Inside China's Hosting Ecosystem: 18,000+ Malware C2 Servers Mapped Across Major ISPs
Jan. 19, 2026, 9:29 a.m.
Description
An analysis of Chinese hosting environments reveals over 18,000 active command-and-control (C2) servers distributed across 48 infrastructure providers. C2 infrastructure dominates malicious activity at 84%, followed by phishing at 13%. China Unicom hosts nearly half of all observed C2 servers, with Alibaba Cloud and Tencent following. A small set of malware families, including Mozi, ARL, and Cobalt Strike, accounts for most C2 activity. The infrastructure supports both cybercrime and state-linked operations, with RATs, cryptominers, and APT tooling coexisting. High-trust networks like China169 Backbone and CERNET are actively exploited. This host-centric approach exposes long-running abuse patterns and infrastructure reuse across campaigns, enabling more resilient threat detection and mitigation strategies.
Date
- Created: Jan. 15, 2026, 12:03 p.m.
- Published: Jan. 15, 2026, 12:03 p.m.
- Modified: Jan. 19, 2026, 9:29 a.m.
Indicators
Additional Information
- Finance
- Education
- Telecommunications
- Government and administrations
- Technologies
- India
- British Indian Ocean Territory
- China