##### CYBER

 THREAT

### By Insikt Group®

##### ANALYSIS

January 9, 2024

# 2023 Adversary Infrastructure Report


-----

All data in this report was sourced from the Recorded Future® Intelligence Cloud and is current as of
November 29, 2023.

## Executive Summary

The prediction in our 2022 assessment that threat actors would continue the adoption of established
tooling, as well as commodity and open-source tools, was correct. Actors across the spectrum are
using tools like command-and-control (C2) frameworks, anonymization networks, remote monitoring
and management software, and legitimate internet service proxies as a matter of course. We
specifically note trends in Russian and Chinese state-sponsored malicious infrastructure, where the use
of anonymization networks and legitimate internet services is increasing. Since such tools allow
malicious activity to blend in and make attribution more difficult, we suggest network defenders
examine and improve their capabilities in detecting and stopping attacks.

The top offensive security tools observed this year include Cobalt Strike, Viper, and Meterpreter.
Remote access tools (RATs) topping the list this year are AsyncRAT, QuasarRAT, PlugX, ShadowPad,
and DarkComet.

We share this information for others to consider when evaluating their own threat models, to allow other
researchers to corroborate their data, and to assist the community in seeing a better overall picture of
the state of malicious infrastructure for 2023. We believe that this information can help guide updates
to risk assessments, drive security control decisions, and lead to a better understanding of the overall
cyber threat landscape.

We foresee the continuing use of government takedowns of malicious infrastructure, with varying
degrees of impact. These actions do make criminal operations more difficult and are worth undertaking.
We also believe that there will be increasing adoption of legitimate internet services, anonymization
proxies, and other tools that allow attackers to blend into the victim’s environment and make attribution
difficult. We also expect to see a steady adoption of artificial intelligence by a variety of threat actors to
better automate their operations and increase efficiency in other ways.

Countering some of these threats may entail difficult decisions. For example, organizations concerned
about the use of legitimate internet services as malicious infrastructure should minimally create a
baseline of the services seen on their network and tune their current security controls to the extent
possible. More advanced security measures, such as decrypting and monitoring TLS traffic, may be
required to truly combat this threat, but organizations must also consider the privacy implications, costs
of implementation, and potential impacts on network systems and productivity.

## Key Findings

  - Open-source and commodity malware C2s continue to lead the way in terms of infrastructure
server numbers.

Recorded Future[®] | www.recordedfuture.com | Distribution: Public, from Insikt Group


-----

- Despite many contenders for the title, Cobalt Strike remains the top C2 framework by a wide
margin.

- RedLine Stealer and Raccoon Stealer are the clear leaders among infostealer C2s in 2023 as far
as the volume of C2 servers, despite a hiatus of several months for Raccoon Stealer.

- Takedowns of malicious infrastructure, such as the recent dissolution of the QakBot network, are
effective ways of adding friction to malicious operations.

- Russian state-sponsored actors are continuing to add legitimate internet services to their
repertoire. They also update their C2 infrastructure with a rapid cadence, making changes
weekly or even daily.

- China state-sponsored actors are increasingly using anonymization networks constructed of
compromised IoT systems, routers, and other devices. Multiple China-affiliated entities have
been observed sharing the use of these networks.

Recorded Future[®] | www.recordedfuture.com | Distribution: Public, from Insikt Group


-----

## Background

One of Recorded Future's key responsibilities involves promptly identifying and sharing information
about newly established malicious servers by creating detections for malicious infrastructure. Detecting
malicious infrastructure enables security operations teams to promptly alert, block, and address
potential threats, ultimately thwarting successful attacks. However, there are other benefits: we can use
this data to learn more about the attackers and their methods, estimate the number of attacks for
campaigns, discover changes in the infrastructure as they happen, and even investigate connections
between the malicious network nodes and potential victims.

Based on the data we collect, we can compare our known knowledge of malicious infrastructure with
public intrusions related to those malware families and assess how many events remain unknown in the
public domain. We can also measure the tempo of server creation, which may provide insight into future
activity levels.

Another outcome of our infrastructure detection work is the ability to look into trends and
commonalities generally — this report is a product of that and shares data, trends, and insights from
our malicious infrastructure research in 2023.

There are typically multiple steps required before a malicious server can become operational. The
following graphic shows what we call the C2 weaponization lifecycle (see Figure 1). Establishing a
malicious server requires the following 5 steps, in order:

  - Acquiring the domain, IP address, and actual server

  - Installing whatever software is needed for the server to interact with other nodes

  - Provisioning of TLS certificates or other features

  - Establishing remote access for the controlling actor

  - Setting the system to be fully operational

Recorded Future[®] | www.recordedfuture.com | Distribution: Public, from Insikt Group


-----

**Figure 1: C2 weaponization lifecycle (Source: Recorded Future)**

At any step of this process, traces and artifacts that tie that system to others like it or the same
operator may be discovered and used to create detections.

Our research aims to minimize the time delay between the establishment of malicious infrastructure and
its identification and tagging as such. Shortening this interval helps network defenders neutralize
potential threats more proactively. By focusing on detectable features and artifacts on malicious
systems, we can discover new ones hours, days, or even weeks before they become actively
weaponized, giving our customers a significant advantage over alerting only on historically active
indicators of compromise (IoCs).

