NEWS For 10 years, right under everyone's nose: Vane Viper controls a trillion requests a day — and your browser is helping it.

ExcalibuR

Your browser has been working for someone else for a long time.

For over a decade, the Vane Viper network has remained one of the largest hidden players in the malicious online advertising sphere. The latest report from Infoblox, prepared in collaboration with Guardio and Confiant, reveals that this entity has managed to build an entire ecosystem where ad tech is used as a cover for distributing malware and fraudulent schemes. The report emphasizes that approximately one trillion DNS requests passed through the Vane Viper infrastructure in the last year, accounting for nearly half of all traffic in Infoblox's client networks.

The organization, also known as Omnatuor, operates on the principle of a large intermediary: it not only redirects traffic to malware loaders and phishing sites but also independently launches advertising campaigns that replicate the techniques of already exposed click-fraud schemes. Its infrastructure is built on thousands of compromised websites, predominantly running on WordPress. These sites host pages that redirect visitors to advertising traps, malicious browser extensions, fake online stores, dubious software download services, and even mobile trojans like the Android malware Triada.

One of the key tools for retaining the audience remains push notifications: the trap page tricks the user into clicking "Allow", the browser stores that permission grant for the site's origin, and a service worker registered by the page then keeps delivering ads through the push channel even after the user has left the originating site. This turns the browser into a background channel for intrusive notifications and malicious links that no longer depends on any tab being open.

A similar technique was already used in the DeceptionAds operation, exposed by Guardio Labs, where the Vane Viper network was used to run social-engineering campaigns in the ClickFix style. These connections led analysts to the company Monetag, which turned out to be a subsidiary of PropellerAds. The latter, in turn, is part of AdTech Holding, registered in Cyprus.

The investigation showed that domains linked to PropellerAds regularly appear in schemes redirecting traffic to exploit kits and fraudulent platforms. Furthermore, the Vane Viper infrastructure has overlaps with companies such as URL Solutions (also known as Pananames), Webzilla, and XBT Holdings. The portfolio of AdTech Holding, besides PropellerAds and Monetag, includes other services: ProPushMe, Zeydoo, Notix, and Adex.

Today, Vane Viper has about 60 thousand domains at its disposal, most of which live no longer than a month. There are, however, resources with multi-year activity, including omnatuor[.]com and propeller-tracking[.]com. Since 2023 the operators have been actively registering new domain names through URL Solutions: in spring 2023 their number did not exceed 500 per month, but by October 2024 the figure exceeded 3.5 thousand. Overall, Vane Viper's share of these mass registrations reached almost half. This approach lets them constantly refresh their pool of sites and stay ahead of blocklists.

Despite direct evidence, PropellerAds publicly denies the accusations, claiming that the service is merely an automated platform connecting advertisers with publishers and has no relation to the ad content. However, Infoblox analysts note that this is not a criminal hiding behind an ad network, but a full-fledged malicious actor that has itself become an advertising platform. According to them, under the guise of "mass reach and monetization," clients actually face infection risks and involvement in a global fraud network.

Vane Viper demonstrates that the boundaries between the legitimate advertising market and cybercrime can be intentionally blurred. The use of domain farms, push notification services, and massive infrastructure has elevated this network to the level of a global player, controlling huge volumes of traffic and supplying it to the shadow market.
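The push-notification persistence channel described in the post, as an added example that is not code from the Infoblox, Guardio or Confiant report nor from the forum post: the page-side half that obtains the permission grant and a push subscription, the service-worker half that fires with no page open, and an audit helper a responder can paste into a browser console to list and tear down registrations. The `/sw.js` path, the `{ title, body, url }` payload schema and the `trap.example` origin are assumptions for illustration only.

```javascript
// Added example (not from the Infoblox/Guardio/Confiant report or the forum post):
// the two halves of the push-notification persistence channel the article describes,
// plus an audit helper a responder can paste into a browser console.
// Assumptions: the service worker is served from /sw.js on the same origin, and the
// push payload is JSON with { title, body, url } (a made-up schema for illustration).

// Pure helper shared by the service-worker half below. Parses a push payload and
// reports whether the click target leaves the origin that registered the worker.
// Off-origin targets are how an ad-trap notification lands a visitor on a phishing
// page or a download site the user never visited.
function decodePushPayload(text, swOrigin) {
  let data;
  try {
    data = JSON.parse(text);
  } catch (e) {
    return null; // malformed payload: show nothing rather than something attacker-shaped
  }
  if (typeof data.title !== 'string' || typeof data.url !== 'string') return null;
  let target;
  try {
    target = new URL(data.url, swOrigin);
  } catch (e) {
    return null;
  }
  return {
    title: data.title,
    body: typeof data.body === 'string' ? data.body : '',
    url: target.href,
    offOrigin: target.origin !== swOrigin,
  };
}

// ---- Page side: what the "allow notifications" trap page runs ---------------
async function armPushChannel(vapidPublicKey) {
  const permission = await Notification.requestPermission(); // the single click that persists
  if (permission !== 'granted') return null;
  const reg = await navigator.serviceWorker.register('/sw.js');
  // The subscription endpoint is what the operator's push server will address
  // from now on, independent of whether the tab is still open.
  return reg.pushManager.subscribe({
    userVisibleOnly: true,
    applicationServerKey: vapidPublicKey,
  });
}

// ---- Service-worker side (/sw.js): fires with no page open -------------------
function installPushHandlers(swGlobal) {
  swGlobal.addEventListener('push', (event) => {
    const note = decodePushPayload(event.data ? event.data.text() : '', swGlobal.location.origin);
    if (!note) return;
    event.waitUntil(
      swGlobal.registration.showNotification(note.title, { body: note.body, data: { url: note.url } })
    );
  });
  swGlobal.addEventListener('notificationclick', (event) => {
    event.notification.close();
    // Opens the operator-chosen URL; nothing ties it to the site the user originally visited.
    event.waitUntil(swGlobal.clients.openWindow(event.notification.data.url));
  });
}

// ---- Responder check: list and tear down registrations on the current origin --
async function auditAndUnregister(dryRun = true) {
  const regs = await navigator.serviceWorker.getRegistrations();
  const report = [];
  for (const reg of regs) {
    const sub = await reg.pushManager.getSubscription();
    report.push({ scope: reg.scope, pushEndpoint: sub ? sub.endpoint : null });
    if (!dryRun) {
      if (sub) await sub.unsubscribe();
      await reg.unregister();
    }
  }
  return report;
}

// Install the worker-side handlers only when running as a service worker;
// outside a browser (e.g. Node) neither half fires.
if (typeof self !== 'undefined' && 'registration' in self && 'clients' in self) {
  installPushHandlers(self);
}
```

The point of the audit helper is that the grant and the subscription outlive the tab: running `auditAndUnregister(true)` in the console of a suspicious origin shows its registered scopes and push endpoints, and `auditAndUnregister(false)` removes them. Outside the console, Chrome lists the same state under `chrome://serviceworker-internals` and the permission grants under `chrome://settings/content/notifications`; revoking the notification permission alone does not unregister the worker.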
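The domain churn described in the post (a pool of tens of thousands of domains, most living under a month) is what a newly-registered-domain filter over DNS logs is built to catch. The following is an added example, not code from the report or the forum post: it ages each query's registrable domain against a registration-date lookup and flags anything younger than 30 days, grouped per client. The log lines, domain names, registration dates and the lookup table are all constructed for this example; in practice the creation date comes from RDAP/WHOIS or a domain-age feed, and the suffix handling would consult the Public Suffix List.

```javascript
// Added example (not from the report or the post): a newly-registered-domain filter
// over DNS query logs. Log lines, registration dates and domain names are constructed;
// in practice the registration date comes from RDAP/WHOIS or a domain-age feed.

const NRD_MAX_AGE_DAYS = 30; // matches the article's "most live no longer than a month"

// Constructed log: "<ISO timestamp> <client ip> <qname> <qtype>"
const SAMPLE_LOG = `
2025-09-28T09:00:01Z 10.0.0.12 cdn.example-news.test A
2025-09-28T09:00:04Z 10.0.0.12 trk-7f3a9.push-offers.test A
2025-09-28T09:00:05Z 10.0.0.12 www.push-offers.test A
2025-09-28T09:01:10Z 10.0.0.33 api.example-news.test A
2025-09-28T09:02:17Z 10.0.0.33 dl.fresh-loader.test A
2025-09-28T09:02:19Z 10.0.0.12 dl.fresh-loader.test A
`;

// Constructed stand-in for a registration-date lookup (registrable domain -> created date).
const REGISTRATION_DATES = {
  'example-news.test': '2014-03-02',
  'push-offers.test': '2025-09-20',
  'fresh-loader.test': '2025-09-27',
};

// Registrable domain = last two labels, or three under a known two-level suffix.
// A real implementation consults the Public Suffix List; this set is a placeholder.
const TWO_LEVEL_SUFFIXES = new Set(['co.uk', 'com.au', 'co.jp']);
function registrableDomain(qname) {
  const labels = qname.toLowerCase().replace(/\.$/, '').split('.');
  const keep = TWO_LEVEL_SUFFIXES.has(labels.slice(-2).join('.')) ? 3 : 2;
  return labels.slice(-keep).join('.');
}

// Whole days between registration and the query; null when the date is unknown.
function domainAgeDays(registrable, atIso) {
  const created = REGISTRATION_DATES[registrable];
  if (!created) return null;
  return Math.floor((Date.parse(atIso) - Date.parse(created)) / 86400000);
}

function parseLine(line) {
  const [ts, client, qname, qtype] = line.trim().split(/\s+/);
  return { ts, client, qname, qtype };
}

// Returns the flagged query records and, per client, the set of distinct
// newly-registered registrable domains that client resolved.
function findNewlyRegisteredDomains(logText, maxAgeDays = NRD_MAX_AGE_DAYS) {
  const flagged = [];
  const perClient = new Map();
  for (const raw of logText.split('\n')) {
    if (!raw.trim()) continue;
    const q = parseLine(raw);
    const reg = registrableDomain(q.qname);
    const age = domainAgeDays(reg, q.ts);
    if (age === null || age > maxAgeDays) continue;
    flagged.push({ ...q, registrable: reg, ageDays: age });
    if (!perClient.has(q.client)) perClient.set(q.client, new Set());
    perClient.get(q.client).add(reg);
  }
  return { flagged, perClient };
}

// Stand-alone run: prints which clients touched how many fresh domains.
const result = findNewlyRegisteredDomains(SAMPLE_LOG);
for (const [client, domains] of result.perClient) {
  console.log(`${client}: ${domains.size} newly registered domain(s): ${[...domains].join(', ')}`);
}
```

On the constructed log, the two-week-old and one-day-old domains are flagged while the decade-old one is not; the per-client grouping is what separates a single stray lookup from a host that is cycling through a fresh pool, which is the pattern a domain farm produces. Unknown registration dates are deliberately skipped rather than treated as fresh, so the filter degrades to fewer alerts, not noisier ones, when the lookup has gaps.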