{"id":12219,"date":"2025-09-16T05:55:12","date_gmt":"2025-09-16T12:55:12","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=12219"},"modified":"2025-09-25T08:24:59","modified_gmt":"2025-09-25T15:24:59","slug":"deniability-by-design-dns-driven-insights-into-a-malicious-ad-network","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\/","title":{"rendered":"Deniability by Design: DNS-Driven Insights into a Malicious Ad Network"},"content":{"rendered":"<h3>Executive Summary<\/h3>\n<p>One typically imagines the digital underworld\u2014trojans, malware droppers, fake dating sites, investment scams, and more\u2014as operating in the dark corners of the internet. But increasingly, these threats are hiding in plain sight, camouflaged by the glossy veneer of mainstream digital advertising. In some cases, the adtech platforms are abused, but we have uncovered an increasing number of adtech companies that are either complicit or actively engaged in the distribution of malicious content. Cybercriminals aren\u2019t just exploiting adtech platforms, sometimes, they are the adtech platforms.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11741\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network-thumbnail.jpg\" alt=\"\" width=\"906\" height=\"573\" \/><\/p>\n<p>There\u2019s a recipe for running malicious campaigns through adtech, and it starts with plausible deniability. Add in convoluted corporate structures, stir in opaque ownership, and you\u2019ve got the perfect conditions for a profitable lack of accountability. These ingredients don\u2019t just make abuse possible; they make it sustainable. 
The more tangled the web of shell companies, the less visibility there is into the operation, and the harder it becomes to assign blame or trace responsibility, which, of course, is by design.<\/p>\n<p>One such actor, Vane Viper, has appeared in approximately half of our customer networks and has accounted for about 1 trillion DNS queries over the past year, making it one of the most prevalent threat actors we observe. Vane Viper benefits from hundreds of thousands of compromised websites and ads inserted into blogs, gaming, and shopping sites worldwide.<\/p>\n<p>Corporate filings and WHOIS data trace Vane Viper to AdTech Holding, a Cypriot holding company. Their flagship subsidiary, PropellerAds, acts as an advertising network and traffic broker, sourcing traffic from multiple channels, including compromised websites, and routing clicks through its traffic distribution system (TDS) to malicious pages. Although PropellerAds has been implicated in malvertising campaigns by others in the past, proving that they have crossed the line from abused service to complicit enabler has been challenging.<sup>1,2,3,4,5<\/sup> We didn\u2019t come to our conclusions lightly.<\/p>\n<p>For months we debated internally and sought the perspective of other researchers in the security community like Guardio and Confiant, as well as advertising experts like Augustine Fou. Ultimately, we found compelling evidence that not only has PropellerAds turned a \u201cblind eye\u201d to criminal abuse of their platform, but indicators described below suggest\u2014with moderate-to-high confidence\u2014that several ad-fraud campaigns originated from infrastructure attributed to PropellerAds. We have not independently verified that PropellerAds personnel directed these campaigns. 
When security researchers have previously implicated PropellerAds in malvertising campaigns, Propeller\u2019s standard reply frames findings as \u201clibel\u201d while dismissing responsibility for downstream harm.<\/p>\n<p>Peeling back the layers of ownership and sorting through the shell games AdTech Holding plays reveals why deniability thrives. Vane Viper\u2019s registrar of choice, URL Solutions\/Pananames, belongs to CloudOne Digital, who acquired XBT Holdings and their subsidiaries Servers.com and Webzilla. PropellerAds owns multiple Webzilla subnets outright and Webzilla itself has a checkered past: its infrastructure was used for the Methbot click-fraud farm, Russia\u2019s Doppelg\u00e4nger disinformation sites, and piracy giant 4shared. Our investigation also uncovered a slew of executives with a history of providing services to fraudsters and financial ties to a Russian oligarch. In the end, the deeper we dug, the clearer it became that plausible deniability isn\u2019t a flaw in the system, but a feature.<\/p>\n<p>This paper provides an in-depth view of Vane Viper, their malicious operations, and their impact as seen via DNS traffic. 
Combining our research with that of Guardio, GoSecure, and others, we can show that:<\/p>\n<ul class=\"list-spacing\">\n<li>Shared infrastructure and personnel ties connect Vane Viper to Webzilla\/XBT, convicted fraudsters, and Russian oligarchs, blending ostensibly legal adtech with infrastructure and people repeatedly cited for ad fraud, piracy, disinformation, pornography, and gambling traffic (See Figure 1).<\/li>\n<li>Vane Viper has provided core infrastructure in widespread malvertising, ad fraud, and cyberthreat proliferation for at least a decade.<\/li>\n<li>Vane Viper not only brokers traffic for malware droppers and phishers, but appears to run their own campaigns, consistent with previously documented ad-fraud techniques.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11742\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network-figure-1.jpg\" alt=\"Figure 1\" width=\"858\" height=\"622\" \/><\/p>\n<p class=\"image-caption\">Figure 1. A diagram of key company relationships<\/p>\n<h3>The Tangled Web<\/h3>\n<p>The name \u201cVane Viper\u201d denotes AdTech Holding, a Cyprus-based holding company of adtech and martech firms. PropellerAds, its most prominent subsidiary, gave us our first clear attribution point to Vane Viper infrastructure. What began as a single attribution soon unraveled into a far more intricate web of malicious adtech, gambling, piracy, pornography, disinformation, and more.<\/p>\n<p>But first, some basics:<\/p>\n<ul class=\"list-spacing\">\n<li><strong>PropellerAds<\/strong> enables publishers of content to monetize their websites with advertising and enables advertisers, who create and pay for ads, to promote their products or services. 
PropellerAds operates as both a supply-side and demand-side platform, giving them significant control over the supply chain<\/li>\n<li><strong>Publishers<\/strong> are the owners or operators of websites, blogs, or apps that host advertisements. They provide the space where the ads are displayed, earning revenue based on the number of impressions, clicks, or conversions generated by the ads.<\/li>\n<li><strong>Clicks<\/strong> are self-explanatory; however, impressions and conversions may not be. An <strong>impression<\/strong> is how often your ad is shown, whereas a <strong>conversion<\/strong> is an action resulting from an ad interaction and includes such things as answering questions or providing information.<sup>6,7<\/sup><\/li>\n<li><strong>Advertisers<\/strong> are businesses, individuals, or brands that want to promote their products, services, or content. They create ads and pay for them to be displayed to potential customers. Advertisers aim to reach a specific audience to drive traffic, generate leads, or increase sales. In the black hat world, however, advertisers engage in unethical or illegal practices to drop malware; steal credentials, personally identifiable information (PII), or payment information; or artificially inflate advertising revenue. <\/li>\n<li>Additionally, PropellerAds operates as a <strong>traffic broker<\/strong>, aggregating traffic from various sources (including third-party networks) and reselling it to advertisers. Traffic brokering allows advertisers access to a broad audience pool.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11743\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network-figure-2.jpg\" alt=\"Figure 2\" width=\"854\" height=\"596\" \/><\/p>\n<p class=\"image-caption\">Figure 2. 
A diagram from PropellerAds displaying where they sit in the digital advertising ecosystem (Credit: PropellerAds)<\/p>\n<p>PropellerAds ensures that ads are displayed to the right audience to maximize profit for advertisers. Think of them as a sort of advertising \u201cpost office\u201d on the supply side, where they ensure that packages (advertisements) are delivered on time to the right recipients (publishers\u2019 websites). Additionally, on the demand side, they offer services that act as \u201cadvertising ushers,\u201d ensuring users are seamlessly redirected and routed to the most relevant advertisements upon clicking.<\/p>\n<p>We currently assess that about 60,000 domains are part of Vane Viper\u2019s infrastructure. These domains represent only a fraction of the broader ecosystem. TDSs can route users to a virtually unlimited number of downstream landing pages, most of which remain uncaptured. It is important to note that TDSs can also be used to serve legitimate advertising content to users\u2014in fact, that industry is where the term \u201ctraffic distribution system\u201d originated. Unfortunately, TDSs enable threat actors to deliver malicious content to the desired users, while intentionally diverting automated traffic, including tools used by security researchers, into dead ends. This is done in conjunction with cloaking kits, which are often tightly coupled to TDSs, but are separate. Vane Viper hides behind the plausible deniability of operating as an advertising network, while using their TDS to deliver multiple kinds of threats. 
Adtech\u2019s fragmented structure and reliance on real-time bidding (RTB) make plausible deniability inherent.<sup>8<\/sup> Confiant\u2019s Zirconium malvertising actor is another good example of how threat actors exploit the fragmentation across adtech\u2019s demand and supply chains.<sup>9<\/sup> With so many intermediaries across every step of the adtech supply chain, it\u2019s easy for malicious actors to pose as legitimate players.<\/p>\n<h3>Corporate Structure and History<\/h3>\n<p>The \u201ctangled web\u201d we refer to is the network of intricate relationships between companies owned by AdTech Holding, and those they do business with, such as their webhost and domain registrar. AdTech Holding sits at the top of an investor portfolio that includes PropellerAds and at least four other companies:<\/p>\n<ul class=\"list-spacing\">\n<li>ProPushMe<\/li>\n<li>Zeydoo<\/li>\n<li>Notix<\/li>\n<li>Adex<\/li>\n<\/ul>\n<p>Each of these companies plays its own role in this adtech ecosystem, from managing push notifications to ostensibly identifying bot traffic. We have seen Notix, Adex, and ProPush domains alongside Vane Viper domains in many campaigns. These companies can, and do, have their own subsidiaries. Monetag, another adtech company (but not a named part of AdTech Holding), is a subsidiary of PropellerAds, as Figure 3 shows:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11744\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network-figure-3.jpg\" alt=\"Figure 3\" width=\"816\" height=\"676\" \/><\/p>\n<p class=\"image-caption\">Figure 3. A screenshot of promo.monetag[.]com\/page47501153.html, complete with PropellerAds branding and contact information<\/p>\n<p>Propeller\u2019s subsidiaries like Monetag attempt to obscure the link to their parent company. 