Recorded Future tracks malicious infrastructure, including offensive security tools, C2 frameworks,
commodity malware, custom malware, botnets, and more. In 2023 we discovered over 36,000 unique
malicious servers, an increase of 109% from 2022. This uptick is primarily due to a marked increase in
the malware and tools that we are detecting after increasing our efforts in detection development
compared to 2022, not because of any significant increase in malicious infrastructure development and
use. We created several hundred infrastructure detection signatures in 2023; we are constantly creating
new signatures, and we continue to monitor and update existing ones.

Recorded Future[®] | www.recordedfuture.com | Distribution: Public, from Insikt Group


-----

#### A Note on Collection Bias

Recorded Future collects data on C2 servers based predominantly on traits from known malware
families and their server-side software. Our collection is focused on C2 frameworks and malware and
their supporting infrastructure; detections include passive and active internet scan data. We only verify
that an IP address is a C2 server with proof of activity matching specific details. This methodology
should not act as a replacement for identifying suspicious or anomalous traffic and artifacts inside a
network.

## Threat Analysis

#### 2023 Adversary Infrastructure Trends

In 2023, we detected 36,022 malicious servers, surpassing the 17,233 servers identified in 2022 by
more than twice the amount. We have broken down our top findings by the following malware
classifications:

1. Remote Access Trojans and Backdoors
2. Offensive Security Tooling
3. Information Stealers
4. Botnets

**Top 20 Remote Access Trojans and Backdoors**

Our top 20 families for remote access trojans and backdoors are shown in Figure 2 below.

The top 5 malware families we detected this year are AsyncRAT, Quasar RAT, PlugX, ShadowPad, and
DarkComet. Interestingly, the top 2 detections are open-source, and the last 3 are well-established
[tools, showing that our statement from last year's report remains true:](https://www.recordedfuture.com/blog/2022-adversary-infrastructure-report)

[The] high level of commodity tool use indicates that threat actors are more concerned with
blending in and being non-attributable rather than being undetectable, or have simply
determined that their targets are not likely to detect even these well-known tools.

Recorded Future[®] | www.recordedfuture.com | Distribution: Public, from Insikt Group


-----

**Figure 2: Top 20 RATs and backdoors, based on the number of unique C2 servers observed (Source: Recorded Future)**

Top RAT Spotlight: AsyncRAT

AsyncRAT is a remote access tool written in C# that was published by NYAN-x-CAT on GitHub in
[January 2019. The tool has been used](https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/asyncrat) by both state-sponsored and financially motivated threat actors.
AsyncRAT consists of 2 key components:

1. A C2 server with an operator interface. The C2 server allows an operator to build, configure, and
task new AsyncRAT clients.
2. The AsyncRAT client is deployed on a victim’s host.

AsyncRAT has many capabilities, including screen captures, keylogging (using another tool written by
NYAN-x-CAT, LimeLogger), file upload and download, password stealing, and disabling security tools
such as Windows Defender. AsyncRAT uses a plugin system that makes it more extensible.

Recent events involving AsyncRAT:

  - It was [observed](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/unmasking-asyncrat-new-infection-chain/) being distributed through malicious HTML files.

  - It was [utilized in campaigns involving traffic distribution systems (TDSs), with one notable](https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta571-delivers-icedid-forked-loader)
campaign delivering NetSupport and DarkGate along with AsyncRAT.

Recorded Future[®] | www.recordedfuture.com | Distribution: Public, from Insikt Group


-----

**Top 10 Offensive Security Tools**

Despite a takedown and emerging offensive security tools (OST), Cobalt Strike remains our top
detected OST C2 family, raising questions about the effectiveness of Microsoft's Digital Crimes Unit’s
attempt to disarm unlicensed instances of Cobalt Strike, something discussed further here.

Metasploit and Meterpreter remain in heavy use but are also easily detected when used with the default
settings. Meterpreter can also be used in conjunction with Cobalt Strike, and while we can’t distinguish
between the two, it is worth noting that a portion of our Meterpreter detections may also be related to
Cobalt Strike C2s as well.

**Figure 3: Top 10 offensive security tools, based on the number of unique C2 servers observed (Source: Recorded Future)**

Top OST Spotlight: Viper Penetration Tool

Since Cobalt Strike, our most-detected OST, has already been heavily addressed in research over the
years, we will highlight the OST with the second-most C2 detections, the Viper Penetration Tool (Viper).
[Viper’s GitHub readme states the following capabilities:](https://github.com/FunnyWolf/Viper/blob/master/README_EN.md)

  - Viper is a graphical intranet penetration tool that modularizes and weaponizes the tactics and
technologies commonly used in the process of Intranet penetration

Recorded Future[®] | www.recordedfuture.com | Distribution: Public, from Insikt Group


-----

  - Viper integrates basic functions such as bypass anti-virus software, intranet tunnel, file
management, command line, and so on

  - Viper has integrated 80+ modules covering Resource Development / Initial Access / Execution /
Persistence / Privilege Escalation / Defense Evasion / Credential Access / Discovery / Lateral
Movement / Collection and other categories

  - Viper's goal is to help red team engineers improve attack efficiency, simplify operation, and
reduce technical threshold

  - Viper supports running native msfconsole in the browser and multi-person collaboration

Even though we detect a steady amount of C2s for Viper, the use of this tool has not been openly
associated with any attacks.

