{"id":4608,"date":"2025-06-13T03:05:58","date_gmt":"2025-06-13T03:05:58","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/06\/13\/inside-a-dark-adtech-empire-fed-by-fake-captchas\/"},"modified":"2025-06-13T03:05:58","modified_gmt":"2025-06-13T03:05:58","slug":"inside-a-dark-adtech-empire-fed-by-fake-captchas","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/06\/13\/inside-a-dark-adtech-empire-fed-by-fake-captchas\/","title":{"rendered":"Inside a Dark Adtech Empire Fed by Fake CAPTCHAs"},"content":{"rendered":"<div>\n<p>Late last year, security researchers made a startling discovery: Kremlin-backed disinformation campaigns were bypassing moderation on social media platforms by leveraging the same malicious advertising technology that powers a sprawling ecosystem of online hucksters and website hackers. 
A new report on the fallout from that investigation finds this dark ad tech industry is far more resilient and incestuous than previously known.<\/p>\n<div id=\"attachment_71492\" style=\"width: 760px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" loading=\"lazy\" aria-describedby=\"caption-attachment-71492\" decoding=\"async\" class=\" wp-image-71492\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/maladtech.png?resize=750%2C422&#038;ssl=1\" alt=\"\" width=\"750\" height=\"422\"><\/p>\n<p id=\"caption-attachment-71492\" class=\"wp-caption-text\">Image: Infoblox.<\/p>\n<\/div>\n<p>In November 2024, researchers at the security firm <strong>Qurium<\/strong> published an investigation into \u201c<a href=\"https:\/\/www.cybercom.mil\/Media\/News\/Article\/3895345\/russian-disinformation-campaign-doppelgnger-unmasked-a-web-of-deception\/\" target=\"_blank\" rel=\"noopener\">Doppelganger<\/a>,\u201d a disinformation network that promotes pro-Russian narratives and infiltrates Europe\u2019s media landscape by pushing fake news through a network of cloned websites.<\/p>\n<p>Doppelganger campaigns use specialized links that bounce the visitor\u2019s browser through a long series of domains before the fake news content is served. Qurium <a href=\"https:\/\/www.qurium.org\/forensics\/when-kehr-meets-vextrio\/\" target=\"_blank\" rel=\"noopener\">found<\/a> Doppelganger relies on a sophisticated \u201cdomain cloaking\u201d service, a technology that allows websites to present different content to search engines compared to what regular visitors see. 
The use of cloaking services helps the disinformation sites remain online longer than they otherwise would, while ensuring that only the targeted audience gets to view the intended content.<\/p>\n<p>Qurium discovered that Doppelganger\u2019s cloaking service also promoted online dating sites, and shared much of the same infrastructure with <strong>VexTrio<\/strong>, which is thought to be the oldest malicious traffic distribution system (TDS) in existence. While TDSs are commonly used by legitimate advertising networks to manage traffic from disparate sources and to track who or what is behind each click, VexTrio\u2019s TDS largely manages web traffic from victims of phishing, malware, and social engineering scams.<\/p>\n<h2>BREAKING BAD<\/h2>\n<p>Digging deeper, Qurium noticed Doppelganger\u2019s cloaking service used an Internet provider in Switzerland as the first entry point in a chain of domain redirections. They also noticed the same infrastructure hosted a pair of co-branded affiliate marketing services that were driving traffic to sketchy adult dating sites: <strong>LosPollos[.]com<\/strong> and <strong>TacoLoco[.]co<\/strong>.<\/p>\n<p>The LosPollos ad network incorporates many elements and references from the hit series \u201cBreaking Bad,\u201d mirroring the fictional \u201cLos Pollos Hermanos\u201d restaurant chain that served as a money laundering operation for a violent methamphetamine cartel.<\/p>\n<div id=\"attachment_71484\" style=\"width: 759px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-71484\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-71484\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/lospollos_mainpage.png?resize=749%2C497&#038;ssl=1\" alt=\"\" width=\"749\" height=\"497\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/lospollos_mainpage.png 2710w, 
https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/lospollos_mainpage-768x510.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/lospollos_mainpage-1536x1020.png 1536w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/lospollos_mainpage-2048x1360.png 2048w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/lospollos_mainpage-782x519.png 782w\" sizes=\"(max-width: 749px) 100vw, 749px\"><\/p>\n<p id=\"caption-attachment-71484\" class=\"wp-caption-text\">The LosPollos advertising network invokes characters and themes from the hit show Breaking Bad. The logo for LosPollos (upper left) is the image of Gustavo Fring, the fictional chicken restaurant chain owner in the show.<\/p>\n<\/div>\n<p>Affiliates who sign up with LosPollos are given JavaScript-heavy \u201c<strong>smartlinks<\/strong>\u201d that drive traffic into the VexTrio TDS, which in turn distributes the traffic among a variety of advertising partners, including dating services, sweepstakes offers, bait-and-switch mobile apps, financial scams and malware download sites.<\/p>\n<p>LosPollos affiliates typically stitch these smart links into <strong>WordPress<\/strong> websites that have been hacked via known vulnerabilities, and those affiliates will earn a small commission each time an Internet user referred by any of their hacked sites falls for one of these lures.<\/p>\n<div id=\"attachment_71485\" style=\"width: 755px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-71485\" decoding=\"async\" loading=\"lazy\" class=\"wp-image-71485\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/lospollos_subdomain_linkedIn_announcement.png?resize=745%2C321&#038;ssl=1\" alt=\"\" width=\"745\" height=\"321\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/lospollos_subdomain_linkedIn_announcement.png 1146w, 
