
Vane Viper Malvertising Network Posed as Legit Adtech in Global Scams

Infoblox links Vane Viper to PropellerAds, exposing a global malvertising network posing as adtech while spreading malware and running online scams.

HackRead

Cybersecurity firm Infoblox says it has discovered “Vane Viper,” a massive online ad network that posed as a legitimate business while running global scams and spreading malware.

Linked to previously reported PropellerAds and its parent company AdTech Holding, the operation has been active for nearly a decade and is now being called one of the largest malvertising scams seen to date.

Infoblox Threat Intel tracked Vane Viper for more than three years and found that domains linked to the operation appeared in about half of its customer networks. Some of those domains ranked among the world’s top 10,000 websites, with one tracking domain even breaking into the top 1,000.

According to Infoblox’s investigation shared with Hackread.com, PropellerAds was not simply a victim of abuse by bad actors but was actively delivering malware itself. During testing, Infoblox researchers followed links from Vane Viper’s traffic distribution system and received direct malware payloads from PropellerAds. That evidence, Infoblox argues, proves complicity rather than negligence.

“Although PropellerAds has been implicated in malvertising campaigns by others in the past, proving that they have crossed the line from abused service to complicit enabler has been challenging. We didn’t come to our conclusions lightly.”

“We found compelling evidence that not only has PropellerAds turned a ‘blind eye’ to criminal abuse of their platform, but indicators described below suggest – with moderate-to-high confidence – that several ad-fraud campaigns originated from infrastructure attributed to PropellerAds.”

Infoblox Threat Intel

Infoblox also observed more than one trillion DNS queries linked to Vane Viper’s infrastructure in the past year, spread across more than 60,000 domains. Many of these domains are short-lived, active for only days, while others remain live for years to support ongoing campaigns. The group uses bulk domain registrations, push notification abuse and cloaking to keep operations alive while evading takedowns.

The investigation also connects Vane Viper to Webzilla and XBT Holdings, companies previously cited in Russia’s Methbot (aka Boaxxe and Miuref) ad fraud, disinformation efforts, and piracy platforms.

Additionally, corporate records show layers of offshore registrations and opaque ownership, with links to Russian nationals, gambling enterprises, and adult content businesses. These overlapping connections, Infoblox says, create “plausible deniability” that shields the operation from accountability.

A look at the main companies and individuals connected to the Vane Viper network, and the roles they play in the operation (Image credit: Infoblox)

This isn’t the first large-scale adtech-linked threat group Infoblox has reported on. Last month, the company profiled VexTrio, another operation that surfaced in 2015 under similar circumstances. Like Vane Viper, it operates as a cluster of adtech companies run by Russian speakers and has built traffic distribution systems that double as malware delivery engines.

“Cybercriminals aren’t just exploiting adtech platforms,” said Dr. Renée Burton, VP of Threat Intel at Infoblox. “Sometimes, they are the adtech platforms.”

Advertisers and publishers should take Infoblox’s findings as a warning to carefully vet the ad networks they work with. For everyday users, the advice is simpler but just as important: be cautious about clicking links or ads on unfamiliar or untrusted sites.

Infoblox’s full report, including technical details and domain data, is available through its threat intel team.
