‘Vane Viper’ Threat Group Tied to PropellerAds, Commercial Entities

Summary

Infoblox research reveals that a long-running cybercrime operation dubbed “Vane Viper” is tightly linked to PropellerAds and its parent AdTech Holding. The operation uses hundreds of thousands of compromised sites and malicious advertising to redirect users into exploit kits, malware droppers, botnets, scams and ransomware. Infoblox attributes roughly 1 trillion DNS queries and about 60,000 domains to the activity and says the operation leverages CDN-grade infrastructure and a traffic distribution system (TDS) to obfuscate its chains.

Investigators found technical evidence and business records tying PropellerAds, registrars and hosting providers (including Pananames/URL Solutions, Webzilla and CloudOne-related entities) into a tangled web of shared infrastructure and personnel. Infoblox concludes, with medium to high confidence, that Vane Viper is not simply abusing an adtech platform but is functioning as an adtech platform in its own right.

Key Points

  • Vane Viper has been active for over a decade and is highly prevalent across networks observed by Infoblox.
  • Infoblox recorded about 1 trillion DNS queries tied to the operation and attributed approximately 60,000 domains to PropellerAds-related infrastructure.
  • The group exploits compromised WordPress sites, push/pop notifications and malvertising to funnel traffic to malware, phishing, tech-support scams and botnets.
  • Evidence links PropellerAds and AdTech Holding to registrars and hosting firms (Pananames/URL Solutions, Webzilla, CloudOne/XBT) that have histories of abuse.
  • Infoblox describes the operation as “a threat actor as an adtech platform,” undermining typical adtech plausible deniability.
  • Corporate and personal ties — including connections to figures associated with XBT Holdings and TechIsland — amplify concerns about opaque ownership and shared infrastructure.
  • The scale and stealth of the campaign put both consumers and enterprise users at risk, especially given blurred home/work browsing habits.

Context and relevance

This report surfaces broader systemic problems in the digital ad ecosystem: rapid, scalable monetisation was prioritised over accountability, creating fertile ground for abuse. For security teams, ad ops and risk officers, the findings highlight that malicious traffic can originate from legitimate-looking adtech supply chains, not just third-party miscreants. The ties between registrars, hosting providers and ad networks underscore why supply-chain visibility and DNS telemetry matter.

Why should I read this?

Short version: if you care about protecting users or your network, this matters. Infoblox has connected the dots between an enormous malvertising operation and a commercial ad network — so the threat isn’t just ‘some dodgy advert’ anymore, it’s structural. We’ve saved you the deep dive: read this to understand the scale, the infrastructure and why adtech trust models are broken.

Source

Source: https://www.darkreading.com/vulnerabilities-threats/vane-viper-threat-group-propellerads
