Chinese Hackers Control 18,000 Active Servers Across 48 Hosting Providers

Chinese infrastructure is currently hosting more than 18,000 active command‑and‑control (C2) servers across 48 providers, with activity heavily concentrated on a handful of major telecom and cloud networks in China.

This dense clustering of malware, phishing, and APT tooling on shared infrastructure shows why host‑centric telemetry is becoming critical for threat hunting, as indicator‑based approaches fail to capture how attackers repeatedly reuse the same networks at scale.

Chinese C2 Infrastructure At Scale

Recent analysis from Hunt.io identified over 18,000 active C2 servers operating within the Chinese IP space over a three‑month period, mapped to 48 distinct ISPs and hosting providers.

Across this dataset, 21,629 malicious artifacts were recorded, including more than 18,000 C2 servers, 2,837 phishing sites, 528 malicious open directories, and 134 public IOCs.

C2 infrastructure dominates the landscape, accounting for roughly 84% of all observed malicious artifacts, while phishing activity contributes about 13%, and open directories plus public IOCs together make up less than 4%.

This imbalance underscores how Chinese infrastructure is primarily abused for long‑term command‑and‑control and post‑exploitation operations rather than simple lure or hosting activity.

Host Radar functions as a central intelligence layer by aggregating C2 activity, malicious open directories, phishing pages, and IOCs, mapping them to hosting providers and ISPs.

High‑Risk Providers and Malware Families

China Unicom appears as the most critical hotspot, with around 9,000–9,100 C2 servers detected over 90 days, representing nearly half of all observed C2 activity in the dataset.

Alibaba Cloud and Tencent each host approximately 3,300 C2 servers, showing that high‑capacity cloud platforms are systematically leveraged by threat actors for scalable, resilient infrastructure.

A small group of malware families drives most of this abuse, led by Mozi with 9,427 unique C2 IPs, more than half of all C2 endpoints identified in China.

ARL follows with 2,878 C2s, while Cobalt Strike, Vshell, and Mirai account for hundreds more C2 servers each, combining commercial red‑team frameworks with IoT and commodity botnet tooling.

The concentration of C2 nodes in a handful of families shows that infrastructure‑level fingerprints are repeatable and framework‑driven, enabling defenders to track clusters even when individual IPs churn.
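The point made above, that provider- and family-level clusters stay stable while individual IPs churn, can be checked on any host-centric telemetry with a few set operations. The following is an added Python example, not code from Hunt.io or this article; the providers, IPs and two observation windows are constructed.

```python
"""Compare IP-level indicator reuse with provider/family-level cluster persistence."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Artifact:
    ip: str        # observed host (constructed TEST-NET addresses)
    provider: str  # hosting provider / ISP the IP maps to (hypothetical names)
    family: str    # malware family or tooling attributed to the host
    kind: str      # "c2", "phishing", "opendir" or "ioc"


# Constructed telemetry for two consecutive observation windows; not report data.
WINDOW_1 = [
    Artifact("203.0.113.10", "ISP-A", "Mozi", "c2"),
    Artifact("203.0.113.11", "ISP-A", "Mozi", "c2"),
    Artifact("203.0.113.12", "ISP-A", "CobaltStrike", "c2"),
    Artifact("198.51.100.5", "Cloud-B", "Vshell", "c2"),
    Artifact("198.51.100.6", "Cloud-B", "generic", "phishing"),
    Artifact("192.0.2.7", "ISP-C", "Mirai", "c2"),
]
WINDOW_2 = [
    Artifact("203.0.113.10", "ISP-A", "Mozi", "c2"),  # the only IP that survives
    Artifact("203.0.113.20", "ISP-A", "Mozi", "c2"),
    Artifact("203.0.113.21", "ISP-A", "CobaltStrike", "c2"),
    Artifact("198.51.100.50", "Cloud-B", "Vshell", "c2"),
    Artifact("198.51.100.51", "Cloud-B", "generic", "phishing"),
    Artifact("192.0.2.70", "ISP-C", "Mirai", "c2"),
]


def kind_share(records):
    """Percentage of artifacts per kind (the C2 vs. phishing style breakdown)."""
    counts = Counter(a.kind for a in records)
    total = sum(counts.values())
    return {k: round(100 * n / total, 1) for k, n in counts.items()}


def provider_concentration(records, kind="c2"):
    """Per-provider count and share of artifacts of one kind, largest first."""
    counts = Counter(a.provider for a in records if a.kind == kind)
    total = sum(counts.values())
    return [(p, n, round(100 * n / total, 1)) for p, n in counts.most_common()]


def persistence(old, new):
    """Fraction of IPs vs. (provider, family) clusters from `old` still seen in `new`."""
    ips_old, ips_new = {a.ip for a in old}, {a.ip for a in new}
    cl_old = {(a.provider, a.family) for a in old}
    cl_new = {(a.provider, a.family) for a in new}
    return {"ip": len(ips_old & ips_new) / len(ips_old),
            "cluster": len(cl_old & cl_new) / len(cl_old)}
```

On the constructed windows only one in six IPs recurs, yet every (provider, family) cluster recurs, which is the tracking signal the article attributes to host-centric telemetry.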

Concrete campaigns mapped to this infrastructure include Cobalt Strike beacons on major Chinese and regional providers, AsyncRAT and Vshell C2 nodes on commercial networks, and Mirai‑style botnet activity on smaller carriers supporting router and OT targeting.

High‑trust academic and backbone networks, such as CERNET and China Unicom’s China169, have been linked to botnet C2 and large‑scale browser extension abuse, demonstrating how attackers weaponize bandwidth‑rich environments once services are exposed.

China Unicom – Host Radar Detailed View: Per-provider Host Radar breakdown for China Unicom, highlighting high-volume C2 activity and associated malicious artifacts.

The same infrastructure also supports state‑aligned activity, with APT operations like DarkSpectre, Silver Fox, and Gold Eye Dog coexisting alongside cryptominer deployments, phishing frameworks, and commodity RAT campaigns.

This overlap between cybercrime and espionage operations turns Chinese hosting ecosystems into shared staging grounds where different threat actors quietly reuse the same providers, complicating attribution and takedown efforts.
