Dave Bittner
You're listening to the Cyberwire Network powered by N2K.
Cyberwire Network Announcer
Step into the digital Upside Down with Cyber Things, Armis' new three-part podcast series, which dives into the unseen world of cybersecurity. From real-life hacks to the digital shadows of the dark web, we connect pop culture and protection, fear and control. Episode one drops soon, so look out for Cyber Things, in partnership with Cyberwire.
Podcast Host / Narrator
Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero trust networks, including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity, and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R dot com slash cyberwire.
Dave Bittner
Hello everyone, and welcome to the Cyberwire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
Renee Burton
So what we have found, particularly over the last year, is essentially a lot of threats that we previously believed were associated with those hackers hiding in the dark, working in those dark web forums, groups of hacker gangs. They in fact are being backed by registered businesses in various parts of the world. They advertise openly on the Internet, and they provide a variety of advertising-related services.
Podcast Host / Narrator
That's Dr. Renee Burton, Vice President of Threat Intelligence at Infoblox. The research we're discussing today is titled Deniability by Design. DNS Driven Insights into a Malicious Ad Network.
Dave Bittner
Well, let's dig in and talk about VeinViper itself. How did you first come across this threat actor?
Renee Burton
We first found VeinViper back in 2022. We found it similarly, both through accidental things, but also through DNS. At the time they were heavily seen in compromised websites. I personally had the experience where I was just doing some browsing and suddenly there was this little pop-up that said "Omnitor wants to show you notifications." Who's Omnitor? I'm definitely not visiting that website.
Dave Bittner
Right.
Renee Burton
So I said no, which was good, because that turned out to be a lead into us discovering, again through DNS. By putting together DNS, here being the domain names and IP addresses, we put those together and realized this is actually an entire actor, meaning a person or a group that we would be able to track, and that they were heavily involved in both scams and in malware. And then it took us years, it took us about two years, to realize that in fact they were registered companies.
Dave Bittner
Wow. Well, before we dig into some more of the details, you mentioned DNS, and your research points out that you and your team saw about a trillion, with a T, DNS queries linked to VeinViper in just about a year. Can you put that in perspective for us? What does this mean in terms of scale?
Renee Burton
Yeah, that trillion was within our customer environments as well. So if you think about it globally, it's actually going to be much, much larger. These are extraordinarily popular domains, meaning that there's a lot of traffic associated with them. They're going to be not as popular as Google, right, not as popular as Facebook, but they're still going to be up there, more popular than very common VPN security services, sharing systems, things like that. So tons and tons and tons of domain name traffic. And what that says to us is there are a lot of ways in which that actor is approaching both consumers and enterprises.
Dave Bittner
And what exactly are they up to here? What's the approach, and what are they hoping to get out of this?
Renee Burton
They're certainly financially motivated as a company. They're making money off of the people who sign up with them as, quote, publishers, meaning that they put the links on things, and advertisers, which are the ones that show things. They are distributing both scams and malware. So they're affiliating with, or having, advertisers who are the ones actually giving these scams and malware. However, we also had very specific instances, again one coming from my own phone, where malware was dropped directly onto my device from an IP address that is theirs, that is in their network.
Dave Bittner
Is there a legitimate side to their business? You all talk about plausible deniability in the report here. Is it all malware and scams?
Renee Burton
It's mostly. I think that's just a side effect, too, of being in this type of advertising business. You're right, you don't have the cachet of being Google or being Taboola, any one of these really big, well-known advertising networks. They're out of Cyprus, but they're Russian-oriented, so they get a different kind of traffic. They're going to be seen on a variety of, like, gambling sites or on cracking sites or on free video download sites. You'll see that their ads would be there. That's one of the many ways that would happen. And so you could, you know, you might argue, well, this illegal gambling site is legitimate in some, you know, in some fashion, and they're using them as a customer. I think also that we find with these ad tech businesses that they are trying to get people who want to make money. If you think about the world and the economy all over the world, it's quite varied, and there's a lot of hope around the world. So there's a lot of people in Indonesia, India, a variety of other countries that face a lot of economic challenges. And what they see is basically marketing, that affiliate marketing is a way that they can make money, and a lot of them will join in to do that kind of thing. So they might end up being led down a path where they're delivering scams, but in fact themselves are really just trying to find a way to make bread, you know, put food on the table type of thing.