It was sheer luck to stumble across Figure 3; for a while we were operating under the assumption that Monetag was a separate, yet associated, firm. BeMob and RollerAds are good examples of what we mean by \u201cseparate but associated.\u201d PropellerAds holds strategic partnerships with both companies. BeMob has advertised their partnership with PropellerAds since 2017. Guardio recently published research on the use of the BeMob TDS as a sort of proxy (wherein the campaign operator chained BeMob TDS after Vane Viper\u2019s TDS, specifically Monetag) before delivering Lumma Stealer payloads.<sup>10<\/sup>  RollerAds was founded by a former manager at PropellerAds, and we currently believe it to be operating independently but would not be surprised if it is a subsidiary of PropellerAds.<\/p>\n<p>If you are confused by the commercial relationships already, hang tight\u2014it only gets more convoluted from here.<\/p>\n<p>PropellerAds\u2019 ownership history is complicated. It was founded as an independent company in London in 2011.<sup>11<\/sup>  One of the original directors of this first iteration of PropellerAds is Mardiros Haladjian. He appears in the Paradise Papers with a Cyprian address and as director of a Maltese company named Eldor Services.<sup>12<\/sup>  Malta is a known European gambling hub, which doesn\u2019t seem to connect well to malicious adtech companies, until you dig a little deeper into Haladjian. 
In 2015, he was listed as the Respondent in a World Intellectual Property Organization (WIPO) domain dispute with EvoPlay LLP over Vulkan online casino domains.<sup>13<\/sup>  Strangely, Haladjian now seems to be the owner of EvoPlay, taking over after a series of ownership transitions between Belizean (likely shell) corporations.<sup>14<\/sup>  A few years later, in 2018, he was yet again named in another dispute related to Vulkan lookalike domains.<sup>15<\/sup> This time, Haladjian was a co-respondent alongside Russian nationals who work at Global Domain Privacy Services Inc., also known as Pananames\/URL Solutions (we\u2019ll come back to them later). We know Haladjian is involved with online gambling in collaboration with Russian nationals, and he seems to favor the use of shell corporations in offshore tax havens (in the WIPO disputes, he is named as \u201cMardiros Haladjian, GGS Ltd. of Anguilla\u201d); he also isn\u2019t averse to serial cybersquatting. The decision in the 2018 WIPO suit found that the Vulkan lookalikes were registered in bad faith; the 2015 suit did not. Regardless of the potential violations of trademark law, these could very easily run afoul of gambling laws, especially in Russia, where gambling is almost entirely illegal.<\/p>\n<p>But, like an old saloon owner, why stop at just gambling when there are more quick bucks to be made? Haladjian is also a director of Hammy Media Ltd., which is a Cyprus-based company that operates the major adult website xHamster.<sup>16<\/sup>  Hammy\/xHamster have been in some hot water recently, with the state of Texas filing a lawsuit against them in 2024 for failure to properly enforce age verification.<sup>17<\/sup> Additionally, Hammy was hit with a piracy lawsuit back in 2011, which they were able to get dismissed.<sup>18<\/sup> Take note of the lawyer who represented Hammy in that case (and who represented Haladjian in his WIPO disputes): Valentin David Gurvits, of Boston Law Group PC. 
He\u2019ll come up again later, as he appears to be the go-to lawyer for PropellerAds\/AdTech Holding. Additionally, a Welt am Sonntag investigation in 2016 referenced that investigators have linked Haladjian to a German piracy ring; we were unable to verify that further.<sup>19<\/sup><\/p>\n<p>Whoever was bankrolling PropellerAds soon realized it probably wasn\u2019t a good look to have a person with such a high-risk profile as Haladjian running the show, so they disbanded PropellerAds UK in July of 2014. They did, however, like shell games and tax havens, so PropellerAds popped up a few months later in the Isle of Man.<sup>20<\/sup>  Not much is known about this \u201cbranch\u201d of PropellerAds because the Isle of Man masks corporate details and because a trust company handled the incorporation. The PropellerAds that we know best, PropellerAds Ltd. based in Cyprus, came about in March 2016 and now operates under AdTech Holding. The leadership at AdTech Holding and PropellerAds includes the following:<\/p>\n<ul class=\"list-spacing\">\n<li>Aleksandr Fedorov serves as PropellerAds\u2019 CEO and sits on the AdTech Holding board.<\/li>\n<li>Alex Vasekin is the CEO of AdTech Holding.<\/li>\n<li>Igor Limbakh appears as a company director for both PropellerAds and AdTech Holding, and holds directorships at Samoukale Enterprises (Adex), Itpub, Finplat Technologies, Fourup, and others.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11745\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network-figure-4.jpg\" alt=\"Figure 4\" width=\"889\" height=\"592\" \/><\/p>\n<p class=\"image-caption\">Figure 4. An overview of the timeline and evolution of Embria\/PropellerAds\/AdTech Holding<\/p>\n<h3>URL Solutions<\/h3>\n<p>AdTech Holding maintains suspicious ties to a web of related firms. Their preferred registrar is URL Solutions, also known as Pananames. 
These are the same folks named as a co-respondent with the original director of PropellerAds (Mardiros Haladjian) in one of the Vulkan cybersquatting domain disputes. As of April 1, 2025, URL Solutions ranked as the third-riskiest registrar via our reputation scoring algorithm (see Figure 5).<sup>21<\/sup> URL Solutions moved up from eighth-riskiest registrar in February 2025 to third in March 2025 (cue Curtis Mayfield\u2019s \u201cMove On Up\u201d\u2014the extended version, please).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11746\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network-figure-5.jpg\" alt=\"Figure 5\" width=\"1033\" height=\"258\" \/><\/p>\n<p class=\"image-caption\">Figure 5. The ten riskiest registrars in March 2025 via our reputation algorithm<\/p>\n<p>In their 2024 \u201cPhishing Landscape\u201d report, Interisle Consulting Group clocked URL Solutions as the third-highest registrar associated with bulk domain registration.<sup>22<\/sup> Bulk domain registrations are often suspicious in nature. A high volume of domains registered in a brief period can indicate an intention to quickly use and dispose of them, which is behavior we commonly see in cybercrime. Per Interisle, the number of bulk registration sets and the number of domains in each set are undercounted because their research was constrained to domains that had been specifically reported for phishing. Using their definition of bulk registration (at least ten domains through the same registrar with less than ten minutes between consecutive domain registrations), we specifically looked at URL Solutions\u2019 bulk registration events since January 1, 2023. 
Vane Viper accounts for nearly half of all bulk registration events made through <strong>URL Solutions<\/strong> since January 2023.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11747\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network-figure-6.jpg\" alt=\"Figure 6\" width=\"387\" height=\"658\" \/><\/p>\n<p class=\"image-caption\">Figure 6. Monthly proportion of Vane Viper in URL Solutions bulk registration events<\/p>\n<p>URL Solutions purports to be founded and operating in Panama. However, it is noteworthy that their privacy policy lists an address in Cyprus, just a seven-minute drive from PropellerAds\u2019 office.<\/p>\n<p>URL Solutions is owned by <strong>CloudOne Digital<\/strong>, which also owns <strong>Webzilla, Servers.com<\/strong>, and virtual private server (VPS) provider <strong>Fozzy<\/strong>. The CEO of both Fozzy and URL Solutions is <strong>Dmitry Filatov<\/strong>, whose LinkedIn lists him as \u201cHead of B2C\u201d at <strong>XBT Holdings<\/strong> until April 2023.<sup>23,24<\/sup> CloudOne\u2019s ASN, 35415, which is operated by <strong>Webzilla B.V.<\/strong>, reports that multiple \/24s are assigned to both PropellerAds and Fozzy, which further tightens the infrastructure overlap.<sup>25<\/sup><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11748\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network-figure-7.jpg\" alt=\"Figure 7\" width=\"1032\" height=\"421\" \/><\/p>\n<p class=\"image-caption\">Figure 7. A diagram of relationships between notable people and companies in the Vane Viper ecosystem<\/p>\n<h3>XBT Holdings<\/h3>\n<p>This infrastructure overlap isn\u2019t merely a technical convenience. 
At minimum, it provides ideal conditions for actors who benefit from ambiguity, such as malicious adtech, to operate without clear accountability. XBT Holdings, the former parent of Webzilla and the organization that acquired the domain name Servers.com in 2013, was founded by Aleksej\/Aleksey\/Alexey Gubarev.<sup>26,27<\/sup><\/p>\n<p>Gubarev (shown in Figure 7, and later in Figure 8) has been a staple on the Cyprus tech scene since 2002. Gubarev co-founded a health tech company named Palta in 2016. In 2019, according to a representative for Gubarev, Alex Frolov, the son of U.K.-sanctioned oligarch Aleksandr Frolov,<sup>28,29<\/sup> joined Palta as another co-founder. Corporate filings and press releases name Gubarev and Alex Frolov as Palta co-founders. Target Global, the venture capital firm Frolov Jr. also founded, confirmed that Frolov Sr. and another sanctioned oligarch, Alexander Abramov, were early limited partners.<sup>30,31<\/sup> Gubarev is on the board of directors and co-founded TechIsland, a tech incubator dedicated to accelerating Cyprus\u2019 tech industry.<sup>32<\/sup> TechIsland lists AdTech Holding (and Adsterra, another adtech company with ties to malvertising and malware propagation) as a member. AdTech Holding is owned by Embria, a holding company that has historically used Servers.com infrastructure (185.106.140.1\/24) for the hosting of their websites embria[.]com and embria[.]one. 
