Infoblox has recently released new research that unveils critical insights into the cybercriminal entity VexTrio, exposing its complex network of malicious connections with other cybercriminal enterprises, such as ClearFake and SocGholish.
This work, done in collaboration with the security researcher who discovered the ClearFake malware, aims to reveal the depth of these threat actors’ affiliations and expose their illicit activities that have also been detected within networks globally.
VexTrio controls a large and malicious network that reaches a wide audience of Internet users. Through a criminal affiliate program with over 60 partners, including high-profile entities like SocGholish and ClearFake – it stands out as the most pervasive DNS threat actor, operating for six years and impacting over 50% of customer networks. Its role as an invisible traffic broker has kept it undetected by other vendors.
Infoblox’s research has also generated a number of other major findings. In particular:
- VexTrio operates its affiliate program in a unique way, providing a small number of dedicated servers to each affiliate.
- VexTrio’s affiliate relationships appear longstanding. For example, SocGholish has been a VexTrio affiliate since at least April 2022. Infoblox assess ClearFake has worked with VexTrio throughout its lifetime; at least since launching their campaigns in August 2023.