New Meterpreter Command Server Detected Signaling Active Post-Exploitation Activity

Security monitoring identifies high-confidence malicious infrastructure linked to a widely abused offensive security tool.

Malicious Infrastructure Flagged

Threat intelligence researchers have identified a new command-and-control (C2) endpoint associated with Meterpreter, a powerful payload commonly deployed through the Metasploit Framework.

Security teams flagged the following indicator as malicious:

  • IOC: 36.133.104.30:4444
  • Threat Type: Botnet Command-and-Control
  • Confidence Level: High (100%)
  • ASN: AS9808 CHINAMOBILE-CN
  • Country Association: China
  • First Observed: February 5, 2026

Analysts validated the infrastructure through scanning telemetry and threat intelligence correlation. Researchers have not confirmed whether the hosting system itself is compromised. However, the detection strongly indicates malicious operational use.

Why Meterpreter Infrastructure Raises Immediate Concern

Attackers widely use Meterpreter during post-exploitation phases. The payload enables stealthy remote access while operating directly in memory. As a result, traditional antivirus tools often struggle to detect it.

Threat actors deploy Meterpreter to:

  • Maintain persistent access inside compromised environments
  • Execute commands remotely without writing files to disk
  • Escalate privileges and move laterally across networks
  • Extract credentials and sensitive enterprise data
  • Deploy ransomware or additional malware payloads

Attackers frequently choose port 4444 because it blends into custom remote administration traffic. This tactic helps bypass weak monitoring controls.

Infrastructure Intelligence and Campaign Indicators

Security telemetry linked the server to China Mobile’s AS9808 network range. Threat actors often use large network providers to obscure malicious infrastructure among legitimate traffic.

C2 servers linked to offensive frameworks typically rotate quickly. Attackers also modify encryption channels and beacon intervals. Therefore, early IOC sharing plays a critical role in reducing dwell time.

Defensive Measures Security Teams Should Activate

Organizations should immediately review network logs for outbound communication to the flagged endpoint. Early traffic analysis often reveals hidden compromise.

Security teams should also:

  • Block the IOC across firewalls, proxies, and EDR platforms
  • Hunt for memory-based payload execution on endpoints
  • Review PowerShell and remote execution logs
  • Monitor abnormal authentication and privilege escalation activity
  • Perform threat hunting for post-exploitation artifacts
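A minimal log-review routine for the first step above (outbound traffic to the flagged endpoint), written as an added example and not part of the original advisory. It assumes iptables-style syslog lines; the log lines below are constructed samples, not real telemetry. It scores an exact match on the published IP as high confidence on any port, and any other connection attempt to port 4444 as a medium-confidence signal worth review.

```python
import re
from dataclasses import dataclass

IOC_IP = "36.133.104.30"   # indicator published in the advisory above
IOC_PORT = 4444            # port reported with the indicator

# Constructed sample firewall log lines (iptables-style syslog), not real telemetry.
SAMPLE_LOGS = """\
Feb 05 10:12:01 fw01 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=36.133.104.30 PROTO=TCP SPT=51022 DPT=4444
Feb 05 10:12:09 fw01 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=93.184.216.34 PROTO=TCP SPT=51023 DPT=443
Feb 05 10:13:44 fw01 kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.7.8 DST=203.0.113.9 PROTO=TCP SPT=40211 DPT=4444
Feb 05 10:14:02 fw01 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.9.40 DST=36.133.104.30 PROTO=TCP SPT=40388 DPT=8443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) .*?\b(?P<action>ACCEPT|DROP)\b .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)

@dataclass
class Hit:
    timestamp: str
    src: str
    dst: str
    dport: int
    action: str
    severity: str  # "high": exact IOC match; "medium": port-only heuristic
    reason: str

def scan_logs(text: str) -> list[Hit]:
    hits: list[Hit] = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        dst, dport = m["dst"], int(m["dpt"])
        if dst == IOC_IP:
            # Match the address on any port, not only 4444: the advisory notes C2 infrastructure is rotated and retuned.
            hits.append(Hit(m["ts"], m["src"], dst, dport, m["action"], "high",
                            "destination matches published Meterpreter C2 IOC"))
        elif dport == IOC_PORT:
            # Weaker signal: worth review (even a DROP shows a host tried), not proof of compromise.
            hits.append(Hit(m["ts"], m["src"], dst, dport, m["action"], "medium",
                            "outbound connection attempt to port 4444"))
    return hits

if __name__ == "__main__":
    for h in scan_logs(SAMPLE_LOGS):
        print(f"[{h.severity.upper()}] {h.timestamp} {h.src} -> {h.dst}:{h.dport} ({h.action}) {h.reason}")
```

Internal hosts that appear in a high-severity hit are the ones to prioritise for the memory and PowerShell review steps that follow.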

Rapid detection significantly reduces the likelihood of ransomware deployment and large-scale lateral movement. Continuous monitoring remains essential because attackers frequently rebuild their infrastructure.