
Vane Viper

Also known as Vane Viper

Vane Viper, also known as Omnatuor, is a cybercrime threat actor associated with malicious adtech, malvertising, ad fraud, and traffic distribution infrastructure. Infoblox reported that the actor has operated in this role for at least a decade and previously documented it in August 2022 as a malvertising network similar to VexTrio Viper. The actor is described as using shell companies and opaque ownership structures to evade accountability.

According to the reporting, Vane Viper exploits vulnerable WordPress sites and leverages hundreds of thousands of compromised websites and malicious ads to redirect users to scams, exploit kits, malware, and other fraudulent destinations. Reported payloads and outcomes include riskware, spyware, adware, Lumma Stealer delivered behind fake CAPTCHA pages, and at least one instance involving the Android malware Triada. Guardio Labs linked its DeceptionAds campaign to Vane Viper infrastructure; that campaign distributed Lumma Stealer via fake CAPTCHA verification pages and facilitated ClickFix-style social engineering.

A notable technique attributed to Vane Viper is systematic abuse of browser push-notification permissions using service workers, which allows persistent ads and deceptive notifications to reach a user after they leave the originating page. Infoblox also reported that this push-notification abuse was used to serve ads and facilitate ClickFix-style social engineering campaigns.

Infoblox assessed Vane Viper infrastructure at roughly 60,000 domains with rapid churn, with most domains active for less than a month, alongside some long-lived domains such as omnatuor[.]com and propeller-tracking[.]com. The actor was reported to account for about 1 trillion DNS queries over the past year across about half of Infoblox customer networks, and to have registered large numbers of new domains monthly, peaking at about 3,500 in October 2024.
The reporting also states that Vane Viper appears to share infrastructure and personnel ties with URL Solutions (Pananames), Webzilla, and XBT Holdings. Infoblox further reported that URL Solutions is linked to disinformation sites associated with the Russian influence operation Doppelgänger. One cited roundup additionally described Vane Viper as linked to the Russian diaspora in Europe and Cyprus. The content does not establish Vane Viper as a nation-state actor.
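
For defenders, the two long-lived domains named above can be hunted in resolver logs. The following is an added example, not code from Infoblox or this site; the log line format (`timestamp client_ip qname qtype`) and the sample lines are constructed assumptions. Because most of the actor's domains churn within a month, this covers only the stable domains the reporting names.

```python
from collections import Counter

# Long-lived Vane Viper domains named in the reporting above (shown defanged there).
DEFANGED = ["omnatuor[.]com", "propeller-tracking[.]com"]


def refang(indicator):
    """Turn a defanged indicator into a normalized, comparable domain name."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


WATCHLIST = {refang(d) for d in DEFANGED}


def matched_domain(qname):
    """Return the watchlist domain that qname equals or is a subdomain of, else None."""
    labels = qname.lower().rstrip(".").split(".")
    # Compare label-aligned suffixes only, so "notomnatuor.com" and
    # "omnatuor.com.example.org" do not produce false positives.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in WATCHLIST:
            return candidate
    return None


def hits_per_client(log_lines):
    """Count watchlist hits per (client_ip, domain).

    Assumed line format: 'timestamp client_ip qname qtype'.
    """
    hits = Counter()
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines rather than failing the whole run
        domain = matched_domain(fields[2])
        if domain:
            hits[(fields[1], domain)] += 1
    return hits


# Constructed sample resolver log lines (not real telemetry).
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z 10.0.0.5 cdn.omnatuor.com. A",
    "2025-01-01T10:00:02Z 10.0.0.5 OMNATUOR.COM A",
    "2025-01-01T10:00:03Z 10.0.0.7 notomnatuor.com A",
    "2025-01-01T10:00:04Z 10.0.0.7 a.b.propeller-tracking.com AAAA",
    "2025-01-01T10:00:05Z 10.0.0.9 omnatuor.com.example.org A",
    "malformed",
]
```

Repeated hits from one client after the browser tab is closed are consistent with the service-worker push-notification behaviour described above and are worth checking against that host's browser notification permissions.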


MITRE ATT&CK

Tradecraft

4 distinct techniques observed across reporting, grouped by tactic.

5 of 15 tactics, 7 techniques

TA0001 Initial Access (1 technique): T1566 Phishing
TA0002 Execution (1 technique): T1204 User Execution
TA0003 Persistence (1 technique): T1205 Traffic Signaling
TA0005 Stealth (1 technique): T1205 Traffic Signaling
TA0011 Command and Control (2 techniques): T1071 Application Layer Protocol (T1071.004 DNS), T1205 Traffic Signaling

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

IOCS

Observables

1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.