Malware authors use port scanners to identify open ports on a network or external server. The goal is to discover accessible services that can be exploited. By scanning for open ports, attackers gain insight into which services are running, enabling them to find vulnerabilities or potential points of entry for further attacks. When a compromised machine is used for this purpose, it helps avoid detection by masking the attacker’s real location. This technique is often used by attackers looking to expand their access or deliver additional payloads without revealing their own infrastructure.