    Krebs on Security – Inside a Dark Adtech Empire

    By PineapplesUpdate, June 12, 2025

    Late last year, security researchers made a shocking discovery: Kremlin-backed disinformation campaigns were bypassing moderation on social media platforms by taking advantage of the same malicious advertising technology that powers a huge ecosystem of online hucksters and website hackers. A new report on the fallout from that investigation finds that this dark advertising technology industry is far more resilient and incestuous than previously known.

    Picture: Infoblox

    In November 2024, researchers at the security firm Qurium published an investigation into “Doppelganger,” a disinformation network that promotes pro-Russian narratives and infiltrates Europe’s media landscape by pushing fake news through a network of cloned websites.

    Doppelganger campaigns use special links that bounce the visitor’s browser through a long series of domains before the fake news content is served. Qurium found that Doppelganger relies on a sophisticated “domain cloaking” service, a technique that allows websites to present different content to search engines than to regular visitors. The use of cloaking services helps the disinformation sites stay online longer than they otherwise would, while ensuring that only the targeted audience gets to see the intended content.

    Qurium found that Doppelganger’s cloaking service also promoted online dating sites, and shared much of the same infrastructure with VexTrio, which is considered the oldest malicious traffic distribution system (TDS) in existence. While TDSs are commonly used by legitimate advertising networks to manage traffic from disparate sources and to track who or what is behind each click, VexTrio’s TDS largely manages web traffic from victims of phishing, malware and social engineering scams.

    Breaking Bad

    Digging deeper, Qurium noticed that Doppelganger’s cloaking service used an internet provider in Switzerland as the first entry point in a chain of domain redirects. They also noticed that the same infrastructure hosted a pair of co-branded affiliate marketing services that were driving traffic to adult dating sites: LosPollos[.]com and TacoLoco[.]co.

    The LosPollos advertising network contains several elements and references from the hit HBO series “Breaking Bad,” mirroring the fictional “Los Pollos Hermanos” restaurant chain, which serves as a money laundering operation for a violent methamphetamine cartel.

    The LosPollos advertising network invokes characters and themes from the hit show Breaking Bad. The logo for LosPollos (upper left) is the image of Gustavo Fring, the owner of the fictional chicken restaurant chain in the show.

    Affiliates who sign up with LosPollos are given JavaScript-heavy “smartlinks” that drive traffic into the VexTrio TDS, which in turn distributes the traffic among various types of advertising partners, including dating services, sweepstakes offers, bait-and-switch mobile apps, financial scams and malware download sites.

    LosPollos affiliates usually stitch these smartlinks into WordPress websites that have been hacked through known vulnerabilities, and the affiliates earn a small commission every time an internet user referred by any of their hacked sites falls for one of these lures.

    The Los Pollos advertising network promoting itself on LinkedIn.

    According to Qurium, TacoLoco is a traffic monetization network that uses deceptive tactics to trick internet users into enabling “push notifications,” a cross-platform browser standard that allows websites to show pop-up messages that appear outside the browser. For example, on Microsoft Windows systems these notifications usually appear in the lower right corner of the screen – just above the system clock.

    In the case of VexTrio and TacoLoco, the notification approval requests are themselves deceptive – disguised as “CAPTCHA” challenges designed to separate automated bot traffic from real visitors. For years, VexTrio and its partners have successfully tricked countless users into enabling these site notifications, which are then used to continuously pepper the victim’s device with various types of phony virus alerts and misleading pop-up messages.

    Examples of VexTrio landing pages that lead users to accept push notifications on their devices.

    According to a December 2024 annual report from GoDaddy, about 40 percent of compromised websites in 2024 redirected visitors to VexTrio via LosPollos smartlinks.

    Adspro and Teknology

    On November 14, 2024, Qurium published research to support its findings that LosPollos and TacoLoco were services operated by Adspro Group, a company registered in the Czech Republic and Russia, and that Adspro runs its infrastructure at the Swiss hosting providers C41 and Teknology SA.

    Qurium noted that the LosPollos and TacoLoco sites state that their content is copyrighted by ByteCore AG and SkyForge Digital AG, both Swiss firms that are run by the owner of Teknology SA, Giulio Vitorio Leonardo Cerutti. Further investigation revealed Holacode, which lists Cerutti as its CEO.

    The apps marketed by Holacode include several VPN services, as well as one called Spamshield that claims to stop unwanted push notifications. But in January, Infoblox said they tested the app on their own mobile devices, and found that it hides the user’s notifications, and then stops hiding them after 24 hours and demands payment. Spamshield later changed its developer name from Holacode to ApLabz, although Infoblox noted that the terms of service for many of the rebranded ApLabz apps still refer to Holacode.

    Incredibly, Cerutti threatened to sue me for defamation before I had even mentioned his name or sent a request for comment (Cerutti sent the unsolicited legal threat back in January, after his company and my name were tagged in an Infoblox post on LinkedIn that was only about VexTrio).

    Asked to comment on the findings by Qurium and Infoblox, Cerutti denied being associated with VexTrio. Cerutti stated that his companies strictly follow the rules of all countries in which they operate, and that they are completely transparent about all their operations.

    “We are a group working in the advertising and marketing space, with an affiliate network program,” Cerutti responded. “I am not to say that we are right, but I firmly declare that we have no relation with VexTrio.”

    “Unfortunately, as a big player in this space, we also get to deal with a lot of publisher fraud, sketchy traffic, fake clicks, bots, hacked, listed and resold publisher accounts, etc.,” Cerutti continued. “We shed a lot of money to such miscreants and conduct regular internal screenings and audits in a continuous battle to remove poor traffic sources. It is also a highly competitive space, where some upstarts will often play dirty against the more established mainstream players like us.”

    Working with Qurium, researchers at the security firm Infoblox released details of VexTrio’s infrastructure to their industry partners. Exactly four days after Qurium published its findings, LosPollos announced that it was suspending its push monetization service. Less than a month later, Adspro had rebranded as Aimed Global.

    A mind map depicting some of the major findings and connections in the Infoblox and Qurium investigations.

    A revealing pivot

    In March 2025, researchers at GoDaddy described how DollyWay – a malware strain that has consistently redirected victims to VexTrio during its eight years of activity – suddenly stopped doing so on November 20, 2024. Almost overnight, DollyWay and many other malware families that had used VexTrio moved to Help TDS.

    Digging further into historical DNS records and the unique code scripts used by Help TDS, Infoblox determined that it has long enjoyed a special relationship with VexTrio (at least until LosPollos ended its push monetization service in November).

    In a report released today, Infoblox said that a complete analysis of the JavaScript code, website lures, smartlinks and DNS patterns used by VexTrio and Help TDS helped connect them with at least four other TDS operators (not counting TacoLoco). Those four entities – Partners House, BroPush, RichAds and RexPush – are all Russia-based push monetization programs that pay affiliates to drive signups for a variety of schemes, but mostly online dating services.

    “As the Los Pollos push monetization has ended, we have seen an increase in fake CAPTCHAs driving user acceptance of push notifications, especially from Partners House,” the Infoblox report states. “The relationship of these commercial entities remains a mystery; while they are certainly long-time partners who are redirecting to each other, and all of them have a Russian nexus, there is no common ownership.”

    Renee Burton, vice president of threat intelligence at Infoblox, said that the security industry usually treats the deceptive methods used by VexTrio and other malicious TDSs as a kind of legal gray area that is mostly associated with less dangerous security threats, such as adware and scareware.

    But Burton argues that this view is myopic, and helps perpetuate a dark adtech industry that directly pushes malware, given that every year hundreds of thousands of compromised websites around the world redirect victims to the tangled web of VexTrio and VexTrio-affiliated TDSs.

    “These TDSs are a nefarious threat, because they are the ones you can connect with the delivery of things such as information stealers and scams, which cost consumers billions of dollars per year,” Burton said. “From a larger strategic perspective, my takeaway is that Russian organized crime has control of malicious adtech, and these are only a few of the groups involved.”

    What can you do?

    As KrebsOnSecurity warned back in 2020, it is a good idea to be very sparing in approving notifications when browsing the web. In many cases these notifications are benign, but as we have seen there are many dodgy firms that pay site owners to install their notification scripts, and then resell that communication channel to scammers and online hucksters.

    If you want to prevent sites from ever presenting notification requests, all major browser makers let you do this, either across the board or on a per-website basis. Although it is true that completely blocking notifications can break the functionality of some websites, doing this for any devices you manage for your less tech-savvy friends or family members can save everyone trouble down the road.

    To modify site notification settings in Mozilla Firefox, go to Settings, Privacy & Security, navigate to Permissions, and click the “Settings” tab next to “Notifications.” That page will display any pre-existing notification permissions and allow you to edit or remove any entries. Tick “Block new requests asking to allow notifications” to stop new requests completely.

    In Google Chrome, click on the icon with three dots to the right of the address bar, scroll all the way down to Settings, then go to Privacy and security, Site settings and Notifications. If you want to remove notification requests forever, select the “Don’t allow sites to send notifications” button.

    In Apple’s Safari browser, go to Settings, Websites, and click on Notifications in the sidebar. If you want to turn off notification requests completely, uncheck the option to “Allow websites to ask for permission to send notifications.”
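
    For devices you manage, the same review of already-granted permissions can be scripted. The following is an added example, not code from the article or from any vendor: it reads a Chrome profile's Preferences JSON and lists origins allowed to send notifications. The key layout (profile.content_settings.exceptions.notifications, with setting 1 = allow and 2 = block) is an assumption based on how Chromium stores these settings, and the sample data is constructed.

```python
import json
import sys

# Chromium content-setting values (assumed): 1 = allow, 2 = block.
ALLOW, BLOCK = 1, 2

# Constructed sample shaped like a Chrome profile "Preferences" file.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {
        "content_settings": {"exceptions": {"notifications": {
            "https://mail.example.com:443,*": {"setting": 1},
            "https://captcha-check.example.net:443,*": {"setting": 1},
            "https://news.example.org:443,*": {"setting": 2},
        }}},
    }
})


def audit_notifications(preferences_text):
    """Return (requests_blocked_by_default, sorted origins allowed to notify)."""
    profile = json.loads(preferences_text).get("profile", {})
    # When no default is stored, Chrome asks the user, so it is not blocked.
    default = profile.get("default_content_setting_values", {}).get("notifications")
    exceptions = (profile.get("content_settings", {})
                  .get("exceptions", {})
                  .get("notifications", {}))
    allowed = []
    for pattern, entry in exceptions.items():
        if isinstance(entry, dict) and entry.get("setting") == ALLOW:
            # Keys look like "<origin>,*"; keep only the origin part.
            allowed.append(pattern.split(",", 1)[0])
    return default == BLOCK, sorted(allowed)


if __name__ == "__main__":
    # Usage: python audit.py /path/to/profile/Preferences (sample if omitted)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 \
        else SAMPLE_PREFERENCES
    blocked, allowed = audit_notifications(text)
    print("New requests blocked by default:", blocked)
    for origin in allowed:
        print("ALLOWED:", origin)
```

    Any origin in the output that the user does not recognise can then be removed through the browser's notification settings page described above.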
