Adtech Abused by Threat Actors to Spread Malicious Advertisements
Malicious advertising campaigns have surged in sophistication, with cybercriminals exploiting and even operating adtech firms to deliver malware, credential stealers and phishing schemes directly through mainstream ad networks.
A cluster of interconnected companies—run through shell corporations, hosted on compromised infrastructure, and registered en masse via a notorious registrar—has enabled a prolific threat actor, dubbed “Vane Viper,” to funnel malicious ads at global scale.
With plausible deniability built into every layer, these operations have become a persistent danger for enterprises and consumers alike.

Vane Viper’s campaign begins at the corporate top: AdTech Holding, a Cyprus-based firm, controls subsidiaries including PropellerAds, ProPushMe, Zeydoo, Notix and Adex.
These platforms present themselves as legitimate supply- and demand-side ad networks, but in practice aggregate traffic from compromised sites and route clicks through a traffic distribution system (TDS) to malicious landing pages.
Corporate filings trace PropellerAds to shell entities in Cyprus, the Isle of Man and London, while their registrar, URL Solutions (also known as Pananames), ranks among the riskiest registrars for bulk domain registrations.
Behind the sheen of glossy banners and pop-ups lies a tangled web of shell companies. PropellerAds subsidiaries conceal ownership through nested holding firms, and their infrastructure overlaps with Webzilla’s hosting networks—infamous for hosting piracy sites and click-fraud farms.
Executives tied to Russian oligarchs and convicted fraudsters further blur legal accountability, allowing malvertising campaigns to flourish under the guise of a mainstream advertising model.
Dynamic Cloaking Tactics
Rather than relying solely on banner ads, Vane Viper leverages browser push notifications and service-worker scripts to achieve persistence and evade takedowns.
Igor Limbakh appears as a company director for both PropellerAds and AdTech Holding, and holds directorships at Samoukale Enterprises (Adex), Itpub, Finplat Technologies, Fourup, and others.

When users visit compromised or lookalike domains, they are prompted to accept notifications.
Once granted, these in-browser alerts deliver an uninterrupted stream of malicious ads, malware droppers and phishing lures.
Vane Viper accounts for nearly half of all bulk registration events made through URL Solutions since January 2023.

Observed push-notification domains include in-page-push.com and pushimg.com—some active for years, while thousands of fresh domains are registered monthly to replace those shut down.
Dynamic cloaking techniques ensure that security researchers see benign content, while real victims are routed through multiple redirection layers, history poisoning scripts and geofencing filters.
Traffic flows originating from a bit.ly link can chain through TDS commands, partner proxies, and finally drop a banking trojan APK on Android devices. By tailoring payloads based on the user’s region, device type and time zone, these campaigns maximize infection rates and monetize at every click.
Implications for Users
The Vane Viper operation underscores fundamental flaws in the digital advertising ecosystem, which prioritizes scale and profitability over accountability.
The monthly count of domains registered has risen steadily since January 2023, peaking at 3,500 domains in October 2024.

Enterprises face risk when legitimate ad networks unwittingly deliver malware or credential-harvesting pages to employees, while consumers encounter trap-laden websites masquerading as video players, shopping portals or software downloads.
Traditional security tools struggle against cloaked TDS infrastructure and push-notification persistence, making detection and remediation difficult.
To mitigate these threats, organizations must adopt a multi-layered defense strategy:
- Enforce content-security policies to restrict service-worker execution.
- Monitor DNS telemetry for anomalous query volumes indicative of malicious TDS activity.
- Implement stricter browser controls around push notifications and third-party scripts.
- Vet adtech partners for transparent ownership, abuse-reporting processes and rapid takedown procedures.
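The DNS-telemetry point above can be made concrete. The following is an added example, not code from the article or from any vendor it names: it scans constructed DNS log lines for the two push-notification domains the article identifies (in-page-push.com, pushimg.com) and for clients that resolve an unusual number of never-before-seen registrable domains, the pattern left behind by the monthly churn of fresh domains described above. The log format, the baseline set and the threshold are assumptions.

```python
# Added example: flag clients whose DNS telemetry shows push-notification ad
# domains or a burst of first-seen registrable domains (high domain churn).
from collections import defaultdict
import re

# Push-notification domains named in the article; the threshold is an assumed tuning value.
KNOWN_PUSH_DOMAINS = {"in-page-push.com", "pushimg.com"}
NEW_DOMAIN_THRESHOLD = 4  # distinct first-seen domains per client before flagging

# Constructed sample DNS log lines (assumed format): "<unix_ts> <client_ip> <qname>"
SAMPLE_LOG = """\
1700000001 10.0.0.5 www.example.com
1700000002 10.0.0.5 pushimg.com
1700000003 10.0.0.7 cdn.example.org
1700000004 10.0.0.5 a1.xyz-fresh.top
1700000005 10.0.0.5 b2.rand-push.site
1700000006 10.0.0.5 c3.newad.click
1700000007 10.0.0.5 d4.tds-hop.xyz
1700000008 10.0.0.7 mail.example.org
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")

def registrable_domain(qname: str) -> str:
    """Naive eTLD+1 (last two labels); production code should use the public suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()

def analyze_dns(log_text: str, baseline: set) -> dict:
    """Per-client findings: push-domain hits and registrable domains not in the baseline."""
    findings = defaultdict(lambda: {"push_hits": set(), "first_seen": set()})
    seen = set(baseline)  # domains already known from historical telemetry
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        _, client, qname = m.groups()
        domain = registrable_domain(qname)
        if domain in KNOWN_PUSH_DOMAINS:
            findings[client]["push_hits"].add(domain)
        if domain not in seen:
            seen.add(domain)
            findings[client]["first_seen"].add(domain)
    # Keep only clients with a push-domain hit or an abnormal count of new domains.
    return {c: f for c, f in findings.items()
            if f["push_hits"] or len(f["first_seen"]) >= NEW_DOMAIN_THRESHOLD}

def flagged_clients(log_text: str, baseline: set) -> list:
    """Sorted client IPs worth triaging, e.g. for a SIEM alert."""
    return sorted(analyze_dns(log_text, baseline))
```

Against the sample log with a baseline of example.com and example.org, only 10.0.0.5 is flagged: it hit pushimg.com and resolved five previously unseen domains.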
Ultimately, the rise of Vane Viper illustrates how cybercriminals have repurposed the adtech supply chain into a weapon. Without systemic reforms—such as standardized transparency requirements, stronger registrar accountability and industry-wide abuse-handling protocols—the cycle of malvertising will persist.
For defenders and internet users, the challenge is clear: to reclaim trust in digital advertising, the adtech ecosystem must be reengineered to favor responsibility over reach.