CyberHappenings logo
☰
🏠 Home πŸ“‚ Browse ℹ️ About

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

Vane Viper Threat Group Leverages PropellerAds for Malicious Campaigns

First reported
Last updated
πŸ“° 1 unique sources, 1 articles

Summary

Hide β–²

The 'Vane Viper' cybercrime operation, active for over a decade, uses hundreds of thousands of compromised websites and malicious ads to redirect users to exploit kits, malware droppers, botnets, scams, and ransomware. Vane Viper is supported by the commercial digital advertising platform PropellerAds and its parent company AdTech Holding. The operation is highly prevalent, appearing in about half of Infoblox's customer networks and accounting for approximately 1 trillion DNS queries. Vane Viper uses a traffic distribution system (TDS) to create complex redirection chains, making it difficult for security researchers to analyze. The operation features CDN-grade infrastructure, posing risks to both consumers and enterprise users. The investigation revealed that Vane Viper is not just hiding behind PropellerAds but is deeply integrated with its infrastructure and operations.

Timeline

  1. 16.09.2025 22:36 πŸ“° 1 articles Β· ⏱ 22h ago

    Vane Viper Cybercrime Operation Linked to PropellerAds and AdTech Holding

    The 'Vane Viper' cybercrime operation, active for over a decade, has been linked to the commercial digital advertising platform PropellerAds and its parent company AdTech Holding. The operation uses hundreds of thousands of compromised websites and malicious ads to redirect users to exploit kits, malware droppers, botnets, scams, and ransomware. The investigation revealed that Vane Viper is not just hiding behind PropellerAds but is deeply integrated with its infrastructure and operations. The operation is highly prevalent, appearing in about half of Infoblox's customer networks and accounting for approximately 1 trillion DNS queries.

    Show sources
    Open in new tab

Information Snippets

  • Vane Viper has been active for over a decade and uses hundreds of thousands of compromised websites and malicious ads to redirect users to malicious destinations.

    First reported: 16.09.2025 22:36
    πŸ“° 1 source, 1 article
    Show sources

  • Vane Viper is supported by PropellerAds and its parent company AdTech Holding, which provide the infrastructure for the operation.

    First reported: 16.09.2025 22:36
    πŸ“° 1 source, 1 article
    Show sources

  • The operation is highly prevalent, appearing in about half of Infoblox's customer networks and accounting for approximately 1 trillion DNS queries.

    First reported: 16.09.2025 22:36
    πŸ“° 1 source, 1 article
    Show sources

  • Vane Viper uses a traffic distribution system (TDS) to create complex redirection chains, making it difficult for security researchers to analyze.

    First reported: 16.09.2025 22:36
    πŸ“° 1 source, 1 article
    Show sources

  • The operation features CDN-grade infrastructure, posing risks to both consumers and enterprise users.

    First reported: 16.09.2025 22:36
    πŸ“° 1 source, 1 article
    Show sources

  • Infoblox's investigation revealed that Vane Viper is deeply integrated with PropellerAds and AdTech Holding, using their infrastructure and operations.

    First reported: 16.09.2025 22:36
    πŸ“° 1 source, 1 article
    Show sources

  • PropellerAds has a history of being used for malicious activity, including extensive malvertising campaigns, and has been accused of being slow to respond to abuse reports.

    First reported: 16.09.2025 22:36
    πŸ“° 1 source, 1 article
    Show sources

  • The investigation uncovered connections between PropellerAds, AdTech Holding, and other entities involved in malicious activity, including Russian tech entrepreneurs and convicted fraudsters.

    First reported: 16.09.2025 22:36
    πŸ“° 1 source, 1 article
    Show sources

  • The digital ad ecosystem's design, which prioritizes scalability and revenue generation, has become a liability, making it easy for threat actors to weaponize the ecosystem.

    First reported: 16.09.2025 22:36
    πŸ“° 1 source, 1 article
    Show sources