CyberWire Daily – Research Saturday
Episode Title: When clicks turn criminal.
Date: November 15, 2025
Host: Dave Bittner (N2K Networks)
Guest: Dr. Renee Burton, VP of Threat Intelligence at Infoblox
Topic: DNS-Driven Insights into Malicious Ad Networks (focus on VeinViper and Propeller Ads)
Overview
This episode dives into the mechanisms, scale, and business structures behind malicious ad networks, spotlighting research into “VeinViper” and its connection to corporate entities like Propeller Ads and Ad Tech Holdings. Dr. Renee Burton discusses how threat actors exploit online ad technology not only to distribute scams and malware, but also to blur the boundaries between legitimate and criminal enterprise. The discussion unpacks the ways DNS data reveals these large-scale operations, the technical tools behind malicious campaigns, and what individuals and businesses can do to protect themselves.
Key Discussion Points & Insights
1. From Underground Hackers to Registered Businesses
- Dr. Burton highlights a paradigm shift: What were once perceived as underground hacker groups now often operate as registered, open businesses (02:25).
“A lot of threats… we previously believed were associated with those hackers hiding in the dark… are being backed by registered businesses in various parts of the world. They advertise openly on the Internet.”
— Dr. Renee Burton, 02:25
- These groups openly provide "advertising related services," creating a grey area between legality and criminality.
2. Discovery and Scale of “VeinViper”
- Initial Discovery: VeinViper was tracked starting in 2022, first flagged through compromised websites and suspicious DNS activity (03:25).
“I personally had the experience where I was just doing some browsing and suddenly there was this little pop up… who’s Omnitor? I'm definitely not visiting that website.”
— Dr. Renee Burton, 03:40
- DNS Insights: Infoblox observed approximately one trillion DNS queries linked to VeinViper within its own customer environments over a year, implying a far larger global footprint (04:36).
“…a trillion was within our customer environments… globally, it’s actually going to be much, much larger.”
— Dr. Renee Burton, 04:57
3. Motives and Methods
- Financially Motivated: These networks profit by blending legitimate ad activities with the distribution of scams and malware. They cater to both “publishers” (those displaying ads) and “advertisers” (who often distribute malicious content) (05:54).
- Malware Distribution: Direct evidence linked malware dropped onto user devices to VeinViper’s IP space (06:16).
4. Legitimate Facade and Economic Drivers
- Plausible Deniability: VeinViper and similar outfits exploit their ad industry status to maintain a degree of deniability (06:38).
“You could… argue, well, this illegal gambling site is legitimate… That’s one of the many ways that would happen.”
— Dr. Renee Burton, 07:25
- Global Economic Factors: Many “publishers” are individuals from economically challenged regions, drawn into these systems simply to make money, which blurs the line between intent and impact (07:46).
5. Corporate Structures and “Ad Tech Holdings”
- Complex Shells and Subsidiaries: Ad Tech Holdings serves as an umbrella for various entities (e.g., Propeller Ads, MoneyTag, Zato Zido) that are structured to appear independent but are in fact interlinked (09:07).
“Propeller Ads is probably their big flagship one. But Propeller Ads itself has other entities like MoneyTag… there’s a lot of ownership aspects...”
— Dr. Renee Burton, 09:17
6. Technical Tactics: Push Notifications & Traffic Distribution Systems
- Push Notifications: Used for “persistence,” enabling continuous delivery of scams or malware with high volume, paid on delivery to devices regardless of engagement (10:33).
“Instead of getting that one opportunity to scam them, you get an infinite number of opportunities.”
— Dr. Renee Burton, 10:52
- Traffic Distribution Systems (TDS): Sophisticated redirection and targeting to maximize victim conversion, tailoring the scam or malware served to each visitor's device, region, and browsing behavior (12:25).
7. Typical Victim Trajectory
- Entry Vectors: Victims encounter malicious ads just by regular web browsing, especially on less regulated or compromised websites (15:29). Sometimes, what looks like a normal download is actually malware if device parameters match the attacker’s target criteria.
“They can just be regularly browsing the web… It can come through parking systems, we found. It can come through compromised websites, it could come through spam.”
— Dr. Renee Burton, 15:29
- Decoys: If a visitor does not look like a suitable target (e.g. a security researcher), the TDS redirects them to benign pages instead (16:25).
8. On the Question of Complicity
- From Abuse to Complicity: The research process evolved from viewing Propeller Ads as a potential victim of abuse to recognizing its infrastructure was directly serving malware (17:15).
“[W]e were getting malicious content delivery and specifically malware directly from the IP addresses… known to be owned by Propeller Ads… They were doing it off of their own infrastructure, which makes them responsible.”
— Dr. Renee Burton, 18:35
9. The Bigger Ad Tech Ecosystem: Optimism and Momentum
- Organized Crime Integration: Many Russian-speaking organized crime groups have exploited the ad tech ecosystem while staying off mainstream radar (20:02).
- Growing Scrutiny: The security industry is catching up, slowly connecting criminal ad tech to broader cybercrime and disinformation efforts—momentum is building for accountability (20:54).
“The scrutiny on these companies is gaining momentum. It is going to get bigger and bigger and bigger. And I am optimist.”
— Dr. Renee Burton, 21:39
10. Recommendations for Defense
For Users:
- Decline push notifications by default (22:14).
- Stay suspicious of unexpected redirects or pop-ups impersonating trusted brands.
- Report incidents to law enforcement—even attempted scams matter for statistics and enforcement (22:43).
- Use security tools and ad blockers to help disrupt malicious ad vectors.
For Organizations:
- Implement security technologies that can detect and disrupt traffic distribution systems (23:13).
- Regularly educate staff about malicious ad tactics and encourage reporting.
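One way to enforce the "decline push notifications by default" advice across a managed Windows fleet rather than leaving it to each user, as an added example that is not from the episode or from Infoblox's paper: it sets the browsers' managed notification policy to "block" (the browser default, "ask", is what lets a drive-by prompt succeed) and then reads every value back as a check. The registry paths, policy names and values are assumed from the vendors' Chrome, Edge and Firefox enterprise policy templates.

```powershell
# Added example, not from the episode: block web push notification prompts
# fleet-wide via managed browser policy. Run in an elevated PowerShell session.
# Assumed policy semantics (from the vendors' policy templates):
#   Chrome/Edge DefaultNotificationsSetting: 1 = allow, 2 = block, 3 = ask (the weak default)
#   Firefox Permissions\Notifications\BlockNewRequests: 1 = refuse new permission requests

$policies = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome';  Name = 'DefaultNotificationsSetting'; Value = 2 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'; Name = 'DefaultNotificationsSetting'; Value = 2 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Permissions\Notifications'; Name = 'BlockNewRequests'; Value = 1 }
)

# Apply: create the policy key if the browser has never been managed on this host
foreach ($p in $policies) {
    if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
    Set-ItemProperty -Path $p.Path -Name $p.Name -Value $p.Value -Type DWord
}

# Verify: read each value back; any MISMATCH means the policy did not land
foreach ($p in $policies) {
    $actual = (Get-ItemProperty -Path $p.Path -Name $p.Name).($p.Name)
    $status = if ($actual -eq $p.Value) { 'OK' } else { 'MISMATCH' }
    '{0,-8} {1}\{2} = {3}' -f $status, $p.Path, $p.Name, $actual
}
```

Browsers read managed policy at startup, so the change takes effect on the next launch; the same keys are the ones a Group Policy object would set, so they are also the place to confirm an existing GPO is actually applied.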
Notable Quotes & Memorable Moments
“A lot of threats… we previously believed were associated with those hackers hiding in the dark… are being backed by registered businesses in various parts of the world.”
— Dr. Renee Burton, 02:25
“Instead of getting that one opportunity to scam them, you get an infinite number of opportunities.”
— Dr. Renee Burton, 10:52
“We were getting malicious content delivery and specifically malware directly from the IP addresses that are known to be owned by Propeller Ads… which makes them responsible.”
— Dr. Renee Burton, 18:35
“The scrutiny on these companies is gaining momentum. It is going to get bigger and bigger and bigger. And I am optimist. I think they will be held accountable and… we will find better defenses as we go forward.”
— Dr. Renee Burton, 21:39
“For users, really don’t accept notifications… important altogether.”
— Dr. Renee Burton, 22:14
Timestamps for Key Segments
- 02:25 — Shift from “shadowy hackers” to registered business operations
- 04:36 — The scale of VeinViper’s DNS footprint
- 05:54 — Anatomy of VeinViper’s business model
- 09:07 — Corporate shell structure of Ad Tech Holdings and its subsidiaries
- 10:33 — Detailed tactics: push notifications & traffic distribution
- 15:29 — How victims stumble into ad scam/malware traps
- 17:15–18:35 — The journey from perceived abuse of Propeller Ads to direct complicity
- 20:02 — Organized crime within the digital advertising ecosystem
- 22:14–23:13 — Actionable recommendations for users and organizations
Guest Resource:
- Research Paper: “Deniability by Design: DNS Driven Insights into a Malicious Ad Network” (Infoblox)
This comprehensive discussion unpacks how the criminal exploitation of modern ad tech blurs the line between legitimate commerce and cybercrime, underlining the urgent need for new detection, reporting, and defense strategies across all levels of internet engagement.