The threat actor known as Vane Viper has been outed as a purveyor of malicious ad technology (adtech), while relying on a tangled web of shell companies and opaque ownership structures to deliberately evade responsibility.
"Vane Viper has provided core infrastructure in widespread malvertising, ad fraud, and cyberthreat proliferation for at least a decade," Infoblox said in a technical report published last week in collaboration with Guardio and Confiant.
"Vane Viper not only brokers traffic for malware droppers and phishers, but appears to run their own campaigns, consistent with previously documented ad-fraud techniques."
Vane Viper, also called Omnatuor, was previously documented by the DNS threat intelligence firm in August 2022, describing it as a malvertising network akin to VexTrio Viper that takes advantage of vulnerable WordPress sites to build a massive network of compromised domains and use them to spread riskware, spyware, and adware.
One of the notable aspects of the threat actor's persistence techniques is the abuse of push notification permissions to serve ads even after the user navigates away from the initial page by altering browser settings. This approach relies on service workers, which maintain a persistent headless browser process to listen for events and serve unwanted notifications.
Late last year, Guardio Labs laid bare a campaign dubbed DeceptionAds that was found to leverage Vane Viper's malicious ad network to facilitate ClickFix-style social engineering campaigns. The activity was attributed to a company named Monetag, which, according to Infoblox, is a subsidiary of PropellerAds, a commercial ad technology company that, in turn, is a subsidiary of AdTech Holding, a holding company based in Cyprus.
Domains linked to ProperllerAds have long been flagged for facilitating malvertising campaigns and driving traffic to exploit kits or other fraudulent sites. Further analysis has uncovered evidence suggesting that several ad-fraud campaigns have originated from infrastructure attributed to PropellerAds.
The cybersecurity company said Vane Viper has accounted for about 1 trillion DNS queries over the past year in about half of its customer networks, adding the threat actor takes advantage of hundreds of thousands of compromised websites and malicious ads that redirect unsuspecting site users to malicious browser extensions, fake shopping sites, adult content, survey scams, fake apps, sketchy software downloads, and malware, including an Android malware called Triada in one case.
What's more, Vane Viper appears to share infrastructure and personnel ties with URL Solutions (aka Pananames), Webzilla, and XBT Holdings, with the former also linked to disinformation sites set up by a Russian influence operation called Doppelgänger. Some of the other companies owned by AdTech Holding include ProPushMe, Zeydoo, Notix, and Adex.
About 60,000 domains are assessed to be part of Vane Viper's infrastructure, most of which only remain active for less than a month. However, there are a few domains that have been active for over 1,200 days, including the original omnatuor[.]com, propeller-tracking[.]com, and several others centered around push notification services.
The operation has been found to register vast numbers of new domains each month, scaling a high of 3,500 domains in the month of October 2024 alone, a significant jump from less than 500 domains registered in April 2023. Vane Viper domains make up nearly 50% of bulk-registered domains via URL Solutions since 2023, per the company.
PropellerAds, however, has previously denied any wrongdoing, stating it's "nothing more than an automated intermediary to help advertisers find the best publishers to publish their advertisements," and that it "does not endorse, support, or encourage any malicious advertisement on its network."
"Vane Viper isn't just a threat actor hiding behind an adtech platform," Infoblox noted. "It's a threat actor as an adtech platform. AdTech Holding claims to offer advertisers reach and monetization at scale, but what it actually delivers is risk."
"Vane Viper hides behind the plausible deniability of operating as an advertising network, while using their TDS [traffic distribution system] to deliver multiple kinds of threats."