Dave Bittner
Yeah. The research describes VeinViper as being tied to AdTech Holding and its subsidiaries, companies like Propeller Ads. Can you unpack that corporate structure for us? There's shell companies, there's offshore registrations, there's a lot to unwind here.
Renee Burton
AdTech Holding is one of many different actors that we're looking at. More recently we also released on an actor known as Vextrio, whose structures are even more convoluted. In the case of AdTech Holding, everything that we're looking at really is in that advertising and marketing technology space. But there are a bunch of companies that they essentially advertise to be independent of each other but are still under that holding. So Propeller Ads is probably their big flagship one. But Propeller Ads itself has other entities, like MoneyTag. Below that there's a group called Zato Zido, which is independent in some ways, but it's still part of AdTech Holding. So there's a lot of ownership aspects over the last more than a decade that really tie these different companies together, including their hosting providers, lots of personnel who are involved in particularly the Cyprus regional tech market.
Dave Bittner
Well, can we dig into some of the tools that they're actually using here? There's a lot of things going on for them to be able to do what they do. Can you walk us through some of that?
Renee Burton
So when we look at what sort of tools or tactics or devices they are using, they heavily use push notifications. This is widely used across malicious ad tech, and it's actually quite brilliant. It provides a mechanism for persistence on a device, in that somehow or another you convince someone to allow notifications. Now, instead of getting that one opportunity to scam them, you get an infinite number of opportunities. And even more than that, I recently had one where we were recording. We found it's a different company, but it's similar. The information that they provide allows me to see what they're tracking about me. And I could see that they're charging the advertiser about 5 cents to get a push notification onto my phone. And then I can also see that they've already computed my conversion rate, or the likelihood of me actually looking at that ad, to be almost zero. It's just slightly above zero. And yet they're pushing 100 notifications a day. So if you think about that from the AdTech Holding or Propeller side, they're able to push 100 notices a day onto a single device, charging $0.05 or $0.01, whatever it is, for that device. They're getting that money no matter what, even if the user doesn't click on it. So they can just roll in cash through these notifications, because they're charging the advertisers to be able to show the notification, which is quite brilliant. That's one of the ways in which they're handling victims. And they get it on both sides, right? They get the victim, but they also get the advertiser, who is paying them in order to show these advertisements. Really interesting. The other thing that they do is they're providing a traffic distribution system, or TDS is the term we would use. The concept there is that I'm giving you the offer or the ad that you're most likely to buy, which here is going to be the scam or the malware.
So depending on your device type, where you are in the region, what kind of notification you already clicked (this would happen even if it was just a pop-up ad), so say, for instance, maybe you're on a gaming site or a movie streaming site, sort of, I know that. So I can make tailored things to you, as well as your IP address or your device type, and then I will funnel you through this TDS in order to deliver the offer that, one, you're more likely to buy, but two, I'm going to make money off of as the advertising network.
Podcast Host / Narrator
We'll be right back. At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com/cyber. And now a word from our sponsor, ThreatLocker, the powerful Zero Trust Enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
Dave Bittner
Now, you all found some of these campaigns that look to the user like normal software downloads or even search pages. How would a victim typically stumble into one of these traps?
Renee Burton
So they can just be regularly browsing the web. That is absolutely one way that can happen, especially with pages that are smaller or less common and have taken on advertising as a way to make some money off of that page. It can come through parking systems, we found. It can come through compromised websites. It could come through spam. So a variety of ways will take the victim into that, you know, into that funnel, essentially. And then in those two cases that you were mentioning from the paper, in one case we had a phone, and that phone met the criteria for the malware download. And it essentially said, you need to download this file. And when we clicked it and downloaded it, that turned out to be an information stealer, as I recall. But if you weren't the right person, your device was too old or too new or whichever way in which you didn't match, or they thought you were, say, a security company, then instead you got a Google search page. So you had just suddenly clicked, and up it showed a Google search page. And that's the decoy part of it.
