Traffic signals: The VASTFLUX Takedown

HUMAN’s Satori Threat Intelligence and Research Team dismantled a sophisticated malvertising operation named VASTFLUX that injected JavaScript into ad creatives to stack multiple video players behind a single banner and fraudulently register views. The operation spoofed thousands of apps and publishers at scale, evading ad verification and ultimately being taken down through private collaboration with customers and the Human Collective. #VASTFLUX #Satori

Keypoints

  • VASTFLUX was a malvertising operation that injected JavaScript into ad creatives to stack numerous invisible video ad players behind one another and register ad views.
  • At its peak, the scheme handled about 12 billion bid requests per day, spoofed over 1,700 apps and 120 publishers, and affected nearly 11 million devices.
  • The actors evaded ad verification tags, complicating detection and defense.
  • The attack targeted in-app iOS advertising environments, exploiting restricted app ecosystems and privacy policies.
  • Mitigation came in three waves between late June and July, cutting traffic from 12 billion to under 1 billion bid requests per day and ultimately shutting down the C2 servers.
  • IOCs include a list of domain names used as C2 endpoints; the takedown was complemented by collaboration with abused organizations and law enforcement.

MITRE Techniques

  • [T1059.007] JavaScript – The injected scripts decrypt the ad configurations and orchestrate stacked video players behind a static banner. Quote: “…The injected scripts decrypt the ad configurations (the above screenshot). These configurations include a static banner image to put in the ad slot, a single video ad player hidden behind the banner image, and a series of additional parameters for more stacked video players. The script then calls home to a command-and-control (C2) server…”
  • [T1071.001] Web Protocols – The scripts call home to a command-and-control (C2) server for further information on what to place behind that static banner image. Quote: “…The script then calls home to a command-and-control (C2) server for further information on what to place behind that static banner image.”
  • [T1027] Obfuscated/Decoded Files or Information – VASTFLUX used obfuscated JavaScript and configuration data, including decryption steps. Quote: “The decrypted configuration object served with the bad ad code”
  • [T1036] Masquerading – The actors spoofed publisher IDs and app IDs to misrepresent targets within the ad ecosystem. Quote: “publisher ID that the VASTFLUX apps spoof, and the app ID that the VASTFLUX apps spoof.”
  • [T1132] Data Encoding – Base64 encoding used to conceal VAST player URLs; decoding reveals the actual instructions. Quote: “decode it using base64, it turns into this:”
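
The stacking pattern described in the entries above, where several hidden video players sit behind one static banner in a single ad slot, can be checked for from the ad-verification side. The following is an added example, not code from HUMAN's post or from VASTFLUX itself; the element records, their z-order and opacity fields, and the 99% coverage threshold are assumptions made so the check runs in Node without a browser.

```javascript
// Added example: detect "ad stacking" (video players hidden behind a banner).
// Elements are plain objects standing in for rendered DOM nodes; in a real
// verification tag they would come from getBoundingClientRect()/getComputedStyle().

// Fraction of element b's area that element a covers (axis-aligned boxes).
function coverage(a, b) {
  const x = Math.max(0, Math.min(a.x + a.w, b.x + b.w) - Math.max(a.x, b.x));
  const y = Math.max(0, Math.min(a.y + a.h, b.y + b.h) - Math.max(a.y, b.y));
  const area = b.w * b.h;
  return area === 0 ? 0 : (x * y) / area;
}

// A player is "hidden" when it has no visible surface (zero size or opacity)
// or when a banner image drawn above it covers it almost completely.
function isHiddenPlayer(player, banners) {
  if (player.opacity === 0 || player.w === 0 || player.h === 0) return true;
  return banners.some(b => b.z > player.z && coverage(b, player) >= 0.99); // assumed threshold
}

// Scan one ad slot and report how many video players a viewer cannot see.
function analyzeSlot(elements) {
  const banners = elements.filter(e => e.type === 'img');
  const players = elements.filter(e => e.type === 'video');
  const hidden = players.filter(p => isHiddenPlayer(p, banners));
  return {
    visiblePlayers: players.length - hidden.length,
    hiddenPlayers: hidden.length,
    // One visible player is normal; any player hidden behind a banner is the
    // stacking signal that should fail verification for the impression.
    stacked: hidden.length >= 1,
  };
}

// Constructed sample: a 320x50 slot with a banner image on top and three
// full-size video players stacked behind it (the last one also at opacity 0).
const STACKED_SLOT = [
  { type: 'img',   x: 0, y: 0, w: 320, h: 50, z: 10, opacity: 1 },
  { type: 'video', x: 0, y: 0, w: 320, h: 50, z: 1,  opacity: 1 },
  { type: 'video', x: 0, y: 0, w: 320, h: 50, z: 2,  opacity: 1 },
  { type: 'video', x: 0, y: 0, w: 320, h: 50, z: 3,  opacity: 0 },
];

// Constructed sample: a legitimate slot with a single visible video player.
const CLEAN_SLOT = [
  { type: 'video', x: 0, y: 0, w: 320, h: 50, z: 1, opacity: 1 },
];

console.log('stacked slot:', analyzeSlot(STACKED_SLOT));
console.log('clean slot:', analyzeSlot(CLEAN_SLOT));
```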

Indicators of Compromise

  • [Domain] C2 domains – analytichd.com, bidderev.com, and 20 more domains

Read more: https://www.humansecurity.com/learn/blog/traffic-signals-the-vastflux-takedown