The threat actor known as Vane Viper has been outed as a purveyor of malicious ad technology, employing a tangled web of shell companies and opaque ownership structures to deliberately evade responsibility. A technical report by Infoblox, produced in collaboration with Guardio and Confiant, characterizes Vane Viper as a core infrastructure provider in malvertising, ad fraud and cyberthreat proliferation for at least a decade. Infoblox notes that the actor not only brokers traffic for malware droppers and phishers, but appears to run campaigns themselves, aligning with documented ad-fraud techniques.
The network, sometimes referred to by aliases such as Omnatuor, has operated across a sprawling ecosystem that taps hundreds of thousands of compromised websites and malicious ads to redirect users to browser extensions, fake shopping sites, and other fraud schemes. Infoblox estimates Vane Viper accounts for roughly 1 trillion DNS queries over the past year across about half of its customer networks.
Analysts say the operation leverages a long-running, global infrastructure that includes hundreds of thousands of domain registrations, with about 60,000 domains assessed as part of its footprint. A subset of these domains has remained active for years, while others appear and disappear on a monthly basis. The activity is tied to a broader AdTech ecosystem that includes PropellerAds and related networks, which Infoblox describes as a carrier for riskware and other threats.
Beyond malvertising, the campaign framework leverages push notification permissions to serve ads even after a user leaves a page, aided by service workers that maintain a headless browser process to listen for events. For researchers, this technique underscores a shift toward persistence in user-targeted ads. More technical context on service workers and browser notification threats can be found in analyses of service worker-based notification threats.
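For triage of the push-notification persistence described above, the following added example (not from the Infoblox report or the original article) lists the origins a Chromium profile has allowed to send notifications, newest grant first. It assumes the Chromium `Preferences` JSON layout (`profile.content_settings.exceptions.notifications`, setting 1 meaning allow, timestamps in microseconds since 1601); the sample data, origins and allowlist are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of a Chromium profile "Preferences" file (not real data).
SAMPLE_PREFS = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://news.example:443,*": {"last_modified": "13370000000000000", "setting": 1},
        "https://push-offers.example:443,*": {"last_modified": "13375000000000000", "setting": 1},
        "https://blocked.example:443,*": {"last_modified": "13360000000000000", "setting": 2},
    }}}}
})

ALLOW = 1  # assumed Chromium content-setting value for "allow"; 2 is "block"
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_datetime(value):
    """Convert Chromium's microseconds-since-1601 timestamp to UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=int(value))

def granted_notification_origins(prefs_text, allowlist=()):
    """Return (origin, granted_at) for origins allowed to send notifications,
    newest first, skipping origins the organisation has approved."""
    prefs = json.loads(prefs_text)
    entries = (prefs.get("profile", {}).get("content_settings", {})
                    .get("exceptions", {}).get("notifications", {}))
    findings = []
    for pattern, data in entries.items():
        if data.get("setting") != ALLOW:
            continue  # blocked or "ask" entries cannot deliver push ads
        origin = pattern.split(",", 1)[0]  # drop the ",*" secondary pattern
        if origin in allowlist:
            continue
        ts = data.get("last_modified")
        findings.append((origin, webkit_to_datetime(ts) if ts else None))
    # Newest grants first: recent grants are the most useful to review.
    findings.sort(key=lambda f: f[1] or WEBKIT_EPOCH, reverse=True)
    return findings

if __name__ == "__main__":
    for origin, granted in granted_notification_origins(
            SAMPLE_PREFS, allowlist={"https://news.example:443"}):
        print(f"{origin}\tgranted {granted:%Y-%m-%d}" if granted else origin)
```

Origins that remain after allowlisting are candidates for permission revocation and for correlation with DNS logs.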
The investigation also highlights connections to monetization networks. Monetag, described in prior Guardio Labs work as a component of a broader adtech ecosystem, is cited as part of DeceptionAds-era activity that leveraged Vane Viper’s network to support ClickFix-style social-engineering campaigns. PropellerAds, a business linked to AdTech Holding, has publicly denied wrongdoing, stating it provides an automated intermediary to connect advertisers with publishers and does not endorse malicious content.
In terms of scale, Infoblox reports that around 60,000 domains are actively used in the network, with a large portion dormant for short periods before new domains are registered. The organization notes that bulk-registered domains, many associated with push notification services, form the backbone of the operation. Estimated domain registrations surged to a yearly high of about 3,500 in October 2024, compared with fewer than 500 in April 2023.
PropellerAds and associated entities, including AdTech Holding and its other holdings, have faced scrutiny in the industry. The broader network is said to share infrastructure and personnel ties with URL Solutions (aka Pananames), Webzilla, and XBT Holdings, though details and links to some related observations are often circulated in industry reports rather than direct corporate disclosures. Analysts emphasize that Vane Viper operates not just as an actor leveraging adtech, but as an adtech platform in itself, amplifying risk across hundreds of thousands of domains and advertisers.
The report also draws attention to the sheer scale of the DNS query workload generated by the network, with Infoblox estimating that roughly half of its monitored customer networks were affected to some degree in the past year. The DNS-centric angle underscores how trust and infrastructure in adtech can become a vector for broader cyber threats, including riskware and spyware campaigns.