WordPress hackers are teaming up with commercial adtech firms to distribute malware to millions of users - here's how to stay safe

• Push notifications are now being used as malware delivery systems, and users are unknowingly subscribing to them
• Fake CAPTCHA prompts are now the gateway to persistent browser hijacks and phishing attacks
• WordPress sites are quietly hijacking users through invisible DNS commands and shared JavaScript payloads

Recent investigations have revealed a troubling alliance between WordPress hackers and commercial adtech companies, creating a vast infrastructure for distributing malware on a global scale.

Research from Infoblox Threat Intel found at the core of this operation is VexTrio, a traffic distribution system (TDS) responsible for rerouting web users through layers of fake ads, deceptive redirects, and fraudulent push notifications.

The report claims several commercial firms, including Los Pollos, Partners House, and RichAds, are entangled in this network, serving as both intermediaries and enablers.

Los Pollos connection and a failed shutdown

Infoblox initially tied Los Pollos to VexTrio when the former was implicated in Russian disinformation campaigns.

In response, Los Pollos claimed it would terminate its "push link monetization" model.

Despite this, the underlying malicious activity continued as attackers shifted to a new TDS known as Help, which was eventually linked back to VexTrio.

WordPress vulnerabilities served as the entry point for multiple malware campaigns, as attackers compromised thousands of websites, embedding malicious redirection scripts. These scripts relied on DNS TXT records as a command-and-control mechanism, determining where to send web visitors.

Analysis of over 4.5 million DNS responses between August and December 2024 revealed that even though various malware strains appeared separate, they shared infrastructure, hosting, and behavioral patterns that all led to VexTrio or its proxies, including Help TDS and Disposable TDS.

JavaScript across these platforms exhibited the same functions, disabling browser navigation controls, forcing redirects, and luring users with fake sweepstakes.

Interestingly, these TDSs are embedded within commercial adtech platforms that present themselves as legitimate affiliate networks.

"These firms maintained exclusive relationships with 'publisher affiliates,' in this context, the hackers, and knew their identities," researchers noted.

Push notifications have emerged as a particularly potent threat vector. Users are tricked into turning on browser notifications by using fake CAPTCHA prompts.

Hackers then send phishing or malware links after a user subscribes, evading firewall settings and even the best antivirus programs.

Some campaigns route these messages through reliable services like Google Firebase, making detection significantly more difficult.

The overlap between adtech platforms, including BroPush, RichAds, and Partners House, further complicates attribution.

Misconfigured DNS systems and reused scripts suggest a common backend, possibly even a shared development environment.

To tackle the risk, users should avoid turning on suspicious browser alerts, use tools that offer zero-trust network access (ZTNA), and be cautious when using CAPTCHA prompts.

By updating WordPress and monitoring for DNS anomalies, site administrators can reduce the likelihood of compromise.

Adtech companies, however, might have the actual lever and the key to closing these operations if they choose to act.

You might also like

• Downloaded something dodgy? These are the best malware removal tools
• Nail the basics with the best firewalls available now
• Stop using these 22 Android crypto and wallet apps ASAP, or you risk losing all your cryptocurrency