Vault Viper
Vault Viper is a cybercriminal threat actor tied to BBIN / Baoying Group (寶盈集團), a major iGaming provider that the reporting links to illegal gambling platforms and organized crime in Southeast Asia. The group is described as operating a large-scale criminal ecosystem spanning online gambling, cyber-enabled fraud, money laundering, human trafficking, and scam operations, with activity centered in Southeast Asia; reporting places it in the Philippines' Clark Freeport and Special Economic Zone. Reporting also links Vault Viper to the broader Suncity criminal organization and notes activity overlaps with Vigorish Viper.

A key capability attributed to Vault Viper is distribution of the Universe Browser through gambling and casino websites under its control. The browser is described as exhibiting malware-like behavior: routing all user traffic through servers in China, covertly installing background components, keylogging, making surreptitious connections, injecting code, establishing persistence, performing anti-VM checks, and disabling or weakening browser security features such as sandboxing, settings access, right-click, and developer tools. Reporting also notes screenshot-upload capability via installed extensions, network configuration changes, and attempts to evade antivirus detection. The browser has been distributed on Windows, Android, and iOS, though the suspicious behaviors of the mobile versions were noted as not fully verified.

The group is described as maintaining extensive infrastructure, including thousands to tens of thousands of domains for resilience, and as using DNS manipulation, encrypted communications, rapid domain changes, proxies, and hosting across providers including AWS and Alibaba. Reporting states that this infrastructure has been used to support large-scale cyber-enabled fraud and has ties to illegal gambling, scam compounds, and organized criminal networks across Southeast Asia. Vault Viper is also referred to as Business Group 1 in one source.
Known aliases and associated names directly mentioned in the content include BBIN, Baoying Group, and Business Group 1.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Health Care Equipment & Services
- Banks
- Software & Services
- Telecommunication Services
- Utilities
Where they target
Geographies tied to known operations.
- 🇮🇩 Indonesia
- 🇹🇭 Thailand
- 🇪🇸 Spain
- 🇹🇷 Türkiye
- 🇵🇭 Philippines
- 🇿🇦 South Africa
- 🇰🇷 South Korea
- 🇨🇴 Colombia
Tradecraft
2 distinct techniques observed across reporting, grouped by tactic.
Observables
4 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
- Threat cluster linked in the report through infrastructure and behavioral overlaps with a multilingual scam and Android banking trojan MaaS operation targeting victims across multiple continents.
- Vault Viper is a cybercrime group operating a global DNS infrastructure supporting illegal gambling, money laundering, fraud, and human trafficking, using the Universe Browser malware to control victim systems and facilitate organized crime.
- Cyber-enabled gambling/fraud ecosystem tied to Baoying Group/BBIN distributing a custom 'Universe Browser' that routes traffic via China-based servers and includes RAT-like surveillance capabilities; linked to large-scale scam operations in Southeast Asia.
- Vault Viper is a threat group operating in connection with BBIN, a major online gambling company. The group is responsible for distributing the Universe Browser, which covertly installs malware-like components, routes traffic through China, and is linked to Southeast Asia's cybercrime ecosystem, including money laundering, illegal gambling, human trafficking, and scam operations. Vault Viper's infrastructure includes tens of thousands of web domains and command-and-control servers, and the group is associated with sophisticated cyber-enabled fraud and scam operations.