CyberWire Daily - When clicks turn criminal. [Research Saturday]
Episode Date: November 15, 2025
Dr. Renée Burton, Vice President of Threat Intelligence at Infoblox, shares the team's work on "Deniability by Design: DNS-Driven Insights into a Malicious Ad Network." Infoblox returns with new threat actor research uncovering Vane Viper, a Cyprus-based holding company behind PropellerAds, one of the world's largest advertising networks. The report reveals that Vane Viper isn't just being exploited by criminals but operates as criminal infrastructure itself, built to profit from fraud, malware, and disinformation through offshore entities and complex ownership structures. The findings highlight the growing convergence between adtech, cybercrime, and state-linked influence operations, suggesting that elements of the global digital advertising ecosystem now function as infrastructure for large-scale cyber and disinformation campaigns. The research can be found here: Deniability by Design: DNS-Driven Insights into a Malicious Ad Network
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Step into the digital Upside Down with Cyber Things,
Armist's new three-part podcast series,
which will dive into the unseen world of cybersecurity.
From real-life hacks to the digital shadows of the dark web,
we connect pop culture and protection, fear and control.
Episode one drops soon, so look out for Cyber Things in partnership with Cyberwire.
Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple?
Meet Meter, the company reimagining enterprise networking from the ground up.
Meter builds full-stack zero-trust networks, including hardware, firmware, and software,
all designed to work seamlessly together.
The result?
fast, reliable, and secure connectivity without the constant patching, vendor juggling, or hidden costs.
From wired and wireless to routing, switching, firewalls, DNS security, and VPN,
every layer is integrated and continuously protected in one unified platform.
And since it's delivered as one predictable monthly service,
you skip the heavy capital costs and endless upgrade cycles.
Meter even buys back your old infrastructure to make switching,
effortless. Transform complexity into simplicity and give your team time to focus on what really
matters, helping your business and customers thrive. Learn more and book your demo at meter.com
slash cyberwire. That's M-E-T-E-R dot com slash cyberwire.
Hello everyone and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking
down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves
in a rapidly evolving cyberspace.
Thanks for joining us.
So what we have found, particularly
over the last year is essentially a lot of threats that we previously believed were associated
with those actors hiding in the dark, working in those dark web forums, groups of hacker gangs.
They in fact are being backed by registered businesses in various parts of the world.
They advertise openly on the internet, and they provide a variety of advertising-related services.
That's Dr. Renée Burton, Vice President of Threat Intelligence at Infoblox.
The research we're discussing today is titled Deniability by Design, DNS-driven insights into a malicious ad network.
Well, let's dig in and talk about Vane Viper itself.
How did you first come across this threat actor?
So we first found Vane Viper back in, like, 2022.
And we found it similarly both through accidental things, but also through DNS.
And at the time, they were heavily seen in compromised websites.
I personally had the experience where I was just doing some browsing.
And suddenly there was this little pop-up that said Omnator wants to show you notifications. Who's Omnator? I'm definitely not visiting that website. So I said no, which was good, because that turned out to be a lead into us discovering, again, through DNS, by putting together, DNS here being the domain names and IP addresses. We put those together and realized this is actually an entire actor, meaning a, you know, a person or a group that we would be able to track, and that they were heavily involved in both scams and in malware. And then it took us years, it took us about two years, to realize that in fact they were registered companies.
Wow. Well, before we dig into some more of the details, you mentioned DNS, and your research points out that you and your team saw about a trillion, with a T, DNS queries linked to Vane Viper in just about a year.
Can you put that in perspective for us, what this means in terms of scale?
Yeah, that trillion was within our customer environments as well.
So if you think about it, you know, globally, it's actually going to be much larger.
These are extraordinarily popular domains, meaning that there's a lot of traffic associated with them.
They're going to be not as popular as Google, right?
not as popular as Facebook, but they're still going to be up there more popular than very common
VPN, security services, sharing systems, things like that.
So tons and tons and tons of domain name traffic.
And to what that says to us is there is a lot of ways in which that actor is approaching
both consumers and enterprises.
And what exactly are they up to here? What's the approach and what are they hoping to get out of this?
They're certainly financially motivated as a company. They're making money off of the people who sign up with them as, quote, publishers, meaning that they put the links on things, and advertisers, which are the ones that show things. They are distributing both scams and malware. So they're affiliating or having advertisers who are the ones actually giving these scams and malware. However, we also had
very specific instances, again, one coming from my own phone, where malware was dropped directly
onto my device from an IP address that is theirs, that is in their network.
Is there a legitimate side to their business? You all talk about plausible deniability in the report here. Is it all malware and, uh, scams?
It's mostly. I think that that's just a side effect, too, of when you're in this type of advertising business. You're right, you don't have the cachet of being Google or being Taboola, any one of these really big, well-known advertising networks. They are out of Cyprus, but they're Russian-oriented, so they get a different kind of traffic. They're going to be seen on a variety of, like, gambling sites, or on cracking sites, or on free video download sites. You'll see that their ads would be there. That's one of the many ways that would happen. And so you might argue, well, this illegal gambling site is legitimate in some, you know, in some fashion, and they're using them as a customer.