**Top 10 Information Stealers**

Information stealers are increasingly becoming an important part of attack chains for all threat actors.
Despite the large number of information stealers in use, many of which are tracked by Recorded Future,
we have observed that most C2s were for RedLine Stealer and Raccoon Stealer.

We detected the most C2s for RedLine Stealer and the second-most for Raccoon Stealer. The high
number of C2s detected for Raccoon Stealer is surprising, considering the events that have taken place
over the last 18 months. In February 2022, Raccoon Stealer abruptly suspended its activities after the
false [report](https://blogs.blackberry.com/en/2023/01/cybercriminal-faked-death-found) of the death of its key member, Mark Sokolovsky. Raccoon Stealer’s suspension forced
many threat actors to switch from Raccoon Stealer to other infostealer brands, including MetaStealer,
BlackGuard, RedLine Stealer, and Vidar.

However, Raccoon Stealer was not dead but instead went through new development. At the end of
June 2022, Raccoon Stealer was back with V2 and was officially [released for sale. In October 2022,](https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-raccoon-stealer-v2-0)
Mark Sokolovsky was [indicted](https://www.justice.gov/usao-wdtx/pr/newly-unsealed-indictment-charges-ukrainian-national-international-cybercrime-operation) by the US Government for his role in Racoon Stealer. This again caused a
[pause in the use of Raccoon Stealer for several months; Raccoon Stealer operations resumed in August](https://cyberint.com/blog/financial-services/raccoon-stealer/)
2023.

Recorded Future[®] | www.recordedfuture.com | Distribution: Public, from Insikt Group


-----

**Figure 4: Top 10 information stealers, based on the number of unique C2 servers observed (Source: Recorded Future)**

Top Information Stealer Spotlight: RedLine Stealer

RedLine Stealer is a malware family that has been active since at least 2019 and is popular among a
wide array of cybercriminal threat actors. It provides significant enumeration capabilities aiding in the
theft of user credentials, tokens, and session cookies. Typically, a user is infected with RedLine after
clicking a malicious link that subsequently installs RedLine components. RedLine will then enumerate
the victim’s device for network, system, and user information and then query for specific software
installations to collect stored credentials, such as internet browsers, as well as email and instant
messaging applications. This information is packaged and exfiltrated to the attacker’s server for future
use or sale on various dark web marketplaces and shops, such as Russian Market and 2easy Shop.

Recent events involving RedLine Stealer include:

  - On November 8, 2023, Malwarebytes Labs observed that a threat actor was using Google Ads to
distribute a trojanized version of the popular CPU-Z tool to steal data. CPU-Z is used for profiling
computer hardware on Microsoft Windows. The CPU-Z installer contained a malicious
PowerShell script known as "FakeBat". This script fetched the RedLine Stealer malware to collect
sensitive data from web browsers and cryptocurrency wallets.

  - On September 11, 2023, FortiGuard Labs reported a phishing campaign that employed a
Microsoft Office Word document to distribute a trio of malware: RedLine Stealer, Agent Tesla,

Recorded Future[®] | www.recordedfuture.com | Distribution: Public, from Insikt Group


-----

and OriginBotnet. This campaign aimed to collect a diverse set of data from the compromised
devices.

  - In October 2023, Sucuri reported on [RedLine Stealer](https://blog.sucuri.net/2023/10/fakeupdateru-chrome-update-infection-spreads-trojan-malware.html) being distributed through compromised
websites and fake browser update notices.

  - In September 2023, RedLine Stealer was [observed being delivered by HijackLoader.](https://thehackernews.com/2023/09/new-hijackloader-modular-malware-loader.html)

**Top Botnets**

Year-over-year, we saw an increase in unique C2 servers for both QakBot and IcedID in 2023. The
disappearance of Emotet in June 2023, however, reduced the overall total number of botnet C2 servers
we identified in 2023. We do not think that this necessarily indicates a move away from the botnet
model in the cybercrime ecosystem; however, we can see the effects of takedown attempts on both
Emotet and QakBot. There may, over time, be a move away from these large, network bot systems as
they are ultimately prone to takedowns; distributed malware-as-a-service infrastructure, operated by a
broad array of users with differing tactics, techniques, and procedures (TTPs) and infrastructure are
simply harder to eradicate. However, there remains a need for services that botnets provide: one-stop
shopping for initial access, downloading ransomware and other second-stage malware, credential theft,
clickfraud, and more.

**Figure 5: Top botnets, based on the number of unique C2 servers observed (Source: Recorded Future)**

Recorded Future[®] | www.recordedfuture.com | Distribution: Public, from Insikt Group


-----

Top Botnet Spotlight: QakBot

Since [emerging in 2007 as an information-stealing (banking) trojan, QakBot evolved into a](https://app.recordedfuture.com/portal/analyst-note/shared/true/doc:pNAcAp)
multi-purpose malware used by threat actors to perform reconnaissance, lateral movement, and data
exfiltration and to deliver other payloads to infected systems. QakBot’s infection chain primarily starts
via phishing attacks, with initial access gained using emails with malicious HTML attachments that drop
a ZIP file containing a .LNK or VBS file. This file can launch an IMG, ISO, VHD, XLSB, SVG, or MSI file to
execute the malware.

