VYPR
Research · Published May 22, 2026 · Updated May 24, 2026 · 1 source

Hunt.io Finds 1,350+ C2 Servers Abusing Middle East Telecom Networks

Over 1,350 active command-and-control servers were found across 98 Middle Eastern infrastructure providers, with Saudi Telecom Company alone hosting 72% of regional C2 infrastructure.

Hackers are using telecom networks and hosting providers across the Middle East as a foundation for massive command-and-control operations, turning trusted infrastructure into a launchpad for cyberattacks. A newly released threat intelligence report reveals that more than 1,350 active command-and-control (C2) servers were identified across 98 infrastructure providers in the region within just three months.

The scale of the activity is striking. Researchers analyzed infrastructure across 14 countries, including Saudi Arabia, the UAE, Turkey, Israel, Iraq, Iran, Egypt, and Syria, and found that C2 infrastructure makes up roughly 93% of all malicious activity detected. The remaining share is split between exposed malicious directories, phishing sites, and publicly documented threat indicators.

Analysts at Hunt.io said in a report shared with Cyber Security News that their Host Radar module was used to correlate C2 servers, phishing infrastructure, and open directories back to the providers and network operators supporting them. The findings paint a clear picture of how attackers deliberately pick specific hosting environments to build out their operations.

What makes the report particularly alarming is not just the volume, but the concentration. Saudi Arabia's STC (Saudi Telecom Company) alone accounts for 981 of the detected C2 servers, which is 72.4% of all regional C2 infrastructure, the largest concentration observed at any single provider worldwide. Researchers believe this reflects abuse of compromised customer endpoints rather than servers directly managed by the provider.

The types of threats running on this infrastructure range widely. IoT-focused botnets, offensive hacking frameworks, phishing kits, ransomware delivery systems, and state-sponsored espionage tools were all found operating across the same regional networks. This points to a broader threat landscape where criminal groups and nation-state actors share the same underlying infrastructure.

Several active attack campaigns were tied directly to this infrastructure. The Phorpiex (Twizt) botnet was found running on Syrian Telecom infrastructure, using a hybrid setup combining standard web communication with a peer-to-peer layer to deliver encrypted payloads. A separate espionage campaign linked to the Eagle Werewolf cluster used Iraqi hosting on Regxa infrastructure to deploy multiple remote access tools via phishing lures based on Starlink registration and drone training themes.

Defenders are encouraged to shift focus away from chasing individual threat indicators and instead monitor the hosting providers, ASNs, and network-level patterns that attackers return to repeatedly. Hunt.io noted that tracking infrastructure at the provider level gives security teams a way to anticipate attacker behavior rather than simply reacting after the fact.
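The provider-level tracking recommended above can be turned into a small, repeatable pipeline: enrich each C2 sighting with its ASN and operator, measure how concentrated the sightings are per ASN, note which ASNs keep reappearing across months and how many malware families share them, and then use that watchlist to flag outbound connections. The script below is an added example written for this article; it is not Hunt.io's Host Radar code or anything from the report. All sightings, flows, ASNs (RFC 5398 documentation range), provider names and IPs are constructed placeholders, and the share and recurrence thresholds are assumptions you would tune to your own data.

```python
"""Provider-level aggregation of C2 sightings (added example, constructed data)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Sighting:
    """One observed C2 server, already enriched with its network owner."""
    ip: str
    asn: int          # documentation-range ASNs (RFC 5398), not real operators
    provider: str
    country: str
    family: str
    seen: date


# Constructed sample data: placeholder ASNs, providers and IPs only.
SAMPLE_SIGHTINGS = [
    Sighting("192.0.2.10", 64500, "ExampleTel", "SA", "iot_botnet", date(2026, 3, 2)),
    Sighting("192.0.2.11", 64500, "ExampleTel", "SA", "iot_botnet", date(2026, 3, 9)),
    Sighting("192.0.2.12", 64500, "ExampleTel", "SA", "rat", date(2026, 4, 14)),
    Sighting("192.0.2.13", 64500, "ExampleTel", "SA", "phishing_kit", date(2026, 4, 20)),
    Sighting("192.0.2.14", 64500, "ExampleTel", "SA", "rat", date(2026, 5, 1)),
    Sighting("192.0.2.15", 64500, "ExampleTel", "SA", "iot_botnet", date(2026, 5, 6)),
    Sighting("198.51.100.7", 64501, "ExampleHost", "IQ", "rat", date(2026, 4, 3)),
    Sighting("198.51.100.8", 64501, "ExampleHost", "IQ", "rat", date(2026, 4, 5)),
    Sighting("198.51.100.20", 64502, "ExampleCloud", "AE", "phishing_kit", date(2026, 5, 11)),
    Sighting("198.51.100.30", 64503, "ExampleISP", "TR", "iot_botnet", date(2026, 3, 18)),
    Sighting("198.51.100.31", 64503, "ExampleISP", "TR", "rat", date(2026, 5, 22)),
]


def provider_concentration(sightings):
    """Per-ASN share of all sightings, most concentrated first.

    Returns a list of (asn, provider, count, share) tuples.
    """
    counts = Counter((s.asn, s.provider) for s in sightings)
    total = sum(counts.values())
    return [(asn, prov, n, n / total) for (asn, prov), n in counts.most_common()]


def recurring_asns(sightings, min_months=2):
    """ASNs that host C2 in at least `min_months` distinct calendar months."""
    months = defaultdict(set)
    for s in sightings:
        months[s.asn].add((s.seen.year, s.seen.month))
    return {asn for asn, m in months.items() if len(m) >= min_months}


def family_diversity(sightings):
    """Distinct malware families per ASN: a signal that unrelated actors share it."""
    fams = defaultdict(set)
    for s in sightings:
        fams[s.asn].add(s.family)
    return {asn: len(f) for asn, f in fams.items()}


def build_watchlist(sightings, share_threshold=0.25, min_months=2):
    """ASNs worth monitoring as a unit: a large share of C2 sightings, or
    repeated reappearance across months. Returns {asn: {provider, reasons}}."""
    recurring = recurring_asns(sightings, min_months)
    diversity = family_diversity(sightings)
    watch = {}
    for asn, prov, n, share in provider_concentration(sightings):
        reasons = []
        if share >= share_threshold:
            reasons.append(f"{share:.0%} of sightings ({n})")
        if asn in recurring:
            reasons.append(f"recurring across >= {min_months} months")
        if reasons:
            reasons.append(f"{diversity[asn]} malware families")
            watch[asn] = {"provider": prov, "reasons": reasons}
    return watch


def flag_outbound(flows, watchlist):
    """Return outbound flows whose destination ASN is on the watchlist.

    `flows` are (src_ip, dst_ip, dst_asn) tuples from an ASN-enriched flow log.
    """
    return [f for f in flows if f[2] in watchlist]


if __name__ == "__main__":
    wl = build_watchlist(SAMPLE_SIGHTINGS)
    for asn, info in wl.items():
        print(f"AS{asn} {info['provider']}: {'; '.join(info['reasons'])}")
    # Constructed flow records, not taken from any real log.
    flows = [("10.0.0.5", "192.0.2.99", 64500), ("10.0.0.6", "203.0.113.4", 64510)]
    print("flagged:", flag_outbound(flows, wl))
```

On the constructed sample, AS64500 lands on the watchlist for both concentration and recurrence, and AS64503 for recurrence alone despite a small share, which is the point of looking at return patterns rather than raw counts. A flow to a previously unseen IP inside a watchlisted ASN is still flagged, which is what tracking at the provider level buys you over a per-IP blocklist.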

Synthesized by Vypr AI