Middle East Telecom Networks Hijacked for Massive C2 Operations, Over 1,350 Servers Identified

Threat intelligence researchers have identified more than 1,350 active command-and-control servers across 98 providers in 14 Middle Eastern countries, with Saudi Arabia's STC accounting for 72% of all regional C2 infrastructure.

Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA Region9 min read
Server racks inside a Middle East telecom data centre with LED status lights and cooling units

Server racks inside a Middle East telecom data centre with LED status lights and cooling units

A sweeping new threat intelligence analysis has confirmed that telecommunications networks and hosting infrastructure across the Middle East have become one of the most significant operational foundations for global cybercrime, with more than 1,350 active command-and-control (C2) servers identified across 98 infrastructure providers spanning 14 countries in a three-month window between 1 February and 1 May 2026.

The Scale of the Problem

Across the full dataset, researchers recorded 1,459 malicious artifacts during the observation period. Of these, 1,357 were active C2 servers. The remaining share comprised 45 malicious open directories, 43 IOC Hunter posts, 7 phishing sites, and 7 publicly reported indicators of compromise. C2 infrastructure accounted for approximately 96.8% of all observed malicious activity, a figure that dramatically outweighs traditional phishing and indicator-based threats and signals that persistent network-level infrastructure, rather than short-lived attack assets, is now the dominant mode of operation.

The 14 countries covered in the analysis include Saudi Arabia, the UAE, Turkey, Israel, Iraq, Iran, Egypt, Kuwait, Lebanon, Jordan, Bahrain, Syria, Cyprus, and Palestine. The geographic breadth underscores that this is not a localised problem but a regional infrastructure crisis with global implications, given that many of the campaigns operating from this infrastructure target organisations well beyond the Middle East.

Saudi Telecom Company: The Largest Concentration Globally

The single most striking finding in the dataset is the concentration of C2 servers within Saudi Telecom Company (STC) infrastructure. Researchers identified 981 C2 servers associated with STC, representing 72.4% of all detected regional C2 activity and the largest concentration recorded at any single provider anywhere in the world during the observation period.

Analysts were clear that this concentration does not indicate STC itself has been breached or is complicit. The more probable explanation is the large-scale compromise of customer endpoints operating within STC's vast network footprint. When a telecom provider serves millions of customers, a proportion of those customer devices will inevitably be compromised. Those infected devices then effectively become relay points and hosting environments for attacker-controlled infrastructure, all operating behind the legitimacy and scale of a major national carrier.

This dynamic matters because it means that blocking STC IP ranges is not a viable defensive response. The traffic originates from legitimate network infrastructure. The contamination is at the endpoint layer, not the carrier layer. Defenders must instead focus on behavioural anomalies, traffic pattern analysis, and the specific C2 communication signatures associated with the malware families observed in this dataset.

This is part of a broader pattern of telecom abuse in the region. As MCW reported earlier this month, China-linked threat actors have also been deploying the Showboat Linux malware against a Middle East telecommunications provider, using it as a SOCKS5 proxy to move laterally across internal networks and reach systems not exposed to the internet. The tactics differ but the target ecosystem is the same: regional telecom infrastructure is under sustained, multi-actor pressure.

Other Providers in the Dataset

Beyond STC, several other providers feature prominently. UAE-based SERVERS TECH FZCO was linked to more than 100 C2 nodes, reflecting the use of smaller virtualised hosting providers as a complement to large telecom networks. Israel's OMC registered more than 60 C2 servers. Turkey's Turk Telekom hosted 44 C2 servers and led all providers in malware diversity, with six distinct malware families operating across nine unique endpoints, the highest family-to-endpoint ratio in the dataset.

Iraq's Regxa Company maintained a smaller absolute footprint but carries the highest bulletproof hosting rating in the dataset. A bulletproof rating indicates a provider with a consistent pattern of slow or non-responsive abuse handling, making it an attractive long-term home for infrastructure that must survive takedown attempts. Regxa's combination of small size, high tolerance for abuse, and acceptance of cryptocurrency payments makes it a stable operational base for threat actors who need persistence over visibility.

The pattern across providers illustrates a deliberate strategic approach. Attackers blend across large consumer internet networks, smaller VPS operators, specialised hosting firms, and providers known for minimal abuse intervention. This layered approach ensures that the takedown of any single node does not disrupt the broader operation.

The Malware Ecosystem Operating Across This Infrastructure

The malware families and offensive frameworks identified across this infrastructure span the full spectrum from commodity botnets to nation-state-grade tooling.

Tactical RMM led all categories with 92 unique C2 IP addresses. Tactical RMM is a legitimate remote management tool that has been systematically weaponised by threat actors as a living-off-the-land framework. Its abuse is particularly difficult to detect because it generates traffic patterns that are nearly indistinguishable from legitimate enterprise IT management activity.

The Keitaro traffic distribution system appeared on 71 C2 IPs, functioning as a routing layer for malvertising and phishing campaigns. Acunetix infrastructure was detected on 38 IPs, Gophish on 31. Offensive post-exploitation frameworks including Cobalt Strike, Sliver, and AsyncRAT were present across multiple providers, confirming the simultaneous operation of both financially motivated criminal groups and sophisticated persistent threat actors within the same infrastructure ecosystem.

IoT-focused botnets including Mirai, Mozi, and Hajime were also present in significant numbers. These botnets are significant not only for their direct threat capability but because routers, cameras, and other poorly secured network devices can be absorbed into large relay networks with minimal visibility to their owners or the telecoms carrying their traffic.

