

Ethical Hacking News

Vane Viper's Sinister Web: Uncovering the Malicious Adtech Network Behind 1 Trillion DNS Queries


Vane Viper, a notorious threat actor, has been revealed to be behind 1 trillion DNS queries that have powered a global network of malware and ad fraud schemes. This staggering figure highlights the scope and audacity of Vane Viper's operations, which have allegedly spanned over a decade.

  • Vane Viper is behind an unprecedented 1 trillion DNS queries powering a global network of malware and ad fraud schemes.
  • The threat actor's operations have allegedly spanned over a decade, using complex shell companies and opaque ownership structures to evade responsibility.
  • Vane Viper abuses push notification permissions to serve ads even after users have navigated away from the initial page, compromising user privacy and creating a lucrative revenue stream.
  • The threat actor's persistence techniques are highlighted by the DeceptionAds campaign, which leverages its malicious ad network for social engineering campaigns.
  • Vane Viper shares infrastructure and personnel ties with URL Solutions, Webzilla, and XBT Holdings, adding complexity to its operations.
  • The operation comprises approximately 60,000 domains, with some remaining active for over a year.
  • PropellerAds has denied any wrongdoing, but Infoblox warns that Vane Viper's activities pose a significant risk to users worldwide.



    Vane Viper, a threat actor shrouded in mystery and deception, has been revealed to be behind an unprecedented 1 trillion DNS queries that have powered a global network of malware and ad fraud schemes. This staggering figure, as reported by the cybersecurity firm Infoblox, highlights the scope and audacity of Vane Viper's operations, which have allegedly spanned over a decade.

    At the heart of this malicious endeavor lies a complex web of shell companies and opaque ownership structures, designed to evade responsibility and accountability. According to Infoblox, Vane Viper has provided core infrastructure for widespread malvertising, ad fraud, and cyber threat proliferation, making it a formidable player in the dark underbelly of the internet.

    One of the most striking aspects of Vane Viper's tactics is its abuse of push notification permissions to serve ads even after users have navigated away from the initial page. This approach relies on service workers, which maintain a persistent headless browser process to listen for events and serve unwanted notifications. This technique not only compromises user privacy but also creates a lucrative revenue stream for Vane Viper.

    The threat actor's persistence techniques have been highlighted by Guardio Labs in a campaign dubbed DeceptionAds, which leverages Vane Viper's malicious ad network to facilitate ClickFix-style social engineering campaigns. This activity has been attributed to a company named Monetag, a subsidiary of PropellerAds, a commercial ad technology company that is, in turn, a subsidiary of AdTech Holding.

    Domains linked to PropellerAds have long been flagged for facilitating malvertising campaigns and driving traffic to exploit kits or other fraudulent sites. Further analysis has uncovered evidence suggesting that several ad-fraud campaigns have originated from infrastructure attributed to PropellerAds. The fact that Vane Viper appears to share infrastructure and personnel ties with URL Solutions (aka Pananames), Webzilla, and XBT Holdings adds further complexity to its operations.

    Vane Viper's network comprises approximately 60,000 domains, most of which remain active for less than a month. However, a few domains have been active for over 1,200 days, including the original omnatuor[.]com, propeller-tracking[.]com, and several others centered around push notification services.
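
As an added illustration (not from Infoblox or the original article), the following Python sketch checks resolver logs against the two long-lived domains named above, matching on DNS label boundaries so that look-alike names are not flagged. The log format, client addresses, and sample lines are constructed for the example.

```python
from collections import defaultdict

# Long-lived domains named in the article, kept defanged as published.
DEFANGED_INDICATORS = ["omnatuor[.]com", "propeller-tracking[.]com"]

# Constructed sample resolver log: "<ISO time> <client IP> <qname> <qtype>".
SAMPLE_LOG = """\
2025-09-26T08:00:01Z 10.0.0.5 cdn.omnatuor.com. A
2025-09-26T08:00:02Z 10.0.0.5 OMNATUOR.COM A
2025-09-26T08:00:03Z 10.0.0.7 notomnatuor.com A
2025-09-26T08:00:04Z 10.0.0.7 omnatuor.com.example.org A
2025-09-26T08:00:05Z 10.0.0.9 t.propeller-tracking.com AAAA
2025-09-26T08:00:06Z 10.0.0.9 malformed-line
2025-09-26T08:00:07Z 10.0.0.5 www.example.com A
"""

def refang(indicator):
    """Turn a defanged indicator such as 'a[.]com' into a plain lowercase name."""
    return indicator.replace("[.]", ".").lower().strip(".")

def matches(qname, blocklist):
    """Return the blocklisted domain that qname equals or is a subdomain of, else None."""
    # Lowercase and drop the trailing root dot so FQDN and short forms compare equal.
    name = qname.lower().rstrip(".")
    for domain in blocklist:
        # Match on a label boundary so 'notomnatuor.com' does not hit 'omnatuor.com'.
        if name == domain or name.endswith("." + domain):
            return domain
    return None

def triage(log_text, indicators=DEFANGED_INDICATORS):
    """Map each client IP to the set of blocklisted domains it queried."""
    blocklist = [refang(i) for i in indicators]
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:  # skip malformed lines rather than guessing fields
            continue
        domain = matches(fields[2], blocklist)
        if domain:
            hits[fields[1]].add(domain)
    return dict(hits)

if __name__ == "__main__":
    for client, domains in sorted(triage(SAMPLE_LOG).items()):
        print(client, sorted(domains))
```

Because most of the network's domains are short-lived, a static list like this only catches the persistent push-notification infrastructure; the per-client grouping is what identifies hosts that still hold a notification subscription.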

    The operation has been found to register vast numbers of new domains each month, reaching a high of 3,500 domains in October 2024 alone. This significant jump from fewer than 500 domains registered in April 2023 underscores the scope and adaptability of Vane Viper's operations.

    PropellerAds, however, has denied any wrongdoing, claiming that it is "nothing more than an automated intermediary to help advertisers find the best publishers to publish their advertisements." Nevertheless, Infoblox has warned that Vane Viper's activities pose a significant risk, stating, "Vane Viper isn't just a threat actor hiding behind an adtech platform... It's a threat actor as an adtech platform. AdTech Holding claims to offer advertisers reach and monetization at scale, but what it actually delivers is risk."

    As the cybersecurity landscape continues to evolve, it has become increasingly clear that Vane Viper's malicious ad network poses a significant threat to users worldwide. With its ability to evade detection and adapt to changing circumstances, this threat actor remains a force to be reckoned with in the world of cyber threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Vane-Vipers-Sinister-Web-Uncovering-the-Malicious-Adtech-Network-Behind-1-Trillion-DNS-Queries-ehn.shtml

  • https://thehackernews.com/2025/09/vane-viper-generates-1-trillion-dns.html


  • Published: Fri Sep 26 08:50:43 2025 by llama3.2 3B Q4_K_M












