Hackers are increasingly abusing Middle East telecommunications networks and hosting providers to operate large-scale command-and-control (C2) infrastructure.
The findings highlight a strategic shift away from disposable indicators toward infrastructure-level tracking, allowing defenders to identify persistent patterns behind cyber operations rather than reacting to constantly changing indicators of compromise.
The dataset reveals that C2 infrastructure dominates malicious activity in the region, accounting for over 90 percent of all observed artifacts, far exceeding phishing campaigns, exposed directories, and publicly reported indicators.
One of the most striking discoveries is the concentration of activity within major telecommunications networks. Saudi Telecom Company (STC) alone accounts for 981 C2 servers, representing roughly 72 percent of all detected C2 infrastructure in the region.
Researchers suggest this concentration is likely driven by compromised customer devices operating within the telecom network rather than direct compromise of the provider itself, effectively turning large-scale ISP infrastructure into a relay layer for attacker-controlled systems.
In a report shared with GBhackers, Hunt.io said its researchers identified more than 1,350 active C2 servers distributed across 98 infrastructure providers spanning 14 countries, including Saudi Arabia, the UAE, Turkey, Israel, Iran, Iraq, and Egypt.

Other prominent providers include UAE-based SERVERS TECH FZCO with over 100 C2 nodes, Israel’s OMC with more than 60, Turkey’s Türk Telekom with 40-plus, and Iraq’s Regxa, which shows a smaller but persistent footprint combined with a high tolerance for malicious activity.
Hackers Exploit Middle East Telecoms
The presence of both large telecom operators and smaller VPS providers illustrates how attackers blend into diverse infrastructure environments to maintain resilience and avoid disruption.
Across the full set of 98 Middle Eastern infrastructure providers, Host Radar recorded 1,459 malicious artifacts during the three-month observation period. This includes 1,357 C2 servers, 45 malicious open directories, 7 indicators of compromise (IOCs) referenced in public research, 43 IOC Hunter posts, and 7 phishing sites.
The analysis also reveals that a relatively small group of providers supports a disproportionately large share of malicious infrastructure.
This clustering effect enables threat actors to reuse infrastructure, stage operations in advance, and maintain dormant access points that can be activated when needed. In several documented cases, infrastructure linked to advanced persistent threat groups was identified weeks before actual attacks were launched.
Malware families observed across these networks include a mix of commodity botnets and advanced post-exploitation frameworks.
Tools such as Tactical RMM, Cobalt Strike, and Sliver are widely used alongside IoT botnets like Mirai, Mozi, and Hajime. This combination reflects a convergence of cybercrime and state-linked activity operating within the same infrastructure ecosystem.
Several offensive security frameworks and post-exploitation platforms also appear prominently in the dataset. These include Prism X (13), AsyncRAT (12), Sliver (10), Cobalt Strike (8), and Mirai (8), indicating that both commodity malware and sophisticated APT tooling leverage Middle Eastern infrastructure.

Real-world campaigns tied to the infrastructure include ransomware delivery, cryptomining operations, phishing campaigns, and espionage activity.
For example, researchers observed Phorpiex botnet C2 servers hosted on Syrian telecom infrastructure delivering both cryptominers and ransomware payloads, while other campaigns leveraged telecom IP space to exploit vulnerabilities, deploy remote access trojans, and conduct cloud-focused intrusions.
The report underscores that tracking infrastructure providers, autonomous systems, and hosting patterns offers a more proactive defense strategy. By focusing on the underlying networks consistently used by attackers, organizations can better anticipate threats, prioritize monitoring, and disrupt operations before they fully materialize.
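The infrastructure-level tracking the report recommends comes down to a small aggregation step: group known C2 sightings by hosting provider and autonomous system, measure how concentrated they are, and then use that view to triage outbound connections from your own network. The following Python is an added example written for this article and is not code from Hunt.io or GBhackers. Every sighting, prefix, ASN (RFC 5398 documentation range) and provider name in it is constructed; a real deployment would replace `PREFIX_TABLE` with a BGP or whois lookup and `SIGHTINGS` with a feed.

```python
"""Added example: aggregate C2 sightings by provider/ASN, surface clusters,
and use the provider view to prioritise outbound-connection alerts.
All data here is constructed for illustration (documentation IP ranges and
documentation ASNs), not real observations."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Sighting:
    ip: str
    asn: int
    provider: str
    country: str
    family: str


# Constructed sample feed: placeholder providers, TEST-NET addresses.
SIGHTINGS = [
    Sighting("203.0.113.10", 64500, "ExampleTelecom", "SA", "Mirai"),
    Sighting("203.0.113.11", 64500, "ExampleTelecom", "SA", "Mirai"),
    Sighting("203.0.113.12", 64500, "ExampleTelecom", "SA", "Cobalt Strike"),
    Sighting("203.0.113.13", 64500, "ExampleTelecom", "SA", "AsyncRAT"),
    Sighting("198.51.100.5", 64501, "ExampleVPS", "AE", "Sliver"),
    Sighting("198.51.100.6", 64501, "ExampleVPS", "AE", "Sliver"),
    Sighting("192.0.2.7", 64502, "ExampleHost", "TR", "Mozi"),
]

# Constructed prefix-to-ASN table standing in for a BGP/whois lookup.
PREFIX_TABLE = [
    (ip_network("203.0.113.0/24"), 64500, "ExampleTelecom"),
    (ip_network("198.51.100.0/24"), 64501, "ExampleVPS"),
    (ip_network("192.0.2.0/24"), 64502, "ExampleHost"),
]


def provider_concentration(sightings):
    """Return {provider: (count, share_of_total)} ordered by count descending.
    A few providers carrying most of the share is the clustering effect."""
    total = len(sightings)
    counts = Counter(s.provider for s in sightings)
    return {p: (n, n / total) for p, n in counts.most_common()}


def family_mix(sightings):
    """Return {provider: set(malware families)}. Providers hosting both IoT
    botnets and post-exploitation frameworks show the convergence described
    in the report."""
    mix = defaultdict(set)
    for s in sightings:
        mix[s.provider].add(s.family)
    return dict(mix)


def enrich(ip):
    """Longest-prefix match an IP to (asn, provider); None if not in the table."""
    addr = ip_address(ip)
    best = None
    for net, asn, prov in PREFIX_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, prov)
    return (best[1], best[2]) if best else None


def prioritise(dest_ip, sightings, threshold=0.25):
    """Triage an outbound destination seen in proxy/firewall logs:
    'high'   - exact match on a known C2 address
    'medium' - provider carries >= threshold share of known C2 sightings
    'low'    - otherwise or unknown network
    A large telecom also serves legitimate customers, so 'medium' is a
    monitoring-priority hint, not a block verdict."""
    if dest_ip in {s.ip for s in sightings}:
        return "high"
    info = enrich(dest_ip)
    if info is None:
        return "low"
    share = provider_concentration(sightings).get(info[1], (0, 0.0))[1]
    return "medium" if share >= threshold else "low"


if __name__ == "__main__":
    for prov, (n, share) in provider_concentration(SIGHTINGS).items():
        print(f"{prov:15} {n:3} C2  {share:6.1%}  families={sorted(family_mix(SIGHTINGS)[prov])}")
    for dst in ("203.0.113.10", "203.0.113.99", "192.0.2.200", "10.0.0.1"):
        print(dst, "->", prioritise(dst, SIGHTINGS))
```

The design choice worth noting is that `prioritise` falls through from exact indicator match to provider share: that is precisely the shift from disposable indicators to infrastructure patterns. When an attacker rotates to a fresh address inside the same telecom block, the exact match fails but the provider-level signal still raises the destination's priority.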

