Current Cyber Threats

'Vane Viper' Threat Group Tied to PropellerAds, Commercial Entities

Summary:
Researchers at Infoblox have uncovered a sprawling malvertising ecosystem they call Vane Viper, which they assess is deeply intertwined with the Cypriot firm AdTech Holding and its well-known subsidiary PropellerAds. Unlike many malvertising campaigns that simply exploit advertising platforms, Vane Viper appears to function as both the infrastructure provider and the operator of malicious campaigns. Over the past year, the operation generated close to one trillion DNS queries across Infoblox customer networks, making it one of the most pervasive threats Infoblox has observed. The group relies on a constantly changing pool of roughly 60,000 domains and leverages push-notification abuse, cloaking kits, and traffic distribution systems (TDS) to funnel victims from seemingly benign websites and ads into harmful destinations. These include fraudulent apps, phishing pages, scams, and malware such as trojans and credential stealers. Vane Viper campaigns have also been observed hijacking browser history, forcing push-notification permission prompts, and abusing service-worker scripts to maintain persistence on user devices.

Corporate and infrastructure links show Vane Viper’s overlap with entities long tied to high-risk activity. Domains are bulk-registered through URL Solutions/Pananames, a registrar flagged for cybercrime associations, while hosting infrastructure frequently maps back to Webzilla/Servers.com, companies previously implicated in ad fraud, piracy operations, and even Russian disinformation campaigns. Leadership and ownership records reveal recurring executives, offshore shell companies, and legal representation connected to past cases of gambling, piracy, and malvertising.


Security Officer Comments:
Infoblox notes that while PropellerAds has historically denied responsibility for malicious traffic routed through its platform, technical evidence and campaign artifacts strongly suggest that in some cases the malicious activity originates from PropellerAds infrastructure itself. This blurs the line between victim and enabler, making plausible deniability less credible. The discovery underscores how the broader adtech ecosystem, built for speed, scale, and monetization rather than accountability, can be systematically exploited or even co-opted outright by cybercriminal operations. Vane Viper exemplifies how mainstream digital advertising channels can be weaponized to deliver threats globally, raising risks not just for end users but also for enterprises whose employees may unknowingly encounter malicious ads during routine browsing.


Suggested Corrections:
Block known infrastructure: Actively monitor and block domains and IP ranges associated with PropellerAds, Webzilla, URL Solutions, and related TDS infrastructure. Threat intel feeds should be updated with emerging Vane Viper indicators of compromise. Because the hosting and registrar entities named here also serve legitimate customers, prefer domain-level blocking (for example, a DNS response policy zone fed from vetted indicators) over blanket blocks of entire provider IP ranges, and review hits before treating a match as confirmed compromise.


Filter malicious ads: Implement ad-blocking at the enterprise level, particularly on unmanaged or non-essential web traffic, to reduce exposure to malvertising. Secure DNS and web proxy solutions can help filter known bad ad networks and redirect domains.


Restrict push notifications: Configure browsers and endpoint policies to disable or tightly restrict web push notifications, as Vane Viper heavily abuses these for persistence and redirection.


Apply script and content filtering: Use endpoint security controls or secure web gateways to block execution of suspicious JavaScript, service workers, and cloaking scripts that often appear in malvertising campaigns.


Harden user browsers: Ensure browsers are patched and configured with strong security policies. Disable automatic downloads and prevent installation of unapproved browser extensions.
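As an added example covering the push-notification and browser-hardening items above (not code from the bulletin or from any browser vendor), the script below audits a Chromium-based browser's managed-policy JSON: it flags a policy that still lets sites prompt for push permission, a notification allowlist that is wildcarded or non-HTTPS, and a missing extension blocklist, and it shows a weak policy beside a hardened one. DefaultNotificationsSetting, NotificationsAllowedForUrls, ExtensionInstallBlocklist and ExtensionInstallAllowlist are the documented Chrome/Edge enterprise policy names; the two policy documents, the intranet origin, and the Linux managed-policy directory used in the demo are constructed or assumed for this example.

```python
"""Audit Chromium managed-policy JSON for web-push and extension hardening.

Added example for this bulletin, not vendor code. The policy names are the
documented Chrome/Edge enterprise policy names; the policy documents and the
intranet origin are constructed.
"""
import glob
import json
import os

# DefaultNotificationsSetting values: 1 = allow, 2 = block, 3 = ask (browser default).
NOTIFICATIONS_BLOCK = 2

# Weak (constructed): every site may prompt the user for push permission, which is
# exactly what push-abuse landing pages rely on, and any extension may be installed.
WEAK_POLICY = {
    "DefaultNotificationsSetting": 3,
}

# Hardened (constructed): deny push prompts by default, allow one vetted HTTPS
# origin, and block all extensions except an explicit allowlist.
HARDENED_POLICY = {
    "DefaultNotificationsSetting": NOTIFICATIONS_BLOCK,
    "NotificationsAllowedForUrls": ["https://[*.]intranet-example.test"],  # constructed origin
    "ExtensionInstallBlocklist": ["*"],
    "ExtensionInstallAllowlist": [],
}


def audit_policy(policy):
    """Return a list of findings; an empty list means the policy passes."""
    findings = []

    setting = policy.get("DefaultNotificationsSetting")
    if setting != NOTIFICATIONS_BLOCK:
        findings.append(
            f"DefaultNotificationsSetting={setting!r}: sites can prompt for push "
            "permission; set it to 2 (block)"
        )

    for origin in policy.get("NotificationsAllowedForUrls", []):
        # A bare wildcard re-opens the door for every site. Service workers, and
        # therefore push subscriptions, require a secure context, so a plaintext
        # allowlist entry is at best dead and at worst a sign of a copy-paste error.
        if origin.strip() in ("*", "http://*", "https://*"):
            findings.append(f"NotificationsAllowedForUrls contains wildcard {origin!r}")
        elif not origin.startswith("https://"):
            findings.append(f"NotificationsAllowedForUrls entry is not HTTPS: {origin!r}")

    if "*" not in policy.get("ExtensionInstallBlocklist", []):
        findings.append(
            "ExtensionInstallBlocklist lacks '*': unapproved extensions can be installed"
        )
    return findings


def load_managed_policies(directory="/etc/opt/chrome/policies/managed"):
    """Merge every JSON file in a managed-policy directory (Linux layout).

    Assumption: later files (in sorted order) override earlier keys. This is a
    simplification for the audit and does not model the browser's own precedence
    rules for conflicting files.
    """
    merged = {}
    for path in sorted(glob.glob(os.path.join(directory, "*.json"))):
        with open(path, encoding="utf-8") as fh:
            merged.update(json.load(fh))
    return merged


if __name__ == "__main__":
    import tempfile

    print("weak policy findings:")
    for finding in audit_policy(WEAK_POLICY):
        print("  -", finding)

    # Round-trip the hardened policy through a temporary managed-policy directory.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "hardening.json"), "w", encoding="utf-8") as fh:
            json.dump(HARDENED_POLICY, fh, indent=2)
        print("hardened policy findings:", audit_policy(load_managed_policies(tmp)))
```

Run it against the real managed-policy directory (or, on Windows, against an export of the equivalent registry keys converted to JSON) to confirm the fleet policy matches the hardened shape; a passing audit returns no findings. Pair the policy with a periodic check that users have not been granted per-site exceptions outside the allowlist.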

Link(s):
https://www.darkreading.com/vulnerabilities-threats/vane-viper-threat-group-propellerads
https://blogs.infoblox.com/threat-i...-driven-insights-into-a-malicious-ad-network/