
Vane Viper Cybercrime Operation Linked to PropellerAds and AdTech Holding

2 unique sources, 2 articles

Summary


The cybercrime operation Vane Viper, active for over a decade, is supported by the commercial digital advertising platform PropellerAds and its parent company AdTech Holding. Vane Viper exploits hundreds of thousands of compromised websites and malicious ads to redirect users to exploit kits, malware droppers, botnets, scams, and ransomware. The operation uses a traffic distribution system (TDS) to build complex redirection chains, which makes the traffic difficult for security researchers to analyze. Vane Viper is one of the most prevalent threat groups observed in the past year, appearing in about half of Infoblox's customer networks and accounting for approximately 1 trillion DNS queries. The operation features 'CDN-grade infrastructure' that poses a risk to both consumers and enterprise users. Researchers have uncovered evidence tying Vane Viper directly to PropellerAds and AdTech Holding, indicating that the threat group is not merely hiding behind the adtech platform but is integral to it. The operation has been linked to various malicious activities, including malvertising campaigns, malware droppers, phishing campaigns, tech support scams, infostealer campaigns, and botnets. Vane Viper registers vast numbers of new domains each month, reaching a high of 3,500 domains in October 2024, and has been linked to the Android malware called Triada.

Timeline

  1. 16.09.2025 22:36 · 2 articles

    Vane Viper Cybercrime Operation Linked to PropellerAds and AdTech Holding

    Vane Viper registers vast numbers of new domains each month, reaching a high of 3,500 domains in October 2024. Vane Viper domains make up nearly 50% of domains bulk-registered via URL Solutions since 2023. The operation has been linked to the Android malware called Triada. Vane Viper uses push notification permissions to keep serving ads after the user navigates away from the initial page by altering browser settings. The operation has been linked to a campaign called DeceptionAds that leverages its malicious ad network to facilitate ClickFix-style social engineering campaigns.



Similar Happenings

CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered that agencies must permanently disconnect ASA devices that are reaching the end of support by September 30 from their networks. The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families like RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat.

TA558 Uses AI-Generated Scripts to Deliver Venom RAT in Brazil Hotel Attacks

TA558, tracked as RevengeHotels, has launched new attacks targeting hotels in Brazil and Spanish-speaking markets. The group uses AI-generated scripts to deploy Venom RAT via phishing emails. The campaign aims to capture credit card data from guests and travelers. The threat actor has been active since 2015, focusing on hospitality and travel sectors. They have historically used various RATs and custom malware to achieve their goals. The latest campaign involves phishing emails with Portuguese and Spanish lures, leading to the download of malicious scripts and payloads. Venom RAT, based on Quasar RAT, includes features like data exfiltration, reverse proxy, and anti-kill mechanisms. It spreads via USB drives and disables Microsoft Defender Antivirus.

GhostRedirector Campaign Targets Windows Servers with Rungan Backdoor and Gamshen IIS Module

The GhostRedirector threat cluster, also known as Operation Rewrite and CL-UNK-1037, has compromised at least 65 Windows servers in Brazil, Thailand, and Vietnam, deploying the Rungan backdoor and Gamshen IIS module. The campaign, active since at least March 2025, targets various sectors and uses SEO fraud to manipulate search engine results, particularly to boost the rankings of gambling websites. The threat actor, believed to be China-aligned, employs BadIIS, a malicious native IIS module, to intercept and modify HTTP traffic, serving malicious content to site visitors. The campaign also deploys other tools for remote access, privilege escalation, and information gathering. ESET recommends using dedicated accounts, strong passwords, and multifactor authentication for IIS server administrators, as well as ensuring native IIS modules are installed only from trusted sources and are signed by a trusted provider.

Chinese State-Sponsored Actors Target Global Critical Infrastructure

Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the Salt Typhoon group and a newly identified group named RedNovember, have been conducting sustained campaigns to compromise critical infrastructure networks worldwide. The campaigns aim to gain long-term access to telecommunications, government, transportation, lodging, and military networks. This activity has been detailed in a joint advisory by CISA, NSA, FBI, and international partners, including Canada, Australia, New Zealand, the UK, Czech Republic, Finland, Germany, Italy, Japan, the Netherlands, Poland, and Spain. The advisory provides intelligence on tactics used by these actors and recommends mitigations to strengthen defenses. The Czech Republic's National Cyber and Information Security Agency (NUKIB) has issued a warning instructing critical infrastructure organizations to avoid using Chinese technology or transferring user data to servers located in China. The agency has re-evaluated its risk estimate of significant disruptions caused by China, now assessing it at a 'High' level. The NUKIB has confirmed malicious activities of Chinese cyber-actors targeting the Czech Republic, including a recent APT31 campaign targeting the Czech Ministry of Foreign Affairs. The advisory highlights concerns over the transfer of system and user data to China, potentially misused by state, military, or political interests. The Czech government previously accused China of targeting its critical infrastructure through APT 31, an allegation denied by the PRC but condemned by the US, EU, and NATO. The advisory suggests that individuals and organizations consider restricting or prohibiting the use of products and services that transfer data to China. The campaign has targeted at least 600 organizations across 80 countries, including 200 in the U.S. The threat actors have exploited vulnerabilities in Cisco, Ivanti, and Palo Alto Networks devices to gain initial access and have modified routers to maintain persistent access and pivot into other networks. The advisory also notes that the APT actors may target other devices such as Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, Sonicwall firewalls, etc. RedNovember has targeted perimeter appliances of high-profile organizations globally, including defense and aerospace organizations, space organizations, and law firms. The group has breached at least two U.S. defense contractors, a European engine manufacturer, and a trade-focused intergovernmental cooperation body in Southeast Asia. RedNovember has used the Go-based backdoor Pantegana and Cobalt Strike as part of its intrusions, along with the Spark RAT and LESLIELOADER. The group has also used VPN services like ExpressVPN and Warp VPN to administer and connect to servers used for exploitation and communication.

MixShell Malware Targets U.S. Supply Chain Manufacturers via Contact Forms

A sophisticated social engineering campaign, codenamed ZipLine, targets U.S. supply chain manufacturers with MixShell malware. Attackers use legitimate contact forms to initiate conversations, eventually delivering malicious ZIP files. The campaign spans multiple sectors and countries, focusing on critical supply chain industries. The MixShell malware operates in-memory, using DNS tunneling and HTTP for command-and-control (C2) communications. It employs advanced evasion techniques and leverages legitimate services to blend into normal network activity. The attackers use abandoned or dormant domains to increase the credibility of their phishing attempts. The campaign poses significant risks, including intellectual property theft, ransomware, financial fraud, and supply chain disruptions. The attackers target a wide range of industries, including industrial manufacturers, hardware, semiconductors, consumer goods, biotech, and pharma companies.