Infoblox Threat Intel

Vacant Viper

Vacant Viper uses the “Sitting Ducks” DNS attack vector to hijack about 2,500 domains a year with lame name server delegation. The actor leverages the reputations of established domains to pass through security filters as benign entities. Vacant Viper appears to use free DNS hosting services, holding each hijacked domain for approximately 30 days at a time. This enables multiple actors to reuse valuable domain assets.

Hijacked domains are used for multiple purposes, most notably for routing in the 404TDS. This malicious TDS is known to deliver malware, including AsyncRAT and DarkGate, as well as scams.

Vacant Viper

Operating since: At least 2019
Infoblox discovered: Feb 2024
Infoblox published: July 2025
Prevalence: Uncommon

Threat actor resources

Blog

Infoblox Threat Intel
November 14, 2024

DNS Predators Hijack Domains to Supply their Attack Infrastructure

Learn how DNS threat actors hijack domains and use them in their malicious campaigns.

Research Report

Infoblox Threat Intel
November 14, 2024

DNS Predators Attack: Vipers and Hawks Hijack Sitting Ducks Domains

Get insights from the Infoblox Threat Intel team in this Research Report covering key tactics, emerging threats, and practical steps to protect your DNS, brand, and users.

Infoblox Threat Intel

Vacant Viper

Threat actor resources

Blog

DNS Predators Hijack Domains to Supply their Attack Infrastructure

Research Report

DNS Predators Attack: Vipers and Hawks Hijack Sitting Ducks Domains

Products

Solutions

Company

Resources

Get Infoblox Email Updates