AdTech Holding\u2019s own blog from April 2024 credits \u201cthe vision of Alexey Gubarev\u201d in helping to launch the Limassol skate park, a project AdTech Holdings also took part in.<sup>33<\/sup> Some media outlets have alleged that Gubarev played a role in facilitating the presence of Russian information technology businessmen reportedly linked to sanctions evasion, claiming that Cyprus has become a base for extending Moscow\u2019s influence in the European Union.<sup>34,35<\/sup> At some point, these aren\u2019t innocent business coincidences, or simply a measure of the goodwill emanating from TechIsland. Gubarev\u2019s ties to sanctioned oligarchs, coupled with his incubator\u2019s embrace of adtech companies linked to malware and fraud, demonstrate a blurring of ethical lines for commercial gain.<\/p>\n<p>XBT Holdings is privately held, so ownership stakes are unavailable. What is apparent, however, is that this is another shell game. Since 2012, Cyprian corporate filings show that \u201cXBT\u2019s shareholders have included one entity that appears to have no internet presence at all, and four that are registered in Singapore or Cyprus.\u201d<sup>36<\/sup> Of those four, one lists Gubarev as its owner; the others provide little to no ownership information. The use of anonymous or offshore entities as shareholders is commonly considered a signal of an intention to evade accountability.<sup>37,38,39,40,41,42,43<\/sup><\/p>\n<p>PropellerAds utilizes XBT infrastructure, which has been cited as being used in major disinformation and fraud cases. The Russian propaganda network Doppelg\u00e4nger used Webzilla as a hosting provider and URL Solutions as a domain registrar.<sup>44,45<\/sup>  Court filings in the Methbot ad fraud trial confirmed that a \u201csizable number\u201d of Methbot servers resided on XBT networks.<sup>46<\/sup>  Methbot used a large botnet to artificially inflate the views of video ads, garnering millions of advertising dollars. 
Servers.com CTO, and Webzilla CTO from 2005 to 2014, Kostyantyn\/Konstantin Bezruchenko testified that there were personal ties between the Methbot leader Aleksandr Zhukov and XBT founder Aleksej Gubarev.<sup>47<\/sup><\/p>\n<p>Gubarev first entered the geopolitical spotlight in 2017 when BuzzFeed posted the full, unverified Steele dossier. The dossier asserted that XBT\/Webzilla servers helped to transmit malware and steal data from the Democratic National Committee via \u201cbotnets and porn traffic.\u201d<sup>48<\/sup>  Gubarev sued BuzzFeed for defamation, and the case was dismissed; BuzzFeed later removed Gubarev\u2019s name and apologized, so Gubarev\u2019s appeal was withdrawn in 2021. During the proceedings, former FBI Cyber Chief Anthony Ferrante submitted a report that linked Webzilla address space to spear-phishing infrastructure. Ferrante\u2019s report, \u201cExhibit 1,\u201d reviews Bezruchenko\u2019s deposition and details a striking lack of visibility into Webzilla\u2019s network. Ferrante argued that \u201c[XBT does] not actively prevent the use of their infrastructure to support malicious cyber activity.\u201d<sup>49<\/sup>  Ferrante also cited Bezruchenko\u2019s deposition when he opined that Webzilla had inadequate takedown procedures. Hypothetically, webhosts without robust abuse processes often become attractive to persistent malvertising actors. A rebuttal expert report filed by Dr. Eric B. 
Cole on XBT\u2019s behalf challenges Ferrante\u2019s findings, calling the analysis \u201cmisleading\u201d and noting the investigation \u201chas no information based on collection and analysis from XBT Holding systems.\u201d<sup>50<\/sup> Cole argues that traffic like the packets Ferrante flags \u201cpasses across IPs in every AS across the world\u201d and that the record contains \u201cno forensic evidence\u201d tying XBT or Webzilla to deliberate wrongdoing; no court has found XBT or its affiliates liable.<\/p>\n<h3>Webzilla<\/h3>\n<p>Kostyantyn\/Konstantin Bezruchenko owns the U.S. corporate shell of Webzilla (Figure 7, above). WHOIS filings also attach his name to the registration of xbt[.]com, and he\u2019s listed as the contact person for URL Solutions.<sup>51,52<\/sup> He incorporated Webzilla Inc. using Incorporate Now, a mailbox service run by long-time associate Constantin Luchian.<sup>53<\/sup> Reporting by McClatchy found \u201cthat Nikita V. Kuzmin, the creator of the Gozi virus, which stole online banking data, incorporated at least three companies in South Florida, with the administrative assistance of Webzilla officer Constantin Luchian.\u201d<sup>54<\/sup> Additional reporting brought to light the fact that the International Intellectual Property Association entered a formal complaint that Webzilla \u201cserviced and administered\u201d a Cyprus company called 4shared[.]com. At the time, the complaint said that 4shared was the most-cited piracy website in the world. Webzilla denied liability but kept the customer.<sup>55<\/sup><\/p>\n<p>Webzilla\u2019s decision to maintain business with an alleged piracy website, even after being implicated in a formal complaint, highlights how willing the company is to embrace high-risk clients. In addition to using Webzilla for hosting, 4shared[.]com uses URL Solutions as its registrar.<sup>56<\/sup> Luchian and another Bezruchenko associate, Konstantin Bolotin, appear in multiple lawsuits. 
At one point, they were sued in federal court by Hydentra HLP over an adult-traffic affiliate scheme that used Webzilla infrastructure.<sup>57<\/sup><\/p>\n<p>One of the suit\u2019s domains (sunsocialmedia[.]com), still resolves today to Webzilla\u2019s AS 40824 block at 199[.]101[.]134[.]0\/24.<sup>58<\/sup> Further, the domain\u2019s A record has a pointer (PTR) record of servicedomain[.]net. The WHOIS registrant email of that PTR record domain is info@lightsoft[.]co; the owner of Lightsoft is Konstantin Bolotin.<sup>59<\/sup> Earlier German court filings on Freakshare (alleged to be a member of a global criminal enterprise run by two German citizens) list Luchian as the Digital Millennium Copyright Act agent via Scottish shell Vollend Plus LP, itself owned by two Seychelles entities.<sup>60<\/sup> The involvement of the same small set of actors (Luchian, Bolotin, and Bezruchenko) in lawsuits that span adult content, piracy, and malware paints a picture of a close-knit, well-orchestrated team employing deliberate strategies.<\/p>\n<h3>Lawfare<\/h3>\n<p>Let\u2019s return to Valentin Gurvits, the lawyer who represented Mardiros Haladjian (Figure 7), one of the initial directors of PropellerAds, in his various legal escapades. He is also counsel for Aleksei Gubarev\/XBT. Gurvits commented to media outlets on the Methbot case and essentially played the plausible deniability card, admitting that bad actors had \u201cmisused\u201d Webzilla infrastructure, and that Webzilla was not at fault for such misuse.<sup>61<\/sup> Then, he led the 2017 defamation case against BuzzFeed over the Steele dossier. He has defended Constantin Luchian and Konstantin Bolotin in the Hydentra lawsuit and helped Luchian file the U.S. copyright paperwork for Vollend Plus. 
In nearly every civil case touching PropellerAds, XBT\/Webzilla, or their various offshore fronts, Gurvits has acted as counsel to a web of malvertising, gambling, piracy, ad fraud, and adult content operations.<\/p>\n<h3>Corporate Connections<\/h3>\n<p>Let\u2019s recap: PropellerAds\u2019 lineage is one of shell-games: \u201cfounded\u201d in London, moved to the Isle of Man, then reborn in Cyprus under AdTech Holding. Its original director, Mardiros Haladjian, shows up in the Paradise Papers, WIPO cybersquatting disputes, and in lawsuits against his adult content company Hammy Media. PropellerAds\u2019 Cyprus office lies seven minutes from URL Solutions\u2019 contact address and Vane Viper domains make up nearly 50 percent of bulk-registered domains via URL Solutions since 2023. R\u00e9seaux IP Europ\u00e9ens (RIPE) maps multiple \/24 blocks owned by PropellerAds on Webzilla\/XBT address space. AdTech Holding is ensconced in Alexei Gubarev\u2019s TechIsland incubator and AdTech Holding\u2019s founders at Embria use Servers.com for hosting infrastructure. XBT\u2019s networks have hosted the Methbot ad fraud botnet, the Kremlin\u2019s Doppelg\u00e4nger disinformation campaign, and piracy giants like 4shared. Valentin Gurvits, the go-to lawyer for Haladjian, Gubarev, Bezruchenko, Luchian, and Bolotin, represents them in court. None of these links proves coordinated wrongdoing. However, in aggregate, they paint a picture of opaque shareholding, offshore companies in tax havens, and networks repeatedly flagged for malvertising, disinformation, click-fraud, privacy, and ad traffic abuse. 
When those sketchy business practices intersect with the documented threats below, any claim of plausible deniability loses credibility.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11752\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network-figure-8.jpg\" alt=\"Figure 8\" width=\"982\" height=\"539\" \/><\/p>\n<p class=\"image-caption\">Figure 8. A brief recap of key players in the Vane Viper ecosystem and their role<\/p>\n<p>With \u201cplausible deniability\u201d hanging by a thread, let\u2019s now turn to the real-world tricks Vane Viper uses and the threats they deliver.<\/p>\n<h3>Push Comes to Shove<\/h3>\n<p><strong>Under the Hood<\/strong><\/p>\n<p>Pushy salespeople are everyone\u2019s \u201cfavorite,\u201d right? Whether on the street, in a supermarket, or door to door, they just won\u2019t take no for an answer. In-browser push notifications are similar. And there are legitimate use cases for them. They offer users an easy way to stay up to date with Facebook or Reddit posts, or with breaking news. But they also offer threat actors an opportunity to achieve persistence on an endpoint and in a network.<\/p>\n<p>How do these notifications work under the hood? They rely on service workers: JavaScript files that act as a proxy service, intercepting network requests between the web app and the network. Vane Viper uses service workers and script chaining to abuse push notifications. In 2024, GoSecure published an in-depth analysis of a set of malicious service worker files but did not identify the operator at the time.<sup>62<\/sup> Correlating the domains in that report with our own data shows that these service workers belong to Vane Viper. A service worker\u2019s use of \u201ceval()\u201d to execute any content fetched from a remote URL is most alarming, as it lets any code retrieved from that URL run in the page\u2019s context. 