The FBI [attempted](https://decoded.avast.io/threatresearch/avast-q3-2023-threat-report/) to dismantle the QakBot botnet in August, leading to a near-total drop in QakBot
activity. However, [reports suggest that the threat actors behind QakBot, known as TA577, were still able](https://securityboulevard.com/2023/10/qakbot-hackers-delivering-ransomware-despite-fbi-takedown/)
to carry out phishing campaigns that distribute other malware, such as the Ransom Knight ransomware
and Remcos. In December 2023, Microsoft [reported](https://x.com/msftsecintel/status/1735856754427047985?s=46&t=varGpLXboLoB6EBskOgDyA) a new QakBot campaign was observed. The
campaign was reportedly low in volume and targeted the hospitality industry.

[DarkGate and PikaBot](https://thehackernews.com/2023/11/darkgate-and-pikabot-malware-resurrect.html) are two other malware families used by TA577 that have emerged at higher
volumes following the decline of QakBot. These malware families share similarities with QakBot in terms
of their distribution methods, campaigns, and behaviors. They can deliver additional payloads once on a
compromised system, including cryptocurrency mining software, reconnaissance tools, and
[ransomware. This campaign timeline shows](https://www.infosecurity-magazine.com/news/darkgate-pikabot-surge-qakbot/) a surge in DarkGate activity after the takedown of QakBot
infrastructure.

#### Takedowns and Resurrections

Do takedowns help stop cybercriminal activity? There are a number of variables at play when a
takedown of malicious infrastructure occurs. Some of the factors include:

  - Are the perpetrators physically in custody and hence unable to take responsive actions?

  - Was the takedown only of a subset of the infrastructure?

  - Was the infrastructure designed with redundancies that make a full takedown difficult?

  - Do the operators have a “Plan B”, such as another malware or staged infrastructure that they can
quickly switch to?

We review below 3 infrastructure takedown attempts that had evident effects in 2023 and assess their
general efficacy.

Emotet

[Emotet, the subject of a takedown attempt in January 2021, has disappeared and returned multiple](https://www.europol.europa.eu/media-press/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action)
times since that initial takedown action. Emotet activity resumed in November 2021. Prior to the
attempted takedown, Emotet regularly had rhythmic breaks in operations, but after the takedown,
Emotet operations seemed to have an even more irregular cadence. Emotet operations post-takedown

Recorded Future[®] | www.recordedfuture.com | Distribution: Public, from Insikt Group


-----

were also [affected by Microsoft](https://www.welivesecurity.com/2023/07/06/whats-up-with-emotet/) [disabling VBA macros in documents in July 2022, since these macros](https://techcrunch.com/2022/07/22/microsoft-office-macros-blocked-default/)
were a primary initial access vector for Emotet.

In 2023, the Emotet operations we track disappeared in May, only to come back briefly a few weeks
later before another lengthy and possibly final disappearance. While it currently seems that the
Emotet-related activity has ceased entirely, the period from the initial takedown in 2021 until mid-2023
witnessed several years of sporadic Emotet operations. This underscores the resilience achievable
through a robustly designed infrastructure network and the persistence of determined criminals.

**Figure 6: Emotet servers, 2023 (Source: Recorded Future)**

QakBot

[QakBot was the subject of a comprehensive US Department of Justice takedown at the end of August](https://www.justice.gov/usao-cdca/pr/qakbot-malware-disrupted-international-cyber-takedown)
2023. Despite the continued observation of a limited number of C2 servers immediately following the
takedown, it became evident that the QakBot malware and its associated infrastructure were essentially
inactive. However, TA577’s spam delivery infrastructure remained intact, and TA577 reportedly
[continued](https://blog.talosintelligence.com/qakbot-affiliated-actors-distribute-ransom/) [its criminal activities by substituting other malware at its disposal for QakBot, such as Pikabot](https://app.recordedfuture.com/live/sc/7efsCpvcXYnI)
and DarkGate. The introduction of DarkGate is interesting as this had not been identified in previous
TA577 operations before.

Recorded Future[®] | www.recordedfuture.com | Distribution: Public, from Insikt Group


-----

**Figure 7: QakBot servers, 2023 (Source: Recorded Future)**

In November 2023, we observed almost 40 new servers matching our detection signatures for QakBot
servers. Our initial assessment was that this was most likely an indication of an upcoming attempt by
TA577 to return to operations with an updated version of the QakBot malware. Our assessment aligns
with a December 2023 [report](https://x.com/msftsecintel/status/1735856754427047985?s=46&t=varGpLXboLoB6EBskOgDyA) from Microsoft that QakBot operations were resumed with a new [version](https://twitter.com/Threatlabz/status/1735863156738871470)
of the malware, although the December operations were at a lesser scale than those seen before the
takedown.

Cobalt Strike

The March 2023 takedown of Cobalt Strike was a joint project between Microsoft, the Health
Information Sharing and Analysis Center (Health-ISAC), and Fortra, the software company that owns
Cobalt Strike. The action proceeded after a [court order](https://noticeofpleadings.com/crackedcobaltstrike/files/CourtOrders/2023-04-03%20Order_23-cv-2447_Microsoft%20Corporation%20et%20al%20v.%20John%20Does%201-2%20et%20al(907079167.1).pdf) that allowed it was issued from a US Federal
court. The takedown was authorized based on unlicensed versions of Cobalt Strike in violation of
Fortra’s copyright or similar violations of Microsoft or Health-ISAC copyrights and thus was focused
solely on these cracked instances of the Cobalt Strike software.

