Skip to main content
Mallory
Back to threat actors
1 malware family

vacant_viper

Also known asvacant_viper

Vacant Viper is a cybercriminal threat actor associated with the Russian-hosted 404TDS traffic distribution system. Reporting describes it as one of the earliest known actors exploiting the Sitting Ducks domain hijacking technique, with activity ongoing since December 2019 and an estimated 2,500 hijacked domains per year. The actor hijacks registered domains, including high-reputation domains, and uses them to augment 404TDS for malicious spam operations, porn delivery, remote access trojan (RAT) command-and-control, and malware delivery. Malware and payloads directly mentioned in the reporting include AsyncRAT, DarkGate, and, in one report, IcedID and other malware. Vacant Viper is also described as delivering numerous RATs. The content states that Vacant Viper is known to affiliate with TA571. Aliases directly provided in the content are limited to 'vacant_viper' / 'Vacant Viper'.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

2 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

2 of 15 tactics4 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
1 technique
T1587
Develop Capabilities
T1587.003
Digital Certificates
TA0011
Command and Control
1 technique
T1071
Application Layer Protocol
T1071.004
DNS
ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen
IcedID“Vacant Viper is known to affiliate with TA571, for which the 404TDS delivered IcedID and other malware.”1Mar 18, 2026
IOCS

Observables

3 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

3 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
infoblox blogNews
Apr 23, 2025
Verizon 2025 DBIR findings coincide with dangers of malicious adtech

Vacant Viper hijacks domain names and uses a custom traffic distribution system (404TDS) to deliver various remote access trojans (RATs).

Read more
help net securityNews
Nov 15, 2024
Cybercriminals hijack DNS to build stealth attack networks

Vacant Viper hijacks high-reputation domains using Sitting Ducks attacks to build a malicious traffic distribution system (404TDS) for spam, malware delivery, and C2 infrastructure.

Read more
vulnuNews
Nov 15, 2024
🎓️ Vulnerable U | #090

Vacant Viper is a criminal group involved in DNS hijacking attacks, using compromised domains to distribute malware such as AsyncRAT and DarkGate.

Read more
the hacker newsNews
Nov 14, 2024
Experts Uncover 70,000 Hijacked Domains in Widespread 'Sitting Ducks' Attack Scheme

Vacant Viper leverages Sitting Ducks domain hijacking to operate traffic distribution systems (TDS), run spam campaigns, deliver adult content, establish C2 infrastructure, and distribute malware including DarkGate and AsyncRAT.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping2

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables3

Domains, IPs, and hashes tied to this actor, refreshed continuously.