VexTrio Viper Adds a New DNS TDS Domain
ID: 2a76e88b-def6-58c8-bf5f-2044ad286a0c
STIX ID: report--2a76e88b-def6-58c8-bf5f-2044ad286a0c
Feed Name: Infoblox Threat Intel Blog
Infoblox Threat Intel observed a VexTrio Viper DNS-based TDS using the domain airlogs.net (registered 2024-04-23) to serve base64-encoded TXT responses that direct visitors to malicious payload hosts; the actor shifted to server-side DNS checks and hid queries in a compromised WordPress plugin, complicating detection. Query volume spiked shortly after registration and name servers pointed to Russian IPs previously associated with VexTrio, underscoring active use and the need for DNS-layer defenses.
