Groundbreaking research reveals how PropellerAds and its parent AdTech Holding are enabling large-scale scams, malware distribution, and ad fraud.
Infoblox Threat Intel has unveiled explosive new findings about “Vane Viper,” a sophisticated threat actor operating under the guise of a legitimate advertising technology company. The investigation reveals that Vane Viper, also known as AdTech Holding—the parent company of PropellerAds—is not simply being abused by criminals but is actively enabling large-scale malware distribution, phishing, and fraudulent advertising campaigns.
Tracked by Infoblox for more than three years, Vane Viper has proven to be one of the most pervasive threats in the digital ecosystem. Malvertising domains tied to the group have been detected in approximately 50% of Infoblox customer networks. Their reach is staggering, with some tracking domains ranking among the top 1,000 websites globally.
“Cybercriminals aren’t just exploiting adtech platforms, sometimes, they are the adtech platforms.”
– Dr. Renée Burton, VP of Threat Intel, Infoblox
Unlike previous assumptions that ad networks may unknowingly facilitate malicious activity, Infoblox’s research shows that PropellerAds and its affiliates directly delivered malware to researchers on multiple occasions. The group operates more than 60,000 domains, using deceptive ads, cloaking techniques, and traffic distribution systems (TDSs) to evade detection and maximize profits.
The investigation also uncovered links between Vane Viper’s infrastructure and Webzilla/XBT Holdings, which has been previously associated with ad fraud, Russian disinformation, and piracy platforms. With connections to Russian oligarchs, convicted fraudsters, and adult content platforms, Vane Viper exemplifies how criminal enterprises exploit the digital advertising industry’s opaque structures for plausible deniability.
Dr. Renée Burton, VP of Threat Intel at Infoblox, emphasized the scale of the threat: “In the past, we thought of the digital underworld as operating in the shadowy corners of the internet. But many bad actors now hide in plain sight, creating commercial operations that mask malicious intent. Vane Viper is one of several large-scale operators we are tracking that emerged around 2015, primarily controlled by Russian diaspora groups in Europe and Cyprus.”
By exposing the direct role of adtech firms in cybercrime, Infoblox underscores the urgent need for greater accountability within the digital advertising ecosystem.
