Censys State of the Internet 2025

Censys State of the Internet 2025
Censys’ 2025 State of the Internet Report analyzes adversary infrastructure at Internet scale, showing how malware, C2 services, open directories, and residential proxy networks persist, shift, and evade detection over time. The report highlights Cobalt Strike, Viper, Sliver, PlugX, and PolarEdge as major examples of how threat actors build and maintain infrastructure across global hosting providers and geographies. #CobaltStrike #Viper #Sliver #PlugX #PolarEdge #APT41 #MustangPanda #CVE-2023-20118 #Censys

Keypoints

  • Annual cybersecurity reports of this type typically begin with an introduction and methodology section that explains the report’s scope, data sources, accuracy, and why the dataset is reliable for Internet-scale threat analysis.
  • They usually include a trends section covering malware detections, command-and-control infrastructure, geographic distribution, hosting providers, and changes observed over the reporting period.
  • Another common section focuses on infrastructure lifespan or “time to live,” showing how long malicious services stay online, how quickly they disappear, and how attackers rotate or replace infrastructure.
  • Many reports also examine specific infrastructure classes such as open directories, residential proxies, botnets, and other edge or relay systems that support malicious operations.
  • A concluding section generally ties the findings together, emphasizing operational takeaways for defenders, researchers, and incident responders.
  • In this report, Censys analyzed 80 malware detections over six months, from December 2024 through May 2025, with an average of 2,906 malware detections per snapshot date.
  • The highest volume of detections occurred in mid-December, followed by a 14% drop in early January, largely attributed to fewer Cobalt Strike instances in China.
  • Cobalt Strike was the most prevalent family throughout the study and represented 34% of observed C2 infrastructure as of May 2025.
  • Viper accounted for 15% of total detections and Sliver for 13%, underscoring the growth of open-source adversary emulation tools in malicious operations.
  • Geographically, detections were observed in 62 countries, with China and the United States together hosting 55% of malware infrastructure.
  • The report notes that clustering in certain regions is more likely driven by hosting availability, pricing, and permissiveness than by geopolitical meaning.
  • At the network level, Alibaba and Tencent in China hosted the greatest volume of malware detections, while U.S.-based providers such as DigitalOcean, Vultr, Amazon, and Microsoft also appeared prominently.
  • PlugX, a RAT associated with APT41 and Mustang Panda, showed a general decline during the study window, with a brief uptick in early April 2025 after a U.S. Department of Justice takedown in January.
  • For C2 “time to live,” Cobalt Strike TeamServer instances were shorter-lived on average than Viper, with average/median lifespans of 11.2/5.0 days versus 17.4/18.5 days for Viper.
  • Even within the same malware family, lifespan varied by port, showing that defenders must analyze subclusters and specific behaviors rather than relying only on family names.
  • Content-based TTL analysis using Cobalt Strike watermark data showed average/median service lifespans of 9.5/4.0 days, while watermark-based persistence extended to 11.1/6.0 days, indicating that content and network liveliness do not always match.
  • Only 14 IPs were found to switch among multiple watermarks, but those cases show that some hosts change behavior rapidly and may need closer investigation.
  • Open web directories were found to be highly ephemeral, with 50% disappearing in under one day and 50% changing contents within about three days.
  • The report emphasizes that open directories may vanish quickly at the network layer while their content remains stable long enough to support attribution and actor tracking.
  • Residential proxy infrastructure was presented as a stealthy layer of relaying through consumer devices, with special focus on ORBs and the PolarEdge botnet.
  • PolarEdge exploited CVE-2023-20118 in Cisco Small Business routers and used base64-encoded webshells, illustrating how IoT and edge devices are repurposed into proxy and control infrastructure.
  • Historical Censys data helped pivot from an original PolarEdge host to adjacent infrastructure, including unusual PolarSSL certificates and an open directory on a high port.
  • A discovered ELF binary named RPX appeared to coordinate compromised nodes as proxy relays, suggesting a dedicated backend tool for managing large-scale proxy infrastructure.
  • The recurring theme across the report is that infrastructure visibility, historical context, and high-quality scanning data are essential to understanding and disrupting modern threat operations.
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)

Download Report from Github