DUBAI, UAE, 17TH SEPTEMBER 2025: Infoblox Threat Intel has released groundbreaking reporting on “Vane Viper,” a threat actor masquerading as a legitimate adtech enterprise. This group is responsible for facilitating a variety of scams and malware distribution through its affiliate advertising programs, and is also directly involved in malware distribution.
Infoblox Threat Intel has been tracking Vane Viper, originally reported as Omnatuor, for over three years. This actor has been a top priority for Infoblox research due to its pervasive presence in customer networks: Vane Viper malvertising domains are seen in around 50% of customer networks. Vane Viper’s reach is global: several of their domains are in the top 10k globally, according to Tranco, with one tracking domain reaching the top 1k.
Infoblox Threat Intel discovered that Vane Viper is AdTech Holding, the parent company of the infamous PropellerAds. The adtech enterprise benefits from compromised websites and deceptive ads launched by publishing affiliates to distribute malware and digital fraud campaigns. While the security industry has long questioned the integrity of PropellerAds, this report brings concrete evidence of malfeasance by the company.
Analyzing years of DNS detections and actively engaging Vane Viper through links that led to their traffic distribution system (TDS) showed that they are not an abused provider, but a complicit enabler and active participant in malicious activities. Not only did PropellerAds send users to harmful content hosted by their affiliates, but PropellerAds directly delivered malware to Infoblox researchers on multiple occasions. This led to the discovery of an ecosystem with a history of hosting advertising fraud schemes.
Vane Viper is like VexTrio Viper, commonly referred to as VexTrio, which was the subject of in-depth reporting by Infoblox launched at BlackHat USA in August 2025. Like VexTrio, Vane Viper is comprised of several companies within the advertising industry, dominated by Russian speakers, that present themselves as separate entities but are all held by a single group. Vane Viper and VexTrio are part of a cohort that emerged almost simultaneously in 2015 in Eastern Europe and Russian diaspora centers, such as Cyprus. VexTrio and Vane Viper advertise their partnerships with one another, but they appear to be independent groups.
“Our research has increasingly found that cybercriminals aren’t just exploiting adtech platforms, sometimes, they are the adtech platforms,” said Dr. Renée Burton, VP of Threat Intel at Infoblox. “In the past we thought of the digital underworld as operating in the shadowy corners of the internet, but we have found that many bad actors instead hide in plain sight, establishing ‘plausible deniability’ by creating a series of commercial operations. Vane Viper is one of several large-scale TDS operators we are tracking, all of which seem to have emerged in 2015 and are controlled by Russian diaspora in Europe and Cyprus.”
Key Findings
· Vane Viper is seen in about half of Infoblox customer networks, generating over 1 trillion DNS queries in the past year.
· The actor operates through PropellerAds and other subsidiaries of AdTech Holding, using compromised websites and deceptive ads to distribute malware, phishing and ad fraud campaigns. PropellerAds is just one of many companies in their enterprise.
· Corporate shell games and opaque ownership structures enable plausible deniability, shielding Vane Viper from accountability.
· Infrastructure overlaps with Webzilla/XBT Holdings, previously linked to Methbot ad fraud, Russian disinformation campaigns and piracy platforms.
· Vane Viper uses push notification abuse, traffic distribution systems (TDSs) and cloaking techniques to evade detection and maintain persistence.
· The network includes 60,000+ domains, many active for only days, with some persisting for over 1,200 days.
· Connections to Russian oligarchs, convicted fraudsters and adult content platforms further underscore the risk and scale of the operation.
The report highlights how malicious actors are leveraging the adtech industry to prey on users across the web. On the promise of reach for advertisers, platforms including AdTech Holding instead deliver unprecedented risk. The digital advertising ecosystem was not created to be accountable to users, but rather to be fast and profitable. Vane Viper demonstrates that the unbridled growth of this industry is corroding the digital safety of users on a global scale, all in the name of monetization.
Read the full blog here: https://blogs.infoblox.com/threat-intelligence/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network/
-Ends-
About Infoblox
Infoblox unites networking, security and cloud with a protective DDI platform that delivers enterprise resilience and agility. Trusted by 13,000+ customers, including the majority of Fortune 100 companies as well as emerging innovators, we seamlessly integrate, secure and automate critical network services so businesses can move fast without compromise. Visit infoblox.com