Unveiling Vane Viper: The AdTech Threat Actor
Introduction to Vane Viper
Infoblox Threat Intel has recently shed light on a significant cybersecurity issue involving the threat actor known as Vane Viper. This group presents itself as a legitimate player in the advertising technology (adtech) sector, but underneath, it’s engaged in a myriad of scams and malware distribution through affiliate advertising networks. Their activities have raised alarms in the security industry, demonstrating the intricate connections between adtech and cybercrime.
A Deep Dive into Vane Viper’s Operations
For over three years, Infoblox has monitored Vane Viper, initially identified as Omnatuor. This actor stands out due to its widespread impact; reports indicate that nearly 50% of Infoblox’s client networks have encountered malvertising domains linked to Vane Viper. The reach of their operations is extensive, with several of their domains ranking in the global top 10,000—one even penetrating the top 1,000, according to Tranco.
The Link to AdTech Holding
Upon investigation, Infoblox revealed that Vane Viper operates under the umbrella of AdTech Holding, the parent organization of PropellerAds. This relationship allows them to exploit compromised websites and misleading advertisements to facilitate the distribution of malware and orchestrate digital fraud campaigns. While suspicions surrounding PropellerAds have been longstanding, this recent report provides concrete backing for claims of wrongdoing.
Direct Involvement in Malicious Activities
Through an analysis of DNS detections and engagement with Vane Viper’s traffic distribution system (TDS), it became evident that the group is not merely an unknowing victim within the adtech framework. Instead, they are active participants in illicit activities. PropellerAds has allegedly directed users towards malicious content hosted by its affiliates, and on multiple occasions, researchers from Infoblox were met with malware directly sourced from PropellerAds’ infrastructure. This discovery unveils a complex ecosystem known for facilitating advertising fraud.
The Connection with VexTrio
Vane Viper shares similarities with another threat actor known as VexTrio, which was highlighted in a detailed report by Infoblox during Black Hat USA in August 2025. Like VexTrio, Vane Viper comprises several entities within the advertising sector, primarily consisting of Russian speakers. On the surface, these groups appear distinct; however, they are interlinked and ultimately controlled by a single organization. Vane Viper and VexTrio both emerged in 2015 within Eastern Europe and areas of the Russian diaspora, such as Cyprus, hinting at a broader network of cybercriminal collaboration.
Insights from Infoblox Research
Dr. Renée Burton, VP of Threat Intel at Infoblox, emphasized the alarming trend in which cybercriminals are not just leveraging adtech platforms but are, in fact, a part of them. “Many bad actors hide in plain sight, creating operations that provide them with plausible deniability,” she stated. Her insights suggest that Vane Viper is part of a larger wave of traffic distribution systems that have emerged since 2015 and are largely dominated by Russian interests in Europe and Cyprus.
Key Findings
1. Ubiquity in Networks: Vane Viper is identified in about 50% of Infoblox client networks, generating over 1 trillion DNS queries in the last year.
2. Malicious Tactics: The actor operates through PropellerAds and its subsidiaries, employing compromised sites and misleading ads to spread malware, phishing schemes, and ad fraud.
3. Corporate Complexity: The use of corporate shell games protects Vane Viper, allowing it to maintain plausible deniability and avoid accountability for its actions.
4. Dangerous Connections: Its infrastructure shows overlaps with Webzilla/XBT Holdings, which has been associated with high-profile ad fraud, Russian disinformation efforts, and piracy.
5. Evasive Techniques: Vane Viper employs push notification abuse, traffic distribution systems, and cloaking methods to evade detection.
6. Longevity and Scale: The network encompasses over 60,000 domains, many of which are ephemeral; however, some have remained operational for over 1,200 days.
7. High-Risk Associations: Links to Russian oligarchs, convicted fraudsters, and adult content platforms indicate the pervasive risk posed by this operation.
Implications for the Digital Advertising Ecosystem
This extensive report from Infoblox illustrates how malicious actors manipulate the adtech industry to exploit users online. While adtech platforms promise expansive reach for advertisers, they also introduce significant risks. Vane Viper exemplifies the consequences of unchecked growth within this industry—its practices threaten users’ digital safety globally, all disguised as legitimate business operations aimed at profit.