The remote URL queried is given by one of the hardcoded domains within the service worker.<\/p>\n<p>These push notifications, as mentioned, grant persistence on an endpoint if they\u2019re accepted by the user. Once accepted, the user\u2019s device turns into a merry-go-round of malvertising, enabling a constant stream of threats. In analyzing the lifespan of Vane Viper domains, we found that most domains were active for less than a month; however, a certain set of domains have been active for 1,200 days or more. These include good old omnatuor[.]com (which we published about in August 2022), propeller-tracking[.]com, and many domains that appear to be centered around push notification services: in-page-push[.]com, pushimg[.]com, inpagepush[.]com, propu[.]sh, and others.<sup>63<\/sup> However, to keep the operation going, Vane Viper needs to register vast numbers of new domains each month. Figure 9 shows the increasing monthly registration count of domains since January 2023, up to the maximum monthly count of 3,500 domains in October of 2024.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11753\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network-figure-9.jpg\" alt=\"Figure 9\" width=\"978\" height=\"394\" \/><\/p>\n<p class=\"image-caption\">Figure 9. The number of Vane Viper domains registered per month since January 2023<\/p>\n<p>By cycling through thousands of domains each month and keeping key push notification domains alive for years, Vane Viper demonstrates a strong resilience to takedowns and an increasing scale of operations.<\/p>\n<h3>The Funnel<\/h3>\n<p>Vane Viper uses their TDS to deliver threats in a variety of ways: from push notifications sent to an endpoint, to compromised or lookalike sites that victims can stumble across while web browsing. 
For example, in our research, we came across a malware trojan that was dropped onto a Pixel phone from a Vane Viper domain in the form of a malicious APK file (Figure 10).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11754\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network-figure-10.jpg\" alt=\"Figure 10\" width=\"977\" height=\"389\" \/><\/p>\n<p class=\"image-caption\">Figure 10. The VirusTotal entry for a malicious APK dropped onto a burner phone from a Vane Viper domain during our research (Credit: VirusTotal)<\/p>\n<p>The trojan was Triada, and it was dropped from the domain visionedmisfocusedpanfry[.]com.<sup>64<\/sup> But when we tried to visit the domain in URLScan, it showed up as a wrapper for a Google search, as shown in Figure 11. That\u2019s part of the power of a TDS: if you don&#8217;t match the \u201cdesired victim\u201d profile, it can be hard to tell anything is amiss about the domain.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11755\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network-figure-11.png\" alt=\"Figure 11\" width=\"970\" height=\"444\" \/><\/p>\n<p class=\"image-caption\">Figure 11. A search bar, which queries Google, on visionedmisfocusedpanfry[.]com (Credit: URLScan<sup>65<\/sup>)<\/p>\n<p>We\u2019ve also seen Vane Viper distribute malicious browser extensions, fake shopping sites, adult content, survey scams, fake apps, and sketchy software downloads. One operation, which ends in a likely fake software download (we were unable to obtain a sample but are confident in our assessment due to analysis of the various domains along the redirection chain, explained further below), starts with a bit[.]ly link, forces a push subscription gate, then drops users onto a supposed Opera Browser download page. 
We suspect that Vane Viper themselves, and not an affiliate, ran this campaign for the purposes of ad fraud. Figure 12 provides a domain tree (read bottom-up) illustrating one variation of the traffic flow from this campaign.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11756\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network-figure-12.jpg\" alt=\"Figure 12\" width=\"895\" height=\"589\" \/><\/p>\n<p class=\"image-caption\">Figure 12. The domain tree for this campaign, read bottom-up (Credit: URLScan<sup>66<\/sup>)<\/p>\n<p>Apart from the initial bit[.]ly link, we assess that Vane Viper registered and controls each domain in the tree. All observed traffic flows between these domains and there are no third-party publisher or affiliate domains involved. Moreover, the domain landingpane[.]com (used as a sort of static-content CDN) is hosted on the IP address 188[.]42[.]160[.]55. Webzilla is the sponsoring upstream holder for that network space, but the entire IPv4 \/24 block 188[.]42[.]160[.]0\u2013188[.]42[.]160[.]255 has been assigned to PropellerAds. An overview of selected fields from the most recent WHOIS lookup is provided in Table 2 below.<\/p>\n<table>\n<thead>\n<tr>\n<th>WHOIS Field<\/th>\n<th>Value<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>inetnum<\/td>\n<td>188[.]42[.]160[.]0 \u2013 188[.]42[.]160[.]255<\/td>\n<\/tr>\n<tr>\n<td>netname<\/td>\n<td>NET-188-42-160-0-24<\/td>\n<\/tr>\n<tr>\n<td>descr<\/td>\n<td>PROPELLER ADS LTD (Zinonos Rossidi 11, Limassol 3082, Cyprus)<\/td>\n<\/tr>\n<tr>\n<td>country<\/td>\n<td>NL<\/td>\n<\/tr>\n<tr>\n<td>status<\/td>\n<td>ASSIGNED PA<\/td>\n<\/tr>\n<tr>\n<td>created<\/td>\n<td>2022-12-09T13:36:47Z<\/td>\n<\/tr>\n<tr>\n<td>last-modified<\/td>\n<td>2024-04-22T06:39:19Z<\/td>\n<\/tr>\n<tr>\n<td>sponsoring LIR\/org-name<\/td>\n<td>Webzilla B.V. 
(ORG-WL21-RIPE; Keienbergweg 22, Amsterdam, NL)<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">Table 2. RIPE WHOIS assignment record for 188[.]42[.]160[.]0\/24<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>This means that PropellerAds is the direct tenant of that address space and controls all routing, reverse\u2010DNS, and server deployments within it. landingpane[.]com has been linked to a VirusTotal file submission that has a \u201cBrowserknock\u201d trojan label.<sup>67<\/sup> We assess that this is a similar sample to the one that we found and analyzed because of the inclusion of a function called \u201cknock.\u201d<\/p>\n<p>In this instance, the user is prompted to accept push notifications before ever reaching the landing page. The push notification page, shown in Figure 13, presents itself as a video prompt but is actually a malvertising funnel.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11757\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network-figure-13.png\" alt=\"Figure 13\" width=\"983\" height=\"125\" \/><\/p>\n<p class=\"image-caption\">Figure 13. Page forcing the user to accept push notifications (Credit: URLScan<sup>68<\/sup>)<\/p>\n<p>Upon page load, the following sequence unfolds asynchronously:<\/p>\n<p><strong>Token Generation and Tracking<\/strong><\/p>\n<ul>\n<li>As soon as a user lands on the page, an \u201cOAID\u201d token is generated and sent off to my[.]rtmark[.]net to obtain a \u201cGID\u201d (likely a global identifier). This GID\/OAID value is then stamped to the victim\u2019s browser to enable fingerprinting. 
<\/li>\n<\/ul>\n<p><strong>Browser History Poisoning<\/strong><\/p>\n<ul>\n<li>Next, the page poisons the browser history and hijacks the back button, preventing users from leaving the page, in addition to prompting them with a confirmation (\u201cAre you sure you want to leave?\u201d) if they attempt to exit the page completely.<\/li>\n<\/ul>\n<p><strong>Notification Abuse<\/strong><\/p>\n<ul>\n<li>When the request for notification permission is denied, the script forces a random single-letter subdomain redirect to dodge permission refusals. In the background, an event listener is set up to listen on clicks, ensuring that even accidental clicks cause redirect activities. <\/li>\n<\/ul>\n<p><strong>Redirection<\/strong><\/p>\n<ul>\n<li>Regardless of whether the user accepts, denies, or ignores the notification prompt, the script ultimately redirects them to a dynamically chosen target page.<\/li>\n<\/ul>\n<p>After the push notification gate, the TDS command-and-control (C2) server returns a JSON file that guides further behavior of the redirects based on attributes including the primary URL for the next redirection, the user\u2019s unique IDs (oaid, ruid), and session timeouts. The evidence demonstrating that Vane Viper themselves run this campaign increased when we discovered that they included &#8220;partner&#8221;:&#8221;pa&#8221; in this JSON (we believe PA = PropellerAds). Geofences and time zone offsets ensure the campaign hits the right users at the right time. Other attributes control pop-under, interstitial, and anti-adblock behavior, giving a glimpse into how the TDS dynamically reacts to ad blockers. There are feature toggles as well, including things like \u201csmartOverlay,\u201d \u201cclickAnywhere,\u201d and \u201ciOSClickFix.\u201d Figure 14 shows the landing page for this campaign. 
The iOSClickFix feature toggle is especially interesting given the rise of \u201cClick Fix\u201d attacks in the last year or so; however, our conversations with other researchers indicate that this feature is likely unrelated to the commonly seen attack, which typically targets Windows. It is worth noting, though, that MediaTrust previously published Click Fix research that shows overlap with Vane Viper behavior.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-11758\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network-figure-14.png\" alt=\"Figure 14\" width=\"918\" height=\"383\" \/><\/p>\n<p class=\"image-caption\">Figure 14. An Opera Browser \u201cdownload page\u201d used as a landing page for a Vane Viper campaign (Credit: URLScan<sup>69<\/sup>)<\/p>\n<p>The landing page masquerades as a download step, presenting cues (in this case in German) that translate to \u201calmost there.\u201d Every call to action links to ninoglostoay[.]com and uses long, encoded query strings. Inline scripts inject \u201cfake history states\u201d (i.e., adding history entries by appending the string variable \u201cfakepath\u201d to the page URL along with a random number) upon page load, user interaction on the page, and use of the \u201cback\u201d button. That is, every time a user clicks \u201cback\u201d in their browser, the fake history entries only grow longer. This technique of generating fake history states effectively traps users on the malicious site, funneling them to further harmful content.<sup>70<\/sup> A full-screen transparent &lt;a&gt; tag overlays the page, ensuring any user click redirects to a payload URL.<\/p>\n<p>Other media have linked Vane Viper domains to PropellerAds and malicious activity. 
