Vane Viper linked to over 1 trillion DNS queries & ad fraud scams
Infoblox Threat Intel has published new research detailing the operations and reach of Vane Viper, a threat actor posing as a legitimate adtech business.
The research highlights that Vane Viper has maintained a significant presence in roughly half of Infoblox customer networks, accumulating more than 1 trillion DNS queries in the past year alone. According to Infoblox, the group's activities encompass a variety of scams and direct malware distribution through affiliate advertising programmes, including operations via PropellerAds and other companies under AdTech Holding.
Infoblox's investigation, which has spanned over three years, identifies Vane Viper as a core actor in a network involving compromised websites and misleading advertisements. Through these mechanisms, the actor conducts malware distribution, phishing attacks, and ad fraud campaigns on a global scale. Several of their domains rank within the top 10,000 websites globally, with one tracking domain reaching the top 1,000, based on Tranco data. Rankings that high matter for defenders: allowlists and risk scores derived from popularity lists will treat such infrastructure as benign by default.
Pervasive and persistent
The analysis found that Vane Viper is not acting as an unwitting intermediary but is a direct enabler and active participant in malicious operations. In addition to sending users to affiliate sites hosting harmful content, Infoblox researchers documented incidents where PropellerAds directly delivered malware to their investigation team.
Years of DNS data allowed Infoblox to map out an ecosystem built on a history of advertising fraud. The research noted that the companies tied to Vane Viper also feature opaque ownership and shell structures, a strategy that allows the group to maintain plausible deniability and avoid accountability.
The group's infrastructure shows overlaps with other organisations previously connected to high-profile ad fraud and disinformation campaigns, including connections to Webzilla/XBT Holdings, which has been linked with the Methbot ad fraud scheme, Russian disinformation efforts, and piracy networks.
Techniques and tactics
To avoid detection and extend their reach, Vane Viper uses a mix of push notification abuse, traffic distribution systems (TDSs), and cloaking strategies. Domain infrastructure is extensive, with the network reportedly using over 60,000 domains – some remaining active for mere days, and others persisting for more than three years.
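The mix of short-lived and multi-year domains described above is something a defender can measure directly from resolver logs. The following is an added example, not Infoblox's tooling or anything from the report: it summarises per-domain first-seen, last-seen, query count and client breadth from a constructed DNS query log, then flags domains that many clients resolved but that were only observed briefly, the pattern left by rotated TDS and push-notification landing domains. The log format, the `.test` domain names, the thresholds and the `registered_domain` helper are all assumptions made for illustration.

```python
"""
Added example (not Infoblox's code): score domains seen in DNS query logs by
observed lifetime versus client breadth. Log format, domains and thresholds
are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample log, one query per line: "<ISO timestamp> <client ip> <qname>".
# example.test is queried sparsely over two months; throwaway.test is hit by
# four different clients within a day and then never again.
SAMPLE_LOG = """\
2024-01-05T08:00:00 10.0.0.5 cdn-static.example.test
2024-01-20T09:00:00 10.0.0.6 cdn-static.example.test
2024-02-14T10:00:00 10.0.0.7 cdn-static.example.test
2024-03-03T10:00:00 10.0.0.8 cdn-static.example.test
2024-03-01T08:01:00 10.0.0.5 push-a1b2.throwaway.test
2024-03-01T08:02:00 10.0.0.6 push-a1b2.throwaway.test
2024-03-01T08:03:00 10.0.0.7 push-a1b2.throwaway.test
2024-03-02T08:03:00 10.0.0.8 push-a1b2.throwaway.test
2024-03-01T12:00:00 10.0.0.5 intranet.corp.test
"""


@dataclass
class DomainStats:
    first_seen: datetime
    last_seen: datetime
    queries: int = 0
    clients: set[str] = field(default_factory=set)

    @property
    def lifetime_s(self) -> int:
        """Seconds between first and last observed query for the domain."""
        return int((self.last_seen - self.first_seen).total_seconds())


def registered_domain(qname: str) -> str:
    # Naive helper (assumption): keep the last two labels. Production code
    # should consult the Public Suffix List so that co.uk-style suffixes and
    # shared hosting platforms are not collapsed into one "domain".
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (timestamp, client, qname) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, qname = line.split()
        yield datetime.fromisoformat(ts), client, qname


def summarise(records) -> dict[str, DomainStats]:
    """Aggregate queries per registered domain."""
    stats: dict[str, DomainStats] = {}
    for ts, client, qname in records:
        dom = registered_domain(qname)
        s = stats.get(dom)
        if s is None:
            s = stats[dom] = DomainStats(first_seen=ts, last_seen=ts)
        s.first_seen = min(s.first_seen, ts)
        s.last_seen = max(s.last_seen, ts)
        s.queries += 1
        s.clients.add(client)
    return stats


def flag_ephemeral(stats: dict[str, DomainStats],
                   max_lifetime_days: float = 7.0,
                   min_clients: int = 3) -> list[str]:
    """Domains resolved by many clients but observed only briefly.

    Thresholds are illustrative; tune them against your own baseline. A
    single-client domain is not flagged, since a one-off lookup says little.
    """
    flagged = [
        dom for dom, s in stats.items()
        if len(s.clients) >= min_clients
        and s.lifetime_s <= max_lifetime_days * 86400
    ]
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarise(parse_log(SAMPLE_LOG))
    for dom in flag_ephemeral(summary):
        s = summary[dom]
        print(f"{dom}: {s.queries} queries from {len(s.clients)} clients "
              f"over {s.lifetime_s / 86400:.1f} days")
```

Run against real resolver or passive-DNS exports, this heuristic surfaces the rotating, days-old side of the infrastructure; it will not catch the tracking domains that persist for years at top-1,000 volume, which is exactly why lifetime alone is a triage signal and not a blocklist criterion. Pair it with the registrar, hosting and ownership pivots the report describes before acting on a hit.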
Corporate relationships within this environment are further complicated by links to other outfits managed by Russian speakers. Vane Viper operates in parallel with groups like VexTrio, both emerging from Eastern Europe and Russian diaspora communities in places such as Cyprus around 2015. While the two have publicly advertised partnerships, Infoblox's assessment holds that they function as separate entities.
According to the new analysis, these operations are not limited to indirect abuse of adtech infrastructure but involve direct, deliberate participation. The report points not only to malware campaigns and ad fraud, but also to connections with Russian oligarchs, previously convicted individuals, and adult content platforms.
Industry implications
The research raises industry-wide concerns over the ability of malicious actors to leverage mainstream adtech systems. With the rapid growth of the adtech sector, white-labelled businesses and convoluted structures are enabling threat actors to operate openly for extended periods.
"Our research has increasingly found that cybercriminals aren't just exploiting adtech platforms; sometimes, they are the adtech platforms," said Dr. Renée Burton, VP of Threat Intel. "In the past we thought of the digital underworld as operating in the shadowy corners of the internet, but we have found that many bad actors instead hide in plain sight, establishing 'plausible deniability' by creating a series of commercial operations. Vane Viper is one of several large-scale TDS operators we are tracking, all of which seem to have emerged in 2015 and to be controlled by Russian diaspora in Europe and Cyprus."
The findings emphasise that the risk is not hypothetical. The engagement of advertisers with platforms such as AdTech Holding has, according to Infoblox, exposed companies to serious reputational, operational, and security risks. Infoblox cautions that using these platforms could inadvertently support large criminal enterprises and may result in websites being blacklisted, eroding user trust and brand safety.
Infoblox continues its tracking and reporting on this sector, underlining the need for vigilance and transparency in digital advertising partnerships.