
Inside China's Hosting Ecosystem: 18,000+ Malware C2 Servers Mapped Across Major ISPs

Medium
Published: Thu Jan 15 2026 (01/15/2026, 12:03:35 UTC)
Source: AlienVault OTX General

Description

An analysis of Chinese hosting environments reveals over 18,000 active command-and-control (C2) servers distributed across 48 infrastructure providers. C2 infrastructure dominates malicious activity at 84%, followed by phishing at 13%. China Unicom hosts nearly half of all observed C2 servers, with Alibaba Cloud and Tencent following. A small set of malware families, including Mozi, ARL, and Cobalt Strike, accounts for most C2 activity. The infrastructure supports both cybercrime and state-linked operations, with RATs, cryptominers, and APT tooling coexisting. High-trust networks like China169 Backbone and CERNET are actively exploited. This host-centric approach exposes long-running abuse patterns and infrastructure reuse across campaigns, enabling more resilient threat detection and mitigation strategies.

AI-Powered Analysis

Last updated: 01/19/2026, 09:26:18 UTC

Technical Analysis

The threat analysis focuses on a large-scale malware command-and-control (C2) infrastructure embedded within China's hosting ecosystem, comprising over 18,000 active C2 servers distributed among 48 major ISPs and cloud providers. China Unicom is the dominant host, accounting for nearly 50% of these servers, followed by Alibaba Cloud and Tencent. The C2 infrastructure supports a variety of malware families, including Mozi, ARL, and Cobalt Strike, which are known for their use in both cybercriminal activities and state-sponsored advanced persistent threat (APT) campaigns. The infrastructure facilitates multiple malicious operations such as remote access trojans (RATs), cryptomining, and sophisticated APT tooling. Notably, high-trust networks like China169 Backbone and CERNET are exploited, indicating that attackers leverage trusted network segments to enhance resilience and evade detection. The analysis highlights a host-centric approach that reveals long-running abuse patterns and infrastructure reuse, which complicates mitigation efforts but also offers opportunities for improved detection through pattern recognition. Although the CVE-2025-8110 vulnerability is referenced, no known exploits are currently active in the wild. The threat landscape is characterized by a high volume of C2 activity (84%) and significant phishing operations (13%), underscoring the multifaceted nature of the threat. Indicators of compromise include multiple IP addresses linked to these C2 servers. The infrastructure's scale and diversity enable attackers to maintain persistent and resilient control over compromised systems, posing a substantial risk to global networks that interact with or are reachable from these Chinese-hosted servers.

Potential Impact

European organizations face considerable risk from this extensive C2 infrastructure due to potential malware infections that can lead to data breaches, espionage, ransomware deployment, and resource hijacking (e.g., cryptomining). The presence of state-linked APT tooling increases the likelihood of targeted attacks against critical infrastructure, government agencies, and key industries such as finance, telecommunications, and manufacturing. The exploitation of trusted networks in China to host these servers complicates attribution and response, potentially allowing attackers to maintain long-term persistence. Phishing campaigns supported by this infrastructure can facilitate initial access or credential theft, further amplifying risk. The broad distribution of C2 servers and malware families means that European networks with business or data exchange links to China or Chinese cloud providers may be exposed to indirect attacks or supply chain compromises. Additionally, the reuse of infrastructure across campaigns suggests that once an organization is compromised, it may be targeted repeatedly or used as a pivot point for further attacks. The lack of known active exploits for CVE-2025-8110 reduces immediate risk but does not eliminate the threat posed by the underlying infrastructure supporting these operations.

Mitigation Recommendations

European organizations should implement advanced network monitoring to detect and block traffic to the identified malicious IP addresses associated with the Chinese-hosted C2 servers. Deploying threat intelligence feeds that include these indicators will enhance detection capabilities. Network segmentation and strict egress filtering can limit outbound connections to suspicious destinations. Endpoint detection and response (EDR) solutions should be tuned to identify behaviors associated with malware families like Mozi, ARL, and Cobalt Strike, including lateral movement and command execution patterns. Organizations should conduct regular phishing awareness training and simulate phishing attacks to reduce the risk of credential compromise. Collaboration with national cybersecurity centers and information sharing platforms can provide timely updates on emerging threats linked to this infrastructure. Given the exploitation of high-trust networks, organizations should scrutinize inbound traffic from Chinese networks and consider geo-fencing or enhanced inspection for traffic originating from or destined to these regions. Incident response plans must include procedures for handling infections involving these malware families and C2 infrastructures. Finally, organizations should review and harden their supply chain security, especially when engaging with Chinese cloud providers or ISPs, to mitigate indirect exposure.
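The mitigation section asks for network monitoring that flags traffic to the listed C2 addresses and for scrutiny of inbound connections from them. The following added example (not part of the OTX pulse or the hunt.io report) shows one way to do that over firewall or proxy logs: it carries the twelve indicator IPs from this page's IoC table, parses a constructed "timestamp src=... dst=... action=..." line format (an assumption; adapt the regex to your device's format), classifies each match as egress (local host talking to an indicator) or ingress (indicator talking to a local host), and skips malformed lines and invalid addresses rather than crashing on them.

```python
"""Match firewall/proxy log lines against the C2 IP indicators on this page.

Added example, not code from the original pulse. The log layout and the
sample lines below are constructed; only the indicator list comes from the page.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Indicator IPs copied from the page's IoC table (exact-match only: the page
# lists single hosts, not ranges).
C2_INDICATORS = frozenset(ipaddress.ip_address(a) for a in [
    "202.120.234.163", "106.126.3.56", "106.126.3.78", "115.190.200.230",
    "117.72.242.9", "160.202.245.232", "185.245.35.68", "202.120.234.124",
    "23.177.185.39", "43.247.134.215", "45.155.220.44", "58.144.143.27",
])

# Assumed generic connection-log format: "<ts> src=IP:PORT dst=IP:PORT action=WORD".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+action=(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    direction: str   # "egress": local -> indicator, "ingress": indicator -> local
    local_host: str
    indicator: str
    dport: int
    action: str


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields, or None for malformed lines or invalid IPs."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:          # e.g. an octet above 255
        return None
    return {"ts": m["ts"], "src": src, "dst": dst,
            "dport": int(m["dport"]), "action": m["action"]}


def match_indicators(lines, indicators=C2_INDICATORS) -> list:
    """Scan log lines and return one Hit per connection touching an indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"] in indicators:      # outbound beacon: the egress-filtering case
            hits.append(Hit(rec["ts"], "egress", str(rec["src"]), str(rec["dst"]),
                            rec["dport"], rec["action"]))
        elif rec["src"] in indicators:    # inbound probe/scan from an indicator
            hits.append(Hit(rec["ts"], "ingress", str(rec["dst"]), str(rec["src"]),
                            rec["dport"], rec["action"]))
    return hits


def summarize(hits) -> dict:
    """Count hits per direction, e.g. {"egress": 2, "ingress": 1}."""
    return dict(Counter(h.direction for h in hits))


# Constructed sample log: two outbound connections to indicators, one inbound
# connection from an indicator, one clean line, one garbage line, one bad IP.
SAMPLE_LOG = [
    "2026-01-20T08:00:01Z src=10.0.5.23:51234 dst=202.120.234.163:443 action=allow",
    "2026-01-20T08:00:02Z src=10.0.5.23:51235 dst=198.51.100.7:443 action=allow",
    "2026-01-20T08:00:03Z src=45.155.220.44:4444 dst=10.0.7.9:22 action=deny",
    "this line is not a connection record",
    "2026-01-20T08:00:04Z src=10.0.5.23:51236 dst=999.1.1.1:80 action=allow",
    "2026-01-20T08:00:05Z src=10.0.9.4:40001 dst=106.126.3.56:8080 action=allow",
]

if __name__ == "__main__":
    for hit in match_indicators(SAMPLE_LOG):
        print(hit)
    print(summarize(match_indicators(SAMPLE_LOG)))
```

An egress hit whose action is `allow` is the case the recommendations single out: an internal host that was permitted to reach a listed C2 address should be treated as a likely infection and routed into the incident response procedure, while ingress hits mainly confirm that the inbound scrutiny and inspection rules are firing.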


Technical Details

Author: AlienVault
TLP: white
References: https://hunt.io/blog/china-hosting-malware-c2-infrastructure
Adversary: null
Pulse Id: 6968d7975512c0a199a5bc1f
Threat Score: null

Indicators of Compromise

IP

202.120.234.163
106.126.3.56
106.126.3.78
115.190.200.230
117.72.242.9
160.202.245.232
185.245.35.68
202.120.234.124
23.177.185.39
43.247.134.215
45.155.220.44
58.144.143.27

CVE

CVE-2025-8110

Threat ID: 696df551d302b072d9926058

Added to database: 1/19/2026, 9:11:45 AM

Last enriched: 1/19/2026, 9:26:18 AM

Last updated: 2/6/2026, 6:38:53 PM

Views: 77
