Inside China's Hosting Ecosystem: 18,000+ Malware C2 Servers Mapped Across Major ISPs
Summary:
A recent analysis of China’s hosting ecosystem reveals a massive consolidation of malicious infrastructure, with over 18,000 active C2 servers identified across 48 Chinese service providers in a three-month window ending January 2026. Approximately 84% of detected malicious artifacts were C2 servers, with China Unicom hosting nearly half (over 9,100) of these nodes, followed by Alibaba Cloud and Tencent. The threat landscape is dominated by the Mozi IoT botnet, which accounts for over 50% of the activity, though APT actors and commodity malware operators also heavily leverage this high-bandwidth infrastructure. Notable APT activity includes BRONZE HIGHLAND (Evasive Panda) utilizing infrastructure in Quanzhou for MgBot deployment, Gold Eye Dog (APT-Q-27) exploiting legitimate cloud services like AWS S3 in conjunction with Tencent hosting to deliver certificate-signed backdoors, and Silver Fox targeting Indian entities with Valley RAT. Technical vectors observed range from the exploitation of the React2Shell vulnerability and a Gogs zero-day (CVE-2025-8110) to deploy Supershell C2, to the widespread use of Cobalt Strike and Viper frameworks for post-exploitation activity.
Security Officer Comments:
This concentration of state-linked espionage, such as the DarkSpectre campaign on the China169 Backbone, alongside automated cybercrime on major cloud providers, highlights that high-trust networks are routinely co-opted for global operations. This sheltering dynamic complicates attribution and remediation, as malicious C2 nodes are co-located with legitimate business traffic on some of the world's largest backbones. China Unicom is the primary engine of this ecosystem, hosting nearly 50% of all observed C2 servers. Alibaba Cloud and Tencent are the preferred platforms for phishing infrastructure and short-lived attack staging. Tencent’s footprint is particularly diverse, hosting a high volume of open directories and phishing sites.
The compromise of CERNET (China Education and Research Network Center) by botnets like RondoDox and React2Shell exploiters highlights that attackers are taking advantage of academic networks to blend in with trusted traffic and bypass organizations’ filters that block traffic from known abused China-based commercial giants (China Unicom) or bulletproof service providers (Cat Technologies Co. Limited). The resilience of a multi-cloud approach is demonstrated by APT-Q-27's combination of domestic Tencent hosting and legitimate AWS S3 buckets to deliver certificate-signed backdoors. IOC-based blocking (individual IPs) is ineffective due to the sheer volume and rotation of assets within these ASNs. Intelligence teams must profile the infrastructure providers and specific subnets utilized by these actors and prioritize detecting the C2 communication protocols of the Mozi, Cobalt Strike, and Viper frameworks.
Suggested Corrections:
Network Filtering and Analysis
- ASN Blocking/Risk Scoring: Block or heavily scrutinize traffic to/from China Unicom (ASN 4837, 4808), China Telecom (ASN 4134), Tencent, and Alibaba Cloud. Treat traffic from Chinese academic networks (CERNET) with equal suspicion due to high abuse rates.
- Protocol Hardening: Block outbound SSH (port 22) from web/DMZ servers to stop Supershell C2 and reverse tunnels. Block outbound connections to cryptomining stratum ports (used by miners such as XMRig) to limit the impact of React2Shell exploitation.
- C2 Detection: Tune IDS/IPS and JARM signatures to detect Cobalt Strike and Viper framework beacons, focusing on unencrypted/malleable C2 patterns rather than just IP reputation.
- Patch CVE-2025-8110 (Gogs): Immediately patch or isolate Gogs Git instances to prevent automated RCE and C2 deployment.
- Hardening Web Assets: Tune WAFs to block command injection attempts (targeting React2Shell) and restrict external access to IoT management interfaces to thwart Mozi/Mirai botnets.
- Extension & Binary Auditing: Audit and restrict browser extensions to block DarkSpectre spyware. Monitor for binaries—even validly signed ones—connecting to public cloud storage (AWS S3, Tencent), a tactic of Gold Eye Dog (APT-Q-27).
- Malware Behavioral Rules: Implement detection for lateral movement and persistence mechanisms (scheduled tasks, registry keys) associated with Valley RAT, MgBot, and AsyncRAT.
- Infrastructure Pivoting: Hunt for long-duration connections to Chinese hosting providers (including Wowrack, Hubei Feixun, Beijing Volcano Engine) that deviate from business hours.
- Phishing Awareness: Flag SMS and email lures featuring "Income Tax" or "Traffic Fine" themes (specifically targeting Indian demographics), utilized by Silver Fox and other groups.
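The ASN risk-scoring and off-hours long-connection hunting items above can be combined into one triage pass over flow records. The following is an added example, not code from the hunt.io report; the prefix-to-ASN table (RFC 5737 documentation prefixes), the flow records, the business-hours window and the one-hour "long-duration" threshold are all constructed assumptions, and in production the ASN lookup would come from an IP-to-ASN feed and the flows from a NetFlow or firewall export.

```python
# Added example (not the hunt.io report's code): risk-score outbound flows by
# destination ASN and flag long-lived off-hours sessions. The prefix->ASN table
# and the flow records are constructed; in production the lookup would use an
# IP-to-ASN feed and the flows a NetFlow/firewall export.
import ipaddress
from datetime import datetime

# ASNs named in the brief's "ASN Blocking/Risk Scoring" item.
HIGH_RISK_ASNS = {4837: "China Unicom", 4808: "China Unicom", 4134: "China Telecom"}
# Constructed mapping on RFC 5737 documentation prefixes; these are NOT real routes.
PREFIX_TO_ASN = {
    ipaddress.ip_network("198.51.100.0/24"): 4837,
    ipaddress.ip_network("203.0.113.0/24"): 4134,
    ipaddress.ip_network("192.0.2.0/24"): 64512,  # private ASN standing in for a benign provider
}
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time (assumption)
LONG_SESSION_SECONDS = 3600    # threshold for "long-duration" (assumption)

def lookup_asn(ip):
    """Return the ASN for ip from the constructed table, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    return next((asn for net, asn in PREFIX_TO_ASN.items() if addr in net), None)

def score_flow(flow):
    """Return (score, reasons) for a flow dict with ts, src, dst, dport, duration."""
    score, reasons = 0, []
    asn = lookup_asn(flow["dst"])
    if asn in HIGH_RISK_ASNS:
        score += 50
        reasons.append(f"dst in AS{asn} ({HIGH_RISK_ASNS[asn]})")
    if flow["dport"] == 22:  # outbound SSH from servers: Supershell / reverse-tunnel concern
        score += 20
        reasons.append("outbound SSH from internal host")
    hour = datetime.fromisoformat(flow["ts"]).hour
    if flow["duration"] >= LONG_SESSION_SECONDS and hour not in BUSINESS_HOURS:
        score += 30
        reasons.append("long-lived session outside business hours")
    return score, reasons

def triage(flows, threshold=50):
    """Return (score, reasons, flow) for flows at or above threshold, highest first."""
    hits = [(*score_flow(f), f) for f in flows]
    return sorted((h for h in hits if h[0] >= threshold), key=lambda h: -h[0])

# Constructed sample flows (ISO-8601 local timestamps, durations in seconds).
SAMPLE_FLOWS = [
    {"ts": "2026-01-14T02:15:00", "src": "10.0.5.21", "dst": "198.51.100.77", "dport": 443, "duration": 7200},
    {"ts": "2026-01-14T11:05:00", "src": "10.0.5.30", "dst": "192.0.2.10", "dport": 443, "duration": 40},
    {"ts": "2026-01-14T23:40:00", "src": "10.0.9.4", "dst": "203.0.113.5", "dport": 22, "duration": 5400},
]
```

Running `triage(SAMPLE_FLOWS)` surfaces the two flows to the high-risk ASNs (the off-hours SSH session first) and drops the short daytime flow to the benign provider; the scoring weights are a starting point to tune against your own traffic baseline.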
https://hunt.io/blog/china-hosting-malware-c2-infrastructure