New research suggests several legit AdTech companies, including Los Pollos and RichAds, are linked with cybercriminal operations.

Recent research from Infoblox Threat Intel has uncovered extensive links between seemingly legitimate AdTech companies—specifically Los Pollos, Partners House, BroPush, and RichAds—and cybercriminal operations, particularly those distributing malware and running large-scale scam campaigns through compromised websites.

Key Findings from Infoblox Research

Infoblox’s investigation revealed that these AdTech firms are deeply intertwined with criminal traffic distribution systems (TDS) like VexTrio. These systems act as digital traffic controllers, redirecting users from hacked websites to malicious destinations, often via deceptive tactics such as fake CAPTCHAs and push notification scams. Technical analysis found that Los Pollos, Partners House, BroPush, and RichAds share infrastructure quirks, software, and even lure images (such as identically named PNG files) with known criminal TDSs. This includes the use of PowerDNS installations, custom URL parameters, and rare JavaScript designed to trap users on scam pages.

According to Infoblox, these firms operate large public affiliate networks specializing in push advertising. Website hackers—termed “publishing affiliates”—redirect traffic from compromised sites into these networks, earning commissions based on user interactions with weaponized ads, infostealers, and browser-hijacking notifications.

Infoblox noted that when VexTrio’s infrastructure was disrupted, malware actors seamlessly migrated to alternative but interconnected TDSs, demonstrating the agility and coordination of this ecosystem. The relationships between these AdTech companies are believed to be long-standing, and while they forward traffic to one another and share Russian infrastructure, no overt common ownership has been established.

The campaigns have exploited thousands of legitimate WordPress and other CMS sites, redirecting millions of users to scams, malware, and fraudulent push notifications. For example, nearly 40% of compromised websites in 2024 redirected visitors to VexTrio via Los Pollos smartlinks.

Notable Companies Identified

• Los Pollos: Swiss-Czech AdTech company, previously pivotal in VexTrio operations. After scrutiny, it ceased push monetization, causing malware traffic to shift to other TDSs.
• Partners House, BroPush, RichAds: Russian-linked push monetization programs, operating similarly and often redirecting traffic among themselves. They are longstanding partners in these operations but do not appear to share common ownership.

How the scheme works:

1. Hackers compromise websites (often WordPress) and inject “smartlinks” provided by AdTech firms.
2. Visitors to these sites are redirected through a TDS (like VexTrio), often encountering fake CAPTCHAs or deceptive notifications.
3. Users who interact are led to scam sites, malware downloads, or are subscribed to persistent push notifications.
4. AdTech affiliates and the firms themselves profit from user engagement and monetization of this malicious traffic.
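As an added defender-side example (not code from the Infoblox report or this article), the Python scanner below checks a site's own HTML for the tells of step 1 and step 3: an injected off-site script loader, an inline push-permission prompt, and a JavaScript redirect to a foreign host. The allowlist, the regex tells and the sample page are assumptions constructed for the example, not indicators from the research.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of third-party script hosts the site owner deliberately uses.
TRUSTED_HOSTS = {"cdnjs.cloudflare.com"}
# Tells of trap/push scripts (assumed patterns, not signatures from the Infoblox report).
PUSH_RE = re.compile(r"Notification\.requestPermission|serviceWorker\.register", re.I)
REDIRECT_RE = re.compile(r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)", re.I)

class InjectionScanner(HTMLParser):
    """Flags off-site <script src>, push-permission prompts and off-site JS redirects."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        host = urlparse(dict(attrs).get("src") or "").netloc.lower()
        if host and host != self.site_host and host not in TRUSTED_HOSTS:
            self.findings.append(("external-script", host))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            return  # only script bodies are inspected
        if PUSH_RE.search(data):
            self.findings.append(("push-prompt", "inline"))
        for target in REDIRECT_RE.findall(data):
            host = urlparse(target).netloc.lower()
            if host and host != self.site_host:
                self.findings.append(("js-redirect", host))

def scan_page(html, site_host):
    """Return sorted, de-duplicated (finding_type, host) tuples for one page."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return sorted(set(scanner.findings))

# Constructed sample: a blog page with an injected off-site "smartlink" loader and a trap script.
SAMPLE_HTML = ('<script src="https://cdnjs.cloudflare.com/jquery.min.js"></script>'
               '<script src="https://smartlink.example-tds.invalid/in.js?z=1"></script>'
               '<script>Notification.requestPermission();location.href="https://land.example-tds.invalid/?k=1"</script>')
```

Run `scan_page(SAMPLE_HTML, "blog.example.com")` over exported pages or theme files to triage which ones carry injected redirect or push code before cleaning them.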