Remote access Trojans like DarkComet, Poison Ivy, Havex, and AlienSpy use large-scale Internet enumeration. RAT controllers are generally less tolerant of latency, so there are a disproportionate number of RATs that are run from residential ISP subnets. A recent Shodan data set pulled from Shodan was overwhelmingly dominated by Dark Comet, followed by XtremeRAT, njRAT and Net Bus. BlackShades is still limping along, says Levi Gundert, author of Recorded Future report.”]
Source: https://www.darkreading.com/analytics/new-tactic-finds-rat-operators-fast