Vexing and Vicious: The Eerie Relationship between WordPress Hackers and an Adtech Cabal
ID: 139d0307-45f6-5800-85f8-0c59b3f8ce7c
STIX ID: report--139d0307-45f6-5800-85f8-0c59b3f8ce7c
Feed Name: Infoblox Threat Intel Blog
This intelligence report details the operations of VexTrio and related malicious Traffic Distribution Systems (TDSs) that have funneled visitors from hundreds of thousands of compromised WordPress sites into scams, push-notification fraud, and malware from at least 2017 through May 2025. It maps DNS TXT-based C2 clusters and shows a coordinated migration to a Help/Disposable TDS after Los Pollos halted push monetization. It also reveals shared code, images, and PowerDNS artifacts across multiple commercial adtech operators (Los Pollos, Monetizer, Partners House, BroPush, RichAds, etc.), and provides affiliate parameters, TDS domains, and behavioral indicators for detection and disruption.