I think also that we find with these ad tech businesses that they are trying to get people who want to make money.
If you think about, you know, the world and the economy all over the world, it's quite varied.
And there's a lot of hope around the world.
So there's a lot of people in Indonesia, India, a variety of other countries that face a lot of economic challenges. And what they see is basically marketing,
that affiliate marketing is a way that they can make money. And a lot of them will join in,
you know, to do that kind of thing. So they might end up being led down a path where they're
delivering scams, but in fact themselves are really just trying to find a way to make a,
make bread, you know, put food on the table type of thing.
Yeah.
The research describes Vane Viper as being tied to AdTech Holding and its subsidiaries,
companies like PropellerAds.
Can you unpack that corporate structure for us?
There's shell companies.
There's offshore registrations.
There's a lot to unwind here.
AdTech Holding is one of, you know, many different actors that we're looking at.
More recently, we also released on an actor known as VexTrio, whose structures are even more convoluted.
In the case of AdTech Holding, everything that we're looking at really is in that advertising and marketing technology space.
But there are a bunch of companies that they essentially advertise to be independent of each other, but are still under that holding.
So PropellerAds is probably their big flagship one.
But PropellerAds itself has other entities like Monetag below that.
There's a group called Zeydoo, which is independent in some ways,
but it's still part of AdTech Holding.
So there's a lot of ownership aspects over the last more than a decade
that really tie different companies together,
including their hosting providers.
Lots of personalities who are involved in the, particularly the Cyprus regional tech market.
Well, can we dig into some of the tools that they're actually using here?
There's a lot of things going on for them to be able to do it with what they do.
Can you walk us through some of that?
So when we look at what sort of tools or tactics devices that they are using,
they heavily use push notifications.
This is widely used across malicious ad tech.
And it's actually quite brilliant.
It provides a mechanism for persistence on a device
in that somehow or another you convince someone to allow notifications.
And now, instead of getting that one opportunity to scam them,
you get an infinite number of opportunities.
And even more than that, I recently had one where we were recording.
We found, it's a different company, but it's similar,
the information that they provide allows me to see what they're tracking about me.
And I could see that they're charging the advertiser about five cents
to get a push notification onto my phone.
And then I can also see that they've already computed my conversion rate, or the likelihood of me actually looking at that ad, to be almost zero, just slightly above zero, and yet they're pushing 100 notifications a day. So if you think about that from the ad tech, or AdTech Holding, or PropellerAds' side, they're able to push, you know, 100 notices a day onto a single device, charging five cents or one, whatever it is, for that device. They're getting that money no matter what, even if the user doesn't click on it. So they can just roll in cash through these notifications, because they're charging the advertisers to be able to show the notification, which is quite brilliant. That's one of the ways in which they're handling victims. And they get it on both sides, right? They get the victim, but they also get the advertiser who is paying them in order to show these advertisements, which is really interesting. The other thing that they do is they're providing a traffic
distribution system or TDS is the term we would use. The concept there is that I'm giving
you the offer or the ad that you're most likely to buy, which here is going to be the scam
or the malware. So depending on your device type, where you are in the region,
what kind of notification you already clicked.
This would happen even if it was just a pop-up ad.
So say, for instance, maybe you're on a gaming site or a movie streaming site,
sort of I know that so I can make tailored things to you as well as your IP address or your device type.
And then I will funnel you through this TDS in order to deliver the offer that, one,
you're more likely to buy, but two, I'm going to make money off of it as the advertising network.
We'll be right back.
At Thales, they know cybersecurity can be tough and you can't protect everything,
but with Thales you can secure what matters most.
With Thales's industry-leading platforms, you can protect critical applications, data and identities,
anywhere and at scale with the highest ROI.
That's why the most trusted brands and largest banks, retailers, and healthcare companies in the world rely on Thales to protect
what matters most: applications, data, and identity. That's Thales. Learn more at thalesgroup.com/cyber.
And now a word from our sponsor, ThreatLocker, the powerful zero-trust enterprise solution that stops ransomware in its tracks.
Allowlisting is deny-by-default software that makes application control simple and fast.
Ringfencing is an application containment strategy, ensuring apps can only access the files,
registry keys, network resources, and other applications they truly need to function.
Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
Now, you all found some of these campaigns that look to the user like normal software downloads or even search pages.
How would a victim typically stumble into one of these traps?
So they can just be regularly browsing the web. That is absolutely one way that can happen, especially with pages that are smaller or less common, and they've taken on advertising as a way to make some money off of that page. It can come through parking systems, we've found. It can come through compromised websites. It could come through spam. So a variety of ways will take the victim into that funnel, essentially.