https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/lospollos_subdomain_linkedIn_announcement-768x331.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/lospollos_subdomain_linkedIn_announcement-782x337.png 782w\" sizes=\"(max-width: 745px) 100vw, 745px\"><\/p>\n<p id=\"caption-attachment-71485\" class=\"wp-caption-text\">The Los Pollos advertising network promoting itself on LinkedIn.<\/p>\n<\/div>\n<p>According to Qurium, TacoLoco is a traffic monetization network that uses deceptive tactics to trick Internet users into enabling \u201cpush notifications,\u201d a <a href=\"https:\/\/tools.ietf.org\/html\/rfc8030\" target=\"_blank\" rel=\"noopener\">cross-platform browser standard<\/a> that allows websites to show pop-up messages which appear outside of the browser. For example, on Microsoft Windows systems these notifications typically show up in the bottom right corner of the screen \u2014 just above the system clock.<\/p>\n<p>In the case of VexTrio and TacoLoco, the notification approval requests themselves are deceptive \u2014 disguised as \u201cCAPTCHA\u201d challenges designed to distinguish automated bot traffic from real visitors. 
For years, VexTrio and its partners have successfully tricked countless users into enabling these site notifications, which are then used to continuously pepper the victim\u2019s device with a variety of phony virus alerts and misleading pop-up messages.<\/p>\n<div id=\"attachment_71486\" style=\"width: 759px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-71486\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-71486\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/maliciouspushcaptcha.png?resize=749%2C643&#038;ssl=1\" alt=\"\" width=\"749\" height=\"643\"><\/p>\n<p id=\"caption-attachment-71486\" class=\"wp-caption-text\">Examples of VexTrio landing pages that lead users to accept push notifications on their device.<\/p>\n<\/div>\n<p>According to <a href=\"https:\/\/www.godaddy.com\/resources\/news\/godaddy-annual-cybersecurity-report\" target=\"_blank\" rel=\"noopener\">a December 2024 annual report<\/a> from <strong>GoDaddy<\/strong>, <em>nearly 40 percent of compromised websites in 2024 redirected visitors to VexTrio via LosPollos smartlinks<\/em>.<span id=\"more-69927\"><\/span><\/p>\n<h2>ADSPRO AND TEKNOLOGY<\/h2>\n<p>On November 14, 2024, Qurium <a href=\"https:\/\/www.qurium.org\/forensics\/when-kehr-meets-vextrio\/\" target=\"_blank\" rel=\"noopener\">published research<\/a> to support its findings that LosPollos and TacoLoco were services operated by <strong>Adspro Group<\/strong>, a company registered in the Czech Republic and Russia, and that Adspro runs its infrastructure at the Swiss hosting providers <strong>C41<\/strong> and <strong>Teknology SA<\/strong>.<\/p>\n<p>Qurium noted the LosPollos and TacoLoco sites state that their content is copyrighted by <strong>ByteCore AG<\/strong> and <strong>SkyForge Digital AG<\/strong>, both Swiss firms that are run by the owner of Teknology SA, <strong>Guilio Vitorrio Leonardo Cerutti<\/strong>. 
Further investigation revealed LosPollos and TacoLoco were apps developed by a company called <strong>Holacode<\/strong>, which lists Cerutti as its CEO.<\/p>\n<p>The apps marketed by Holacode include numerous VPN services, as well as one called <strong>Spamshield<\/strong> that claims to stop unwanted push notifications. But in January, Infoblox said they tested the app on their own mobile devices, and found it hides the user\u2019s notifications, and then after 24 hours stops hiding them and demands payment. Spamshield subsequently changed its developer name from Holacode to <strong>ApLabz<\/strong>, although Infoblox noted that the Terms of Service for several of the rebranded ApLabz apps still referenced Holacode in their terms of service.<\/p>\n<p>Incredibly, Cerutti threatened to sue me for defamation before I\u2019d even uttered his name or sent him a request for comment (Cerutti sent the unsolicited legal threat back in January after his company and my name were merely tagged in an Infoblox post on LinkedIn about VexTrio).<\/p>\n<p>Asked to comment on the findings by Qurium and Infoblox, Cerutti vehemently denied being associated with VexTrio. Cerutti asserted that his companies all strictly adhere to the regulations of the countries in which they operate, and that they have been completely transparent about all of their operations.<\/p>\n<p>\u201cWe are a group operating in the advertising and marketing space, with an affiliate network program,\u201d Cerutti responded. \u201cI am not [going] to say we are perfect, but I strongly declare we have no connection with VexTrio at all.\u201d<\/p>\n<p>\u201cUnfortunately, as a big player in this space we also get to deal with plenty of publisher fraud, sketchy traffic, fake clicks, bots, hacked, listed and resold publisher accounts, etc, etc.,\u201d Cerutti continued. 
