Understanding Adversary Infrastructure Through Real Investigations and Data
In this annual report, we examine adversary infrastructure—the hidden backbone of cybercrime and espionage that allows attackers to scale operations, mask origins, and sustain campaigns.
The report focuses on command-and-control (C2) services and related tools that enable control, lateral movement, and data exfiltration. Drawing from real-world incidents, it identifies structural patterns across infrastructure—where it resides, how long it persists, and how signals reveal continuity even as services shift.
What you’ll find in the report:
Key findings from this year’s report include:
- Adversary infrastructure as an early-warning system: Why C2 and related services often provide the earliest and most consistent signals of malicious activity.
- Structural patterns at Internet scale: Insights into where adversary infrastructure resides, how long it persists, and how continuity is maintained across shifting services.
- Evolving attacker tactics: The rise of edge-based infrastructure such as residential proxies and IoT botnets, and how they complement traditional C2 ecosystems.
- Real-world incident analysis: Case studies and data that illustrate how threat actors build, sustain, and adapt the scaffolding behind modern operations.
Get your copy of The 2025 State of the Internet Report to learn more about adversary infrastructure and its implication for modern threat operations.