‘Vane Viper’ Revealed: New Infoblox Research Uncovers Large-Scale Malicious Ad Network [UPDATED]
A Threat Actor Masquerading as a Legitimate AdTech Enterprise?

(Editor’s Note: A previous version of this article was based solely on the Infoblox blog “Deniability by Design: DNS-Driven Insights into a Malicious Ad Network” and a subsequent press release furnished by said company. Propeller Ads has since released a statement refuting the claims therein. This version is an update of the original and now reflects Proller Ads’ views and categorical denial. For a full copy of it, click HERE.)
Infoblox Threat Intel has released groundbreaking reporting on “Vane Viper,” a threat actor masquerading as a legitimate AdTech enterprise. This group is responsible for facilitating a variety of scams and malware distribution through their affiliate advertising programs are but also directly involved in malware distribution.
Infoblox Threat Intel has been tracking Vane Viper, originally reported as Omnatuor, for over three years. This actor has been a top priority for Infoblox research due to its pervasive presence in customer networks: Vane Viper malvertising domains are seen in around 50% of customer networks. Vane Viper’s reach is global: several of their domains are in the top 10k globally, according to Tranco, with one tracking domain reaching the top 1k.
Discoveries About Vane Viper
Infoblox Threat Intel discovered that Vane Viper is AdTech Holding, the parent company of the infamous PropellerAds. The AdTech enterprise benefits from compromised websites and deceptive ads launched by publishing affiliates to distribute malware and digital fraud campaigns. While the security industry has long questioned the integrity of PropellerAds, this report brings concrete evidence of malfeasance by the company.
Analysing years of DNS detections and actively engaging Vane Viper through links that led to their traffic distribution system (TDS) showed that they are not an abused provider, but a complicit enabler and active participant in malicious activities. Not only did PropellerAds send users to harmful content hosted by their affiliates, but PropellerAds directly delivered malware to Infoblox researchers on multiple occasions. This led to the discovery of an ecosystem with a history of hosting advertising fraud schemes.
Vane Viper is like VexTrio Viper, commonly referred to as VexTrio, which was the subject of in-depth reporting by Infoblox launched at BlackHat USA in August 2025. Like VexTrio, Vane Viper is comprised of several companies within the advertising industry, dominated by Russian speakers, that present themselves as separate entities but are all held by a single group. Vane Viper and VexTrio are part of a cohort that emerged almost simultaneously in 2015 in Eastern Europe and Russian diaspora centres, such as Cyprus. VexTrio and Vane Viper advertise their partnerships with one another, but they appear to be independent groups.
“Our research has increasingly found that cybercriminals aren’t just exploiting AdTech platforms, sometimes, they are the AdTech platforms,” said Dr. Renée Burton, VP of Threat Intel. “In the past we thought of the digital underworld as operating in the shadowy corners of the internet, but we have found that many bad actors instead hide in plain sight, establishing ‘plausible deniability’ by creating a series of commercial operations. Vane Viper is one of several large-scale TDS operators we are tracking, all of which seem to have emerged in 2015 and controlled by Russian diaspora in Europe and Cyprus.”
Propeller Ads Categorically Denies
Propeller Ads, for its part, has categorically denied any wrongdoing. In a statement, the company describes Infoblox’s findings as fake and a misrepresentation of the company’s work, its products, and its services. It further clarifies that Infoblox’s claims constitute a “false narrative built on circumstantial details.”
“[Infoblox] intentionally constructs a false narrative based on superficial elements such as shared contractors, registrars, or public records in order to mislead. As Infoblox surely knows, it is common for multiple companies to use the same vendors or infrastructure providers. Such coincidences do not prove ownership, control, or affiliation and certainly do not prove or even suggest improper business practices,” wrote Propeller Ads in a statement refuting Infoblox’s wide-ranging claims.
The company added: “The Defamatory [Infoblox] Article also misrepresents our technology. Our platform’s logic is public and transparent: advertisers and publishers define campaign conditions, while our technology ensures automation, quality, and safety. All technologies we use, including push notifications, landing pages, traffic distribution systems (TDS), and other industry-standard tools, are legitimate, widely recognized, and openly applied across the global advertising ecosystem. Suggesting otherwise not only misinterprets our work, but also shows a lack of understanding of how modern digital advertising actually operates.”
