When Kehr meets VexTrio – Qurium Media Foundation

13 November 2024

Qurium recently published detailed findings on the technical infrastructure behind the largest online Russian disinformation campaign seen since the war broke out – Doppelganger. Qurium’s report “How Russia uses EU companies for propaganda“, released in July 2024, shows how large part of the infrastructure was operating from European countries, which resulted in massive changes of the infrastructure setup as both bulletproof hosting providers and upstream connectivity providers choose to distance themselves from Doppelganger.

This investigation focuses on an open question about the front-end proxies used by Doppelganger. Our theory was that there must be a hidden set of backend servers for the front domains.

Qurium can now with conclusive evince reveal that a hidden Cloaking service, making it possible for everything from Russian disinformation to Bitcoin scams to bypass both automatic and manual moderation of content in Facebook, is used by Doppelganger.

The service, formerly known as “Redirect.pro”, is provided by Kehr.io, an actor known for providing redirection services for all sorts of online frauds. The investigation of the origin of the Kehr service was done jointly with the German investigative media Correktiv.

Qurium’s investigation also links Doppelganger with VexTrio, a sophisticated cyber criminal operation active since 2017, that functions as a Traffic Distribution System (TDS) to distribute malicious content through a vast network of more than 70,000 compromised websites.

The investigation further concludes that Doppelganger is using the very same technical infrastructure as other online scams, from crypto currency investment frauds to online dating cons. Hence, to stop the flow of Russian disinformation from Doppelganger there is a need to address the infrastructure available for general purpose online fraud.

Qurium’s forensic report: When Kehr meets VexTrio: Cloaking for disinformation and online scams

Corrective’s investigation: Recherchen legen russische Propaganda-Kampagne lahm (En: Research paralyzes Russian propaganda campaign)

Contacts
Digital forensics: Tord Lundström <t at virtualroad.org> Technical Director
Media: Clara Zid <info at virtualroad.org> Media and Outreach Manager

Cookie	Duration	Description
adsight	60 days	This cookie is used for efficient content delivery and DDoS mitigation.
adsight1	60 days	This cookie is used for efficient content delivery and DDoS mitigation.
adsight2	60 days	This cookie is used for efficient content delivery and DDoS mitigation.
adsight3	60 days	This cookie is used for efficient content delivery and DDoS mitigation.
adsight4	60 days	This cookie is used for efficient content delivery and DDoS mitigation.
adsight5	60 days	This cookie is used for efficient content delivery and DDoS mitigation.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checbox-functional	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
viewed_cookie_policy	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.