[The Cobalt Strike takedown in March](https://blogs.microsoft.com/on-the-issues/2023/04/06/stopping-cybercriminals-from-abusing-security-tools/) 2023 had a noticeable impact initially, but it was far from
long-lasting. In fact, our data shows Cobalt Strike server numbers were back in their original range
within a few weeks.

Recorded Future[®] | www.recordedfuture.com | Distribution: Public, from Insikt Group


-----

**Figure 8: Cobalt Strike servers observed daily from March to April 2023 (Source: Recorded Future)**

Unofficial attacks on Cobalt Strike servers have been [attempted](https://www.bleepingcomputer.com/news/security/ransomware-gangs-cobalt-strike-servers-ddosed-with-anti-russia-messages/) in the past. Cobalt Strike team servers
have been found to have technical [vulnerabilities that could be used against them. Takedown and](https://www.sentinelone.com/labs/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/)
distributed denial-of-service (DDoS)-style attempts by hacktivists are seldom comprehensive or
organized, however, and typically have limited results, although there have been some marginally
[successful operations.](https://www.bankinfosecurity.com/ukrainian-hacktivists-claim-trigona-ransomware-takedown-a-23343)

Analysis

The circumstances and results of the 3 cases studied above are all different, but an examination of
them provides us with a few takeaways.

Although it cannot be stated with certainty that Emotet will not return, it appears at this time that the
2021 takedown ultimately resulted in the termination of its operations. The Emotet takedown is an
example of an attempted takedown of a very well-organized and well-constructed C2 network with
built-in resilience, which was still able to operate post-takedown. The ultimate effectiveness of the
takedown was likely due to the friction created by the takedown effort on the malware operators,
which, combined with other factors, led to its eventual demise.

The QakBot takedown, highlighted by the use of the C2 system to disable all connected bots, was
highly effective and resulted in the almost immediate collapse of the QakBot network and its
infrastructure. This success, however, is tempered by the fact that the operators were reportedly able
to quickly continue their operations with the use of other malware, and QakBot malware operations
continued in December 2023.

The Cobalt Strike takedown was unusual in several ways. Cobalt Strike is a commercially licensed
product intended for red-teaming engagements; however, being a C2 framework, it can be employed

Recorded Future[®] | www.recordedfuture.com | Distribution: Public, from Insikt Group


-----

for malicious purposes. As such, the takedown was restricted in scope — it only targeted servers
running unlicensed or “cracked” versions of the Cobalt Strike software and only specific IP addresses
and domains identified with their use. Criminals using the software who were affected by the takedown
effort could simply stand up new infrastructure after the initial takedown occurred, as the takedown
focused only on specific, named infrastructure and was not an effort to take down future unlicensed
Cobalt Strike servers, only those authorized in the court order.

Although the unlicensed Cobalt Strike takedown had an initial effect, it waned quickly. While a
shutdown of all Cobalt Strike servers is presently not feasible from a legal perspective, if executed,
such a measure would likely have a significantly greater impact. It is difficult to discern from the Cobalt
Strike example how a takedown of another framework would fare, especially if it were all-encompassing
and not limited in scope as the Cobalt Strike takedown was. When a takedown is based solely on
specific IP addresses, domains, and servers, without addressing the core software implants as in the
QakBot case, the effects will likely not be enduring. Any affected servers, IP addresses, and domain
registrations can be replaced quickly by most cybercriminal operations.

For purely criminal malware, such as QakBot and Emotet, broad-scale infrastructure takedowns clearly
have an effect on at least the tactical level, as operations are immediately hindered. Despite the
potential resurgence of the malware, as witnessed with Emotet and possibly in future iterations of
QakBot, the operational tempo typically diminishes over the ensuing months and years. On a strategic
level, cybercriminals who are not taken into custody have been seen continuing operations by reviving
the malware or moving on to other tools and techniques. As such, takedowns can be seen to add
significant friction to criminal malware operations, and do have an effect, but cannot be viewed as a
singular solution for cybercrime and malware operations. Takedowns must also be continued on a
regular basis to create real disruption to cybercriminal activity.

#### C2 Frameworks and the Primacy of Cobalt Strike

Cobalt Strike, Meterpreter, and Viper servers, numbering in the thousands monthly, are the top 3 among
C2 frameworks in our observations. However, numerous other C2 frameworks also exist. Our detections
of Meterpreter servers, generally regarded as a similarly popular tool, are of a lower volume than the
Cobalt Strike servers we observed. The most popular newer C2 framework that we see is Viper; its
numbers are now on par with Meterpreter.

In this section, we take a look at whether or not other C2 frameworks are gaining ground on Cobalt
Strike’s market share.

Our data indicates that both Havoc and Mythic have also become relatively popular but are still
observed in far lower numbers than Cobalt Strike, Meterpreter, or Viper. 4 other well-known frameworks
are Sliver, Havoc, Brute Ratel (BRc4), and Mythic; Figure 9, below, shows composite monthly figures for
these 4 frameworks for 2023. There has been appreciable growth in usage of these “second-tier” C2
frameworks in 2023.

Recorded Future[®] | www.recordedfuture.com | Distribution: Public, from Insikt Group


-----

**Figure 9: Composite of Sliver, Havoc, Mythic, and BRc4 servers, 2023 (Source: Recorded Future)**

Although this growth has been driven primarily by increases in Mythic and Havoc servers, we have also
observed continuous, steady use of BRc4 and Sliver servers throughout 2023.

