A high-volume cybercrime operation known as "Vane Viper" that's been active for more than a decade is supported by a commercial digital advertising platform with a checkered past, according to security researchers.
Vane Viper takes advantage of hundreds of thousands of compromised websites and malicious ads that redirect unsuspecting Web users to destinations such as exploit kits, malware droppers, botnets, scams, and even ransomware campaigns. Like similar operations, Vane Viper uses a traffic distribution system (TDS) to create complex redirection chains and obfuscate analysis efforts from security researchers.
According to new research from cybersecurity firm Infoblox, Vane Viper is one of the most prevalent threat groups it has observed in the past year, appearing in about half of the company's customer networks and accounting for approximately 1 trillion DNS queries. Typically, cybercriminal groups abuse commercial digital networks by signing up for accounts as if they were legitimate publishers or website owners. But Infoblox's investigation into the activity uncovered a wealth of evidence that tied Vane Viper directly to PropellerAds, a legitimate commercial advertising technology (adtech) firm based in Cyprus, and its parent company AdTech Holding.
PropellerAds has long been used for malicious activity, including extensive malvertising campaigns. Cybersecurity vendors have repeatedly accused the firm of "looking the other way" on the usage, essentially allowing threat actors to abuse its platform until third parties flag the activity — and even then, researchers say, the company is slow to respond, if at all. But Infoblox said its Vane Viper research shows a whole different dimension of PropellerAds.
The report details technical evidence and business records that tie PropellerAds and AdTech Holding to an array of other entities that drive Vane Viper's activity. Infoblox said the operation features "CDN-grade infrastructure" that jeopardizes the safety of consumers and enterprise users alike.
"Vane Viper isn’t just a threat actor hiding behind an adtech platform," the report states. "It’s a threat actor as an adtech platform. AdTech Holding claims to offer advertisers reach and monetization at scale, but what it actually delivers is risk."
PropellerAds and AdTech Holding have not yet returned a request for comment from Dark Reading.
How Vane Viper Works
Infoblox researchers first began tracking Vane Viper in 2022 as the Omnatuor malvertising network, based on the malicious domain omnatuor[.]com. Similar to the VexTrio cybercrime operation, Vane Viper uses compromised WordPress sites to feed push notifications and pop-up ads that deliver adware, spyware, and other malicious content.
Researchers continued tracking PropellerAds and this year attributed approximately 60,000 Vane Viper domains to the company. Like many adtech companies, PropellerAds serves as both a demand-side monetization platform for website owners looking to generate ad revenue and a supply-side platform for advertisers looking to market their products and services. The company also serves as a traffic broker that aggregates Web traffic from different sources and "resells" it to advertisers in need of a boost.
In the case of PropellerAds, researchers with Infoblox as well as other cybersecurity companies found the adtech platform was being used as a traffic broker for malware droppers and phishing campaigns, as well as tech support scams, infostealer campaigns, and botnets. But it wasn't until Infoblox took a closer look at the business side of PropellerAds that the research team began to consider that perhaps the adtech platform was a core piece of Vane Viper rather than a hapless victim of abuse.
"We identified threats that were not just coming from external sources that are running on PropellerAds but literally coming from their own network, which implies that they're actually running these scams on their own infrastructure," David Brunsdon, Infoblox threat researcher, tells Dark Reading.
That prompted the research team to take a closer look at the infrastructure, including the ASNs leased by the adtech company and the domain registrars it used to spin up the tens of thousands of URLs tied to PropellerAds. That phase of the investigation revealed "a tangled web" that implicates several other companies as well as Russian tech entrepreneurs and convicted fraudsters, Brunsdon says.
The Tangled Web of Vane Viper
When Infoblox researchers began looking at the infrastructure of PropellerAds and its subsidiaries and sister companies like Monetag, they found several curious connections to other entities. Chance Tudor, DNS security researcher at Infoblox, says that examining the business side of Vane Viper allowed the research team to get a broader picture of the malicious activity.
