High Stakes, Hidden Threats: Unmasking the Vault Viper Network with DNS

Southeast Asia’s cyber threat landscape is evolving faster than ever before. This transformation has been marked by the proliferation of industrial-scale scam centres and cyber-enabled fraud operations, driven by sophisticated transnational criminal syndicates and interconnected networks of money launderers, human traffickers, data brokers, and other specialist service providers – particularly those involved in casinos and online gambling.

Against this backdrop, in February 2025, Infoblox Threat Intel, in collaboration with the United Nations Office on Drugs and Crime Regional Office for Southeast Asia and the Pacific (UNODC ROSEAP), set out to examine a cluster of illegal online gambling platforms. In what followed, Infoblox researchers uncovered one of Asia’s leading iGaming software suppliers, or ‘white labels’, distributing a custom browser with significant security implications. Advertised as “privacy-friendly” and able to bypass censorship where online gambling is strictly prohibited, the browser in fact routes all connections through servers in China and installs several persistent, involuntary programs that run silently in the background – features consistent with remote access trojans (RATs) and other malware.

Through DNS analysis, reverse engineering and threat hunting, as well as more conventional investigative work, Infoblox Threat Intel has been able to end a decade-long mystery, ultimately unmasking the broader criminal network behind this operation and its direct link to the infamous Suncity Group and convicted Triad boss Alvin Chau. This abstract offers a glimpse into the first public release of what has been dubbed Vault Viper, the second in a series of previously unreported threat actors and criminal service providers operating at the intersection of illicit online gambling, cyber-enabled fraud, high-tech money laundering and human trafficking. Building on Infoblox’s past Vigorish Viper research, the investigation traces tens of thousands of associated domains – several still in use by documented criminal networks – detailing Vault Viper’s vast DNS footprint, command-and-control (C2) infrastructure, unique tooling, and an ownership structure concealed through a tangled web of companies registered in dozens of countries.

The presentation will conclude with a discussion around various challenges in investigating, classifying, and disrupting this unique category of threat actor. Attendees will also gain a new perspective on the implications of growing criminal sophistication and professionalism within the regional cyber threat landscape, as well as the value of a DNS-based approach in identifying and disrupting sprawling criminal networks.

Maël Le Touz – Infoblox

Maël Le Touz is a Staff Threat Researcher at Infoblox, where he specializes in the detection of threats as they manifest in the domain name system (DNS).

His background is in financial fraud investigation, and he has strong experience in reverse engineering. He reverse engineered critical components of the Decoy Dog malware, confirming that its DNS C2 was distinct from the open source Pupy project.

He recently focused his research on the Chinese-speaking landscape, contributing to the discovery of Vigorish Viper and a number of other criminal syndicates dealing in gambling, malware, scams and trafficking. He has spoken at a number of cyber security conferences, including Black Hat, Infosecurity and Les Assises.

John Wojcik – Infoblox

John Wojcik is a Senior Threat Researcher at Infoblox, where he specializes in DNS threat intelligence and cyber and cyber-enabled crimes in East and Southeast Asia. As part of Infoblox Threat Intel, he works with governments and enterprises in the region to strengthen resilience against evolving and accelerating cyber risks through DNS.

John joined Infoblox from UNODC’s Regional Office for Southeast Asia and the Pacific in Bangkok, Thailand, where, as a Senior Analyst, he led the agency’s open-source and criminal intelligence portfolios, specializing in cyber-enabled fraud, high-tech money laundering, and virtual assets.

At Infoblox, he focuses on DNS threat intelligence and supporting Protective DNS adoption, where his research aims to demonstrate how visibility and intelligence at the DNS layer can serve as a key line of defense against modern-day threats. He continues to share his expertise to strengthen resilience and support the broader security community.