The telecommunications and hosting infrastructure of the Middle East has evolved into a primary backbone for global cybercrime operations. A newly released threat intelligence analysis from Hunt.io revealed that more than 1,350 active command-and-control (C2) servers were identified across the region within a single three-month window. The study, which monitored regional activity between February 1 and May 1, 2026, highlights a systemic vulnerability: threat actors are increasingly exploiting legitimate Middle East telecom networks, cloud platforms, and virtual private server (VPS) providers to anchor their malicious campaigns.
Security researchers warn that this infrastructure-heavy approach effectively neutralizes traditional defense strategies. Because attackers are rapidly rotating their domains and IP addresses while continuing to utilize the exact same regional internet service providers (ISPs), traditional indicator-of-compromise (IOC) detection models are consistently falling behind.
Key Details
The comprehensive analysis mapped out exactly 1,357 C2 servers deployed across 98 infrastructure providers spanning 14 Middle Eastern nations, including Saudi Arabia, the United Arab Emirates, Turkey, Israel, Iran, and Iraq. Alarmingly, C2 infrastructure accounted for 96.8% of all observed malicious artifacts in the dataset, vastly outnumbering independent phishing sites or publicly reported malicious domains.
The concentration of cybercriminal assets was heavily skewed toward specific state-backed and commercial networks:
- Saudi Telecom Company (STC): The regional giant hosted 981 unique C2 servers, representing a staggering 72.4% of the entire regional dataset. Researchers emphasize that this concentration does not indicate a direct compromise of STC’s core corporate infrastructure. Instead, the sheer scale of STC’s consumer and enterprise footprint means that threat actors are systematically compromising endpoints and routing traffic through the telecom’s vast IP space.
- SERVERS TECH FZCO: Located in the UAE, this provider exhibited an elevated concentration of C2 infrastructure alongside exposed malicious open directories containing active payloads.
- Other Noted Providers: Publicly run networks, including Iraqi and Syrian telecom operators, along with regional content delivery networks (CDNs) like Iran’s AbrArvan, showed consistent, concentrated usage by both commodity malware operators and sophisticated threat groups.
Technical Analysis
The threat landscape operating within these networks is highly diverse, ranging from low-level digital extortion to advanced post-exploitation frameworks.
Malware Families and Frameworks
Tactical RMM, an open-source remote monitoring and management (RMM) tool, led all malware categories with 92 unique C2 IP addresses. Legitimate RMM tools are highly coveted by threat actors because they allow persistent administrative access to compromised networks without triggering standard antivirus alerts.
Other prominent threat categories identified in the infrastructure include:
- Traffic Distribution Systems (TDS): Most notably Keitaro, used to intelligently route malicious web traffic and redirect victims to exploit kits or phishing landing pages.
- Vulnerability Scanners and Phishing Kits: Wide deployment of Acunetix for network reconnaissance and Gophish for corporate social engineering campaigns.
- IoT Botnets: Pervasive activity from legacy and evolving botnet architectures, including Mozi, Hajime, and Mirai.
- Post-Exploitation Frameworks: Highly dangerous penetration testing tools, such as Cobalt Strike, Sliver, and AsyncRAT, which blur the lines between commercial cybercrime and state-sponsored espionage.
Notable Active Campaigns
The Hunt.io report correlated the identified C2 infrastructure with several active, real-world campaigns:
- Ransomware Delivery via Syrian Telecom: A Phorpiex (Twizt) botnet C2 server (94.252.245[.]193) operating on Syrian infrastructure was caught distributing encrypted payloads containing XMRig cryptominers and variants of LockBit Black ransomware.
- Espionage via Iraq-Based Hosting: Infrastructure belonging to provider Regxa in Iraq supported a targeted espionage campaign attributed to the “Eagle Werewolf” threat cluster. This operation relied on Telegram-based lures and phishing emails to drop EchoGather and Sliver RATs (Remote Access Trojans).
- Zero-Day Exploitation: Adversaries targeted CVE-2025-11953 (known colloquially as Metro4Shell) via a malicious IP address mapped to Saudi Arabia’s Mobily network. The exploit delivered Base64-encoded PowerShell scripts that ultimately executed custom, Rust-based malware.
- Mass Vulnerability Scanning: Iranian infrastructure leveraging the AbrArvan CDN hosted the RondoDox botnet. This operation conducted up to 15,000 daily automated exploit attempts, testing targets globally for 174 distinct software vulnerabilities using scanning mechanisms adapted from the Mirai source code.
Impact and Risks
The systemic exploitation of legitimate telecommunications networks poses a severe threat to global enterprise security. When threat actors launch attacks from highly respected, enterprise-grade IP blocks belonging to major providers like STC or Mobily, automated traffic triage and reputation scoring face a difficult challenge.
- False Sense of Security: Security Operations Centers (SOCs) frequently whitelist or assign low risk scores to traffic originating from legitimate national telecom operators, allowing malicious traffic to pass unexamined.
- Operational Disruption: Organizations relying on automated IP-blocking policies risk cutting off legitimate business communications if they inadvertently blacklist massive regional ASNs (Autonomous System Numbers).
- National Security Implications: The co-location of commercial malware-as-a-service (MaaS) platforms alongside sophisticated nation-state post-exploitation frameworks (like Sliver and Cobalt Strike) within the same network environments makes attribution incredibly complex, allowing state actors to hide in the noise of everyday cybercrime.
Expert Recommendations
To counter this rapid infrastructure rotation, enterprise security leaders and network administrators must shift their perimeter defenses away from reactive IOC matching and toward proactive infrastructure tracking.
- Transition to ASN-Level Behavioral Monitoring: Instead of blocking individual malicious IP addresses after an attack has occurred, security teams should implement behavioral monitoring at the Autonomous System Number (ASN) and hosting provider level. High-risk infrastructure blocks showing consistent C2 patterns should be subjected to mandatory deep packet inspection.
- Strict Egress Traffic Filtering: Restrict internal endpoints from initiating outbound connections to unauthorized external ports. Command-and-control communication typically relies on non-standard ports or specific unverified protocols to establish its backchannels.
- Deploy Advanced Endpoint Detection and Response (EDR): Because attackers are heavily utilizing legitimate RMM tools (which bypass basic antivirus), security teams must deploy EDR solutions configured to flag anomalous behavioral patterns—such as an administrative tool spawning unauthorized PowerShell scripts.
- Incorporate Infrastructure-Driven Threat Intelligence: Security operations centers should integrate threat intelligence feeds that actively track hosting provider reputations and network allocations rather than relying solely on static, historical domain blacklists.
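To make the ASN-level recommendation concrete, the following added example (not code from the Hunt.io report) contrasts reactive IOC matching with provider-level monitoring over a constructed egress log. The prefix table, ASNs, C2 addresses and internal host names are placeholders; the point is that when attackers rotate to fresh IPs inside a provider that already hosted known C2, the IOC list catches one address while the ASN view catches the cluster.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix-to-ASN table (documentation ranges, placeholder ASNs).
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "AS64500"),   # placeholder regional telecom
    (ipaddress.ip_network("198.51.100.0/24"), "AS64501"),  # placeholder VPS provider
    (ipaddress.ip_network("192.0.2.0/24"), "AS64502"),     # placeholder CDN
]

# Constructed IOC feed: C2 addresses observed last quarter.
KNOWN_C2 = {"203.0.113.10", "203.0.113.11"}

# Constructed egress records: (internal_host, dst_ip, dst_port).
# The operator has rotated to new IPs in the same AS; one old IOC is still live.
EGRESS_LOG = [
    ("ws-01", "203.0.113.10", 8443),
    ("ws-02", "203.0.113.57", 4444),
    ("ws-03", "203.0.113.58", 4444),
    ("ws-04", "203.0.113.59", 4444),
    ("ws-05", "198.51.100.7", 443),
    ("ws-01", "192.0.2.20", 443),
]

APPROVED_PORTS = {80, 443}  # ports allowed by the egress policy


def lookup_asn(ip):
    """Map an IP to its ASN by longest-prefix match; 'UNKNOWN' if unlisted."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, asn) for net, asn in ASN_TABLE if addr in net]
    return max(matches)[1] if matches else "UNKNOWN"


def ioc_matches(log, iocs):
    """Reactive model: only destinations already on the IOC list are flagged."""
    return sorted({dst for _, dst, _ in log if dst in iocs})


def asn_flags(log, iocs, min_hosts=3):
    """Infrastructure model: group egress by ASN and flag an AS that has hosted
    known C2 and is now reached by several internal hosts at new, unlisted
    addresses on unapproved ports (fresh IPs, same provider)."""
    per_asn = defaultdict(lambda: {"ioc": False, "new_dst": set(), "hosts": set()})
    for host, dst, port in log:
        entry = per_asn[lookup_asn(dst)]
        if dst in iocs:
            entry["ioc"] = True
        elif port not in APPROVED_PORTS:
            entry["new_dst"].add(dst)
            entry["hosts"].add(host)
    return sorted(asn for asn, e in per_asn.items()
                  if e["ioc"] and e["new_dst"] and len(e["hosts"]) >= min_hosts)
```

On the sample log, `ioc_matches` returns only the one stale address, while `asn_flags` surfaces the whole provider block that the rotated C2 now lives in; the `min_hosts` threshold is what keeps a single odd connection from condemning an entire ASN.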
Industry Context
The findings from Hunt.io underscore a broader, global shift in cybercriminal behavior. Over the past several years, strict law enforcement crackdowns on traditional “bulletproof hosting” providers in Europe and North America have forced threat groups to adapt.
Instead of hiding in the dark corners of the internet, modern threat actors now deliberately hide in plain sight. By renting or compromising space inside massive, highly trusted regional telecom environments like those in the Middle East, cybercriminals successfully exploit the reputational safety of these networks to bypass the global security perimeter.
Conclusion
The revelation that over 1,350 C2 servers are operating concurrently across Middle East telecom networks proves that traditional reactive cyber defense models are breaking down. As adversaries continue to rapidly discard domains and shift IPs while remaining anchored to the same underlying network providers, the international security community must adapt. Defeating modern cybercrime requires looking past individual, short-lived indicators of compromise and focusing squarely on auditing, monitoring, and securing the core infrastructure providers that power the internet.
FAQ
1. Why are cybercriminals specifically targeting Middle East telecom networks like STC?
Threat actors exploit large Middle East telecom networks because of their massive scale and highly trusted global network reputations. Launching attacks or hosting command-and-control (C2) servers within respected IP blocks allows traffic to blend in with legitimate commercial data, bypassing basic automated security filters.
2. Does this report mean that Saudi Telecom Company (STC) was hacked?
No. The findings indicate that threat actors are exploiting compromised consumer or enterprise endpoints running within the STC network environment, or are simply registering services under false pretenses. The core telecommunications infrastructure of the provider itself was not breached.
3. What is infrastructure tracking, and how does it differ from traditional IOC detection?
Traditional detection relies on specific Indicators of Compromise (IOCs), such as a known malicious IP address or domain name. Infrastructure tracking focuses on identifying the underlying hosting providers, ASNs, and network patterns that attackers repeatedly use, allowing defenders to anticipate threats even when attackers change their domains.
4. What malware families were most frequently found in this Middle East infrastructure?
The analysis identified a significant volume of Tactical RMM tools, traffic distribution systems like Keitaro, network scanners like Acunetix, and persistent IoT botnets including Mirai, Mozi, and Hajime. Advanced frameworks like Cobalt Strike and Sliver were also highly prevalent.
5. How can organizations protect themselves against traffic originating from these networks?
Organizations should implement ASN-level behavioral monitoring, strict egress traffic filtering to block unapproved outbound connections, and deploy EDR tools capable of detecting the unauthorized use of legitimate remote management tools (RMMs).