website) to VexTrio-controlled TDS servers. VexTrio then relays these flows of user traffic to other cybercriminal affiliate networks or to fake web pages. In many cases, VexTrio also redirects victims to its own ongoing phishing campaigns.
