Number of command-and-control servers spiked in 2022: report

The number of unique command-and-control servers (C2) increased 30% in 2022, an indication that cybercriminals and nation-state hackers are increasingly using the machines to carry out attacks.

A command-and-control server is a computer that sends orders to devices that have been infected with malware or other tools. The servers are typically used to create networks of infected devices that can launch attacks, encrypt data and more.

Researchers from Recorded Future said in a report published Thursday that they detected more than 17,000 of the servers in 2022, up from 13,629 the year before. The list was dominated by Cobalt Strike team servers, botnet families including IcedID and QakBot, and popular remote access trojans such as PlugX – which is used by Chinese government hackers. The Record is an editorially independent unit of Recorded Future.

The researchers said botnet malware, mainly Emotet and QakBot, continued to expand C2 infrastructure and remained prevalent throughout the year.

The report notes that the largest hosting providers, especially Shenzhen Tencent Computer Systems in China and DigitalOcean in the United States, continue to have the most C2 server observations. For the first time, China overtook the U.S. as the top country based on volume for C2 server hosting.

In total, Recorded Future found C2 infrastructure on 1,419 hosting providers across 116 different countries.

China had more than 4,000 C2 servers, while the U.S. was second with 3,928 and Hong Kong third with 1,451. These three countries alone accounted for 55% of all detected C2 servers.

Most server infrastructure is acquired either through compromise or through legitimate purchases before it can be used maliciously. Popular tools like Cobalt Strike — which Recorded Future said was "clearly the preferred offensive security tool for an array of actors" — can be used legitimately by red teams trying to test corporate networks, but can be abused by criminal and nation-state hackers.

"Cobalt Strike is so prevalent because it is easy to use, has a wide range of capabilities, is pretty flexible, people (both threat actors and red teamers) have just gotten used to it, and is still somehow difficult to detect and remove," said Recorded Future researcher Julian-Ferdinand Vögele.

One trend that stood out most to the researchers is the continued use of PlugX, despite Chinese threat groups creating a successor, called ShadowPad. Though ShadowPad has been increasingly adopted by multiple Chinese state-sponsored groups, PlugX is still very popular among threat groups based in China.

Recorded Future experts tied a campaign of attacks on Indian electricity infrastructure to Chinese threat actors because of the use of Shadowpad malware and its popularity among “ever–increasing number of People’s Liberation Army (PLA) and Ministry of State Security (MSS)-linked groups, with its origins linked to known MSS contractors first using the tool in their own operations and later likely acting as a digital quartermaster.”

PlugX, meanwhile, has been the tool of choice for China-based threat actors over the past decade, with a builder for an earlier PlugX variant leaked publicly in 2015, Recorded Future said. “This indicates that PlugX usage is likely less-closely controlled compared to ShadowPad, which is likely privately sold to a limited set of Chinese state-sponsored threat actors.”

Researchers also noted that while they are not as prevalent as they were in 2021, multiple botnets are active including Emotet, IcedID, QakBot, Dridex, and TrickBot – all of which were in the C2 top 20 list. 

There was actually an increase in botnet activity after law enforcement agencies around the world took down Emotet in January 2021. The botnet returned in late 2021 in coordination with the Conti ransomware operation, according to Recorded Future. 

There was a major spike in May 2022, with Emotet C2s growing to over 1,200. They noted that multiple security companies have attributed the spike to the increased spread of the Emotet malware through malicious Microsoft Office documents. Proofpoint said Emotet is distributing “hundreds of thousands” of phishing emails a day in November.

Recorded Future predicted that for 2023, Cobalt Strike and botnets will continue to dominate the C2 lists.