A sprawling and largely invisible cyber ecosystem has been uncovered across China’s cloud and telecom infrastructure, where more than 18,000 active command-and-control (C2) servers are quietly sustaining global malware operations. The findings highlight how modern cybercrime no longer relies on isolated servers, but on deeply embedded, scalable infrastructure that blends seamlessly into legitimate networks.
A Concentration of Control in Shared Infrastructure
Researchers tracking malicious activity across 48 hosting providers found that control is highly concentrated within a small number of networks. China Unicom alone accounted for nearly half of all detected C2 servers, with around 9,000 active endpoints. Alibaba Cloud and Tencent followed, each hosting roughly 3,300 C2 servers during the analysis period.
The appeal of these environments is clear: rapid deployment, reliable uptime, and massive volumes of legitimate traffic in which malicious activity can hide. For defenders, this creates a challenge similar to auditing a vast financial system without visibility, much like the risk organisations face without disciplined record-keeping frameworks such as bookkeeping services in India, where gaps can allow long-running problems to remain hidden.
Malware Frameworks Reused at Scale
Rather than deploying unique infrastructure for every campaign, attackers repeatedly reuse a small set of proven malware frameworks. The Mozi botnet dominated the landscape, accounting for more than 9,400 unique C2 servers, over half of all detections. Other widely abused frameworks included ARL, Cobalt Strike, VShell, and Mirai.
This heavy reuse indicates operational maturity. When servers are taken down, replacements are spun up quickly using the same tooling, allowing campaigns to persist with minimal disruption.
Cybercrime, Botnets, and Espionage Side by Side
One of the most concerning findings is the convergence of different threat types within the same hosting environments. Phishing campaigns, botnet controllers, commodity malware, and advanced espionage tooling were all observed operating alongside each other.
Command-and-control infrastructure made up roughly 84% of all malicious activity detected, while phishing accounted for about 13%. This overlap makes it increasingly difficult to distinguish between financially motivated cybercrime and state-linked operations based on infrastructure alone.
Why Indicators Alone Fall Short
Traditional defence strategies often focus on blocking individual IP addresses or domains. However, attackers now rotate these surface-level indicators frequently, while the underlying hosting relationships remain stable.
By analysing infrastructure patterns instead of isolated indicators, researchers were able to identify long-running abuse clusters that persist over time. The findings suggest that effective defence requires a shift toward understanding systemic infrastructure misuse, rather than chasing constantly changing technical details.
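The shift the researchers describe, from tracking individual IPs to tracking the hosting relationships behind them, can be made concrete with a small aggregation. The example below is added here and is not code from the report or its authors; the sightings it works on are constructed (RFC 5737 documentation addresses, invented provider names, invented dates), and the cluster key of (provider, framework) is an assumption about how one might group sightings. It shows why an IP blocklist sees only short-lived indicators while the (provider, framework) cluster they belong to persists for weeks and burns through several addresses.

```python
from collections import defaultdict
from datetime import date

# Constructed sample sightings (not taken from the report): one row per C2 server
# observed, with the hosting provider it sat in, the framework fingerprinted on it,
# and the first/last day it answered. Addresses are RFC 5737 documentation ranges.
OBSERVATIONS = [
    # ip,            provider,     framework,       first_seen,        last_seen
    ("203.0.113.10", "provider-a", "Mozi",          date(2024, 1, 3),  date(2024, 1, 9)),
    ("203.0.113.11", "provider-a", "Mozi",          date(2024, 1, 8),  date(2024, 1, 15)),
    ("203.0.113.12", "provider-a", "Mozi",          date(2024, 1, 14), date(2024, 1, 22)),
    ("198.51.100.5", "provider-b", "Cobalt Strike", date(2024, 1, 5),  date(2024, 1, 6)),
    ("198.51.100.6", "provider-b", "Cobalt Strike", date(2024, 1, 20), date(2024, 1, 21)),
    ("192.0.2.7",    "provider-c", "Mirai",         date(2024, 1, 10), date(2024, 1, 12)),
]


def indicator_lifetimes(obs):
    """Days each individual IP stayed live: the view an IP blocklist gives you."""
    return {ip: (last - first).days for ip, _, _, first, last in obs}


def cluster_lifetimes(obs):
    """Collapse sightings onto a (provider, framework) key and measure how long the
    cluster as a whole stayed active and how many distinct IPs it used."""
    spans = {}
    for ip, provider, framework, first, last in obs:
        key = (provider, framework)  # assumed clustering key for this example
        if key not in spans:
            spans[key] = {"first": first, "last": last, "ips": set()}
        spans[key]["first"] = min(spans[key]["first"], first)
        spans[key]["last"] = max(spans[key]["last"], last)
        spans[key]["ips"].add(ip)
    return {
        key: {"span_days": (v["last"] - v["first"]).days, "ip_count": len(v["ips"])}
        for key, v in spans.items()
    }


def provider_share(obs):
    """Fraction of all observed C2 servers hosted by each provider."""
    counts = defaultdict(int)
    for _, provider, _, _, _ in obs:
        counts[provider] += 1
    total = sum(counts.values())
    return {provider: n / total for provider, n in counts.items()}


def long_running_clusters(obs, min_days, min_ips):
    """Clusters that outlive any single indicator: the abuse pattern worth tracking."""
    return sorted(
        key
        for key, v in cluster_lifetimes(obs).items()
        if v["span_days"] >= min_days and v["ip_count"] >= min_ips
    )


if __name__ == "__main__":
    lifetimes = indicator_lifetimes(OBSERVATIONS)
    print("longest-lived single IP (days):", max(lifetimes.values()))
    for key, v in cluster_lifetimes(OBSERVATIONS).items():
        print(key, "active for", v["span_days"], "days across", v["ip_count"], "IPs")
    print("share per provider:", provider_share(OBSERVATIONS))
    print("clusters worth tracking:", long_running_clusters(OBSERVATIONS, 14, 2))
```

On the sample data no single IP lives longer than 8 days, yet the provider-a/Mozi cluster is active for 19 days across three addresses, which is the kind of stable relationship a defender can act on (escalating to the provider, alerting on new hosts in the same cluster) long after the individual IPs have rotated out.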