Saudi Telecom Company Dominates Middle East’s C2 Infrastructure with 72% of Active Servers
Recent research has unveiled a significant concentration of command-and-control (C2) infrastructure in the Middle East, with the Saudi Telecom Company (STC) hosting over 72% of the region’s active servers. This revelation underscores the critical role that a limited number of telecom providers play in facilitating malware activities across the region.
Mapping the Malicious Landscape
A comprehensive study conducted by Hunt.io has mapped more than 1,350 C2 servers across 98 providers in 14 Middle Eastern countries. This extensive analysis highlights not only the sheer volume of malicious infrastructure but also its alarming concentration within a few key providers. The findings suggest that while many of these servers may be compromised customer systems rather than intentionally malicious hosting, they still contribute significantly to the flow of attacker traffic.
The report emphasizes that the same providers frequently appear across various unrelated malware campaigns. This observation indicates that tracking infrastructure at the provider level may yield more consistent insights than monitoring individual indicators, which can change rapidly.
Diverse Malware Activity
The research further reveals that different telecom providers attract distinct types of malware activity. Türk Telekom, for instance, exhibited the highest diversity of malware, hosting infrastructure linked to six separate malware families across multiple C2 endpoints. Regxa, an Iraqi provider, was noted for a “bulletproof hosting” profile, the term for hosting that tolerates abusive tenants and leaves malicious infrastructure online despite complaints and takedown requests.
Infrastructure associated with Regxa was identified as hosting C2 servers linked to a February 2026 espionage campaign attributed to the Eagle Werewolf cluster. This campaign targeted state and industrial entities using various deceptive tactics, including Starlink registration and drone training lures. The multi-stage attack chain deployed various malware types, showcasing the complexity and sophistication of the threats emerging from this infrastructure.
Implications for Cybersecurity
The concentration of C2 servers within a small number of providers presents a unique challenge for cybersecurity professionals. Blocking individual IP addresses is relatively straightforward, but the malicious servers share networks and address space with ordinary customers, which complicates any broader mitigation. Because much of the observed activity occurs within trusted commercial environments, malicious infrastructure is difficult to isolate and remove without impacting legitimate services.
The report does not imply that the providers themselves are complicit in these activities. Instead, it suggests that attackers often exploit compromised servers or inexpensive virtual private servers (VPS) acquired through standard commercial channels. This dynamic illustrates the complex interplay between legitimate and malicious activities within the cybersecurity landscape.
The Shift in Threat Hunting
The findings from this report reflect a broader shift in threat hunting strategies. Security teams are increasingly overwhelmed by short-lived indicators that quickly become irrelevant. In contrast, infrastructure-level analysis tends to provide more enduring insights, as attackers often reuse providers, VPS environments, and operational habits, even as their malware evolves.
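The provider-level view described in the two passages above (tracking hosting providers rather than fast-changing indicators, and measuring how concentrated the infrastructure is) can be reproduced on any C2 feed with a few aggregations. The following is an added example written for this article; it is not code from Hunt.io or Security Affairs. The observations, provider names (Provider-A/B/C), malware family names and week indices are all constructed, and the IP addresses are taken from the RFC 5737 documentation ranges, so nothing here maps to a real host.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class C2Observation:
    ip: str        # C2 server address as observed
    provider: str  # hosting provider / ASN owner the address resolves to
    family: str    # malware family the C2 was attributed to
    week: int      # observation window (constructed: week index)


# Constructed sample feed (hypothetical providers, families and addresses).
SAMPLE = [
    C2Observation("203.0.113.10", "Provider-A", "FamilyX", 1),
    C2Observation("203.0.113.11", "Provider-A", "FamilyY", 1),
    C2Observation("203.0.113.12", "Provider-A", "FamilyX", 1),
    C2Observation("198.51.100.5", "Provider-B", "FamilyZ", 1),
    C2Observation("192.0.2.7", "Provider-C", "FamilyX", 1),
    C2Observation("203.0.113.20", "Provider-A", "FamilyX", 2),
    C2Observation("203.0.113.21", "Provider-A", "FamilyY", 2),
    C2Observation("203.0.113.12", "Provider-A", "FamilyX", 2),
    C2Observation("198.51.100.9", "Provider-B", "FamilyZ", 2),
    C2Observation("192.0.2.8", "Provider-C", "FamilyW", 2),
]


def provider_concentration(obs):
    """Map each provider to (unique C2 IPs, share of all unique C2 IPs).

    Each IP is counted once even if it is seen in several windows, so the
    share reflects distinct infrastructure rather than repeat sightings.
    """
    ips_by_provider = defaultdict(set)
    for o in obs:
        ips_by_provider[o.provider].add(o.ip)
    total = sum(len(s) for s in ips_by_provider.values())
    ranked = sorted(ips_by_provider.items(), key=lambda kv: -len(kv[1]))
    return {p: (len(s), round(len(s) / total, 3)) for p, s in ranked}


def family_diversity(obs):
    """Number of distinct malware families whose C2s sit on each provider."""
    families = defaultdict(set)
    for o in obs:
        families[o.provider].add(o.family)
    return {p: len(f) for p, f in families.items()}


def indicator_churn(obs, week_a, week_b):
    """Jaccard overlap of IPs versus providers between two windows.

    A low IP overlap with a high provider overlap is the pattern the report
    describes: individual indicators rotate while the hosting stays put.
    """
    def jaccard(a, b):
        return round(len(a & b) / len(a | b), 3) if a | b else 0.0

    ips_a = {o.ip for o in obs if o.week == week_a}
    ips_b = {o.ip for o in obs if o.week == week_b}
    prov_a = {o.provider for o in obs if o.week == week_a}
    prov_b = {o.provider for o in obs if o.week == week_b}
    return {"ip_overlap": jaccard(ips_a, ips_b),
            "provider_overlap": jaccard(prov_a, prov_b)}


def summarize(obs):
    """Human-readable lines for the three views above."""
    lines = []
    for p, (n, share) in provider_concentration(obs).items():
        lines.append(f"{p}: {n} C2 IPs ({share:.1%} of total)")
    for p, n in family_diversity(obs).items():
        lines.append(f"{p}: {n} malware families")
    churn = indicator_churn(obs, 1, 2)
    lines.append(f"week 1 -> 2: IP overlap {churn['ip_overlap']}, "
                 f"provider overlap {churn['provider_overlap']}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

On the constructed feed, only one of nine addresses survives from week 1 to week 2, yet every provider does, which is exactly the signal the report argues is worth watching. On a real feed the `provider` field would normally come from an ASN or WHOIS lookup on each IP, and the concentration figure is what lets a team decide which providers' ranges deserve standing monitoring rather than one-off IP blocks.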
The research also indicates that malicious infrastructure is increasingly integrated into legitimate environments. This blending poses significant challenges for defenders, who must navigate the complexities of distinguishing between benign and malicious activities within the same networks.
Conclusion
The data from Hunt.io’s three-month analysis makes it clear that malicious infrastructure in the Middle East is not evenly distributed. With STC hosting 981 C2 servers—representing 72.4% of all detected C2 infrastructure in the region—the findings highlight a threat landscape characterized by significant concentration. Understanding which providers consistently appear in the data can inform how defenders prioritize, block, and monitor potential threats.
For more detailed insights and ongoing updates on cybersecurity developments, threat intelligence, and breaking news, visit Security Affairs.