Dave Bittner
Right. Interesting.
Dave Bittner
Now, one of the things that caught my eye in the research was sort of you and your colleagues going through this aha moment of shifting from "hey, Propeller Ads is being abused" to "wait a minute, Propeller Ads might be complicit." Can you walk us through that process for you all?
Renee Burton
Yes. I think this is the process that we have to go through whenever there's a commercial entity involved, whether it be a small one or a big one like Google. Right. Every time that you see a company that's offering a commercial service and is being abused, then you need to understand, okay, what role specifically are they playing? It could be that they're just lazy, that they aren't checking information from their advertisers. It could be that they're overwhelmed. Right. Some people would argue this about Google; you know, there's a ton of malvertising that comes through Google search, and people would argue whether there's too much, or for whatever reasons they struggle to be able to handle that. Right. It's one of the more popular things that happen. The other thing that happens is that the advertisers who are, say, doing malware scams, those are typically what we call cloaked, meaning they're hiding as well. And they're doing that, say, independent of Propeller in this case. So Propeller could make an argument that we can't even see that it's bad, because they've cloaked the ad. That is certainly true in the case of large groups like Facebook and Google: those ads are cloaked, and it may be hard for them to tell that. So there's a lot of complexity that comes down to, am I actually going to make an accusation of being involved or being complicit, knowingly catering to cybercriminals? In our case, we were able to show, not once but many times (we only highlight a few of those within the paper), that we were getting malicious content delivery, and specifically malware, directly from the IP addresses that are known to be owned by Propeller Ads. So this wasn't a redirection where they were sending stuff to an external advertiser and that external, quote, advertiser was delivering the malware. They were doing it off of their own infrastructure, which makes them responsible.
Dave Bittner
Looking at the bigger picture here, when we consider VeinViper, is this just kind of part of the digital advertising ecosystem in which we live these days? It's sort of the, I don't know, the dark underbelly of that world.
Renee Burton
Well, I'm really optimistic. I think what has happened is that a large number of groups of organized crime, predominantly driven out of Russian-speaking areas (that's not exclusive, but it's predominantly that), starting in around 2015 were able to create an entire ecosystem. They were successful in staying off the radar in part because they weren't trying to be on the CBS front page. Right. They were working in this other world of compromising domains and doing smaller sites and advertising. Because of the successful nature of their cloaking, or their hiding of domains, it took a very long time for people to start to realize, wait a second, this is actually connected to the distribution of all kinds of malicious content, including ones that lead to data breaches that people care a lot about, and disinformation, like the Doppelganger Russian disinformation campaigns. Once that starts rolling and people start realizing these things go together, there is a traffic distribution system involved. Now we're moving along three, four, five more years in understanding things within the security industry. People are gaining momentum and realizing, oh, wait a second, these are registered companies. So the scrutiny on these companies is gaining momentum. It is going to get bigger and bigger and bigger. And I am an optimist. I think they will be held accountable, and I think we will find better defenses as we go forward.
Dave Bittner
I admire your optimism. So, based on the information that you all have gathered here, what are your recommendations? I mean, for both business leaders who are looking to protect their organization, but then also for everyday users. Any words of wisdom here?
Renee Burton
So for users, really don't accept notifications. That's an important thing altogether. And be somewhat suspicious if you see something that suddenly redirects you: you hit on something and then it showed you a Google search page, or it showed you a Facebook or an Amazon just out of the blue. That is probably part of malicious advertising. And in every country in the world, there is a way in which you can report that activity to law enforcement. It is really important for us to report these things to law enforcement, whether we saw them and weren't victimized or, more importantly, when we are victimized, because that is what the momentum requires in order to get people taken care of, to be able to understand the victimology of those things. Certainly put in security measures wherever you can find them, security measures that are going to specifically tackle traffic distribution systems. Those are so hard to see and recognize and track, and that kind of thing is going to be really helpful. For you as a consumer, where you don't have money for big devices, things like an ad blocker will certainly help. It's not perfect, but it would definitely.
