Telecommunications networks across the Middle East are being used by threat actors to host large-scale command-and-control (C2) infrastructure, according to a recent threat intelligence report. The report documents how compromised hosts on these networks are turned into platforms for launching further attacks.
Widespread Command-and-Control Activities
Over a three-month period the report identified more than 1,350 active C2 servers across 98 infrastructure providers in the region. The activity spans 14 countries, including Saudi Arabia, the UAE, Turkey and Israel. C2 servers account for 93% of all malicious infrastructure detected, far outnumbering other findings such as phishing sites and exposed directories.
Hunt.io researchers used their Host Radar module to attribute C2 servers and other malicious infrastructure to the networks hosting them. The analysis shows attackers concentrating on particular hosting environments rather than spreading evenly across the region's providers, which is what makes provider-level tracking useful.
Significant Findings in Saudi Telecom Networks
Saudi Telecom Company (STC) is the largest single hub, hosting 981 C2 servers, or 72.4% of the region's C2 infrastructure. The researchers attribute this to compromised customer endpoints on STC's network rather than any involvement by the provider itself; a large, consumer-heavy address space naturally accumulates more infected hosts, so the raw count reflects exposure rather than intent.
The threats running on this infrastructure are diverse, ranging from IoT botnets and phishing kits to state-sponsored espionage tooling. Criminal groups and nation-state actors are relying on the same underlying networks.
Implications for Regional Network Security
Beyond STC, other telecoms such as Türk Telekom and hosting providers such as SERVERS TECH FZCO in the UAE also host C2 infrastructure. Türk Telekom hosts 44 C2 servers running a wide variety of malware, while specialized providers such as Regxa Company in Iraq carry high bulletproof ratings in the report, meaning abuse reports are ignored or acted on slowly, so malicious servers stay online longer.
The tooling seen on these networks mixes dual-use software with outright offensive frameworks. On the dual-use side are Tactical RMM (an open-source remote management agent), Keitaro (a traffic distribution system used to filter and redirect visitors) and Gophish (an open-source phishing framework); alongside them sit Cobalt Strike and AsyncRAT. Taken together they point to both low-skill and more advanced actors operating from the same providers.
Regional Cyber Threats and Defensive Strategies
Several named campaigns are operating on this infrastructure. The Phorpiex botnet runs on Syrian Telecom, the Eagle Werewolf espionage campaign uses Iraqi hosting for its phishing, and attacks targeting CVE-2025-11953 have been tied to networks such as Saudi Arabia's Mobily.
The report's recommendation is to hunt at the level of hosting providers and network patterns rather than chasing individual indicators. An IP address or domain is cheap for an attacker to rotate, whereas the provider, ASN and abuse-handling behaviour behind it change slowly. Monitoring at that level lets security teams anticipate where new C2 is likely to appear and act before a specific indicator is published.
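The provider-level pivot the report recommends, together with the attribution step described for Host Radar above, as an added example in Python. This is not Hunt.io's or the report's code and assumes nothing about their data formats: the C2 observations, the provider-to-prefix mapping, the flow records, the provider names and the thresholds are all constructed placeholders, with addresses taken from the RFC 5737 documentation ranges. It goes slightly beyond the text by scoring each provider on three signals (share of C2, malware family diversity, and how long servers stay up, a rough stand-in for a bulletproof rating) and then matching egress flows against a watchlisted provider's prefixes, so a host that has never appeared in an indicator feed is still flagged.

```python
"""
Pivot from individual C2 indicators to the networks that host them.

Added example, not code from Hunt.io or the report. All data below is
constructed sample data: provider names are placeholders and IPs come
from the RFC 5737 documentation ranges.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class C2Observation:
    ip: str
    provider: str      # provider / ASN owner the IP was attributed to
    country: str
    family: str        # malware family or framework fingerprinted on the host
    online_days: int   # days the server has stayed reachable since first seen


# Constructed observations (hypothetical, not figures from the report).
OBSERVATIONS = [
    C2Observation("192.0.2.10", "TelcoA", "SA", "AsyncRAT", 30),
    C2Observation("192.0.2.11", "TelcoA", "SA", "Cobalt Strike", 12),
    C2Observation("192.0.2.12", "TelcoA", "SA", "Gophish", 45),
    C2Observation("192.0.2.13", "TelcoA", "SA", "AsyncRAT", 3),
    C2Observation("192.0.2.14", "TelcoA", "SA", "Tactical RMM", 21),
    C2Observation("198.51.100.5", "TelcoB", "TR", "Keitaro", 7),
    C2Observation("198.51.100.6", "TelcoB", "TR", "Cobalt Strike", 2),
    C2Observation("203.0.113.9", "HosterC", "IQ", "Gophish", 60),
    C2Observation("203.0.113.10", "HosterC", "IQ", "Gophish", 58),
    C2Observation("203.0.113.11", "HosterC", "IQ", "AsyncRAT", 75),
]

# Constructed mapping of each placeholder provider to the prefixes it announces.
PROVIDER_PREFIXES = {
    "TelcoA": [ipaddress.ip_network("192.0.2.0/24")],
    "TelcoB": [ipaddress.ip_network("198.51.100.0/24")],
    "HosterC": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed egress flow records: (internal source, destination).
FLOWS = [
    ("10.0.0.5", "192.0.2.10"),      # known C2 on TelcoA
    ("10.0.0.7", "192.0.2.77"),      # never-seen host, but inside TelcoA's prefix
    ("10.0.0.9", "198.51.100.6"),    # known C2 on TelcoB
    ("10.0.0.2", "198.51.100.50"),   # unknown host on TelcoB (below thresholds)
    ("10.0.0.3", "203.0.113.200"),   # never-seen host inside HosterC's prefix
    ("10.0.0.4", "172.16.0.20"),     # internal destination, not in any prefix
]


def provider_share(obs):
    """C2 server count per provider and its share of the total, e.g. {'TelcoA': (5, 50.0)}."""
    counts = Counter(o.provider for o in obs)
    total = len(obs)
    return {p: (c, round(100.0 * c / total, 1)) for p, c in counts.most_common()}


def family_diversity(obs):
    """Distinct families per provider; many unrelated families means many actors share the network."""
    fams = defaultdict(set)
    for o in obs:
        fams[o.provider].add(o.family)
    return {p: len(s) for p, s in fams.items()}


def median_uptime(obs):
    """Median days C2 stays online per provider; long uptimes suggest slow abuse handling."""
    days = defaultdict(list)
    for o in obs:
        days[o.provider].append(o.online_days)
    out = {}
    for p, d in days.items():
        d.sort()
        n = len(d)
        out[p] = d[n // 2] if n % 2 else (d[n // 2 - 1] + d[n // 2]) / 2
    return out


def build_watchlist(obs, min_share=25.0, min_families=3, min_uptime=14):
    """Providers that earn network-level monitoring on any of the three signals (thresholds are illustrative)."""
    share, diversity, uptime = provider_share(obs), family_diversity(obs), median_uptime(obs)
    return {
        p for p in share
        if share[p][1] >= min_share or diversity[p] >= min_families or uptime[p] >= min_uptime
    }


def flag_flows(flows, watchlist, known_c2):
    """Keep exact-indicator matching, then add prefix matching for watchlisted providers."""
    known = {ipaddress.ip_address(ip) for ip in known_c2}
    hits = []
    for src, dst in flows:
        addr = ipaddress.ip_address(dst)
        if addr in known:
            hits.append((src, dst, "known C2 indicator"))
            continue
        for provider in sorted(watchlist):
            if any(addr in net for net in PROVIDER_PREFIXES[provider]):
                hits.append((src, dst, f"new host in watchlisted network {provider}"))
                break
    return hits


if __name__ == "__main__":
    wl = build_watchlist(OBSERVATIONS)
    print("watchlist:", sorted(wl))
    for hit in flag_flows(FLOWS, wl, [o.ip for o in OBSERVATIONS]):
        print(hit)
```

With the sample data, TelcoA is watchlisted on share alone and HosterC on both share and uptime, while TelcoB stays below every threshold; the two flows to never-seen hosts on TelcoA and HosterC are flagged even though neither address appears in the indicator list, and the unknown TelcoB host is not. In practice the prefix map would come from an ASN lookup rather than a hard-coded table, and the thresholds would be tuned against the organisation's own traffic to keep false positives from a large consumer ISP manageable.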