And then in those two cases that you're mentioning from the paper, in one case we had a phone, and that phone kind of met the criteria for the malware download, and it essentially said, you know, you need to download this file. And when we clicked it and downloaded it, that turned out to be an information stealer, as I recall. But if you weren't the right person, like your device was too old or too new, or whichever way in which you didn't match, or they thought you were, say, a security company, then instead you got a Google search page.
So you had just clicked, and suddenly it showed a Google search page.
And that's the decoy part of it.
Right.
Interesting.
Now, one of the things that caught my eye in the research was sort of you and your colleagues going through this aha moment of shifting from, hey, PropellerAds is being abused, to, wait a minute, PropellerAds might be complicit.
Can you walk us through that process for you all?
Yes, I think this is the process
that we have to go through whenever there's a commercial entity involved,
whether it be a small one or a big one, like Google, right?
Every time that you see a company that's offering a commercial service,
and is being abused,
then you need to understand,
okay, what role specifically are they playing?
It could be that they're just lazy,
that they aren't checking information
from their advertisers.
It could be they're overwhelmed, right?
Some people would argue this about how much Google,
you know, there's a ton of malvertising
that comes through Google search,
and people would argue
whether there's too much or for whatever reasons they struggle to be able to handle that.
It's one of the more popular things that happen.
The other thing that happens is that the advertisers who are, say, doing malware or scams,
those are typically what we call cloaked, meaning they're hiding as well.
And they're doing that, say, independent of Propeller in this case.
So Propeller could make an argument that we can't even see that it's bad,
because they've cloaked the ad.
That is certainly true in the case of large groups like Facebook and Google.
Those ads are cloaked.
It may be hard for them to tell that.
So there's a lot of complexity that comes down to,
am I actually going to make an accusation of being involved or being complicit,
knowingly catering to cyber criminals?
In our case, we were able to show, not once but many times (we only highlight a few of those within the paper), that we were getting malicious content delivery, and specifically malware, directly from the IP addresses that are known to be owned by PropellerAds.
So this wasn't a redirection where they were sending stuff to an external advertiser, and that external, quote, advertiser was delivering the malware. They were doing it off of their own infrastructure, which makes them responsible.
Looking at the bigger picture here, when we consider Vane Viper, is this just kind of part of the digital advertising ecosystem in which we live these days, or is it sort of the, I don't know, the dark underbelly of that world?
Well, I'm really optimistic.
I think what has happened is that a group, a large number of groups of organized crime, predominantly driven out of Russian-speaking areas, that's not exclusive, but it's predominantly that, starting in around 2015, were able to create an entire ecosystem.
And they're successful in staying off the radar,
in part because they weren't trying to be on CBS's front page, right?
They were working in this other world of compromising domains
and doing smaller sites and advertising.
Because of the successful nature of their cloaking or their hiding of domains,
it took a very long time for people to start to realize,
wait a second, this is actually connected to the distribution of all kinds of malicious content,
including ones that lead to, you know, data breaches that people care a lot about
and disinformation like the doppelganger Russian disinformation campaigns.
Once that starts rolling and people start realizing these things go together,
there is a traffic distribution system involved,
Now we're moving along three, four, five more years in understanding things within the security industry.
People are gaining momentum and realizing, oh, wait a second, these are registered companies.
So the scrutiny on these companies is gaining momentum.
It is going to get bigger and bigger and bigger.
And I am an optimist.
I think they will be held accountable.
And I think we will find better defenses as we go forward.
I admire your optimism.
So based on the information that you all have gathered here,
what are your recommendations?
I mean, for both business leaders who are looking to protect their organization,
but then also for everyday users, any words of wisdom here?
So for users, really don't accept notifications. That's an important thing altogether, and be somewhat suspicious if you see something that suddenly redirects you. You know, like you hit on something and then it showed you a Google search page, or it showed you a Facebook or an Amazon just out of the blue. That is probably part of malicious advertising. And in every country in the world there is a way in which you can report that activity to law enforcement.
It is really important for us to report these things to law enforcement,
whether we saw them and weren't victimized or more importantly when we are victimized
because that is what the momentum requires in order to get people taken care of
to be able to understand the victimology of those things.
Certainly putting in security measures, you know, wherever you can find security measures that are going to specifically tackle traffic distribution systems, they're so hard to see and recognize and track, that that kind of thing is going to be really helpful for you.
As a consumer where you don't have money for big devices,
things like an ad blocker will certainly help.
It's not perfect, but it would definitely help.
Our thanks to Dr. Renée Burton from Infoblox for joining us.
The research is titled Deniability by Design, DNS-driven insights into a malicious ad network.
We'll have a link in the show notes.
And that's Research Saturday, brought to you by N2K Cyberwire.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to Cyberwire at n2k.com.
This episode was produced by Liz Stokes.
We're mixed by Elliot Peltzman and Trey Hester.
Our executive producer is Jennifer Ivan.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time.