\u201cWe bleed lots of money to such malpractices and conduct regular internal screenings and audits in a constant battle to remove bad traffic sources. It is also a highly competitive space, where some upstarts will often play dirty against more established mainstream players like us.\u201d<\/p>\n<p>Working with Qurium, researchers at the security firm <strong>Infoblox<\/strong> released details about VexTrio\u2019s infrastructure to their industry partners. Just four days after Qurium published its findings, LosPollos announced it was suspending its push monetization service. Less than a month later, Adspro had rebranded to <strong>Aimed Global<\/strong>.<\/p>\n<div id=\"attachment_71523\" style=\"width: 759px\" class=\"wp-caption aligncenter\">\n<a href=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/lospollos-mmap.png?ssl=1\" target=\"_blank\" rel=\"noopener\"><img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-71523\" decoding=\"async\" loading=\"lazy\" class=\"wp-image-71523\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/lospollos-mmap.png?resize=749%2C455&#038;ssl=1\" alt=\"\" width=\"749\" height=\"455\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/lospollos-mmap.png 1549w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/lospollos-mmap-768x467.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/lospollos-mmap-1536x934.png 1536w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/lospollos-mmap-782x476.png 782w\" sizes=\"(max-width: 749px) 100vw, 749px\"><\/a><\/p>\n<p id=\"caption-attachment-71523\" class=\"wp-caption-text\">A mind map illustrating some of the key findings and connections in the Infoblox and Qurium investigations. 
Click to enlarge.<\/p>\n<\/div>\n<h2>A REVEALING PIVOT<\/h2>\n<p>In March 2025, researchers at GoDaddy <a href=\"https:\/\/www.godaddy.com\/resources\/news\/dollyway-malware-c2-tds\" target=\"_blank\" rel=\"noopener\">chronicled<\/a> how <strong>DollyWay<\/strong> \u2014 a malware strain that has consistently redirected victims to VexTrio throughout its eight years of activity \u2014 suddenly stopped doing that on November 20, 2024. Virtually overnight, DollyWay and several other malware families that had previously used VexTrio began pushing their traffic through another TDS called <strong>Help TDS<\/strong>.<\/p>\n<p>Digging further into historical DNS records and the unique code scripts used by the Help TDS, Infoblox determined it has long enjoyed an exclusive relationship with VexTrio (at least until LosPollos ended its push monetization service in November).<\/p>\n<p>In <a href=\"https:\/\/blogs.infoblox.com\/threat-intelligence\/vexing-and-vicious-the-eerie-relationship-between-wordpress-hackers-and-an-adtech-cabal\/\" target=\"_blank\" rel=\"noopener\">a report released today<\/a>, Infoblox said an exhaustive analysis of the JavaScript code, website lures, smartlinks and DNS patterns used by VexTrio and Help TDS linked them with at least four other TDS operators (not counting TacoLoco). Those four entities \u2014 <strong>Partners House<\/strong>, <strong>BroPush<\/strong>, <strong>RichAds<\/strong> and <strong>RexPush<\/strong> \u2014 are all Russia-based push monetization programs that pay affiliates to drive signups for a variety of schemes, but mostly online dating services.<\/p>\n<p>\u201cAs Los Pollos push monetization ended, we\u2019ve seen an increase in fake CAPTCHAs that drive user acceptance of push notifications, particularly from Partners House,\u201d the Infoblox report reads. 