Alongside GoSecure\u2019s research mentioned above, the Digital Citizens Alliance (DCA), a registered nonprofit in the United States focused on internet safety, has linked PropellerAds to malvertising on piracy websites. In their report titled \u201cUnholy Triangle,\u201d DCA claims that PropellerAds \u201cand its related domains (in-page-push[.]com and inpagepush[.]com) accounted for an estimated $31 million\u2014or one in four dollars\u2014of the malvertising found on piracy websites.\u201d<sup>71<\/sup> PropellerAds was also implicated in the early stages (Spring 2017) of the Master134 malvertising campaign, wherein their domain onclkds[.]com was used to redirect traffic to malicious sites.<sup>72<\/sup><\/p>\n<p>Recent research by GoDaddy shows that the Master134 operation evolved into a campaign now called \u201cDollyWay World Domination.\u201d<sup>73<\/sup> At the time, a PropellerAds representative wrote that \u201cit is impossible to know whether traffic is hijacked and it is virtually impossible to ascertain whether the traffic is being redirected to malicious websites.\u201d<sup>74<\/sup> The same pattern reemerged in October 2018 when an affiliate marketer (\u201cFMLTD\u201d) opened a thread titled \u201cPropellerAds Traffic Issue\u201d on AffiliateFix.<sup>75<\/sup> After the marketer documented that a hacked site was funneling visitors through PropellerAds\u2019 network, Propeller\u2019s support replied, \u201cNobody is hacking sites \u2026 Everything is legal,\u201d then stopped answering emails until the dispute became public and the thread was escalated. 
PropellerAds has also been implicated in acting as a TDS for Tag Barnakle, a malvertising actor who compromises ad servers.<sup>76,77<\/sup> In response, Propeller again shirked responsibility and went so far as to label Confiant\u2019s research \u201clibelous.\u201d<sup>78<\/sup> Ongoing complaints from marketers and security researchers alike about bot or illegal traffic from their domains seem to demonstrate a consistent reluctance by PropellerAds to accept responsibility.<\/p>\n<h3>Conclusion<\/h3>\n<p>Vane Viper\u2019s operation is built for scale and evasion and provides a mechanism for them and other bad actors to run malicious ad campaigns. Through nearly 60,000 known unique domains, most active for only days or weeks, they leverage push notification persistence, dynamic cloaking, and script chaining to deliver cyberthreats at scale. URL Solutions, Webzilla, and AdTech Holding form a closely connected trio of firms: domains registered en masse via a registrar steeped in cybercrime, hosted on infrastructure operated by a company that\u2019s hosted everything from Methbot to state-sponsored disinformation, and payloads delivered via an ad network long implicated in malvertising. <\/p>\n<p>This core has built out infrastructure that overlaps with warez hubs, piracy platforms, adult traffic brokers, disinformation campaigns, phishing, malware, and more; not to mention indirect financial and organizational connections to figures with serious reputational and legal baggage. Some linkages are circumstantial. But the persistence of these connections suggests a pattern, not a coincidence. Each company or character in the Vane Viper extended universe maintains just enough distance to deny intent yet remains tightly coupled enough to keep the system functioning.<\/p>\n<p>Vane Viper isn\u2019t just a threat actor hiding behind an adtech platform. It\u2019s a threat actor as an adtech platform. 
AdTech Holding claims to offer advertisers reach and monetization at scale, but what it actually delivers is risk. For enterprises, defenders, and internet users at large, that risk comes routed through CDN-grade infrastructure and delivered via click-to-accept. Vane Viper is a symptom of something deeper, however. The digital advertising ecosystem wasn\u2019t designed to be accountable to users. It was designed to be fast, scalable, and profitable. Somewhere along the way, that design became a liability. Vane Viper shows how easy it is to weaponize that ecosystem. In that sense, Vane Viper isn\u2019t just an example of the exploitability of the internet. Rather, they help reveal how much the internet has already been broken by an advertising model that prioritizes reach over responsibility and monetization over trust.<\/p>\n<p>Vane Viper domains from this research can be found in our <a href=\"https:\/\/github.com\/infobloxopen\/threat-intelligence\/blob\/main\/indicators\/csv\/vane_viper_20250912.csv\" target=\"_blank\">Github repository<\/a>.<\/p>\n<h3 style=\"font-size: 18px;\">References <\/h3>\n<ol style=\"font-size: 14px;\">\n<li><a href=\"https:\/\/blog.confiant.com\/tag-barnakle-the-malvertiser-that-hacks-revive-ad-servers-redirects-victims-to-malware-50cdc57435b1\" target=\"_blank\">https:\/\/blog.confiant.com\/tag-barnakle-the-malvertiser-that-hacks-revive-ad-servers-redirects-victims-to-malware-50cdc57435b1<\/a><\/li>\n<li><a href=\"https:\/\/blog.confiant.com\/tag-barnakle-one-year-later-120-more-revive-adserver-hacks-f3e5b3bc8e70\" target=\"_blank\">https:\/\/blog.confiant.com\/tag-barnakle-one-year-later-120-more-revive-adserver-hacks-f3e5b3bc8e70<\/a><\/li>\n<li><a href=\"https:\/\/web.archive.org\/web\/20241108151006\/https:\/\/www.techtarget.com\/searchsecurity\/news\/252486702\/Digital-ad-networks-tied-to-malvertising-threats-again\" 
target=\"_blank\">https:\/\/web.archive.org\/web\/20241108151006\/https:\/\/www.techtarget.com\/searchsecurity\/news\/252486702\/Digital-ad-networks-tied-to-malvertising-threats-again<\/a><\/li>\n<li><a href=\"https:\/\/web.archive.org\/web\/20250125182941\/https:\/\/www.techtarget.com\/searchsecurity\/feature\/Inside-Master134-Propeller-Ads-connected-to-malvertising-campaign\" target=\"_blank\">https:\/\/web.archive.org\/web\/20250125182941\/https:\/\/www.techtarget.com\/searchsecurity\/feature\/Inside-Master134-Propeller-Ads-connected-to-malvertising-campaign<\/a><\/li>\n<li><a href=\"https:\/\/www.digitalcitizensalliance.org\/clientuploads\/directory\/Reports\/Unholy-Triangle-Report.pdf\" target=\"_blank\">https:\/\/www.digitalcitizensalliance.org\/clientuploads\/directory\/Reports\/Unholy-Triangle-Report.pdf<\/a><\/li>\n<li><a href=\"https:\/\/support.google.com\/google-ads\/answer\/6320?hl=en&#038;ref_topic=24936&#038;sjid=10049883789707446307-NA\" target=\"_blank\">https:\/\/support.google.com\/google-ads\/answer\/6320?hl=en&#038;ref_topic=24936&#038;sjid=10049883789707446307-NA<\/a><\/li>\n<li><a href=\"https:\/\/support.google.com\/google-ads\/answer\/6365?hl=en\" target=\"_blank\">https:\/\/support.google.com\/google-ads\/answer\/6365?hl=en<\/a><\/li>\n<li><a href=\"https:\/\/advertising.amazon.com\/library\/guides\/real-time-bidding\" target=\"_blank\">https:\/\/advertising.amazon.com\/library\/guides\/real-time-bidding<\/a><\/li>\n<li><a href=\"https:\/\/blog.confiant.com\/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85\" target=\"_blank\">https:\/\/blog.confiant.com\/uncovering-2017s-largest-malvertising-operation-b84cd38d6b85<\/a><\/li>\n<li><a href=\"https:\/\/labs.guard.io\/deceptionads-fake-captcha-driving-infostealer-infections-and-a-glimpse-to-the-dark-side-of-0c516f4dc0b6\" 
target=\"_blank\">https:\/\/labs.guard.io\/deceptionads-fake-captcha-driving-infostealer-infections-and-a-glimpse-to-the-dark-side-of-0c516f4dc0b6<\/a><\/li>\n<li><a href=\"https:\/\/opencorporates.com\/companies\/gb\/07675984\" target=\"_blank\">https:\/\/opencorporates.com\/companies\/gb\/07675984<\/a><\/li>\n<li><a href=\"https:\/\/offshoreleaks.icij.org\/nodes\/56063574\" target=\"_blank\">https:\/\/offshoreleaks.icij.org\/nodes\/56063574<\/a><\/li>\n<li><a href=\"https:\/\/www.wipo.int\/amc\/en\/domains\/decisions\/text\/2015\/d2015-0252.html\" target=\"_blank\">https:\/\/www.wipo.int\/amc\/en\/domains\/decisions\/text\/2015\/d2015-0252.html<\/a><\/li>\n<li><a href=\"https:\/\/opencorporates.com\/companies\/gb\/OC394908\" target=\"_blank\">https:\/\/opencorporates.com\/companies\/gb\/OC394908<\/a><\/li>\n<li><a href=\"https:\/\/www.wipo.int\/amc\/en\/domains\/decisions\/text\/2018\/d2018-0104.html\" target=\"_blank\">https:\/\/www.wipo.int\/amc\/en\/domains\/decisions\/text\/2018\/d2018-0104.html<\/a><\/li>\n<li><a href=\"https:\/\/www.dnb.com\/business-directory\/company-profiles.hammy_media_ltd.9ae0492162b3071b852c5adc8671b9de.html\" target=\"_blank\">https:\/\/www.dnb.com\/business-directory\/company-profiles.hammy_media_ltd.9ae0492162b3071b852c5adc8671b9de.html<\/a><\/li>\n<li><a href=\"https:\/\/www.texasattorneygeneral.gov\/sites\/default\/files\/images\/press\/Hammy%20Media%20Petition%20Filestamped.pdf\" target=\"_blank\">https:\/\/www.texasattorneygeneral.gov\/sites\/default\/files\/images\/press\/Hammy%20Media%20Petition%20Filestamped.pdf<\/a><\/li>\n<li><a href=\"https:\/\/www.pacermonitor.com\/public\/case\/601776\/Fraserside_IP_LLC_v_Hammy_Media_Ltd_et_al\" target=\"_blank\">https:\/\/www.pacermonitor.com\/public\/case\/601776\/Fraserside_IP_LLC_v_Hammy_Media_Ltd_et_al<\/a><\/li>\n<li><a href=\"https:\/\/www.welt.de\/print\/wams\/wirtschaft\/article157880510\/Geldmaschine-fuer-Fluechtende.html\" 
