A sprawling network of over 18,000 active command-and-control (C2) servers, hosted on Chinese infrastructure and spread across 48 different providers, has been identified. This significant discovery, revealed by cybersecurity researchers, underscores the complex and often hidden nature of malicious cyber operations. Traditional threat detection methods, which tend to focus on individual indicators of compromise such as IP addresses, are often outmaneuvered by attackers who rapidly rotate those identifiers.
The research indicates that these C2 servers constitute a substantial majority, approximately 84 percent, of all malicious activity observed within Chinese hosting environments during a recent three-month analysis period. Phishing infrastructure accounted for about 13 percent, while malicious open directories and other public indicators of compromise made up less than 4 percent. This dominance of C2 servers highlights a strategic preference among attackers for stable infrastructure capable of orchestrating sustained campaigns across multiple targets.
Hunt.io analysts utilized their Host Radar platform, a comprehensive intelligence system that integrates C2 detection, phishing identification, and indicator extraction, to uncover this extensive network. Unlike approaches that treat individual malicious artifacts in isolation, Host Radar maps these threats back to the hosting providers and network operators, revealing long-term abuse patterns even amidst frequent changes to specific IP addresses.
Infrastructure Concentration and Malware Distribution Strategies
The findings point to a significant concentration of malicious infrastructure within China, with China Unicom emerging as the largest host. The provider accounted for nearly half of all observed C2 servers, with approximately 9,000 detections. Major cloud platforms, Alibaba Cloud and Tencent, also played a substantial role, each hosting around 3,300 C2 servers. These three providers alone represent the majority of detected malicious command-and-control infrastructure within China, indicating a heavy reliance by threat actors on their rapid provisioning and high availability.
The malware families utilizing this infrastructure exhibit clear patterns of repeated framework abuse. The Mozi botnet was the most prevalent, accounting for 9,427 unique C2 IP addresses, which is more than half of all observed command-and-control activity. The ARL framework followed closely, with 2,878 C2 endpoints, suggesting extensive misuse of post-exploitation and red-team tooling for malicious purposes. Cobalt Strike was detected on 1,204 servers, while Vshell and Mirai completed the top five, with 830 and 703 C2 servers respectively.
This concentration of malware families and infrastructure suggests a degree of efficiency and shared tooling among threat actors operating from these environments. For defenders, this means that monitoring efforts can be more effectively focused on shared infrastructure patterns rather than solely on chasing individual, constantly evolving malware variants. The data reflects a complex threat ecosystem where cybercrime operations, botnet infrastructure, and state-linked espionage tools coexist, often leveraging the same hosting providers.
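The provider-level view described above (mapping each detection back to the hosting provider so that abuse patterns survive IP rotation) can be illustrated with a small aggregation script. This is an added example, not code from Hunt.io or the Host Radar platform: the prefix-to-provider table, the provider names and the weekly detection records are all constructed here, and the malware family names are used only as labels.

```python
"""Aggregate C2 detections by hosting provider instead of by individual IP.

Added example (not Hunt.io / Host Radar code). All prefixes, provider names
and detections below are constructed for illustration.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed prefix -> provider map (hypothetical RFC 1918 ranges, not real allocations).
PROVIDER_PREFIXES = {
    ip_network("10.10.0.0/16"): "Provider-A",
    ip_network("10.20.0.0/16"): "Provider-B",
    ip_network("10.30.0.0/16"): "Provider-C",
}

# Constructed detections: (observation week, C2 IP, malware family).
# Every IP appears in only one week, i.e. the operators rotate addresses weekly.
DETECTIONS = [
    (1, "10.10.1.1", "Mozi"),
    (1, "10.10.1.2", "Cobalt Strike"),
    (1, "10.20.5.5", "Mozi"),
    (1, "192.0.2.7", "Mirai"),        # TEST-NET address: no provider mapping
    (2, "10.10.2.1", "Mozi"),
    (2, "10.10.2.2", "ARL"),
    (2, "10.20.6.6", "Mozi"),
    (3, "10.10.3.1", "Mozi"),
    (3, "10.10.3.2", "Cobalt Strike"),
    (3, "10.20.7.7", "Mozi"),
    (3, "10.30.1.1", "Vshell"),
]


def lookup_provider(ip: str) -> str:
    """Return the provider owning the prefix that contains ip, or 'unknown'."""
    addr = ip_address(ip)
    for net, name in PROVIDER_PREFIXES.items():
        if addr in net:
            return name
    return "unknown"


def summarize(detections):
    """Roll detections up to provider level: volume, distinct IPs, weeks active, families."""
    per = defaultdict(lambda: {"detections": 0, "ips": set(), "weeks": set(), "families": Counter()})
    for week, ip, family in detections:
        entry = per[lookup_provider(ip)]
        entry["detections"] += 1
        entry["ips"].add(ip)
        entry["weeks"].add(week)
        entry["families"][family] += 1
    return {
        name: {
            "detections": e["detections"],
            "unique_ips": len(e["ips"]),
            "weeks_active": len(e["weeks"]),
            "families": dict(e["families"]),
        }
        for name, e in per.items()
    }


def ip_churn(detections) -> float:
    """Fraction of C2 IPs seen in exactly one week (1.0 means full weekly rotation)."""
    weeks_per_ip = defaultdict(set)
    for week, ip, _ in detections:
        weeks_per_ip[ip].add(week)
    if not weeks_per_ip:
        return 0.0
    single = sum(1 for weeks in weeks_per_ip.values() if len(weeks) == 1)
    return single / len(weeks_per_ip)


def persistent_providers(summary, min_weeks: int):
    """Providers with C2 activity in at least min_weeks weeks, most active first."""
    names = [n for n, e in summary.items() if n != "unknown" and e["weeks_active"] >= min_weeks]
    return sorted(names, key=lambda n: (-summary[n]["weeks_active"], -summary[n]["detections"], n))


if __name__ == "__main__":
    summary = summarize(DETECTIONS)
    print(f"IP churn: {ip_churn(DETECTIONS):.0%} of C2 IPs lived one week or less")
    for name in persistent_providers(summary, min_weeks=2):
        e = summary[name]
        print(f"{name}: {e['detections']} detections, {e['unique_ips']} IPs, "
              f"{e['weeks_active']} weeks, families={e['families']}")
```

Run stand-alone, the script shows the point the article makes: every individual C2 address in the constructed data lives for a single week, so an IP blocklist would be stale almost immediately, yet the same two providers show up in every week of the window and account for most of the volume. On real data the prefix table would come from BGP or WHOIS allocations rather than a hand-written map.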
The pervasive use of these hosting environments by a wide range of malicious actors, from those deploying commodity remote access trojans to sophisticated advanced persistent threat (APT) operations, poses a significant challenge to traditional indicator-based defenses. The ability of attackers to operate at scale from within these consolidated infrastructures necessitates a shift towards more holistic threat intelligence and network visibility.
The continued abuse of cloud services and large-scale hosting providers by threat actors highlights an ongoing need for collaboration between cybersecurity researchers, hosting providers, and law enforcement agencies. Understanding the methods Chinese threat actors employ to maintain their C2 infrastructure is crucial for developing more resilient defense strategies against evolving cyber threats. Future research will likely focus on deeper analysis of the specific techniques used to evade detection within these hosted environments and the potential for attribution and disruption of these networks.