VexTrio Viper
VexTrio Viper is a cybercriminal threat actor centered on malicious advertising technology and traffic distribution system (TDS) operations. The content describes it as operating a large TDS infrastructure since early 2020 and running one of the most extensive known cybercriminal affiliate programs, with reporting citing over 65 affiliates in one source and over 165 affiliates in another. Reported affiliates or associated partners include GoRefresh, SocGholish, and ClearFake. Los Pollos is described as a malicious advertising technology company operating under the VexTrio Viper umbrella.

The actor has been observed using compromised and hijacked domains to route traffic through its TDS, including domains taken over via the Sitting Ducks DNS hijacking technique. Reporting states VexTrio Viper first hijacked a domain using Sitting Ducks in early 2020 and has hijacked domains across multiple DNS services. Its stolen or compromised domains are used for redirection, scam delivery, and broader malicious infrastructure operations.

Observed tactics and techniques in the provided content include multi-stage redirect chains, device and geolocation profiling, fake robot CAPTCHA lures, abuse of browser push-notification permissions, and use of compromised websites with minimal injected code to funnel victims into TDS workflows. The content links VexTrio Viper to push-notification abuse that can generate high-volume deceptive alerts and route users to fake giveaways, fake dating sites, fake surveys, fake crypto-mining sites, fake apps or adware, malware delivery, disinformation, and antivirus scareware flows. Example redirect chains involve multiple intermediary domains before final destinations, and the actor's infrastructure is described as tailoring payloads based on device and location.

The content also states that VexTrio Viper has developed malicious applications that were published on Apple and Google official app storefronts while posing as useful apps.
VexTrio Viper is not described in the provided content as a nation-state actor. The reporting instead characterizes it as a financially motivated cybercriminal ecosystem focused on adtech abuse, traffic monetization, scam enablement, and affiliate-driven malicious redirection.
Umbrella ecosystem associated with malicious advertising/traffic distribution operations; includes Los Pollos as a component entity referenced in the content.
Developed and published fake mobile apps masquerading as VPNs, monitoring tools, RAM cleaners, dating services, and spam blockers in official app stores to conduct ad fraud, subscription scams, and personal data collection.
Referenced as another threat actor that adopts registered domain generation algorithm (RDGA) techniques for domain provisioning; no additional campaign details provided in the content.
Operates a traffic distribution system (TDS) that leverages compromised websites and deceptive push-notification prompts (including fake CAPTCHA/robot lures) to funnel victims through multi-step redirect chains into scams (notably scareware/antivirus fraud), fake apps/adware, disinformation, and occasional malware delivery, monetized via affiliate/advertising ecosystems.