2021 Adversary Infrastructure Report

Posted: 18th January 2022
2021 Adversary Infrastructure Report


Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.

Recorded Future’s Insikt Group® conducted a study of malicious command and control (C2) infrastructure identified using proactive scanning and collection methods throughout 2021. All data was sourced from the Recorded Future® Platform and is current as of December 10, 2021.

Executive Summary

Recorded Future tracks the creation and modification of new malicious infrastructure for a multitude of post-exploitation toolkits, custom malware, and open-source remote access trojans (RATs). Since 2017, Insikt Group has created detections for 80 families, including RATs, advanced persistent threat (APT) malware, botnet families, and other commodity tools. Recorded Future observed over 10,000 unique command and control (C2) servers during 2021 across more than 80 families. Our collection in 2021 was dominated by Cobalt Strike Team Servers and botnet families, both of which applied more resiliency and stealth measures throughout the year.

Key Findings

  • Our prediction last year anticipating an increase in Sliver, Mythic, Covenant, and Octopus C2 frameworks was only partially correct. While there has been small increase in use of Covenant, Sliver and Mythic, our visibility has shown continued reliance on Cobalt Strike with minimal adoption of newer C2 frameworks.
  • 25% of detected servers (3,400 servers) were not referenced in open sources; they were only identified on the Recorded Future Command and Control source.
  • Recorded Future observed an average of a 35-day lead time between when a C2 server is detected by our scanning efforts and when it is reported in other sources.
  • While Emotet’s return has garnered headlines, other botnets have continued to insulate, diversify, and grow their infrastructure during Emotet’s absence in 2021.

Editor’s Note: This post was an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.