
This widespread abuse highlights a serious issue: malicious infrastructure can hide within trusted networks and cloud services.
Traditional threat-hunting methods that focus on individual IP addresses or domain names often miss the broader picture because attackers continually change these indicators to evade detection.
The research reveals that these C2 servers account for approximately 84 percent of all malicious activity observed in Chinese hosting environments during the three-month analysis period.

Dominant Hosting Providers Targeted by Threat Actors
China Unicom emerged as the largest host of malicious infrastructure, accounting for nearly half of all observed C2 servers with approximately 9,000 detections.
Alibaba Cloud and Tencent each hosted around 3,300 C2 servers, showing that major cloud platforms are heavily targeted by threat actors who value their rapid provisioning and high availability.
These three providers alone represent the majority of detected malicious command-and-control infrastructure within China.
Hunt.io analysts identified this extensive infrastructure network using their Host Radar platform, which combines C2 detection, phishing identification, open directory scanning, and indicator extraction into a single intelligence system.
Rather than treating each malicious artifact in isolation, the platform maps these threats back to the hosting providers and network operators on which they reside.
This approach reveals persistent patterns of abuse even when individual IP addresses change frequently.
Phishing infrastructure accounts for around 13 percent of malicious activity, while malicious open directories and public indicators of compromise together represent less than 4 percent of detected threats.
This demonstrates that command-and-control operations dominate the threat landscape, with attackers preferring stable infrastructure that can coordinate ongoing campaigns across multiple targets.
The malware families operating through this infrastructure show clear patterns of repeated framework abuse.
The Mozi botnet dominates, with 9,427 unique C2 IP addresses, accounting for more than half of all observed command-and-control activity.
The ARL framework reports 2,878 C2 endpoints, indicating extensive misuse of post-exploitation and red-team tooling for malicious purposes.
Cobalt Strike appears with 1,204 detections, while Vshell and Mirai round out the top five with 830 and 703 C2 servers, respectively.

This concentration enables defenders to focus monitoring efforts on shared infrastructure patterns rather than on individual malware variants that continually evolve.
The data shows that cybercrime operations, botnet infrastructure, and state-linked espionage tools coexist within the same hosting environments.
Campaigns ranging from commodity remote access trojans to sophisticated APT operations leverage these providers, creating a complex threat ecosystem in which traditional indicator-based defenses struggle to remain effective.
Organizations must adopt infrastructure-focused detection strategies to effectively combat this persistent threat.
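The provider-level view described above (mapping each detection back to the network it lives in rather than tracking IPs one by one) is straightforward to reproduce on your own telemetry. The following is an added example, not Hunt.io's Host Radar code; the netblock table, provider names and detections are all constructed placeholders, and a real pipeline would enrich from ASN or WHOIS data instead:

```python
from collections import Counter, defaultdict
import ipaddress

# Constructed, hypothetical netblock-to-provider table (placeholder values,
# not from the article or Hunt.io). Real enrichment would use ASN/WHOIS data.
NETBLOCKS = [
    ("203.0.113.0/24", "ProviderA"),
    ("198.51.100.0/25", "ProviderB"),
    ("198.51.100.128/25", "ProviderC"),
    ("192.0.2.0/24", "ProviderA"),
]

# Constructed sample detections: (ip, category, malware family).
DETECTIONS = [
    ("203.0.113.10", "c2", "Mozi"),
    ("203.0.113.11", "c2", "Mozi"),
    ("203.0.113.12", "c2", "CobaltStrike"),
    ("198.51.100.5", "c2", "ARL"),
    ("198.51.100.200", "phishing", "-"),
    ("192.0.2.77", "c2", "Mirai"),
    ("192.0.2.78", "open_directory", "-"),
    ("198.18.0.1", "c2", "Unknown"),  # not in the table: stays unattributed
]

# Most specific prefixes first so the scan below is a longest-prefix match.
_NETS = sorted(((ipaddress.ip_network(p), name) for p, name in NETBLOCKS),
               key=lambda t: t[0].prefixlen, reverse=True)

def provider_for(ip):
    """Longest-prefix match of an IP against the netblock table."""
    addr = ipaddress.ip_address(ip)
    for net, name in _NETS:
        if addr in net:
            return name
    return "unattributed"

def aggregate(detections):
    """Group C2 detections by hosting provider instead of by individual IP.
    Returns (c2 count per provider, percent share per category,
    set of families seen per provider)."""
    per_provider, per_category, families = Counter(), Counter(), defaultdict(set)
    for ip, category, family in detections:
        prov = provider_for(ip)
        per_category[category] += 1
        if category == "c2":
            per_provider[prov] += 1
            families[prov].add(family)
    total = sum(per_category.values())
    share = {cat: round(100 * n / total, 1) for cat, n in per_category.items()}
    return per_provider, share, families
```

Ranking `per_provider` and watching which families recur under the same provider is what surfaces the persistent pattern even as the individual addresses rotate.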
The post Chinese Threat Actors Operated 18,000 Active C2 Servers Across Global Hosting Providers appeared first on Cyber Security News.
