Inside China's Hosting Ecosystem: 18,000+ Malware C2 Servers Mapped Across Major ISPs
An extensive analysis reveals over 18,000 active malware command-and-control (C2) servers hosted across 48 Chinese infrastructure providers, with China Unicom alone hosting nearly half. These C2 servers predominantly support malware families such as Mozi, ARL, and Cobalt Strike, facilitating both cybercrime and state-linked operations including RATs, cryptominers, and APT tools. High-trust Chinese networks like China169 Backbone and CERNET are exploited, indicating sophisticated infrastructure abuse. Although no known exploits are currently in the wild for CVE-2025-8110, the widespread presence of this infrastructure poses significant risks globally. European organizations could be targeted via these C2 servers, especially through malware that relies on this infrastructure. Mitigation requires enhanced network monitoring for traffic to known malicious IPs, blocking suspicious outbound connections, and collaboration with threat intelligence providers. Countries with strong trade and technological ties to China, and those with significant cloud and ISP usage overlapping with these providers, are at higher risk. Given the broad impact on confidentiality, integrity, and availability, ease of exploitation via these C2 servers, and no authentication needed for victim compromise, this threat is assessed as high severity.
AI Analysis
Technical Summary
The threat analysis focuses on a large-scale malware command-and-control (C2) infrastructure embedded within China's hosting ecosystem, comprising over 18,000 active C2 servers distributed among 48 major ISPs and cloud providers. China Unicom is the dominant host, accounting for nearly 50% of these servers, followed by Alibaba Cloud and Tencent. The C2 infrastructure supports a variety of malware families, including Mozi, ARL, and Cobalt Strike, which are known for their use in both cybercriminal activities and state-sponsored advanced persistent threat (APT) campaigns. The infrastructure facilitates multiple malicious operations such as remote access trojans (RATs), cryptomining, and sophisticated APT tooling. Notably, high-trust networks like China169 Backbone and CERNET are exploited, indicating that attackers leverage trusted network segments to enhance resilience and evade detection. The analysis highlights a host-centric approach that reveals long-running abuse patterns and infrastructure reuse, which complicates mitigation efforts but also offers opportunities for improved detection through pattern recognition. Although the CVE-2025-8110 vulnerability is referenced, no known exploits are currently active in the wild. The threat landscape is characterized by a high volume of C2 activity (84%) and significant phishing operations (13%), underscoring the multifaceted nature of the threat. Indicators of compromise include multiple IP addresses linked to these C2 servers. The infrastructure's scale and diversity enable attackers to maintain persistent and resilient control over compromised systems, posing a substantial risk to global networks that interact with or are reachable from these Chinese-hosted servers.
Potential Impact
European organizations face considerable risk from this extensive C2 infrastructure due to potential malware infections that can lead to data breaches, espionage, ransomware deployment, and resource hijacking (e.g., cryptomining). The presence of state-linked APT tooling increases the likelihood of targeted attacks against critical infrastructure, government agencies, and key industries such as finance, telecommunications, and manufacturing. The exploitation of trusted networks in China to host these servers complicates attribution and response, potentially allowing attackers to maintain long-term persistence. Phishing campaigns supported by this infrastructure can facilitate initial access or credential theft, further amplifying risk. The broad distribution of C2 servers and malware families means that European networks with business or data exchange links to China or Chinese cloud providers may be exposed to indirect attacks or supply chain compromises. Additionally, the reuse of infrastructure across campaigns suggests that once an organization is compromised, it may be targeted repeatedly or used as a pivot point for further attacks. The lack of known active exploits for CVE-2025-8110 reduces immediate risk but does not eliminate the threat posed by the underlying infrastructure supporting these operations.
Mitigation Recommendations
European organizations should implement advanced network monitoring to detect and block traffic to the identified malicious IP addresses associated with the Chinese-hosted C2 servers. Deploying threat intelligence feeds that include these indicators will enhance detection capabilities. Network segmentation and strict egress filtering can limit outbound connections to suspicious destinations. Endpoint detection and response (EDR) solutions should be tuned to identify behaviors associated with malware families like Mozi, ARL, and Cobalt Strike, including lateral movement and command execution patterns. Organizations should conduct regular phishing awareness training and simulate phishing attacks to reduce the risk of credential compromise. Collaboration with national cybersecurity centers and information sharing platforms can provide timely updates on emerging threats linked to this infrastructure. Given the exploitation of high-trust networks, organizations should scrutinize inbound traffic from Chinese networks and consider geo-fencing or enhanced inspection for traffic originating from or destined to these regions. Incident response plans must include procedures for handling infections involving these malware families and C2 infrastructures. Finally, organizations should review and harden their supply chain security, especially when engaging with Chinese cloud providers or ISPs, to mitigate indirect exposure.
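The egress-monitoring recommendation above, as an added example that is not part of the original report: it parses constructed firewall-style flow lines, flags outbound connections from internal hosts to an indicator set and inbound connections from indicator addresses, and groups hits by internal host for triage. The indicator set uses RFC 5737 documentation addresses as placeholders; the pulse's own IP indicators would be substituted in practice.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder indicator set (RFC 5737 documentation ranges).
# Replace with the IP indicators from the referenced pulse before use.
C2_INDICATORS = {"192.0.2.44", "198.51.100.7", "203.0.113.9"}

# Constructed firewall-style log lines (key=value fields, one flow per line).
SAMPLE_LOG = """\
2026-01-19T09:11:45Z src=10.0.4.15 dst=93.184.216.34 dport=443 action=allow
2026-01-19T09:12:02Z src=10.0.4.15 dst=198.51.100.7 dport=443 action=allow
2026-01-19T09:12:33Z src=10.0.9.2 dst=192.0.2.44 dport=8080 action=allow
2026-01-19T09:13:10Z src=10.0.9.2 dst=198.51.100.7 dport=4444 action=allow
2026-01-19T09:14:01Z src=203.0.113.9 dst=10.0.0.5 dport=22 action=deny
malformed line without fields
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of a line, or None if src/dst are missing or invalid."""
    fields = dict(FIELD_RE.findall(line))
    try:
        ipaddress.ip_address(fields["src"])
        ipaddress.ip_address(fields["dst"])
    except (KeyError, ValueError):
        return None
    return fields


def match_indicators(log_text, indicators):
    """Return (direction, internal_host, indicator, dport) for each flow touching an indicator."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue  # skip lines that cannot be parsed rather than silently mis-scoring them
        if f["dst"] in indicators and ipaddress.ip_address(f["src"]).is_private:
            hits.append(("outbound", f["src"], f["dst"], f.get("dport")))
        elif f["src"] in indicators:
            hits.append(("inbound", f["dst"], f["src"], f.get("dport")))
    return hits


def hosts_to_triage(hits):
    """Map each internal host to the set of indicators it exchanged traffic with."""
    by_host = defaultdict(set)
    for _, host, indicator, _ in hits:
        by_host[host].add(indicator)
    return dict(by_host)
```

A host that contacts several distinct indicators, or the same one on a non-standard port, is a stronger candidate for isolation and forensic review than a single allowed flow.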
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Finland
Indicators of Compromise
- cve: CVE-2025-8110
Technical Details
- Author: AlienVault
- TLP: white
- References: https://hunt.io/blog/china-hosting-malware-c2-infrastructure
- Adversary: null
- Pulse Id: 6968d7975512c0a199a5bc1f
- Threat Score: null
Threat ID: 696df551d302b072d9926058
Added to database: 1/19/2026, 9:11:45 AM
Last enriched: 1/19/2026, 9:26:18 AM
Last updated: 1/19/2026, 11:24:00 AM