For example, they determined Vane Viper's preferred domain registrar is URL Solutions, more commonly known as Pananames, which is owned by CloudOne Digital, a hosting and cloud service provider.
CloudOne also acquired a company called XBT Holdings and its more well-known subsidiaries, Servers.com and Webzilla, in 2023. "PropellerAds owns multiple Webzilla subnets outright, and Webzilla itself has a checkered past: its infrastructure was used for the Methbot click-fraud farm, Russia’s Doppelgänger disinformation sites, and piracy giant 4shared," the Infoblox report stated. "Our investigation also uncovered a slew of executives with a history of providing services to fraudsters and financial ties to a Russian oligarch."
A diagram of key company relationships. Source: Infoblox
The "oligarch" in question appears to be Aleksej Gubarev, founder of XBT Holdings. Gubarev is perhaps most well known for his appearance in the controversial "Steele Dossier," a 2016 report of unverified claims regarding Russia's interference in the 2016 US presidential election. The dossier, as well as a later report by a former FBI agent, alleged that XBT companies were used by Russian state-sponsored actors with impunity to conduct malicious activity, including election interference and disinformation campaigns.
Gubarev has denied such allegations. In 2017, he sued Buzzfeed, which published the "Steele Dossier," for libel — but dropped the lawsuit in 2021.
Infoblox's report outlines several connections between Gubarev's companies and AdTech Holding, including overlapping and shared infrastructure, as well as personal and professional ties between key figures at the companies. For example, Gubarev is co-founder and chairman of an organization called TechIsland, a technology incubator in Cyprus formed in 2021.
According to Infoblox's report, TechIsland members include AdTech Holding as well as another Cyprus-based adtech company called Adsterra. Like PropellerAds, Adsterra has a history of red flags and abuse, including repeated connections to a sprawling malvertising campaign known as "Master134."
"None of these links proves coordinated wrongdoing," the report stated. "However, in aggregate, they paint a picture of opaque shareholding, offshore companies in tax havens, and networks repeatedly flagged for malvertising, disinformation, click-fraud, privacy, and ad traffic abuse."
Dark Reading contacted CloudOne for comment, but received no response.
Adtech's 'Plausible Deniability' and a Concerning Pattern
Infoblox said the volume of malicious activity directly tied to the companies, coupled with the shared infrastructure and corporate connections, weakens PropellerAds' claim of plausible deniability, a defense commonly used by adtech firms.
PropellerAds' defense is that it's no worse than any other adtech platform, Tudor says. And in fact, the company in the past has issued stern denials that it actively engages in malicious activity, and claims it takes "every reasonable step" to prevent abuse. But Infoblox's report claims, with medium to high confidence, that PropellerAds and AdTech Holding are the foundation of Vane Viper.
"URL Solutions, Webzilla, and AdTech Holding form a closely connected trio of firms: domains registered en masse via a registrar steeped in cybercrime, hosted on infrastructure operated by a company that’s hosted everything from Methbot to state-sponsored disinformation, and payloads delivered via an ad network long implicated in malvertising," the report states.
It also puts enterprises at risk, as evidenced by the volume of Vane Viper activity detected in Infoblox customer networks. While many of the websites tied to the operation involved gambling, piracy, and adult content, Tudor says enterprise users, like consumers, are still human and will click on suspicious or shady links despite warning signs.
"It's 2025, and I'm amazed that people don't have any idea of digital hygiene," he says. "There's basic stuff like using an ad blocker or not clicking on a suspicious link, or not trying to find a cheap and free way to watch an NFL game."
Renée Burton, vice president of threat intel at Infoblox, says the blurring of boundaries between work and home environments contributes to the risk. "There's no difference between the home and work anymore," she says.
Infoblox's report also warned that Vane Viper is a symptom of a larger problem: the digital ad ecosystem was designed to be a fast, scalable revenue generator and was never built for accountability — and threat actors are increasingly taking advantage.
"Somewhere along the way, that design became a liability," the report stated. "Vane Viper shows how easy it is to weaponize that ecosystem."