Active Campaigns Confirmed Against This Infrastructure

Multiple real-world campaigns were directly tied to this infrastructure during the observation period.

The Phorpiex (Twizt) botnet was confirmed operating from Syrian Telecom infrastructure at IP address 94.252.245[.]193, delivering encrypted payloads that included the XMRig cryptocurrency miner alongside LockBit Black ransomware. The hybrid HTTP and peer-to-peer architecture used by this variant makes it particularly resilient against takedown efforts.

The Eagle Werewolf espionage cluster was linked to Regxa-hosted infrastructure in Iraq, deploying EchoGather RAT and Sliver via phishing lures and Telegram-based social engineering. Eagle Werewolf used lures styled around Starlink registration and drone training materials, themes with clear relevance to regional audiences, to increase the credibility of the initial access attempt.

On Saudi Arabia's Mobily network, researchers confirmed active exploitation of CVE-2025-11953, a React Native CLI vulnerability tracked as Metro4Shell, with attackers delivering Base64-encoded PowerShell payloads and Rust-based malware after using encoded scripts to disable endpoint security tooling before execution.

Iran-hosted infrastructure connected to AbrArvan CDN supported the RondoDox botnet, which peaked at 15,000 daily exploit attempts across 174 vulnerabilities using Mirai-like techniques. Egypt's TE Data network hosted infrastructure tied to an AI-powered AWS intrusion campaign involving credential theft and LLMjacking operations.

Researchers also identified DYNOWIPER destructive malware infrastructure and ClickFix social engineering chain components operating across the dataset, confirming the presence of destructive and manipulation-focused attack capability alongside the more widely discussed ransomware and espionage activity.

Why Infrastructure-Level Tracking Changes Everything

The most strategically significant recommendation from the Hunt.io analysis is the shift from indicator-based detection to infrastructure-centric defence. Traditional security operations built around blocking malicious IP addresses, domains, and file hashes are facing a sustainability problem. Attackers automate infrastructure rotation faster than defenders can update block lists. Domains disappear. IP addresses change. Payload hashes evolve within hours of detection. But the hosting providers, ASN patterns, server configurations, certificate relationships, and network paths that attackers rely on remain far more stable.

In several documented cases from this dataset, infrastructure linked to advanced persistent threat groups was identified weeks before actual attacks were launched. Defenders who monitor at the provider and network level, rather than the indicator level, have the ability to detect preparation activity before a campaign is fully activated, a capability that purely reactive indicator-based tools cannot provide.

For the GCC enterprise security community, this means investing in threat intelligence platforms and internal capabilities that track infrastructure relationships rather than just consuming IOC feeds. It means building detection rules that fire on behavioural patterns, such as outbound connections to specific ASN clusters or unusual use of legitimate remote management tools, rather than waiting for known-bad signatures to appear.

The Commercial Dimension for Gulf Digital Economies

This infrastructure problem extends beyond individual organisations. Saudi Arabia, the UAE, and the broader GCC are investing heavily in cloud services, AI infrastructure, fintech platforms, digital government services, and smart-city systems. All of those ambitions depend on trusted connectivity. A telecom and hosting ecosystem repeatedly used by attackers operating ransomware, espionage tooling, and destructive malware becomes a silent operational base for campaigns aimed at banks, energy firms, transport networks, public bodies, and cross-border supply chains.

The commercial message is clear. Telecom operators and hosting providers across the region face growing pressure to invest in abuse detection, customer notification systems, faster suspension of malicious virtual servers, stronger identity checks at onboarding, and closer cooperation with national cyber agencies including the UAE Cybersecurity Council and Saudi Arabia's NCA. Enterprises using regional providers should review egress filtering, DNS monitoring, endpoint controls, and threat-hunting rules tied to suspicious C2 communication behaviour.

The broader lesson from this dataset is one that applies to every organisation operating in the region: size creates visibility problems. Large providers process enormous traffic volumes, and separating malicious operations from legitimate activity becomes significantly harder at scale. That challenge will not diminish as the region's digital economy grows. It will intensify.

Key Indicators of Compromise

Security teams should cross-reference the following against their SIEM and threat intelligence platforms. All indicators are intentionally formatted to prevent accidental resolution.

  • 94.252.245[.]193: Phorpiex (Twizt) C2 on Syrian Telecom, hybrid HTTP and P2P architecture delivering XMRig and LockBit Black
  • 93.113.62[.]247: Phishing campaign on Netinternet (Turkey) targeting cloud storage credentials
  • 5.109.182[.]231: CVE-2025-11953 (Metro4Shell) exploitation on Mobily (Saudi Arabia)
  • 37.32.15[.]8: RondoDox botnet on AbrArvan CDN (Iran), active since May 2025, peaking at 15,000 daily exploit attempts
  • 197.51.170[.]131: AI-powered AWS intrusion campaign on TE Data (Egypt), credential theft and LLMjacking

Omar Al-Hakeem

Senior Cyber Threat Analyst | MENA Region

Omar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.

Intelligence Focus Areas

GCC Threat IntelligenceMENA Cyber Threats 2026Telecom Network SecurityCommand and ControlBotnet Activity MENAGulf Cybersecurity NewsMiddle East Threat ActorsSaudi Arabia Cyber RiskUAE Cybersecurity