Vexing and Vicious: The Eerie Relationship between WordPress Hackers and an Adtech Cabal
ID: 146e5b10-bc7d-5c51-abbd-e42c35655246
STIX ID: report--146e5b10-bc7d-5c51-abbd-e42c35655246
Feed Name: Infoblox Threat Intel Blog
This report details an investigation into VexTrio, a long-running malicious Traffic Distribution System (TDS), and affiliated adtech networks (e.g., Los Pollos, Taco Loco, Monetizer/Help/Disposable, Partners House, BroPush, RichAds) that route victims from compromised WordPress sites (including DNS TXT-based C2 campaigns) into scams, fake CAPTCHAs, push-notification fraud, and malware distribution. Using analysis of 4.5 million DNS TXT responses and historical scans, the authors expose two coordinated C2 clusters; shared code and rare lure artifacts linking multiple TDSs; DNS and hosting ties; and affiliate identifiers. They also provide sample IOCs and parameters to aid detection and disruption.
