The State of Cybercrime: How C2 Servers Fuel the Global Threat
Experts at Censys have released their State of the Internet 2025 report, focusing on the infrastructure of cybercriminals—specifically Command-and-Control (C2) servers and other tools used to coordinate attacks and maintain access to compromised systems.
C2 servers function as centralized hubs, enabling remote control over infected machines, the delivery of commands, data collection, and sustained communication within botnets. Researchers also highlight the growing exploitation of compromised home routers and office networking devices as traffic proxies, a tactic that allows groups such as Volt Typhoon to better disguise their operations.
Over the six-month period from December 2024 to May 2025, Censys observed an average of 2,906 active malware instances at each data point. The peak occurred in mid-December, followed by a 14% decline in January, driven primarily by reduced Cobalt Strike activity in China. Originally created as a penetration-testing framework, Cobalt Strike has, over the past decade, become one of the most pervasive attack kits, offering not only C2 capabilities but also a broad arsenal of post-exploitation functions. Despite a series of international takedown operations, Cobalt Strike remains dominant, accounting for 34% of all detected C2 infrastructure.
Closely following are Viper and Sliver, responsible for 15% and 13% respectively. Both are openly available projects that serve as free alternatives to the commercial Cobalt Strike, making them attractive to malicious actors. Of particular interest is the evolving activity of PlugX, a remote access trojan actively deployed by China-linked groups such as APT41 and Mustang Panda.
Between December and May, PlugX activity showed an overall decline, briefly interrupted by a spike in April. The drop is largely attributed to a U.S. Department of Justice operation, which removed the malware from approximately 4,258 infected systems across the country through nine court-authorized takedowns. The last order expired in January 2025, marking the end of the American phase of this major international crackdown.
Geographically, the highest concentration of malicious infrastructure was found in China and the United States, which together accounted for 55% of all detections. In total, compromised systems were identified in 62 countries. The top ten also included Hong Kong, the Netherlands, Singapore, Germany, Russia, Japan, the United Kingdom, and Canada.
Researchers emphasize that these distributions are more strongly influenced by hosting-provider policies and availability than by political motives. The most frequently implicated providers include China’s Alibaba and Tencent, alongside U.S.-based Cologix. Also ranking in the top tier are DigitalOcean, Vultr, ColoCrossing, Amazon, Microsoft, and Huawei Cloud.
Yet some malware families, like PlugX, display markedly different distribution patterns, favoring smaller or less mainstream networks. Notably, the U.S. provider XNNET recorded the highest number of PlugX-related incidents, followed by Hong Kong’s Cloudie and Thailand’s CAT Telecom. This suggests that certain campaigns deliberately select niche infrastructure to enhance stealth and resilience against takedowns.
In sum, the Censys findings underscore that despite mounting international pressure, the internet still harbors a significant volume of active C2 servers. China and the United States remain the principal hotspots, while tools like Cobalt Strike continue to play a central role in the arsenals of cybercrime groups. At the same time, the study of less ubiquitous families such as PlugX provides valuable insight into the subtler strategies of distribution and the enduring resilience of adversarial infrastructure.