target=\"_blank\">https:\/\/www.welt.de\/print\/wams\/wirtschaft\/article157880510\/Geldmaschine-fuer-Fluechtende.html<\/a><\/li>\n<li><a href=\"https:\/\/opencorporates.com\/companies\/im\/011883V\" target=\"_blank\">https:\/\/opencorporates.com\/companies\/im\/011883V<\/a><\/li>\n<li><a href=\"https:\/\/insights.infoblox.com\/resources-research-report\/infoblox-research-report-reliable-reputation\" target=\"_blank\">https:\/\/insights.infoblox.com\/resources-research-report\/infoblox-research-report-reliable-reputation<\/a><\/li>\n<li><a href=\"https:\/\/web.archive.org\/web\/20250611125113\/https:\/\/static1.squarespace.com\/static\/63dbf2b9075aa2535887e365\/t\/66cde404c8345e766972319c\/1724769286084\/PhishingLandscape2024.pdf\" target=\"_blank\">https:\/\/web.archive.org\/web\/20250611125113\/https:\/\/static1.squarespace.com\/static\/63dbf2b9075aa2535887e365\/t\/66cde404c8345e766972319c\/1724769286084\/PhishingLandscape2024.pdf<\/a><\/li>\n<li><a href=\"https:\/\/web.archive.org\/web\/20250318004226\/https:\/\/fozzy.com\/us\/about.shtml\" target=\"_blank\">https:\/\/web.archive.org\/web\/20250318004226\/https:\/\/fozzy.com\/us\/about.shtml<\/a><\/li>\n<li><a href=\"https:\/\/www.linkedin.com\/in\/dmitry-filatov-64867a46\/?originalSubdomain=cy\" target=\"_blank\">https:\/\/www.linkedin.com\/in\/dmitry-filatov-64867a46\/?originalSubdomain=cy<\/a><\/li>\n<li><a href=\"https:\/\/ipinfo.io\/AS35415\" target=\"_blank\">https:\/\/ipinfo.io\/AS35415<\/a><\/li>\n<li><a href=\"https:\/\/web.archive.org\/web\/20250730193755\/https:\/\/www.prnewswire.com\/news-releases\/xbt-holding-ltd-continues-expansion-with-acquisitions-in-singapore-and-luxembourg-165397106.html\" target=\"_blank\">https:\/\/web.archive.org\/web\/20250730193755\/https:\/\/www.prnewswire.com\/news-releases\/xbt-holding-ltd-continues-expansion-with-acquisitions-in-singapore-and-luxembourg-165397106.html<\/a><\/li>\n<li><a 
href=\"https:\/\/web.archive.org\/web\/20250730194001\/https:\/\/finance.yahoo.com\/news\/xbt-3-holdings-acquisitions-050000400.html?guccounter=1\" target=\"_blank\">https:\/\/web.archive.org\/web\/20250730194001\/https:\/\/finance.yahoo.com\/news\/xbt-3-holdings-acquisitions-050000400.html?guccounter=1<\/a><\/li>\n<li><a href=\"https:\/\/web.archive.org\/web\/20250730194339\/https:\/\/siliconcanals.com\/palta-raises-84-2m\/\" target=\"_blank\">https:\/\/web.archive.org\/web\/20250730194339\/https:\/\/siliconcanals.com\/palta-raises-84-2m\/<\/a><\/li>\n<li><a href=\"https:\/\/archive.is\/aYRY1#selection-445.157-445.166\" target=\"_blank\">https:\/\/archive.is\/aYRY1#selection-445.157-445.166<\/a><\/li>\n<li><a href=\"https:\/\/www.businessinsider.com\/alexander-frolov-leaves-target-global-after-father-is-sanctioned-2022-12\" target=\"_blank\">https:\/\/www.businessinsider.com\/alexander-frolov-leaves-target-global-after-father-is-sanctioned-2022-12<\/a><\/li>\n<li><a href=\"https:\/\/sifted.eu\/articles\/lawsuit-target-global-links-to-russia\" target=\"_blank\">https:\/\/sifted.eu\/articles\/lawsuit-target-global-links-to-russia<\/a><\/li>\n<li><a href=\"https:\/\/web.archive.org\/web\/20250609121901\/https:\/\/thetechisland.org\/board-directors\/alexey-gubarev\" target=\"_blank\">https:\/\/web.archive.org\/web\/20250609121901\/https:\/\/thetechisland.org\/board-directors\/alexey-gubarev<\/a><\/li>\n<li><a href=\"https:\/\/web.archive.org\/web\/20250325224620\/https:\/\/adtechholding.com\/blog\/adtech-holding-limassol-city-skate-park\/\" target=\"_blank\">https:\/\/web.archive.org\/web\/20250325224620\/https:\/\/adtechholding.com\/blog\/adtech-holding-limassol-city-skate-park\/<\/a><\/li>\n<li><a href=\"https:\/\/cynews.is\/gubarev-s-importation-putin-s-it-guys-take-over-cyprus\/\" target=\"_blank\">https:\/\/cynews.is\/gubarev-s-importation-putin-s-it-guys-take-over-cyprus\/<\/a><\/li>\n<li><a 
href=\"https:\/\/pressway.org.uk\/news\/300098-rucsian_it_businessman_gubarev_in_cyprus_how_a_tech_eeemigrantee_turned_the_island_into_a_hub_for_sanctions_evasion\" target=\"_blank\">https:\/\/pressway.org.uk\/news\/300098-rucsian_it_businessman_gubarev_in_cyprus_how_a_tech_eeemigrantee_turned_the_island_into_a_hub_for_sanctions_evasion<\/a><\/li>\n<li><a href=\"https:\/\/www.mcclatchydc.com\/news\/nation-world\/national\/article184786328.html\" target=\"_blank\">https:\/\/www.mcclatchydc.com\/news\/nation-world\/national\/article184786328.html<\/a><\/li>\n<li><a href=\"https:\/\/www.complif.com\/us\/blog\/unmasking-shell-companies-the-hidden-tools-of-financial-crime\" target=\"_blank\">https:\/\/www.complif.com\/us\/blog\/unmasking-shell-companies-the-hidden-tools-of-financial-crime<\/a><\/li>\n<li><a href=\"https:\/\/www.fincen.gov\/resources\/statutes-regulations\/guidance\/potential-money-laundering-risks-related-shell-companies\" target=\"_blank\">https:\/\/www.fincen.gov\/resources\/statutes-regulations\/guidance\/potential-money-laundering-risks-related-shell-companies<\/a><\/li>\n<li><a href=\"https:\/\/www.fraudconferencenews.com\/home\/2018\/6\/17\/breaking-the-shell\" target=\"_blank\">https:\/\/www.fraudconferencenews.com\/home\/2018\/6\/17\/breaking-the-shell<\/a><\/li>\n<li><a href=\"https:\/\/www.fbi.gov\/news\/speeches-and-testimony\/combating-illicit-financing-by-anonymous-shell-companies\" target=\"_blank\">https:\/\/www.fbi.gov\/news\/speeches-and-testimony\/combating-illicit-financing-by-anonymous-shell-companies<\/a><\/li>\n<li><a href=\"https:\/\/www.sanctions.io\/blog\/sanctions-evasion-through-shell-companies-explained\" target=\"_blank\">https:\/\/www.sanctions.io\/blog\/sanctions-evasion-through-shell-companies-explained<\/a><\/li>\n<li><a href=\"https:\/\/web.archive.org\/web\/20191214155442\/https:\/\/www.mcclatchydc.com\/news\/investigations\/article238024734.html\" 
target=\"_blank\">https:\/\/web.archive.org\/web\/20191214155442\/https:\/\/www.mcclatchydc.com\/news\/investigations\/article238024734.html<\/a><\/li>\n<li><a href=\"https:\/\/www.occrp.org\/en\/project\/the-troika-laundromat\" target=\"_blank\">https:\/\/www.occrp.org\/en\/project\/the-troika-laundromat<\/a><\/li>\n<li><a href=\"https:\/\/www.qurium.org\/alerts\/under-the-hood-of-a-doppelganger\/\" target=\"_blank\">https:\/\/www.qurium.org\/alerts\/under-the-hood-of-a-doppelganger\/<\/a><\/li>\n<li><a href=\"https:\/\/www.disinfo.eu\/wp-content\/uploads\/2022\/09\/Doppelganger-1.pdf\" target=\"_blank\">https:\/\/www.disinfo.eu\/wp-content\/uploads\/2022\/09\/Doppelganger-1.pdf<\/a><\/li>\n<li><a href=\"https:\/\/cdn.cnn.com\/cnn\/2019\/images\/03\/15\/xbt.doc.248.2.pdf\" target=\"_blank\">https:\/\/cdn.cnn.com\/cnn\/2019\/images\/03\/15\/xbt.doc.248.2.pdf<\/a><\/li>\n<li><a href=\"https:\/\/www.rferl.org\/a\/methbot-russia-internet-fraud-state-sponsored-hacking-zhukov\/31241417.html\" target=\"_blank\">https:\/\/www.rferl.org\/a\/methbot-russia-internet-fraud-state-sponsored-hacking-zhukov\/31241417.html<\/a><\/li>\n<li><a href=\"https:\/\/archive.org\/details\/TrumpIntelligenceAllegations_201801\" target=\"_blank\">https:\/\/archive.org\/details\/TrumpIntelligenceAllegations_201801<\/a><\/li>\n<li><a href=\"https:\/\/dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com\/external\/expertreportanthonyjferrante-1.pdf\" target=\"_blank\">https:\/\/dd80b675424c132b90b3-e48385e382d2e5d17821a5e1d8e4c86b.ssl.cf1.rackcdn.com\/external\/expertreportanthonyjferrante-1.pdf<\/a><\/li>\n<li><a href=\"https:\/\/cdn.cnn.com\/cnn\/2019\/images\/03\/15\/show_temp_new.pdf\" target=\"_blank\">https:\/\/cdn.cnn.com\/cnn\/2019\/images\/03\/15\/show_temp_new.pdf<\/a><\/li>\n<li><a href=\"https:\/\/www.bigdomaindata.com\/whois-history\/xbt.com\" target=\"_blank\">https:\/\/www.bigdomaindata.com\/whois-history\/xbt.com<\/a><\/li>\n<li><a 
