Inside China's Hosting Ecosystem: 18,000+ Malware C2 Servers Mapped Across Major ISPs
Essential information
- Published
- 15/01/2026 12:03
- Modified
- 19/01/2026 09:29
- Tags
- 2026-01-15 CVE-2025-8110 apt arl asyncrat china cloud providers cobalt strike command and control cybercrime infrastructure isps l3mon malware mgbot mirai mozi nanocore rondodox supershell valley rat vshell xmrig
- Related entities
- 1 vulnerability (CVE), 12 observables, 5 techniques (MITRE), 13 malware, 8 others
Description
An analysis of Chinese hosting environments reveals more than 18,000 active command-and-control (C2) servers distributed across 48 infrastructure providers. C2 hosting accounts for 84% of the malicious activity observed, with phishing infrastructure a distant second at 13%. China Unicom hosts nearly half of all observed C2 servers, followed by Alibaba Cloud and Tencent. A small set of malware families, including Mozi, ARL, and Cobalt Strike, accounts for most of the C2 activity. The infrastructure serves both cybercrime and state-linked operations: remote access trojans (RATs), cryptominers, and APT tooling coexist on the same providers. High-trust networks such as the China169 Backbone and CERNET are actively abused for C2 hosting. Grouping the servers by hosting provider rather than by campaign exposes long-running abuse patterns and infrastructure reused across campaigns, which supports more resilient detection and mitigation strategies than per-campaign indicator lists.
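The host-centric aggregation described above, as an added example that is not code from the report or its authors: a small Python script that groups C2 observations by provider, measures family distribution, and flags hosts that serve several malware families or stay active for months. The observations are constructed sample data (IPs from documentation ranges, invented dates and family assignments); only the provider and family names follow the summary.

```python
"""Host-centric aggregation of C2 observations (added example, not the report's code)."""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample data: (ip, provider, malware_family, first_seen, last_seen).
# IPs are from RFC 5737 documentation ranges; dates and assignments are invented.
SAMPLE_OBSERVATIONS = [
    ("203.0.113.10", "China Unicom", "Mozi", date(2025, 3, 1), date(2025, 12, 20)),
    ("203.0.113.10", "China Unicom", "Mirai", date(2025, 9, 5), date(2025, 12, 20)),
    ("203.0.113.11", "China Unicom", "Cobalt Strike", date(2025, 11, 1), date(2025, 11, 15)),
    ("203.0.113.12", "China Unicom", "ARL", date(2025, 6, 1), date(2026, 1, 10)),
    ("198.51.100.5", "Alibaba Cloud", "Cobalt Strike", date(2025, 10, 1), date(2025, 10, 30)),
    ("198.51.100.6", "Alibaba Cloud", "XMRig", date(2025, 8, 1), date(2025, 12, 1)),
    ("192.0.2.7", "Tencent", "AsyncRAT", date(2025, 12, 1), date(2026, 1, 5)),
    ("192.0.2.8", "Tencent", "Mozi", date(2025, 2, 1), date(2026, 1, 12)),
]


def provider_host_counts(observations):
    """Distinct C2 hosts per provider (a host with two families counts once)."""
    hosts = defaultdict(set)
    for ip, provider, *_ in observations:
        hosts[provider].add(ip)
    return Counter({provider: len(ips) for provider, ips in hosts.items()})


def provider_share(observations):
    """Percentage of all distinct C2 hosts attributed to each provider, 1 decimal."""
    counts = provider_host_counts(observations)
    total = sum(counts.values())
    return {provider: round(100.0 * n / total, 1) for provider, n in counts.items()}


def family_counts(observations):
    """Number of (host, family) pairs per malware family."""
    return Counter(family for _, _, family, *_ in observations)


def reused_hosts(observations):
    """Hosts observed serving more than one malware family: infrastructure reuse."""
    families = defaultdict(set)
    for ip, _, family, *_ in observations:
        families[ip].add(family)
    return {ip: sorted(fams) for ip, fams in families.items() if len(fams) > 1}


def long_running_hosts(observations, min_days=180):
    """Hosts whose overall activity span (earliest first_seen to latest last_seen)
    meets min_days; these are the long-running abuse patterns the summary refers to."""
    first, last = {}, {}
    for ip, _, _, seen_from, seen_to in observations:
        first[ip] = min(first.get(ip, seen_from), seen_from)
        last[ip] = max(last.get(ip, seen_to), seen_to)
    spans = {ip: (last[ip] - first[ip]).days for ip in first}
    return {ip: days for ip, days in sorted(spans.items()) if days >= min_days}


if __name__ == "__main__":
    print("hosts per provider:", dict(provider_host_counts(SAMPLE_OBSERVATIONS)))
    print("provider share (%):", provider_share(SAMPLE_OBSERVATIONS))
    print("families:", dict(family_counts(SAMPLE_OBSERVATIONS)))
    print("reused hosts:", reused_hosts(SAMPLE_OBSERVATIONS))
    print("long-running hosts (days):", long_running_hosts(SAMPLE_OBSERVATIONS))
```

Counting distinct hosts rather than raw observations matters when one server hosts several families; the reuse and activity-span views are what a per-campaign indicator list loses, and they are the basis for provider-level or ASN-level detections that survive an operator rotating individual IPs.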