2023 Adversary Infrastructure Report
2024-01-10 • Recorded Future
https://go.recordedfuture.com/hubfs/reports/cta-2024-1209.pdf
Attachments
cta-2024-1209.pdf (5 MB)
Recorded Future's 2023 infrastructure report tracks malicious C2, malware, botnet, and offensive security tooling infrastructure observed through its Intelligence Cloud. The excerpt says that Cobalt Strike remained the leading C2 framework; that AsyncRAT, QuasarRAT, PlugX, and ShadowPad were prominent remote access tools; and that RedLine and Raccoon led infostealer C2 volume. It also highlights Russian state actors' use of legitimate internet services, Chinese state actors' use of anonymization networks built from compromised devices, and a broader shift toward infrastructure that blends into normal network activity.