For Cobalt Strike, it is sometimes impossible to discriminate between authorized security testing and
criminal usage of the tools outside of situations where cracked, unlicensed versions are detected, in
which case the presumption is criminal use. This fact, combined with the popularity of Cobalt Strike and
its relatively large number of licensed, authorized users, leads to a very high number of Cobalt Strike
servers overall.

Many new frameworks are discussed when first reported as potential replacements for Cobalt Strike,
but most of these we do not ultimately see in large numbers. Examples of C2 framework servers that
we are not seeing in large numbers yet are BRc4, Sliver, and Manjusaka.

Cobalt Strike is a very popular and stable segment of the offensive security tool ecosystem, but it is not
one that exhibited notable growth in the past year. By contrast, other C2 server families, such as Havoc
and Mythic, are steadily increasing in number.

Recorded Future[®] | www.recordedfuture.com | Distribution: Public, from Insikt Group


-----

**Figure 10: Cobalt Strike C2 servers, 2023 (Source: Recorded Future)**

In May of 2023, Sophos reported that Cobalt Strike [accounted](https://news.sophos.com/en-us/2023/05/18/the-phantom-menace-brute-ratel-remains-rare-and-targeted/) for about 20% of signature-based attack
tool detections in the first quarter of 2023 (these tools included all tools used for attacks, not just C2
frameworks). We similarly see a large percentage of all active C2 servers represented by Cobalt Strike.

Cobalt Strike remains the most commonly detected server of all the C2 frameworks for which we have
signatures. Although there are some other tools for which we see an appreciable C2 volume, our own
data corresponds with that shared by other researchers and incident responders in that no other C2
framework is close to Cobalt Strike in terms of usage. Although there are several other popular C2
frameworks, none are found at the scale of Cobalt Strike, despite the 2023 takedown attempt. That
said, we believe that inroads are being made by new C2 frameworks due to the slow but steady
increase in usage of these other C2 tools, and our data indicates that Cobalt Strike’s share of the
market is eroding. We do not believe that Cobalt Strike will be overtaken by any other particular C2
framework in the near future, however.

#### Trends in Russian State-Sponsored Operations

Over the past 12 months, we have seen a slight shift in TTPs by Russian state-sponsored cyber actors,
who have increased their use of legitimate internet services. Free API services (mockbin[.]org and
webhook[.]site), website hosting (Infinityfree), and file hosting services (mocky[.]io and GitHub) have

Recorded Future[®] | www.recordedfuture.com | Distribution: Public, from Insikt Group


-----

enabled them to blend into legitimate network traffic and made upstream infrastructure identification
and tracking more difficult.

Recorded Future has noticed a continuous evolution of the malicious infrastructure used in Russian
state-sponsored operations, meaning the actors are changing the services or technologies used on a
weekly and sometimes daily basis. Geofencing is often enabled during broad phishing campaigns to
restrict malicious payloads to countries of interest and to reduce collateral. In a recent BlueDelta
campaign, Russian threat actors used JavaScript code hosted on a free API service, which checked the
victim’s location and only served malware if they were located in Austria, Lithuania, or Spain.

Russia’s targeting has remained unchanged, with the adversaries favoring traditional espionage for
generating intelligence for government interests, focusing heavily on governments in Europe and the
war in Ukraine. In October 2023, TAG-70 used a Zimbra webmail server zero-day to target government
and military mail servers located across Europe.

**Figure 11: Geographic spread of victims of TAG-70’s Roundcube exploit in October 2023 (Source: Recorded Future)**

#### Trends in Chinese State-Sponsored Operations

**Operational Infrastructure**

[Chinese state-sponsored groups have increasingly been employing large anonymization networks,](https://www.recordedfuture.com/charting-chinas-climb-leading-global-cyber-power)
often built from compromised IoT devices, including small office/home office (SOHO) routers, or

Recorded Future[®] | www.recordedfuture.com | Distribution: Public, from Insikt Group


-----

through actor-provisioned virtual private servers (VPS), for use as operational infrastructure. Such
anonymization networks are often more challenging to track for security researchers than traditional
actor-provisioned infrastructure due to the volume of infrastructure that can be accumulated and as
compromised devices are also simultaneously used for legitimate purposes by their owners, allowing
threat actors to blend in with normal internet traffic. These networks can also allow threat actors to
rapidly cycle infrastructure and use internet service provider (ISP) IP addresses geolocated in the same
country as targeted entities.

The shared use of capabilities by Chinese state-sponsored groups also extends to these anonymization
networks, with multiple groups observed employing shared services such as the “RedRelay”
anonymization network [reported](https://www.pwc.at/de/dienstleistungen/Cyber/2022-year-in-retrospect-report.pdf) by PWC. This indicates that some of these services are likely provided
as a quartermaster-style or commercial service arrangement. Examples of the use of anonymization
networks by Chinese state-sponsored groups include TAG-38 activity targeting Indian critical
infrastructure, RedBravo (APT31) activity [targeting](https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-013.pdf) European governments, TAG-87 (Volt Typhoon)
[targeting](https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a) US critical infrastructure, and TAG-51 (BlackTech) targeting entities within Taiwan and Japan.
In the case of TAG-38, we identified the group using a network of compromised internet-facing,
third-party DVR/IP camera devices that were used to proxy ShadowPad C2 infrastructure to upstream
actor-controlled servers.