Dave Bittner
Our thanks to Dr. Renee Burton from Infoblox for joining us. The research is titled "Deniability by Design: DNS-Driven Insights into a Malicious Ad Network." We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Trey Hester. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
Sponsor Voice
Every minute your finance team spends wrestling with data is a minute lost. Insight Software's AI-powered insights instantly move you from complexity to clarity. Automated analysis, real-time reporting, strategic recommendations, all at your fingertips. Transform how your finance team works and watch your business grow. Stop wasting time, start making smarter decisions. Learn more at insightsoftware.com/ai.
Episode Title: When clicks turn criminal.
Date: November 15, 2025
Host: Dave Bittner (N2K Networks)
Guest: Dr. Renee Burton, VP of Threat Intelligence at Infoblox
Topic: DNS-Driven Insights into Malicious Ad Networks (focus on VeinViper and Propeller Ads)
This episode dives into the mechanisms, scale, and business structures behind malicious ad networks, spotlighting research into "VeinViper" and its connection to corporate entities like Propeller Ads and AdTech Holding. Dr. Renee Burton discusses how threat actors exploit online ad technology not only to distribute scams and malware, but also to blur the boundaries between legitimate and criminal enterprise. The discussion unpacks how DNS data (domain names and the IP addresses they resolve to, clustered into a single trackable actor) reveals these large-scale operations, the technical tools behind malicious campaigns (push notifications as a persistence mechanism and a traffic distribution system that serves malware to matching devices and a decoy search page to everyone else), and what individuals and businesses can do to protect themselves.
“A lot of threats… we previously believed were associated with those hackers hiding in the dark… are being backed by registered businesses in various parts of the world. They advertise openly on the Internet.”
— Dr. Renee Burton, 02:25
“I personally had the experience where I was just doing some browsing and suddenly there was this little pop up… who’s Omnitor? I'm definitely not visiting that website.”
— Dr. Renee Burton, 03:40
“…a trillion was within our customer environments… globally, it’s actually going to be much, much larger.”
— Dr. Renee Burton, 04:57
“You could… argue, well, this illegal gambling site is legitimate… That’s one of the many ways that would happen.”
— Dr. Renee Burton, 07:25
“Propeller Ads is probably their big flagship one. But Propeller Ads itself has other entities like MoneyTag… there’s a lot of ownership aspects...”
— Dr. Renee Burton, 09:17
“Instead of getting that one opportunity to scam them, you get an infinite number of opportunities.”
— Dr. Renee Burton, 10:52
“They can just be regularly browsing the web… It can come through parking systems, we found. It can come through compromised websites, it could come through spam.”
— Dr. Renee Burton, 15:29
“[W]e were getting malicious content delivery and specifically malware directly from the IP addresses… known to be owned by propeller ads… They were doing it off of their own infrastructure, which makes them responsible.”
— Dr. Renee Burton, 18:35
“The scrutiny on these companies is gaining momentum. It is going to get bigger and bigger and bigger. And I am optimist.”
— Dr. Renee Burton, 21:39
For Users:
Don't accept browser push notifications. Treat a sudden, unexpected redirect to a Google search page, Facebook or Amazon as a likely sign of malicious advertising. Report the activity to law enforcement whether or not you were victimized. An ad blocker helps, though it is not perfect.
“For users, really don’t accept notifications… important altogether.”
— Dr. Renee Burton, 22:14
For Organizations:
Put in place security measures that specifically target traffic distribution systems, which are hard to see, recognize and track, and report incidents to law enforcement so that the victimology of these campaigns can be established.
Guest Resource:
This comprehensive discussion unpacks how the criminal exploitation of modern ad tech blurs the line between legitimate commerce and cybercrime, underlining the urgent need for new detection, reporting, and defense strategies across all levels of internet engagement.