- Push notifications are now being used as malware delivery channels, and users subscribe to them without realizing it
- Fake CAPTCHA prompts are now the entry point for persistent browser hijacking and phishing attacks
- Compromised WordPress sites are silently hijacking visitors through covert DNS commands and shared JavaScript payloads
Recent research has revealed a worrying alliance between WordPress hackers and commercial adtech companies, creating a vast infrastructure for distributing malware on a global scale.
Infoblox Threat Intel found VexTrio at the center of this operation: a traffic distribution system (TDS) responsible for routing web users through layers of fake ads, deceptive redirects and fraudulent push notifications.
The report states that several commercial companies, including Los Pollos, Partners House and RichAds, are entangled in this network, serving as intermediaries and enablers.
The Los Pollos connection and a failed shutdown
Infoblox initially linked Los Pollos to VexTrio when the former was involved in Russian disinformation campaigns.
In response, Los Pollos said it would end its "push" monetization model.
Despite this, the underlying malicious activity continued as the attackers moved to a new TDS known as Help TDS, which was ultimately linked to VexTrio.
WordPress vulnerabilities served as the entry point for multiple malware campaigns: the attackers compromised thousands of websites and embedded malicious redirection scripts in them. These scripts relied on DNS TXT records as a command-and-control mechanism, with the record contents determining where to send web visitors.
Analysis of more than 4.5 million DNS responses between August and December 2024 revealed that although several malware strains appeared to be separate, they shared infrastructure, hosting and behavior patterns that led back to VexTrio or its affiliates, including Help TDS and Disposable TDS.
The JavaScript served by these platforms exhibited the same functions: disabling the browser's navigation controls, forcing redirects and luring users with fake prize giveaways.
Notably, these TDSs are integrated into commercial adtech platforms that present themselves as legitimate affiliate networks.
"These companies maintained exclusive relationships with 'publisher affiliates', in this context the hackers, and knew their identities," the researchers said.
Push notifications have emerged as a particularly powerful threat vector. Users are tricked into enabling browser notifications through fake CAPTCHA prompts.
Once a user subscribes, the hackers push phishing or malware links through the notifications, bypassing firewall configurations and even the best antivirus programs.
Some campaigns route these messages through trusted services such as Google Firebase, which makes detection significantly harder.
The overlap between the adtech platforms, including BroPush, RichAds and Partners House, further complicates attribution.
Misconfigured DNS systems and reused scripts suggest a common backend, possibly even a shared development environment.
To address the risk, users should avoid enabling suspicious browser notifications, use tools that offer zero trust network access (ZTNA) and be cautious with CAPTCHA prompts.
By keeping WordPress updated and monitoring for DNS anomalies, site administrators can reduce the likelihood of compromise.
However, the adtech companies may hold the real leverage, and the key to shutting these operations down, if they choose to act.
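One concrete form of the DNS monitoring recommended above, written for the TXT-record command channel described earlier in the article, as an added example that is not part of the Infoblox report or of this article: a small Python scanner over constructed resolver log lines that flags TXT answers carrying plain or base64-encoded URLs, or opaque high-entropy strings, while allowlisting common legitimate TXT records (SPF, DMARC, site verification). The log format, the domains, the client addresses and the payloads are all made up for this example; the five-field line layout is an assumption of the example, not the output of any particular resolver.

```python
import base64
import binascii
import math
import re
from collections import Counter

# Constructed sample resolver log (not from the report). Each line is assumed to be
# "<timestamp> <client-ip> <qtype> <qname> <answer>"; that layout is an assumption of
# this example, not any real resolver's format. Domains and addresses are made up.
_ENCODED_URL_A = base64.b64encode(b"https://landing.redir-control.test/go?id=7721").decode()
_ENCODED_URL_B = base64.b64encode(b"http://promo.redir-control.test/").decode()
SAMPLE_LOG = f"""\
2024-11-03T10:01:12Z 10.0.0.5 A www.example-shop.test 203.0.113.10
2024-11-03T10:01:13Z 10.0.0.5 TXT _dmarc.example-shop.test "v=DMARC1; p=reject"
2024-11-03T10:01:14Z 10.0.0.5 TXT cfg.redir-control.test "{_ENCODED_URL_A}"
2024-11-03T10:01:15Z 10.0.0.7 TXT example-shop.test "google-site-verification=abc123"
2024-11-03T10:02:01Z 10.0.0.5 TXT cfg.redir-control.test "{_ENCODED_URL_A}"
2024-11-03T10:02:30Z 10.0.0.5 TXT node7.redir-control.test "{_ENCODED_URL_B}"
2024-11-03T10:03:00Z 10.0.0.7 TXT example-shop.test "v=spf1 include:_spf.example.test -all"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "?(.*?)"?$')
URL_RE = re.compile(r'https?://[^\s"]+', re.IGNORECASE)
# TXT records a web server legitimately looks up or publishes; extend for your environment.
BENIGN_PREFIXES = ("v=spf1", "v=dmarc1", "google-site-verification=", "ms=")


def shannon_entropy(s):
    """Bits of entropy per character; opaque encoded payloads score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def decode_base64(s):
    """Return the decoded text if s is strict base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def classify_txt(answer):
    """Return a reason string if a TXT answer looks like redirect control data, else None."""
    if answer.lower().startswith(BENIGN_PREFIXES):
        return None
    if URL_RE.search(answer):
        return "plain URL in TXT answer"
    decoded = decode_base64(answer)
    if decoded and URL_RE.match(decoded):
        return f"base64-encoded URL -> {decoded}"
    # Long, high-entropy strings with no recognizable structure are worth a look too.
    if len(answer) >= 32 and shannon_entropy(answer) > 4.0:
        return "opaque high-entropy payload"
    return None


def scan_log(text):
    """Parse the log and return one finding dict per suspicious TXT response."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, qtype, qname, answer = m.groups()
        if qtype != "TXT":
            continue
        reason = classify_txt(answer)
        if reason:
            findings.append({"ts": ts, "client": client, "qname": qname, "reason": reason})
    return findings


def clients_by_finding_count(findings):
    """Which internal hosts (e.g. web servers) are fetching suspicious TXT records."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['client']} {f['qname']}: {f['reason']}")
    print("per client:", dict(clients_by_finding_count(found)))
```

Run against the embedded sample, the scanner reports the three lookups from 10.0.0.5 whose answers decode to URLs and ignores the SPF, DMARC and verification records. In practice you would feed it your resolver's query log and treat a web server that repeatedly fetches URL-bearing TXT records from domains it does not own as a signal to inspect the site's injected scripts.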