{
  "name": "Inside China's Hosting Ecosystem: 18,000+ Malware C2 Servers Mapped Across Major ISPs",
  "slug": "inside-chinas-hosting-ecosystem-18000-malware-c2-servers-mapped-across-major-isps",
  "description": "An analysis of Chinese hosting environments reveals over 18,000 active command-and-control (C2) servers distributed across 48 infrastructure providers. C2 infrastructure dominates malicious activity at 84%, followed by phishing at 13%. China Unicom hosts nearly half of all observed C2 servers, with Alibaba Cloud and Tencent following. A small set of malware families, including Mozi, ARL, and Cobalt Strike, accounts for most C2 activity. The infrastructure supports both cybercrime and state-linked operations, with RATs, cryptominers, and APT tooling coexisting. High-trust networks like China169 Backbone and CERNET are actively exploited. This host-centric approach exposes long-running abuse patterns and infrastructure reuse across campaigns, enabling more resilient threat detection and mitigation strategies.",
  "published": "2026-01-15T11:03:35+00:00",
  "created_at": "2026-01-15T11:03:35+00:00",
  "modified_at": "2026-01-19T08:29:00+00:00",
  "created_at_opencti": "2026-01-15T11:03:35+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-01-15",
    "CVE-2025-8110",
    "apt",
    "arl",
    "asyncrat",
    "china",
    "cloud providers",
    "cobalt strike",
    "command and control",
    "cybercrime",
    "infrastructure",
    "isps",
    "l3mon",
    "malware",
    "mgbot",
    "mirai",
    "mozi",
    "nanocore",
    "rondodox",
    "supershell",
    "valley rat",
    "vshell",
    "xmrig"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "185.245.35.68"
      },
      {
        "id": "",
        "name": "58.144.143.27"
      },
      {
        "id": "",
        "name": "115.190.200.230"
      },
      {
        "id": "",
        "name": "106.126.3.78"
      },
      {
        "id": "",
        "name": "45.155.220.44"
      },
      {
        "id": "",
        "name": "160.202.245.232"
      },
      {
        "id": "",
        "name": "23.177.185.39"
      },
      {
        "id": "",
        "name": "117.72.242.9"
      },
      {
        "id": "",
        "name": "202.120.234.124"
      },
      {
        "id": "",
        "name": "43.247.134.215"
      },
      {
        "id": "",
        "name": "202.120.234.163"
      },
      {
        "id": "",
        "name": "106.126.3.56"
      }
    ],
    "malware": [
      {
        "id": "a8cd08c4-1042-43fa-9930-edc1c382e51e",
        "name": "Valley RAT",
        "slug": "valley-rat"
      },
      {
        "id": "5fdcf97f-0489-477b-a5df-c662e5fc5579",
        "name": "Mirai",
        "slug": "mirai"
      },
      {
        "id": "legacy:malware:a7e1a2d6a1cfd5a9",
        "name": "RondoDox",
        "slug": "rondodox"
      },
      {
        "id": "legacy:malware:92904e2c306fc6ca",
        "name": "NanoCore - S0336",
        "slug": "nanocore-s0336"
      },
      {
        "id": "legacy:malware:fda7587f7b718c48",
        "name": "Starloader - S0188",
        "slug": "starloader-s0188"
      },
      {
        "id": "ab138766-9b64-4880-87fb-1942a709d778",
        "name": "Cobalt Strike - S0154",
        "slug": "cobalt-strike-s0154"
      },
      {
        "id": "f200fb60-5446-493f-9712-9f26d65956cc",
        "name": "AsyncRAT",
        "slug": "asyncrat"
      },
      {
        "id": "legacy:malware:12633bc6a577fa0b",
        "name": "Mozi",
        "slug": "mozi"
      },
      {
        "id": "legacy:malware:f578e033046d5f35",
        "name": "Supershell",
        "slug": "supershell"
      },
      {
        "id": "legacy:malware:cfc85126b5c9f95a",
        "name": "MgBot",
        "slug": "mgbot"
      },
      {
        "id": "legacy:malware:0ebfbc61f8774ca4",
        "name": "L3MON",
        "slug": "l3mon"
      },
      {
        "id": "legacy:malware:f5ad0dfc2e127b74",
        "name": "Vshell",
        "slug": "vshell"
      },
      {
        "id": "legacy:malware:83adebc6ef4eb478",
        "name": "XMRig",
        "slug": "xmrig"
      }
    ],
    "attack_patterns": [
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "c12e0e03-aab0-4646-a929-e921a3d27f02",
        "name": "T1219"
      },
      {
        "id": "b9eab970-53dd-4977-9a26-c4fe566e422d",
        "name": "T1133"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2025-8110"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "India"
      },
      {
        "id": "",
        "name": "British Indian Ocean Territory"
      },
      {
        "id": "",
        "name": "China"
      },
      {
        "id": "",
        "name": "Finance"
      },
      {
        "id": "",
        "name": "Education"
      },
      {
        "id": "",
        "name": "Telecommunications"
      },
      {
        "id": "",
        "name": "Government and administrations"
      },
      {
        "id": "",
        "name": "Technologies"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/6968d7975512c0a199a5bc1f",
    "https://hunt.io/blog/china-hosting-malware-c2-infrastructure"
  ]
}