**Shared Capabilities**

Recorded Future continues to observe the use of shared-capability supply chains through custom
malware and exploit developers that supply multiple Chinese state-sponsored groups associated with
both the People’s Liberation Army (PLA) and the Ministry of State Security (MSS). Some of the most
well-known shared Chinese capabilities include the PlugX and ShadowPad backdoors. Recorded Future
observed a steady continuation of new monthly PlugX servers and an overall increase in ShadowPad
servers when compared with the previous 2 years' observations, as seen in Figures 12 and 13.

Recorded Future[®] | www.recordedfuture.com | Distribution: Public, from Insikt Group


-----

**Figure 12: Comparison of new monthly PlugX server observations in 2023, 2022, and 2021 (Source: Recorded Future)**

Recorded Future[®] | www.recordedfuture.com | Distribution: Public, from Insikt Group


-----

**Figure 13: Comparison of monthly ShadowPad server observations in 2023, 2022, and 2021 (Source: Recorded Future)**

During 2023, Recorded Future found that PlugX servers were, on average, active for 33 days, with some
stretching to 65 days, as well as the occasional outliers that remained online for much longer. In
comparison, ShadowPad servers were active for 13 days on average, with the upper quartile pushing 70
days online. Cycling the IP address of a C2 server frequently is a basic operational security practice for
threat actors; however, it isn’t always the case, as indicated above. Throughout the year, Recorded
Future identified 144 instances where a C2 server had hosted multiple malware families associated with
Chinese state-sponsored activity. The most popular pairing was PlugX and ShadowPad, accounting for
97% of these servers; other combinations included Spyder Backdoor and Winnti malware.

**Infrastructure Providers**

The Constant Company and its VPS service Vultr remain a firm favorite among Chinese state-sponsored
groups. Throughout 2023, Recorded Future observed over 1,000 malicious servers using The Constant
Company (AS20473) to host C2 servers for at least 6 known malware families associated with Chinese
state-sponsored activity. Other popular providers included Huawei Cloud (AS55990), BGPNET
(AS64050), and Alibaba (US) Technology (AS45102).

Recorded Future[®] | www.recordedfuture.com | Distribution: Public, from Insikt Group


-----

#### Trends in Iranian State-Sponsored Operations

**Operational Infrastructure**

Iranian state-sponsored groups adopt varying degrees of sophistication when establishing and utilizing
[operational infrastructure. The use of commercial and open-source VPNs (1,](https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/) [2) such as Private Internet](https://www.trendmicro.com/en_us/research/19/l/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting.html)
Access, Mullvad, ExpressVPN, and OpenVPN are common among all major groups, including APT42
(Charming Kitten, TA453, APT35), MuddyWater (Temp.Zagros, Static Kitten, Cobalt Ulster, and Mango
Sandstorm), and APT33 (Peach Sandstorm, Elfin, Refined Kitten).

In some cases, operational infrastructure is shared among groups when executing simultaneous
targeting, although this is usually compartmentalized between threat groups affiliated with either the
Ministry of Intelligence (MOIS) or the Islamic Revolutionary Guard Corps (IRGC). Examples of these
[cases include](https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/) the 2022 Albanian government attacks that depicted a broad MOIS-led operation
[involving multiple threat groups, as reported by Microsoft. Another example is the targeting of Israeli](https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/)
[entities by MuddyWater, which reportedly shared infrastructure with a threat actor tracked as DarkBit.](https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/)

Iranian threat groups are also known for using Dynamic DNS (DDNS) services for attack operations;
Recorded Future has observed groups such as APT42, MuddyWater, and APT33 using DDNS-linked
infrastructure for C2.

**Infrastructure Providers**

Iranian state-sponsored threat groups have used a slew of infrastructure providers for their operations,
including major providers such as NameCheap, Porkbun, OVH SaS, Hetzner Online GmbH,
ColoCrossing, Contabo GmbH, InMotion Hosting, and Tucows Inc.

The infrastructure adopted by these groups has also broadly used diverse top-level domains (TLDs)
that include .com, .co, .xyz, .site, .info, and .online, just to name a few. Iranian threat groups likely use
intermediaries to engage with domain registrars outside of Iran. There is no observable trend in relation
to their use of TLDs, which is highly dependent on threat group access to domain registration providers
inside and outside Iran.

#### Trends in North Korean State-Sponsored Operations

**Operational Infrastructure**

North Korean state-sponsored cyber actor infrastructure can be broken down into 2 broad categories:
infrastructure directly registered and set up by the actors and legitimate infrastructure that has been
compromised and is being used by North Korean threat actors for malicious purposes. In the former
case, most of the infrastructure we see being directly registered to North Korean operators is used for
phishing operations. This is particularly the case for Kimsuky, an espionage-focused threat actor
primarily active in the Asia region, including its subgroups TAG-46 and TAG-66. We also see this with

Recorded Future[®] | www.recordedfuture.com | Distribution: Public, from Insikt Group


-----

the phishing and initial access operations of TAG-71, a North Korean threat group with links to
Cryptocore, in which the group registers its own infrastructure before using compromised infrastructure
as C2 once it has compromised the target.

