- Push notifications are now used as malware delivery channels, and users are unknowingly subscribing to them
- Fake CAPTCHA prompts are now the gateway to persistent browser hijacks and phishing attacks
- WordPress site hijacks quietly capture visitors through hidden DNS commands and shared JavaScript payloads
Recent research has revealed a troubling alliance between WordPress hackers and commercial adtech companies, creating a huge infrastructure for distributing malware worldwide.
Research from Infoblox Threat Intel found that at the core of this operation is VexTrio, a traffic distribution system (TDS) responsible for redirecting web users through layers of fake ads, misleading redirects and fake push notifications.
The report claims that several commercial companies, including Los Pollos, Partners House and RichAds, have been entangled in this network, serving as both intermediaries and enablers.
The Los Pollos connection and a failed shutdown
Infoblox originally tied Los Pollos to VexTrio when the former was implicated in Russian disinformation campaigns.
In response, Los Pollos claimed it would end its "push link monetization" model.
Despite this, the underlying malicious activity continued as attackers switched to a new TDS known as Help TDS, which was eventually linked to VexTrio.
WordPress vulnerabilities served as the entry point for multiple malware campaigns: attackers compromised thousands of sites and embedded malicious redirect scripts. These scripts relied on DNS TXT records as a command-and-control mechanism that determines where to send web visitors.
Analysis of over 4.5 million DNS responses between August and December 2024 revealed that although the different malware strains appeared separate, they shared infrastructure, hosting and behavioural patterns, all of which led back to VexTrio or its proxies, including Help TDS and Disposable TDS.
The JavaScript across these platforms exhibited the same features: it disabled browser navigation controls, forced redirects and lured users with fake competitions.
Notably, these TDSs are embedded in commercial adtech platforms that present themselves as legitimate affiliate networks.
"These companies maintained exclusive relationships with 'publishers' (affiliates, in this context hackers) and knew their identities," the researchers noted.
Push notifications have emerged as a particularly potent threat. Users are tricked into enabling browser notifications by fake CAPTCHA prompts.
Once a user subscribes, the attackers send phishing or malware links that bypass firewall settings and even the best antivirus programs.
Some campaigns route these notifications through trusted services such as Google Firebase, making detection significantly more difficult.
The overlap between adtech platforms, including BroPush, RichAds and Partners House, further complicates attribution.
Misconfigured DNS setups and recycled scripts point to a common backend, possibly even a shared development environment.
To reduce the risk, users should avoid enabling suspicious browser notifications, use tools that offer zero trust network access (ZTNA) and be careful with CAPTCHA prompts.
By keeping WordPress updated and monitoring for DNS anomalies, site administrators can reduce the likelihood of compromise.
Adtech companies, however, may hold the real leverage and the key to shutting these operations down, if they choose to act.
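As an added illustration of the DNS-anomaly monitoring recommended above (not code from the article or from Infoblox), the following Python scans resolver log lines for TXT answers that carry a redirect URL, plain or base64-wrapped, the pattern the article attributes to the injected scripts' DNS TXT command channel. The log format, domain names and sample lines are constructed assumptions.

```python
import base64
import re
# Constructed sample resolver log, assumed format "<ts> <client> <qname> <qtype> <rdata>".
# Lines 3-4 mimic the article's pattern: a TXT answer carrying a redirect destination.
_HIDDEN = base64.b64encode(b"https://lookup-helper.example/go?t=push").decode()
SAMPLE_DNS_LOG = f"""\
2024-11-02T10:01:05Z 10.0.0.12 www.example-shop.com A 203.0.113.10
2024-11-02T10:01:07Z 10.0.0.12 _dmarc.example-shop.com TXT "v=DMARC1; p=reject"
2024-11-02T10:01:09Z 10.0.0.12 cdn-status.lookup-helper.example TXT "{_HIDDEN}"
2024-11-02T10:01:11Z 10.0.0.12 track.lookup-helper.example TXT "https://lookup-helper.example/r?cid=77"
"""
# TXT payloads that legitimately appear in web-server DNS traffic; extend per environment.
BENIGN_TXT_PREFIXES = ("v=spf1", "v=DMARC1", "google-site-verification=", "MS=")
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def decode_base64_text(value):
    """Return the decoded string when value is base64 of printable ASCII, else None."""
    if not B64_RE.match(value):
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None

def classify_txt(rdata):
    """Return (reason, url) when a TXT payload looks like a redirect instruction."""
    value = rdata.strip().strip('"')
    if value.startswith(BENIGN_TXT_PREFIXES):
        return None
    for reason, text in (("url-in-txt", value),
                         ("base64-url-in-txt", decode_base64_text(value) or "")):
        m = URL_RE.search(text)
        if m:
            return reason, m.group(0)
    return None

def find_txt_c2_candidates(log_text):
    """Scan resolver log lines and return TXT answers that merit investigation."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)  # rdata may itself contain spaces
        if len(parts) == 5 and parts[3] == "TXT":
            hit = classify_txt(parts[4])
            if hit:
                findings.append({"client": parts[1], "qname": parts[2],
                                 "reason": hit[0], "target": hit[1]})
    return findings
```

Running find_txt_c2_candidates(SAMPLE_DNS_LOG) flags the two lookup-helper.example answers and ignores the DMARC record and the A lookup.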