href=\"https:\/\/domains.mjwebs.com\/registrars\/url-solutions-inc-1449#:~:text=Konstantin%20Bezruchenko\" target=\"_blank\">https:\/\/domains.mjwebs.com\/registrars\/url-solutions-inc-1449#:~:text=Konstantin%20Bezruchenko<\/a><\/li>\n<li><a href=\"https:\/\/search.sunbiz.org\/Inquiry\/CorporationSearch\/SearchResultDetail?inquirytype=OfficerRegisteredAgentName&#038;directionType=Initial&#038;searchNameOrder=BEEBURTONZIII%20P090000643274&#038;aggregateId=domp-p09000064327-d6e3dc9a-5813-4545-ad87-f81cd784017a&#038;searchTerm=Beeble%20%20%20%20%20%20%20%20%20%20%20%20%20%20Kellie&#038;listNameOrder=BEEBLEKELLIEA%20L240001151610\" target=\"_blank\">https:\/\/search.sunbiz.org\/Inquiry\/CorporationSearch\/SearchResultDetail?inquirytype=OfficerRegisteredAgentName&#038;directionType=Initial&#038;searchNameOrder=BEEBURTONZIII%20P090000643274&#038;aggregateId=domp-p09000064327-d6e3dc9a-5813-4545-ad87-f81cd784017a&#038;searchTerm=Beeble%20%20%20%20%20%20%20%20%20%20%20%20%20%20Kellie&#038;listNameOrder=BEEBLEKELLIEA%20L240001151610<\/a><\/li>\n<li><a href=\"https:\/\/www.mcclatchydc.com\/latest-news\/article218740565.html\" target=\"_blank\">https:\/\/www.mcclatchydc.com\/latest-news\/article218740565.html<\/a><\/li>\n<li><a href=\"https:\/\/www.mcclatchydc.com\/news\/nation-world\/national\/article184786328.html\" target=\"_blank\">https:\/\/www.mcclatchydc.com\/news\/nation-world\/national\/article184786328.html<\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/0196a84a-7a09-72cc-a787-801cddaf8f02\/\" target=\"_blank\">https:\/\/urlscan.io\/result\/0196a84a-7a09-72cc-a787-801cddaf8f02\/<\/a><\/li>\n<li><a href=\"https:\/\/unicourt.com\/case\/rc-ap1-hydentra-hlp-int-limited-v-constantin-luchian-et-al-51105\" target=\"_blank\">https:\/\/unicourt.com\/case\/rc-ap1-hydentra-hlp-int-limited-v-constantin-luchian-et-al-51105<\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/e4ee74ff-25c2-485d-9c21-11ff630703c2\/#summary\" 
target=\"_blank\">https:\/\/urlscan.io\/result\/e4ee74ff-25c2-485d-9c21-11ff630703c2\/#summary<\/a><\/li>\n<li><a href=\"https:\/\/opencorporates.com\/companies\/us_fl\/P17000092716\" target=\"_blank\">https:\/\/opencorporates.com\/companies\/us_fl\/P17000092716<\/a><\/li>\n<li><a href=\"https:\/\/web.archive.org\/web\/20191214155442\/https:\/\/www.mcclatchydc.com\/news\/investigations\/article238024734.html\" target=\"_blank\">https:\/\/web.archive.org\/web\/20191214155442\/https:\/\/www.mcclatchydc.com\/news\/investigations\/article238024734.html<\/a><\/li>\n<li><a href=\"https:\/\/web.archive.org\/web\/20250730205254\/https:\/\/www.rferl.org\/a\/methbot-russia-internet-fraud-state-sponsored-hacking-zhukov\/31241417.html\" target=\"_blank\">https:\/\/web.archive.org\/web\/20250730205254\/https:\/\/www.rferl.org\/a\/methbot-russia-internet-fraud-state-sponsored-hacking-zhukov\/31241417.html<\/a><\/li>\n<li><a href=\"https:\/\/gosecure.ai\/wp-content\/uploads\/Anatomy-of-Service-Worker-Abuse-From-Visit-to-Network-Anomaly.pdf\" target=\"_blank\">https:\/\/gosecure.ai\/wp-content\/uploads\/Anatomy-of-Service-Worker-Abuse-From-Visit-to-Network-Anomaly.pdf<\/a><\/li>\n<li><a href=\"https:\/\/blogs.infoblox.com\/cyber-threat-intelligence\/cyber-threat-advisory\/vast-malvertising-network-hijacks-browser-settings-to-spread-riskware\/\" target=\"_blank\">https:\/\/blogs.infoblox.com\/cyber-threat-intelligence\/cyber-threat-advisory\/vast-malvertising-network-hijacks-browser-settings-to-spread-riskware\/<\/a><\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/triada-trojan\/11481\/\" target=\"_blank\">https:\/\/www.kaspersky.com\/blog\/triada-trojan\/11481\/<\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/fb89ad59-72d7-4e05-9363-bcc6effe3f6b\/\" target=\"_blank\">https:\/\/urlscan.io\/result\/fb89ad59-72d7-4e05-9363-bcc6effe3f6b\/<\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/4ba9dd35-94d8-458e-864d-d2d97e92ef87\/#summary\" 
target=\"_blank\">https:\/\/urlscan.io\/result\/4ba9dd35-94d8-458e-864d-d2d97e92ef87\/#summary<\/a><\/li>\n<li><a href=\"https:\/\/www.virustotal.com\/gui\/file\/38891a56d25f66218be2aab15a90773919e8d91f0ed6b6b38637fba2b184c129\" target=\"_blank\">https:\/\/www.virustotal.com\/gui\/file\/38891a56d25f66218be2aab15a90773919e8d91f0ed6b6b38637fba2b184c129<\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/3eef35a8-8029-4eb4-823f-f32e36e81c57\/#summary\" target=\"_blank\">https:\/\/urlscan.io\/result\/3eef35a8-8029-4eb4-823f-f32e36e81c57\/#summary<\/a><\/li>\n<li><a href=\"https:\/\/urlscan.io\/result\/4ba9dd35-94d8-458e-864d-d2d97e92ef87\/#summary\" target=\"_blank\">https:\/\/urlscan.io\/result\/4ba9dd35-94d8-458e-864d-d2d97e92ef87\/#summary<\/a><\/li>\n<li><a href=\"https:\/\/blog.confiant.com\/malvertiser-d-shortiez-abuses-webkit-back-button-hijack-in-forced-redirect-campaign-6b57f91ee737\" target=\"_blank\">https:\/\/blog.confiant.com\/malvertiser-d-shortiez-abuses-webkit-back-button-hijack-in-forced-redirect-campaign-6b57f91ee737<\/a><\/li>\n<li><a href=\"https:\/\/www.digitalcitizensalliance.org\/clientuploads\/directory\/Reports\/Unholy-Triangle-Report.pdf\" target=\"_blank\">https:\/\/www.digitalcitizensalliance.org\/clientuploads\/directory\/Reports\/Unholy-Triangle-Report.pdf<\/a><\/li>\n<li><a href=\"https:\/\/web.archive.org\/web\/20250125182941\/https:\/\/www.techtarget.com\/searchsecurity\/feature\/Inside-Master134-Propeller-Ads-connected-to-malvertising-campaign\" target=\"_blank\">https:\/\/web.archive.org\/web\/20250125182941\/https:\/\/www.techtarget.com\/searchsecurity\/feature\/Inside-Master134-Propeller-Ads-connected-to-malvertising-campaign<\/a><\/li>\n<li><a href=\"https:\/\/www.godaddy.com\/resources\/news\/dollyway-malware-history\" target=\"_blank\">https:\/\/www.godaddy.com\/resources\/news\/dollyway-malware-history<\/a><\/li>\n<li>Wright, Inside &#8216;Master 134&#8217;<\/li>\n<li><a 
href=\"https:\/\/www.affiliatefix.com\/threads\/resolved-propellerads-traffic-issue.157288\/\" target=\"_blank\">https:\/\/www.affiliatefix.com\/threads\/resolved-propellerads-traffic-issue.157288\/<\/a><\/li>\n<li><a href=\"https:\/\/web.archive.org\/web\/20241108151006\/https:\/\/www.techtarget.com\/searchsecurity\/news\/252486702\/Digital-ad-networks-tied-to-malvertising-threats-again\" target=\"_blank\">https:\/\/web.archive.org\/web\/20241108151006\/https:\/\/www.techtarget.com\/searchsecurity\/news\/252486702\/Digital-ad-networks-tied-to-malvertising-threats-again<\/a><\/li>\n<li><a href=\"https:\/\/blog.confiant.com\/tag-barnakle-one-year-later-120-more-revive-adserver-hacks-f3e5b3bc8e70\" target=\"_blank\">https:\/\/blog.confiant.com\/tag-barnakle-one-year-later-120-more-revive-adserver-hacks-f3e5b3bc8e70<\/a><\/li>\n<li><a href=\"https:\/\/propellerads.com\/pr-general-response-to-articles-alleging-malware-on-the-propeller-ads-network\/\" target=\"_blank\">https:\/\/propellerads.com\/pr-general-response-to-articles-alleging-malware-on-the-propeller-ads-network\/<\/a><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Executive Summary One typically imagines the digital underworld\u2014trojans, malware droppers, fake dating sites, investment scams, and more\u2014as operating in the dark corners of the internet. But increasingly, these threats are hiding in plain sight, camouflaged by the glossy veneer of mainstream digital advertising. In some cases, the adtech platforms are abused, but we have uncovered [&hellip;]<\/p>\n","protected":false},"author":397,"featured_media":12220,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[254],"tags":[30,902,1082,1147,774,1298,1299,1300,1301,1302,1303,1304,1305],"class_list":{"0":"post-12219","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threat-intelligence","8":"tag-dns","9":"tag-tds","10":"tag-traffic-distribution-system","11":"tag-adtech","12":"tag-malvertising","13":"tag-malicious-adtech-ecosystem","14":"tag-detecting-malicious-adtech-via-dns-indicators","15":"tag-dns-based-mitigations-for-malvertising-risk","16":"tag-malicious-adtech-domains","17":"tag-propeller-ads","18":"tag-adtech-holding","19":"tag-webzilla","20":"tag-url-solutions","21":"entry"},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - 
https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Vane Viper: Russia\u2013Cyprus AdTech Nexus Delivering Malware<\/title>\n<meta name=\"description\" content=\"DNS analysis links Vane Viper&#039;s AdTech abuse to AdTech Holding and PropellerAds, delivering malware through fake software, APKs, and redirects.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Vane Viper: Russia\u2013Cyprus AdTech Nexus Delivering Malware\" \/>\n<meta property=\"og:description\" content=\"DNS analysis links Vane Viper&#039;s AdTech abuse to AdTech Holding and PropellerAds, delivering malware through fake software, APKs, and redirects.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\/\" \/>\n<meta property=\"og:site_name\" content=\"Infoblox Blog\" \/>\n<meta property=\"article:published_time\" content=\"2025-09-16T12:55:12+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-09-25T15:24:59+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network-thumbnail.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"936\" \/>\n\t<meta property=\"og:image:height\" content=\"936\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Infoblox Threat Intel\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"Vane Viper: Russia\u2013Cyprus AdTech 
