In just 90 days, cybersecurity researchers uncovered over 1,250 active command-and-control (C2) servers embedded across Russia’s commercial hosting ecosystem.
This isn’t just another spike in malicious activity—it’s a structural problem.
For CISOs and security teams, this raises a critical concern:
👉 What happens when legitimate hosting providers become a backbone for global cyberattacks?
In this deep dive, we break down:
- How large-scale C2 infrastructure operates
- Why attackers distribute it across providers
- The malware campaigns driving this activity
- Practical steps to reduce exposure
What Are C2 Servers and Why They Matter
A command-and-control (C2) server is the central nervous system of a cyberattack.
Core Functions:
- Sends instructions to infected systems
- Receives stolen data
- Manages botnets and malware campaigns
Without C2 infrastructure, most modern attacks—ransomware, infostealers, botnets—cannot operate effectively.
The Scale of the Threat: 1,250+ C2 Servers
Between January and April 2026:
- 1,250+ active C2 servers identified
- Spread across 165 hosting providers
- Total malicious artifacts observed: ~1,290
Activity Breakdown
| Category | Percentage | Volume |
|---|---|---|
| C2 Servers | 88.6% | 1,252 |
| Open Directories | 5.3% | ~68 |
| Phishing Sites | 4.9% | ~63 |
| Indicators of Compromise | 1.2% | ~15 |
Why Distribution Matters
Instead of centralizing infrastructure, attackers:
- Spread assets across hundreds of providers
- Use shared hosting and VPS environments
- Blend into legitimate traffic patterns
Result:
Blocking becomes harder, takedowns slower, and detection more complex.
Top Hosting Providers by C2 Activity
The data highlights a concentration of activity among key providers:
- TimeWeb — 311 C2 servers
- WebHost1 — 140
- REG.RU — 138
- VDSina — 86
- PROSPERO OOO — 80
Security Insight
Focusing detection and blocking strategies on high-volume providers can significantly reduce attack surface.
Malware Families Powering the Infrastructure
1. Keitaro (Traffic Distribution System)
- 587 C2 IPs
- Redirects victims to malware payloads
- Common in malvertising and phishing chains
2. IoT Botnets: Hajime, Mozi, Mirai
- Exploit vulnerable routers and edge devices
- Maintain persistent, distributed control networks
Risk:
Unmanaged IoT devices become entry points into enterprise environments.
3. Offensive Frameworks Turned Malicious
Legitimate tools repurposed:
- Tactical RMM (87 endpoints)
- Cobalt Strike variants
- Sliver
- Ligolo-ng
Trend:
Attackers increasingly weaponize red-team tools to evade detection.
4. Phishing & Reconnaissance Tools
Detected tools include:
- Acunetix
- Interactsh
- Gophish
These support:
- Credential harvesting
- Vulnerability scanning
- Initial access operations
Real-World Attack Campaigns
ClickFix Campaign (TimeWeb)
- Fake CAPTCHA prompts
- Trick users into executing PowerShell commands
- Deploys Latrodectus malware
SmartApeSG Campaign
- Hosted on compromised infrastructure
- Delivers Remcos RAT
- Uses DLL sideloading for persistence
UAC-0252 Campaign
- Impersonates government entities
- Exploits WinRAR vulnerability (CVE-2025-8088)
- Deploys:
- SHADOWSNIFF
- SALATSTEALER
BoryptGrab Infostealer Operation
- Abuses 100+ GitHub repositories
- Uses SEO manipulation
- Targets developer ecosystems
Lumma Stealer Campaign
- Uses Google Groups redirect chains
- Targets Windows & Linux systems
- Delivers credential-stealing payloads
Why This Infrastructure Is Hard to Stop
1. Legitimate Hosting Abuse
Attackers operate within:
- Commercial hosting providers
- Shared environments
- Trusted ASNs
2. High Distribution
- 165 providers involved
- Constant rotation of IPs
3. Multi-Purpose Infrastructure
Supports:
- Phishing
- Malware delivery
- Data exfiltration
- Botnet control
4. Blending with Normal Traffic
C2 traffic often mimics:
- HTTPS traffic
- API calls
- Cloud service interactions
Common Mistakes Organizations Make
❌ Focusing Only on File-Based Indicators
- Ignoring infrastructure-level signals
❌ Lack of Outbound Traffic Monitoring
- Not inspecting connections to high-risk regions
❌ Ignoring IoT & Edge Devices
- Leaving routers and embedded systems unmonitored
❌ Overlooking Legitimate Tool Abuse
- Trusting tools like Cobalt Strike or RMM platforms blindly
Best Practices to Mitigate C2-Based Threats
1. Monitor Outbound Network Traffic
Focus on:
- Connections to high-risk ASNs
- Repeated beaconing patterns
- Suspicious DNS activity
2. Apply Threat Intelligence at Infrastructure Level
Go beyond hashes:
- Track IP clusters
- Monitor hosting providers
- Use enriched IOC feeds
3. Restrict Script-Based Execution Chains
Block risky patterns like:
- curl → PowerShell
- CAPTCHA-triggered commands
4. Secure IoT and Edge Devices
- Patch firmware regularly
- Segment networks
- Monitor unusual traffic
5. Implement Zero Trust Architecture
- Verify all connections
- Enforce least privilege
- Continuously monitor behavior
6. Enhance Detection Capabilities
Ensure your EDR/XDR can detect:
- Beaconing activity
- Command execution anomalies
- Lateral movement
Frameworks & Standards Alignment
MITRE ATT&CK
| Technique | ID |
|---|---|
| Command and Control | TA0011 |
| Exfiltration | TA0010 |
| Phishing | T1566 |
| Remote Access Tools | T1219 |
NIST Cybersecurity Framework
- Identify: Map infrastructure dependencies
- Detect: Monitor network anomalies
- Respond: Block C2 communications
ISO 27001
- A.13 – Network security
- A.12 – Logging and monitoring
- A.16 – Incident management
Expert Insight: The Bigger Picture
This isn’t just about Russia or specific providers.
It’s about a shift in attacker strategy:
Infrastructure—not malware—is becoming the primary battleground.
Key Implications
- Attackers prioritize resilience over stealth alone
- Distributed infrastructure ensures operational continuity
- Defensive strategies must evolve to focus on network intelligence
FAQs
1. What is a C2 server?
A system used by attackers to control infected devices and manage cyberattacks.
2. Why are C2 servers distributed across providers?
To avoid detection, increase resilience, and prevent single points of failure.
3. How can organizations detect C2 traffic?
By analyzing outbound traffic, DNS patterns, and behavioral anomalies.
4. Are legitimate hosting providers responsible?
Not necessarily—attackers abuse open and scalable infrastructure.
5. Why are IoT botnets still relevant?
They provide large, distributed networks for persistent control and attacks.
Conclusion
The discovery of 1,250+ C2 servers across 165 providers signals a major evolution in cyber threats.
Key Takeaways
- Infrastructure is the new attack surface
- Distribution increases resilience for attackers
- Detection must move beyond endpoints to networks
Organizations that fail to monitor and control outbound communication risk becoming silent participants in global attack chains.
Now is the time to shift your strategy—from reactive detection to proactive infrastructure intelligence.
