Vane Viper / Omnatuor malicious adtech ecosystem powering malvertising and ad fraud
Threat Actor Meta
Summary
Researchers outed Vane Viper / Omnatuor as a malicious adtech ecosystem that has powered malvertising, ad fraud, and traffic brokering for at least a decade. The use of shell companies and opaque ownership structures helps obscure accountability while scaling cyberthreat delivery. The network matters because it channels users toward malware, phishing, and other scam infrastructure at large scale.
Related Happenings
Parked and typosquatting domains now redirect most visitors to scams and malware
Target Trend
First: 16.12.2025 16:14
Last: 16.12.2025 16:14
Sources 1
About this happening:
Large-scale experiments found **parked domains** and **typosquatting domains** now commonly send visitors to **scams**, **scareware**, or **malware**, turning routine mistyped nav...
Cloudflare Radar Top Domains list redacts and hides Aisuru domains
Security Tool/Service
First: 06.11.2025 04:04
Last: 06.11.2025 04:04
Sources 1
About this happening:
**Cloudflare** redacted **Aisuru** domains from its **Top Domains** rankings after the botnet started gaming the public list and distorting trust signals. The update reduces the v...
Aisuru botnet record-setting DDoS activity
Malware Activity
First: 10.10.2025 19:10
Last: 10.10.2025 19:10
Sources 1
About this happening:
**Aisuru** is a **TurboMirai-class IoT botnet** behind **record-setting DDoS activity** that has continued to scale through **2025**. Cloudflare said it mitigated **more than 1,30...
Latest development: 18.11.2025 10:17
Microsoft automatically detected and neutralized a 5.72 Tbps distributed denial-of-service attack against a single endpoint in Australia; the traffic came from the AISURU TurboMirai-class IoT botnet, used over 500,000 source IPs across various regions, and Microsoft said it was the largest DDoS attack ever observed in the cloud.
Strela Stealer distributed through Detour Dog DNS-based delivery chain
Malware Activity
First: 03.10.2025 21:11
Last: 03.10.2025 21:11
Sources 1
About this happening:
**Strela Stealer** is being delivered through a **Detour Dog**-controlled **DNS TXT record** chain that uses compromised websites and staged hosts, expanding the malware's reach a...
DeceptionAds ClickFix social-engineering campaign
Campaign
First: 25.09.2025 20:22
Last: 25.09.2025 20:22
Sources 1
How related:
Late last year, Guardio Labs laid bare a campaign dubbed DeceptionAds that was found to leverage Vane Viper's malicious ad network to facilitate ClickFix-style social engineering campaigns.
About this happening:
The **DeceptionAds** operation used **Vane Viper's malicious ad network** to deliver **ClickFix-style social engineering**, expanding deceptive user reach through malvertising inf...
Timeline
25.09.2025 20:22 · 2 articles
Vane Viper exposed as a malicious adtech ecosystem
Technical Analysis Update
Infoblox, with Guardio and Confiant, identified Vane Viper, also called Omnatuor, as a malicious adtech ecosystem that has powered widespread malvertising, ad fraud, and cyberthreat proliferation for at least a decade. The network uses shell companies and opaque ownership structures, brokers traffic for malware droppers and phishers, abuses push notification permissions and service workers, and relies on compromised WordPress sites and malicious ads to redirect users toward malware, fake shopping sites, adult content, survey scams, fake apps, sketchy software downloads, and the Android malware Triada. The infrastructure is associated with about 1 trillion DNS queries over the past year, about 60,000 domains, and links to Monetag, PropellerAds, AdTech Holding, URL Solutions (aka Pananames), Webzilla, XBT Holdings, and Doppelgänger.
Sources
- Vane Viper Generates 1 Trillion DNS Queries to Power Global Malware and Ad Fraud Network — thehackernews.com — 25.09.2025 20:22