**Infrastructure Providers**

Commonly seen hosting providers used by North Korean threat groups include HostUS, Leaseweb Asia
Pacific, G-Core Labs S.A., EHostIDC, and Clouvider Limited. These groups register domains either
directly using Namecheap, Hostinger, or Porkbun, or using the DDNS services FreeDNS or
내도메인[.]한국 (translates to mydomain[.]korea). North Korean groups like to use link-shortening
services when delivering either phishing domains or initial access malware, including TinyURL and Bitly.
For compromised infrastructure, we see North Korean threat groups compromising insecure web
servers of South Korean e-commerce websites, non-profit organizations, universities, and personal
blogs, among others.

## Mitigations

To help safeguard systems, we advise the following:

  - Keep systems and software up-to-date and have a reliable and tested backup method.

  - Exposed perimeter servers, including those for remote access, are abused by threat actors to
gain initial access into a target’s network. If remote access solutions are crucial to daily
operations, all remote access services (such as Citrix or RDP) should be implemented with
multi-factor authentication.

  - Recorded Future clients can use the Recorded Future Intelligence Cloud to help identify actively
exploited vulnerabilities and CVEs that have been positively associated with malware, which can
help with patch management and prioritization.

#### Detection-in-Depth

  - Proactive detection creates an advantage for defenders, giving them time to ensure additional
file- and network-based detections are in place.

  - Recorded Future clients can rapidly identify infections by detecting IP addresses found in the
Recorded Future Command-and-Control List.

  - Recorded Future clients can query any malware entity using the Recorded Future
Command-and-Control List to conduct similar research of their own.

  - Employ detection-in-depth for common open-source tooling via correlation searches and Sigma
queries in security information and events (SIEMs) for suspicious behaviors, YARA rules for
suspicious file contents, and Snort rules for suspicious or malicious network traffic.

  - The detection volumes for each of the malware families we monitor show the increased use of
open-source tools. Prioritize these families for network- and host-based detection in enterprise
environments.

Recorded Future[®] | www.recordedfuture.com | Distribution: Public, from Insikt Group


-----

  - External network detections are only part of the detection equation; detection-in-depth
[methodologies, such as calculating the standard deviation of](https://www.youtube.com/watch?v=borfuQGrB8g&ab_channel=SANSDigitalForensicsandIncidentResponse) [beaconing intervals or using YARA](https://www.youtube.com/watch?v=eETUi-AZYgc&ab_channel=BlackHillsInformationSecurity)
[for memory inspection, can aid in the identification of malicious activity.](https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures)

## Outlook

We expect an ever-changing infrastructure landscape for 2024 that, in many ways, is yet more of the
same. For example, we foresee takedowns of malicious infrastructure continuing and probably
increasing. Governments are starting to fully understand the devastating effects of ransomware and
other destructive attacks and are taking action to combat them. Governments are taking cybercriminal
operations that affect critical infrastructure such as hospitals seriously and are looking at the legal
frameworks that allow actions to be taken against the attackers.

Takedowns are an effective and disruptive tool for law enforcement to use against cybercriminals.
Unfortunately, the ongoing operations by TA577, even after the QakBot takedown, underscore the
tendency of criminal organizations to simply shift their tools. This holds true unless the individuals
responsible are apprehended or otherwise prevented from continuing their illicit activities.

We believe APTs will continue their shift toward the adoption of commodity tools when suited, including
C2 frameworks, as these tools are effective and make attribution difficult. Similarly, all threat actors will
continue making use of remote monitoring and management software (such as AnyDesk, Atera, and
ConnectWise) and legitimate internet infrastructure (such as Telegram, Github, and Google Drive),
owing to their perceived legitimacy and insufficient network controls for these tools and services.

Artificial intelligence is affecting various fields of endeavor, including cybercrime. Although not yet on
par with human capabilities, AI, particularly large language models, simplifies tasks and reduces manual
effort. 2024 will witness incremental progress in AI, not widespread adoption. Threat actors are
expected to use AI for domain naming, network planning and organization, and enhancing malware
development with easier coding and advanced obfuscation techniques. This will result in greater
organizational and technical efficiencies, a lower entry barrier for sophisticated attacks, and other
advantages to cybercriminals.

Recorded Future[®] | www.recordedfuture.com | Distribution: Public, from Insikt Group


-----

About Insikt Group[®]

Recorded Future’s Insikt Group, the company’s threat research division, comprises
analysts and security researchers with deep government, law enforcement, military, and
intelligence agency experience. Their mission is to produce intelligence that reduces risk
for clients, enables tangible outcomes, and prevents business disruption.

About Recorded Future[®]

Recorded Future is the world’s largest threat intelligence company. Recorded Future’s
Intelligence Cloud provides end-to-end intelligence across adversaries, infrastructure,
and targets. Indexing the internet across the open web, dark web, and technical
sources, Recorded Future provides real-time visibility into an expanding attack surface
and threat landscape, empowering clients to act with speed and confidence to reduce
risk and securely drive business forward. Headquartered in Boston with offices and
employees around the world, Recorded Future works with over 1,700 businesses and
government organizations across more than 75 countries to provide real-time, unbiased,
and actionable intelligence.

Learn more at recordedfuture.com


employees around the world, Recorded Future works with over 1,700 businesses and
government organizations across more than 75 countries to provide real-time, unbiased,
and actionable intelligence.

Learn more at recordedfuture.com

Recorded Future[®] | www.recordedfuture.com | Distribution: Public, from Insikt Group


-----