China Unicom, Major Clouds Linked to Bulk of Detected C2 Server Activity

Report Details Scale Of Malware Infrastructure Embedded In Chinese Hosting, Over 18,000 Active C2 Servers Detected

The420 Web Desk

Across China’s vast cloud and telecommunications networks, a dense web of command-and-control servers has quietly taken shape. New data shows how a small number of hosting providers and malware frameworks now underpin the bulk of observed malicious activity, blurring the lines between cybercrime, botnets, and state-linked operations.

A Concentration of Control in Shared Infrastructure

Over a three-month analysis period, researchers identified more than 18,000 active command-and-control (C2) servers operating across 48 different hosting providers within China. While the number of providers suggests diversity, the activity itself is highly concentrated: a small cluster of networks accounts for the majority of detections, creating what analysts describe as a shared infrastructure layer used by a wide range of threat actors.

China Unicom emerged as the single largest host of malicious infrastructure, accounting for nearly half of all observed C2 servers, with approximately 9,000 detections. Two major cloud platforms, Alibaba Cloud and Tencent, followed, each hosting roughly 3,300 C2 servers. Together, these three providers accounted for the large majority of detected command-and-control activity during the analysis period.


Researchers noted that attackers appear drawn to these environments for practical reasons: rapid provisioning, high availability, and the ability to blend malicious traffic into otherwise legitimate cloud and telecom networks.

Malware Frameworks Reused at Scale

The data also points to a striking reuse of a small number of malware families and frameworks. The Mozi botnet dominated observed activity, with 9,427 unique C2 IP addresses—more than half of all detected command-and-control infrastructure. Other widely observed frameworks included the ARL framework, with 2,878 C2 endpoints, alongside tools associated with Cobalt Strike, VShell, and Mirai.

Cobalt Strike alone accounted for 1,204 detections, while VShell and Mirai rounded out the top five with 830 and 703 C2 servers, respectively. Researchers described this as evidence of repeated framework abuse, where tools originally designed for testing or specific attack types are repurposed across criminal and espionage campaigns alike.

Rather than deploying bespoke infrastructure for each operation, attackers appear to rely on stable, reusable frameworks that can be rapidly reconfigured as individual servers are taken down or rotated.

Cybercrime, Botnets, and Espionage Side by Side

Within these hosting environments, different categories of malicious activity coexist. Commodity remote-access trojans, phishing operations, botnet controllers, and more sophisticated advanced persistent threat (APT) tooling were all observed operating within the same provider networks.

Phishing infrastructure accounted for roughly 13 percent of detected threats, while malicious open directories and publicly exposed indicators of compromise together made up less than 4 percent. By contrast, command-and-control operations dominated the landscape, representing approximately 84 percent of all malicious activity observed during the study period.

This overlap complicates efforts to neatly separate cybercrime from state-linked espionage, as the same infrastructure can support financially motivated scams, large-scale botnets, and intelligence-gathering campaigns simultaneously.

Why Indicators Alone Fall Short

Traditional threat-hunting methods often focus on individual IP addresses or domain names. The findings suggest why that approach struggles to keep pace. Attackers frequently change surface-level indicators, while the underlying hosting relationships and infrastructure patterns remain intact.

By mapping malicious artifacts back to hosting providers and network operators, analysts were able to identify long-running abuse patterns that persist even as specific servers shift. The result is a picture of a threat ecosystem less defined by individual malware samples than by the durable infrastructure that sustains them.
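The attribution step described above, mapping each C2 IP back to its network operator and then looking for patterns that survive indicator rotation, can be reduced to a short script. The following is an added example written for this article, not code from the researchers or the report. The prefix-to-operator table and the two-week indicator feed are constructed sample data using RFC 5737 documentation ranges and hypothetical operator labels; the hypothetical frameworks and IPs are chosen so that week 2 shares no IP with week 1. It goes a little beyond the text by also flagging (operator, framework) pairs that persist across weeks, which is the kind of durable signal the article argues indicator lists miss.

```python
"""Attribute C2 indicators to network operators and find durable patterns.

Added example for illustration only. PREFIX_TABLE and INDICATORS are
CONSTRUCTED: documentation address ranges with made-up operator names.
They do not describe any real provider's allocations or the report's data.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed prefix-to-operator table (hypothetical allocations).
# The /25 inside OperatorB's /24 models a reseller sub-allocation and
# exercises longest-prefix matching.
PREFIX_TABLE = [
    (ip_network("203.0.113.0/24"), "OperatorA-Telecom"),
    (ip_network("198.51.100.0/24"), "OperatorB-Cloud"),
    (ip_network("198.51.100.128/25"), "OperatorB-Cloud-Reseller"),
    (ip_network("192.0.2.0/24"), "OperatorC-Cloud"),
]

# Constructed indicator feed: (week, C2 IP, framework label).
# Week 2 reuses none of week 1's IPs, modelling server rotation.
INDICATORS = [
    (1, "203.0.113.10", "Mozi"),
    (1, "203.0.113.11", "Mozi"),
    (1, "203.0.113.12", "CobaltStrike"),
    (1, "198.51.100.20", "ARL"),
    (1, "198.51.100.200", "VShell"),
    (1, "192.0.2.30", "Mirai"),
    (2, "203.0.113.40", "Mozi"),
    (2, "203.0.113.41", "Mozi"),
    (2, "203.0.113.42", "CobaltStrike"),
    (2, "198.51.100.50", "ARL"),
    (2, "198.51.100.210", "VShell"),
    (2, "192.0.2.60", "Mirai"),
]


def lookup_operator(ip: str) -> str:
    """Longest-prefix match of an IP against PREFIX_TABLE ("unknown" if none)."""
    addr = ip_address(ip)
    best = None
    for net, operator in PREFIX_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, operator)
    return best[1] if best else "unknown"


def ip_overlap(indicators, week_a: int, week_b: int) -> float:
    """Jaccard overlap of the raw IP sets for two weeks (0.0 = full rotation)."""
    a = {ip for w, ip, _ in indicators if w == week_a}
    b = {ip for w, ip, _ in indicators if w == week_b}
    return len(a & b) / len(a | b) if (a | b) else 0.0


def operator_share(indicators, week: int) -> dict:
    """Fraction of a week's C2 detections attributed to each operator."""
    counts = Counter(lookup_operator(ip) for w, ip, _ in indicators if w == week)
    total = sum(counts.values())
    return {op: n / total for op, n in counts.items()}


def persistent_pairs(indicators, min_weeks: int) -> set:
    """(operator, framework) pairs observed in at least min_weeks distinct weeks."""
    weeks_seen = defaultdict(set)
    for w, ip, framework in indicators:
        weeks_seen[(lookup_operator(ip), framework)].add(w)
    return {pair for pair, ws in weeks_seen.items() if len(ws) >= min_weeks}


if __name__ == "__main__":
    # Raw IP lists look completely new each week ...
    print("IP overlap week1/week2:", ip_overlap(INDICATORS, 1, 2))
    # ... while the operator-level distribution is unchanged.
    for week in (1, 2):
        print(f"week {week} operator share:", operator_share(INDICATORS, week))
    print("persistent operator/framework pairs:",
          sorted(persistent_pairs(INDICATORS, 2)))
```

In a real pipeline the constructed table would be replaced by an ASN or WHOIS lookup source and the feed by the detection system's output; the aggregation and persistence logic stay the same. The point the output makes is the article's: a week-over-week IP overlap of zero would look like an entirely new threat landscape to an indicator-only hunt, yet every operator's share and every operator/framework pairing is identical in both weeks.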