“The Defamatory [Infoblox] Article further misrepresents the technical aspects of our infrastructure. All our domains are lawfully acquired from official ICANN-accredited registrars at prevailing market rates. DNS queries directed to our servers occur as part of the normal and lawful operation of our advertising technology, and are essential to ensuring service reliability and performance for publishers and advertisers. Such activity cannot be reasonably construed as indicative of malicious conduct,” Propeller Ads further explained in the statement.
More Key Findings
- Vane Viper is seen in about half of Infoblox customer networks, generating over 1 trillion DNS queries in the past year.
- The actor operates through PropellerAds and other subsidiaries of AdTech Holding, using compromised websites and deceptive ads to distribute malware, phishing and ad fraud campaigns. This is just one of many companies in their enterprise.
- Corporate shell games and opaque ownership structures enable plausible deniability, shielding Vane Viper from accountability.
- Infrastructure overlaps with Webzilla/XBT Holdings, previously linked toMethbot ad fraud, Russian disinformation campaigns and piracy platforms.
- Vane Viper uses push notification abuse, traffic distribution systems (TDSs) and cloaking techniques to evade detection and maintain persistence.
- The network includes 60,000+ domains, many active for only days, with some persisting for over 1,200 days.
- Connections to Russian oligarchs, convicted fraudsters and adult content platforms further underscore the risk and scale of the operation.
The Infoblox report highlights how malicious actors are leveraging the AdTech industry to prey on users across the web. On the promise of reach for advertisers, platforms including AdTech Holding instead deliver unprecedented risk. By engaging with such platforms, companies may unknowingly fuel a vast criminal enterprise—risking reputation damage, broken user trust, and potentially have their sites blacklisted. Vane Viper shows how the rapid growth of the AdTech industry is eroding the digital safety of users, putting profit ahead of accountability.
Again, Propeller Ads refutes Infoblox’s claims, dismissing it as an attempt by the company to “prop up its own commercial value by inventing a problem that actually does not exist.” The company then pointed to what it claims is Infloblox’s “history of such business tactics” that have put it in legal hot water.
“The text and tactics employed in the Defamatory Article suggest that Infoblox authored and published it in order to prop up its own commercial value by inventing a problem that actually does not exist. Indeed, it appears that Infoblox has a history of such business tactics. Infoblox Inc., was publicly traded until 2016 (see https://www.infoblox.com/company/news-events/press-releases/infoblox-announces-agreement-to-be-acquired-by-vista-equity-partners/). Since that time, transparency has decreased: ownership structure and ultimate control are no longer disclosed with the same rigor required of public companies. This naturally raises the question of who currently influences the direction and content of such publications, and how much weight can reasonably be placed on the conclusions of a company whose own transparency is limited,” wrote Propeller Ads in its statement.
It added: “Infoblox has also been involved in legal disputes, including shareholder lawsuits and patent litigation, such as ThreatSTOP, Inc. v. Infoblox, Inc. (https://news.bloomberglaw.com/ip-law/threatstop-says-infoblox-used-pact-to-land-cyber-security-patent). While we take no position on the merits of those cases, their existence could give the impression of a company prepared to act irresponsibly in pursuit of its interests. The style and framing of Infoblox’s blog publications strongly resemble well-documented FUD (Fear, Uncertainty, and Doubt) tactics – a communication method in which fear and uncertainty are emphasized to influence perception and decision-making. Such techniques have been described historically in the IT industry (see Social-Engineer, Free Yourself from FUD, July 2018) (https://www.social-engineer.com/free-yourself-from-fud). Instead of balanced research, the Defamatory Article is designed to unnecessarily alarm readers and create pressure to adopt Infoblox’s own products and services.”
Read the full blog Infoblox here: https://blogs.infoblox.com/threat-intelligence/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network/.
Read Propeller Ads’ official statement here: https://propellerads.com/vane-viper-defamatory-article-response/