\u201cThe relationship of these commercial entities remains a mystery; while they are certainly long-time partners redirecting traffic to one another, and they all have a Russian nexus, there is no overt common ownership.\u201d<\/p>\n<p><strong>Renee Burton<\/strong>, vice president of threat intelligence at Infoblox, said the security industry generally treats the deceptive methods used by VexTrio and other malicious TDSs as a kind of legally grey area that is mostly associated with less dangerous security threats, such as adware and scareware.<\/p>\n<p>But Burton argues that this view is myopic, and helps perpetuate a dark adtech industry that also pushes plenty of straight-up malware, noting that hundreds of thousands of compromised websites around the world every year redirect victims to the tangled web of VexTrio and VexTrio-affiliate TDSs.<\/p>\n<p>\u201cThese TDSs are a nefarious threat, because they\u2019re the ones you can connect to the delivery of things like information stealers and scams that cost consumers billions of dollars a year,\u201d Burton said. \u201cFrom a larger strategic perspective, my takeaway is that Russian organized crime has control of malicious adtech, and these are just some of the many groups involved.\u201d<\/p>\n<h2>WHAT CAN YOU DO?<\/h2>\n<p>As KrebsOnSecurity <a href=\"https:\/\/krebsonsecurity.com\/2020\/11\/be-very-sparing-in-allowing-site-notifications\/\" target=\"_blank\" rel=\"noopener\">warned way back in 2020<\/a>, it\u2019s a good idea to be very sparing in approving notifications when browsing the Web. 
In many cases these notifications are benign, but as we\u2019ve seen there are numerous dodgy firms that are paying site owners to install their notification scripts, and then reselling that communications pathway to scammers and online hucksters.<\/p>\n<p>If you\u2019d like to prevent sites from ever presenting notification requests, all of the major browser makers let you do this \u2014 either across the board or on a per-website basis. While it is true that blocking notifications entirely can break the functionality of some websites, doing this for any devices you manage on behalf of your less tech-savvy friends or family members might end up saving everyone a lot of headache down the road.<\/p>\n<p>To modify site notification settings in <strong>Mozilla Firefox<\/strong>, navigate to Settings, Privacy &amp; Security, Permissions, and click the \u201cSettings\u201d tab next to \u201cNotifications.\u201d That page will display any notifications already permitted and allow you to edit or delete any entries. Tick the box next to \u201cBlock new requests asking to allow notifications\u201d to stop them altogether.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-71514\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/firefox-notifications.png?resize=750%2C542&#038;ssl=1\" alt=\"\" width=\"750\" height=\"542\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/firefox-notifications.png 1185w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/firefox-notifications-768x555.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/firefox-notifications-782x566.png 782w\" sizes=\"(max-width: 750px) 100vw, 750px\"><\/p>\n<p>In <strong>Google Chrome<\/strong>, click the icon with the three dots to the right of the address bar, scroll all the way down to Settings, Privacy and Security, Site Settings, and Notifications. 
Select the \u201cDon\u2019t allow sites to send notifications\u201d button if you want to banish notification requests forever.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-71515\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/chromenotifications.png?resize=750%2C500&#038;ssl=1\" alt=\"\" width=\"750\" height=\"500\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/chromenotifications.png 822w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/chromenotifications-768x512.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/chromenotifications-782x521.png 782w\" sizes=\"(max-width: 750px) 100vw, 750px\"><\/p>\n<p>In Apple\u2019s <strong>Safari<\/strong> browser, go to Settings, Websites, and click on Notifications in the sidebar. Uncheck the option to \u201callow websites to ask for permission to send notifications\u201d if you wish to turn off notification requests entirely.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-71516\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/safarinotifications.png?resize=749%2C499&#038;ssl=1\" alt=\"\" width=\"749\" height=\"499\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/safarinotifications.png 822w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/safarinotifications-768x512.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/06\/safarinotifications-782x521.png 782w\" sizes=\"(max-width: 749px) 100vw, 749px\"><\/p>\n<\/div>\n<p>BrianKrebs<br \/>\n<a href=\"https:\/\/krebsonsecurity.com\/2025\/06\/inside-a-dark-adtech-empire-fed-by-fake-captchas\/\">Go to krebsonsecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Inside a 
Dark Adtech Empire Fed by Fake CAPTCHAs Late last year, security researchers made a startling discovery: Kremlin-backed disinformation campaigns were bypassing moderation on social media platforms by leveraging the same malicious advertising technology that powers a sprawling ecosystem of online hucksters and website hackers. A new report on the fallout from that investigation [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[188,1410,1411,1412,1413,1414,1415,1416,1417,1418,1419,55,1420,190,1421,1422,1423,1424,1425,1426,1427,1428,1429,1430,1431,370,593],"tags":[72],"class_list":["post-4608","post","type-post","status-publish","format-standard","hentry","category-a-little-sunshine","category-adspro","category-aimed-global","category-bropush","category-bytecore-ag","category-dollyway","category-doppelganger","category-godaddy","category-help-tds","category-holacode","category-infoblox","category-krebsonsecurity","category-lospollos","category-neer-do-well-news","category-partners-house","category-qurium","category-renee-burton","category-rexads","category-richads","category-skyforge-digital-ag","category-smartlinks","category-spamshield","category-tacoloco","category-teknology-sa","category-vextrio","category-web-fraud-2-0","category-wordpress","tag-krebsonsecurity"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/4608"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=4608"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/
posts\/4608\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=4608"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=4608"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=4608"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}