Inside the Robot: Deconstructing VexTrio’s Affiliate Advertising Platform
ID: 9f1f3791-3b9c-5fe3-ad82-9591ed1ba0be
STIX ID: report--9f1f3791-3b9c-5fe3-ad82-9591ed1ba0be
Feed Name: Infoblox Threat Intel Blog
This report exposes VexTrio as a global malicious adtech enterprise that operates resilient TDS infrastructure, self-hosted trackers (e.g., Binom), cloakers (IM KLO), and CDN resources to deliver large-scale scam and malware campaigns (push-notification scareware, dating and antivirus scams). It maps domains, IP ranges, hosting providers, DevOps components, and choke points (popular CDN domains) and demonstrates active abuse with concrete evidence from passive DNS, BGP, and a tracked push-notification redirect that led to a Binom server and scareware landing page.