Nexus Delivering Malware\" \/>\n<meta name=\"twitter:description\" content=\"DNS analysis links Vane Viper&#039;s AdTech abuse to AdTech Holding and PropellerAds, delivering malware through fake software, APKs, and redirects.\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network-thumbnail.jpg\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Infoblox Threat Intel\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"31 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\\\/\"},\"author\":{\"name\":\"Infoblox Threat Intel\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/b6aed8965e3298a0817c16d32c0a67ae\"},\"headline\":\"Deniability by Design: DNS-Driven Insights into a Malicious Ad 
Network\",\"datePublished\":\"2025-09-16T12:55:12+00:00\",\"dateModified\":\"2025-09-25T15:24:59+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\\\/\"},\"wordCount\":6832,\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network-thumbnail.jpg\",\"keywords\":[\"DNS\",\"TDS\",\"Traffic Distribution System\",\"Adtech\",\"malvertising\",\"malicious adtech ecosystem\",\"detecting malicious adtech via DNS indicators\",\"DNS-based mitigations for malvertising risk\",\"malicious adtech domains\",\"propeller ads\",\"adtech holding\",\"webzilla\",\"url solutions\"],\"articleSection\":[\"Infoblox Threat Intel\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\\\/\",\"name\":\"Vane Viper: Russia\u2013Cyprus AdTech Nexus Delivering 
Malware\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network-thumbnail.jpg\",\"datePublished\":\"2025-09-16T12:55:12+00:00\",\"dateModified\":\"2025-09-25T15:24:59+00:00\",\"description\":\"DNS analysis links Vane Viper's AdTech abuse to AdTech Holding and PropellerAds, delivering malware through fake software, APKs, and redirects.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network-thumbnail.jpg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network-thumbnail.jpg\",\"width\":936,\"height\":936},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/deniability-by-design-
dns-driven-insights-into-a-malicious-ad-network\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Infoblox Threat Intel\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/threat-intelligence\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Deniability by Design: DNS-Driven Insights into a Malicious Ad Network\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"name\":\"infoblox.com\\\/blog\\\/\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\",\"name\":\"Infoblox\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"width\":137,\"height\":30,\"caption\":\"Infoblox\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/b6aed8965e3298a0817c16d32c0a67ae\",\"name\":\"Infoblox Threat 
Intel\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"url\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"contentUrl\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"caption\":\"Infoblox Threat Intel\"},\"description\":\"Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet's inner workings allow us to track down threat actors that others can't see. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox Protective DNS solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/author\\\/infoblox-threat-intel\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Vane Viper: Russia\u2013Cyprus AdTech Nexus Delivering Malware","description":"DNS analysis links Vane Viper's AdTech abuse to AdTech Holding and PropellerAds, delivering malware through fake software, APKs, and redirects.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\/","og_locale":"en_US","og_type":"article","og_title":"Vane Viper: Russia\u2013Cyprus AdTech Nexus Delivering Malware","og_description":"DNS analysis links Vane Viper's AdTech abuse to AdTech Holding and PropellerAds, delivering malware through fake software, APKs, and redirects.","og_url":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\/","og_site_name":"Infoblox Blog","article_published_time":"2025-09-16T12:55:12+00:00","article_modified_time":"2025-09-25T15:24:59+00:00","og_image":[{"width":936,"height":936,"url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network-thumbnail.jpg","type":"image\/jpeg"}],"author":"Infoblox Threat Intel","twitter_card":"summary_large_image","twitter_title":"Vane Viper: Russia\u2013Cyprus AdTech Nexus Delivering Malware","twitter_description":"DNS analysis links Vane Viper's AdTech abuse to AdTech Holding and PropellerAds, delivering malware through fake software, APKs, and redirects.","twitter_image":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network-thumbnail.jpg","twitter_misc":{"Written by":"Infoblox Threat Intel","Est. 
reading time":"31 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\/#article","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\/"},"author":{"name":"Infoblox Threat Intel","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/b6aed8965e3298a0817c16d32c0a67ae"},"headline":"Deniability by Design: DNS-Driven Insights into a Malicious Ad Network","datePublished":"2025-09-16T12:55:12+00:00","dateModified":"2025-09-25T15:24:59+00:00","mainEntityOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\/"},"wordCount":6832,"publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network-thumbnail.jpg","keywords":["DNS","TDS","Traffic Distribution System","Adtech","malvertising","malicious adtech ecosystem","detecting malicious adtech via DNS indicators","DNS-based mitigations for malvertising risk","malicious adtech domains","propeller ads","adtech holding","webzilla","url solutions"],"articleSection":["Infoblox Threat Intel"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\/","url":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\/","name":"Vane Viper: Russia\u2013Cyprus AdTech Nexus Delivering 
Malware","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\/#primaryimage"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network-thumbnail.jpg","datePublished":"2025-09-16T12:55:12+00:00","dateModified":"2025-09-25T15:24:59+00:00","description":"DNS analysis links Vane Viper's AdTech abuse to AdTech Holding and PropellerAds, delivering malware through fake software, APKs, and redirects.","breadcrumb":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.infoblox.com\/blog\/threat-intelligence\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\/#primaryimage","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network-thumbnail.jpg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network-thumbnail.jpg","width":936,"height":936},{"@type":"BreadcrumbList","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.infoblox.com\/blog\/"},{"@type":"ListItem","positi
on":2,"name":"Infoblox Threat Intel","item":"https:\/\/www.infoblox.com\/blog\/category\/threat-intelligence\/"},{"@type":"ListItem","position":3,"name":"Deniability by Design: DNS-Driven Insights into a Malicious Ad Network"}]},{"@type":"WebSite","@id":"https:\/\/www.infoblox.com\/blog\/#website","url":"https:\/\/www.infoblox.com\/blog\/","name":"infoblox.com\/blog\/","description":"","publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.infoblox.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.infoblox.com\/blog\/#organization","name":"Infoblox","url":"https:\/\/www.infoblox.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","width":137,"height":30,"caption":"Infoblox"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/b6aed8965e3298a0817c16d32c0a67ae","name":"Infoblox Threat Intel","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","url":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","contentUrl":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","caption":"Infoblox Threat Intel"},"description":"Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? 
Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet's inner workings allow us to track down threat actors that others can't see. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox Protective DNS solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.","url":"https:\/\/www.infoblox.com\/blog\/author\/infoblox-threat-intel\/"}]}},"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/12219","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/397"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=12219"}],"version-history":[{"count":25,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/12219\/revisions"}],"predecessor-version":[{"id":12326,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/12219\/revisions\/12326"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/12220"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=12219"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=12219"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=12219"}],"curies":[{"name":"wp","h
ref":"https:\/\/api.w.org\/{rel}","templated":true}]}}