Inside the Robot: Deconstructing VexTrio’s Affiliate Advertising Platform
ID: 5cbe7908-d2b8-513b-a9bf-efcb85dd02f0
STIX ID: report--5cbe7908-d2b8-513b-a9bf-efcb85dd02f0
Feed Name: Infoblox Threat Intel Blog
This investigative report outlines VexTrio’s large-scale malicious adtech operation: a resilient traffic distribution system (TDS) and CDN-backed infrastructure used to run global spam, scareware and dating/antivirus scam campaigns. The researchers map DevOps tooling, hosting ASNs and IP ranges, self-hosted trackers (notably Binom) and dedicated cloakers (IM KLO), and identify key CDN domains and landing pages. They demonstrate active abuse via a push-notification chain that routed victims through RollerAds and Binom to scareware. The report highlights kill-switch dependencies (popular image/CDN domains) and the organization’s use of automation and cloud providers, and provides domain/IP artefacts to support mitigation and further analysis.
