For more than a decade, the Vane Viper network has remained one of the largest clandestine players in the sphere of malicious online advertising. The latest report from Infoblox, prepared in collaboration with Guardio and Confiant, reveals how this operation has built an entire ecosystem in which advertising technologies serve as a facade for distributing malware and running fraudulent schemes. The report emphasizes that, in the past year alone, Vane Viper’s infrastructure processed nearly one trillion DNS requests—amounting to almost half of all traffic flowing through Infoblox client networks.
Also known under the alias Omnatuor, the organization functions as a vast intermediary. It not only redirects traffic toward malware loaders and phishing sites but also runs its own advertising campaigns that mimic techniques from established click-fraud operations. Its infrastructure relies on thousands of compromised websites—primarily WordPress installations—where attackers deploy pages that funnel visitors into ad traps, malicious browser extensions, counterfeit online shops, dubious software download services, and even mobile malware such as the Triada Android trojan.
A cornerstone of its persistence strategy lies in push notifications. Victims are coerced into granting browser permission to receive notifications, after which service workers continue delivering ads even when the original site is closed. This transforms the browser into a silent background channel for pushing intrusive ads and malicious links.
A similar technique surfaced during Operation DeceptionAds, uncovered by Guardio Labs, where the Vane Viper network powered social-engineering campaigns styled after ClickFix. Investigations traced links back to Monetag, a subsidiary of PropellerAds, itself owned by AdTech Holding, headquartered in Cyprus.
The inquiry further revealed that domains tied to PropellerAds frequently appear in schemes that redirect traffic to exploit kits and fraudulent websites. Moreover, Vane Viper’s infrastructure overlaps with companies such as URL Solutions (also known as Pananames), Webzilla, and XBT Holdings. AdTech Holding’s portfolio, beyond PropellerAds and Monetag, also includes ProPushMe, Zeydoo, Notix, and Adex.
Today, Vane Viper controls an estimated 60,000 domains, most of which remain active for less than a month. Still, some properties—like omnatuor[.]com and propeller-tracking[.]com—have operated for years. Since 2023, attackers have ramped up domain registrations through URL Solutions: from fewer than 500 domains per month in early 2023 to more than 3,500 by October 2024. At present, Vane Viper accounts for nearly half of all mass domain registrations. This constant churn enables the network to replenish its domain pool and evade takedowns.
Despite mounting evidence, PropellerAds publicly denies wrongdoing, insisting it merely acts as an automated platform connecting advertisers with publishers, without responsibility for ad content. Yet, Infoblox researchers counter that the evidence points not to a criminal hiding behind an ad network but to a malicious actor that has itself become the ad network. Under the banner of “reach and monetization,” they argue, clients are instead exposed to the risks of infection and entanglement in a global fraud infrastructure.
The case of Vane Viper underscores how the boundary between the legitimate advertising industry and cybercrime can be deliberately blurred. By exploiting domain farms, push-notification services, and large-scale infrastructure, the network has ascended to the status of a global player—controlling massive volumes of traffic and funneling it into the shadow economy.
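A defender-side check for the push-notification persistence described above, as an added example that is not from the Infoblox report: it lists every origin a Chromium profile allows to send notifications and flags the two long-lived domains the article names. The `Preferences` JSON layout (`profile.content_settings.exceptions.notifications`, `setting` 1 = allow, `last_modified` in microseconds since 1601) is an assumption about Chromium's on-disk format, and the sample profile data is constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Long-lived Vane Viper domains named in the article (written there in defanged form).
KNOWN_DOMAINS = ("omnatuor.com", "propeller-tracking.com")
ALLOW = 1  # assumption: Chromium stores 1 = allow, 2 = block

def host_of(pattern):
    """Extract the hostname from a key such as 'https://news.example:443,*'."""
    host = pattern.split(",", 1)[0].split("://", 1)[-1].split("/", 1)[0]
    return host.rsplit(":", 1)[0].lower().lstrip("[*.]")

def granted_at(entry):
    """Convert last_modified (microseconds since 1601-01-01 UTC, as a string) to a datetime."""
    raw = int(entry.get("last_modified", 0) or 0)
    if not raw:
        return None  # no timestamp recorded for this grant
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=raw)

def audit_notifications(prefs):
    """Return [(host, granted_at, is_known_domain)] for every origin allowed to push."""
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                  .get("exceptions", {}).get("notifications", {}))
    findings = []
    for pattern, entry in exceptions.items():
        if entry.get("setting") != ALLOW:
            continue  # blocked or default origins cannot deliver notifications
        host = host_of(pattern)
        # Match the domain itself or a true subdomain, not a lookalike prefix.
        known = any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS)
        findings.append((host, granted_at(entry), known))
    return sorted(findings, key=lambda f: (not f[2], f[0]))  # known domains first

# Constructed sample profile data, not taken from a real browser.
SAMPLE_PREFS = json.loads("""
{"profile": {"content_settings": {"exceptions": {"notifications": {
  "https://cdn.propeller-tracking.com:443,*": {"setting": 1, "last_modified": "13370000000000000"},
  "https://fakeomnatuor.com:443,*": {"setting": 1, "last_modified": "13360000000000000"},
  "https://news.example:443,*": {"setting": 1},
  "https://shop.example:443,*": {"setting": 2, "last_modified": "13350000000000000"}
}}}}}
""")

if __name__ == "__main__":
    for host, when, known in audit_notifications(SAMPLE_PREFS):
        print("REVIEW" if known else "allowed", host, when.isoformat() if when else "unknown")
```

Every origin in the output, flagged or not, still holds a permission that lets its service worker deliver notifications after the tab is closed, so unrecognised entries are worth revoking too.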