The cybercriminal group known as Vane Viper has been exposed as a key operator in malicious ad technology (adtech). The group has relied on shell companies and unclear ownership structures to avoid accountability while powering large-scale cybercrime operations.
According to a recent technical report published by Infoblox in collaboration with Guardio and Confiant, Vane Viper has played a central role in malvertising, ad fraud, and cyberthreat proliferation for over a decade.
“Vane Viper not only brokers traffic for malware droppers and phishing campaigns but also runs its own ad-fraud operations,” the report noted.
Background and Methods
Vane Viper, also known as Omnatuor, was first profiled in August 2022. It functions as a malvertising network similar to VexTrio Viper, exploiting vulnerable WordPress websites to build a large infrastructure of compromised domains. These domains are used to distribute riskware, spyware, and adware.
One persistence technique involves the abuse of push notification permissions. By manipulating browser settings and using service workers, the group continues to send unwanted notifications long after the user leaves the infected page.
In late 2024, Guardio Labs detailed a campaign called DeceptionAds, which leveraged Vane Viper’s ad network to execute ClickFix-style social engineering scams. The activity was linked to Monetag, a company identified as a subsidiary of PropellerAds, itself part of AdTech Holding, a Cyprus-based corporation.
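The push-notification persistence described above leaves a trace a defender can audit: the browser's stored notification grants. The sketch below is an added example, not code from the Infoblox report or from this article; it assumes the Chromium profile `Preferences` JSON layout (`profile.content_settings.exceptions.notifications`, where `setting` 1 means allow), uses hypothetical function names and constructed sample data, and flags grants on the two long-lived domains this article names.

```python
import json
from urllib.parse import urlsplit

# Long-lived domains named in this article (refanged here for matching).
KNOWN_DOMAINS = {"omnatuor.com", "propeller-tracking.com"}
ALLOW = 1  # assumed Chromium content-setting value for "allow" (2 is "block")

def host_of(pattern):
    """Extract the hostname from a key such as 'https://host:443,*'."""
    primary = pattern.split(",", 1)[0].replace("[*.]", "")  # drop wildcard prefix
    try:
        return (urlsplit(primary).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed pattern: report it as unknown, do not crash
        return ""

def matches_known(host, domains=KNOWN_DOMAINS):
    """True when host is a listed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def audit_notifications(prefs):
    """Return (host, flagged) for each origin allowed to push notifications."""
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                  .get("exceptions", {}).get("notifications", {}))
    granted = []
    for pattern, entry in exceptions.items():
        if isinstance(entry, dict) and entry.get("setting") == ALLOW:
            host = host_of(pattern)
            granted.append((host, matches_known(host)))
    # Flagged grants first, then alphabetical by host.
    return sorted(granted, key=lambda g: (not g[1], g[0]))

# Constructed sample standing in for a profile's Preferences file.
SAMPLE_PREFS = json.loads("""
{"profile": {"content_settings": {"exceptions": {"notifications": {
  "https://news.example.org:443,*":           {"setting": 1},
  "https://push.omnatuor.com:443,*":          {"setting": 1},
  "https://[*.]omnatuor.com:443,*":           {"setting": 1},
  "https://omnatuor.com.example.org:443,*":   {"setting": 1},
  "https://propeller-tracking.com:443,*":     {"setting": 2}
}}}}}
""")

if __name__ == "__main__":
    for host, flagged in audit_notifications(SAMPLE_PREFS):
        print(("REVIEW  " if flagged else "granted ") + host)
```

Revoking a flagged grant in the browser's site settings stops the notifications; a fleet-wide version would read each profile's `Preferences` file instead of the embedded sample.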

Scale of Operations
Infoblox estimates that Vane Viper has generated 1 trillion DNS queries in the past year, impacting roughly half of Infoblox's customer networks. The operation uses hundreds of thousands of compromised websites and malicious ads to redirect victims toward:
- Fake shopping platforms
- Adult content sites
- Survey scams
- Fake applications and software downloads
- Malicious browser extensions
- Android malware such as Triada
The infrastructure involves nearly 60,000 domains, most of which are short-lived, staying active for less than a month. However, some domains, such as omnatuor[.]com and propeller-tracking[.]com, have been active for over three years.
Domain registration activity highlights the scale of the operation. For instance, over 3,500 domains were registered in October 2024, a sharp increase from fewer than 500 in April 2023. Since 2023, almost 50% of the domains bulk-registered through URL Solutions have been attributed to Vane Viper.
Corporate Connections
Evidence suggests that Vane Viper shares infrastructure and staff connections with URL Solutions (Pananames), Webzilla, and XBT Holdings. URL Solutions has also been tied to Russian disinformation operations, such as the Doppelgänger campaign. Other AdTech Holding-owned entities include ProPushMe, Zeydoo, Notix, and Adex.
Industry Denials
Despite the mounting evidence, PropellerAds has denied any involvement, claiming to act solely as an automated intermediary that connects advertisers with publishers. The company maintains that it does not support or encourage malicious advertising.
A Threat Actor Masquerading as AdTech
Infoblox researchers argue that Vane Viper is more than a group using an adtech platform — it has become an adtech platform itself, cloaked in the appearance of legitimacy.
“AdTech Holding claims to offer reach and monetization at scale, but what it delivers is risk,” Infoblox said. “Vane Viper hides behind the plausible deniability of being an advertising network, while using its traffic distribution system to deliver multiple kinds of threats.”


