Hackers Abuse Middle East Telecom Networks for Large-Scale Command-and-Control Operations

Hackers are using telecom networks and hosting providers across the Middle East as a foundation for massive command-and-control operations, turning trusted infrastructure into a launchpad for cyberattacks.

A newly released threat intelligence report reveals that more than 1,350 active command-and-control (C2) servers were identified across 98 infrastructure providers in the region within just three months.

The scale of the activity is striking. Researchers analyzed infrastructure across 14 countries, including Saudi Arabia, the UAE, Turkey, Israel, Iraq, Iran, Egypt, and Syria, and found that C2 infrastructure makes up roughly 93% of all malicious activity detected.

The remaining share is split between exposed malicious directories, phishing sites, and publicly documented threat indicators.

Analysts at Hunt.io said in a report shared with Cyber Security News (CSN) that their Host Radar module was used to correlate C2 servers, phishing infrastructure, and open directories back to the providers and network operators supporting them.

The findings paint a clear picture of how attackers deliberately pick specific hosting environments to build out their operations. What makes the report particularly alarming is not just the volume, but the concentration.

Saudi Arabia’s STC (Saudi Telecom Company) alone accounts for 981 of the detected C2 servers, which is 72.4% of all regional C2 infrastructure, the largest concentration observed at any single provider worldwide.

Researchers believe this reflects abuse of compromised customer endpoints rather than servers directly managed by the provider.

The types of threats running on this infrastructure range widely. IoT-focused botnets, offensive hacking frameworks, phishing kits, ransomware delivery systems, and state-sponsored espionage tools were all found operating across the same regional networks.

This points to a broader threat landscape in which criminal groups and nation-state actors share the same underlying infrastructure.

Hackers Abuse Middle East Telecom Networks

The abuse of major telecom carriers is one of the most defining features of this threat landscape. Beyond STC, other major telecoms appear in the data, including Türk Telekom with 44 C2 servers and 6 exposed malicious directories.

Türk Telekom also leads in malware diversity, hosting 6 distinct malware families across 9 unique C2 endpoints, the highest ratio in the dataset. Alongside the big telecoms, specialized hosting providers are playing a growing role.

SERVERS TECH FZCO in the UAE was tied to 111 C2 servers, while Regxa Company in Iraq showed 38 C2 servers and carried the highest bulletproof rating of any provider in the dataset. A bulletproof rating indicates a hosting provider has a pattern of being slow to respond to abuse reports.

The dominant malware families running across these networks include Tactical RMM with 92 unique C2 IPs, Keitaro traffic distribution system with 71, Acunetix with 38, and Gophish with 31.

[Figure] Malicious infrastructure detected across 98 Middle Eastern ISPs (Source: Hunt.io)

Offensive frameworks like Cobalt Strike, Sliver, and AsyncRAT also appeared, confirming that both commodity criminals and sophisticated attackers are active in the same space.

Malicious Campaigns Observed Across the Region

Several active attack campaigns were tied directly to this infrastructure. The Phorpiex (Twizt) botnet was found running on Syrian Telecom infrastructure, using a hybrid setup combining standard web communication with a peer-to-peer layer to deliver encrypted payloads, including a cryptocurrency miner that has previously distributed LockBit Black ransomware.

A separate espionage campaign linked to the Eagle Werewolf cluster used Iraqi hosting on Regxa infrastructure to deploy multiple remote access tools via phishing lures based on Starlink registration and drone training themes.

On Saudi Arabia’s Mobily network, researchers found active exploitation of CVE-2025-11953, a React Native CLI vulnerability, where attackers used encoded scripts to disable security tools before downloading malicious binaries.

Iran-hosted infrastructure was linked to the RondoDox botnet, which peaked at 15,000 daily exploit attempts against internet-exposed devices.

Defenders are encouraged to shift focus away from chasing individual threat indicators and instead monitor the hosting providers, ASNs, and network-level patterns that attackers return to repeatedly.

Hunt.io noted that tracking infrastructure at the provider level gives security teams a way to anticipate attacker behavior rather than simply reacting after the fact.

Indicators of Compromise (IoCs):

Type           | Indicator         | Description
---------------|-------------------|------------
IP Address     | 94.252.245[.]193  | Phorpiex (Twizt) botnet C2 server hosted on Syrian Telecom infrastructure; hybrid HTTP and P2P C2 architecture
IP Address     | 93.113.62[.]247   | Phishing campaign hosted on Netinternet (Turkey) impersonating cloud storage services to harvest payment details
IP Address     | 5.109.182[.]231   | Metro4Shell (CVE-2025-11953) RCE exploitation campaign hosted on Mobily (Saudi Arabia)
IP Address     | 37.32.15[.]8      | RondoDox botnet exploitation infrastructure hosted on AbrArvan CDN (Iran); active since May 2025
IP Address     | 197.51.170[.]131  | AI-powered AWS intrusion campaign hosted on TE Data (Egypt); linked to credential theft and LLMjacking
Malware Family | Tactical RMM      | Legitimate remote management tool abused for post-exploitation C2; 92 unique IPs across the Middle East
Malware Family | Keitaro TDS       | Traffic distribution system used in malvertising and phishing campaigns; 71 C2 IPs
Malware Family | Phorpiex / Twizt  | Botnet delivering XMRig miner and LockBit Black ransomware via hybrid C2 on Syrian Telecom
Malware Family | RondoDox          | Mirai-like botnet; 174 exploits; peaked at 15,000 daily attempts; Iranian CDN hosting
Malware Family | EchoGather RAT    | Deployed via Telegram channels in the Eagle Werewolf espionage campaign on Regxa (Iraq) infrastructure
Malware Family | AquilaRAT         | Rust-based backdoor used in the Eagle Werewolf campaign with rotating C2 domains
Malware Family | SoullessRAT       | Delivered via a fake AlphaFly installer in the Eagle Werewolf multi-stage attack chain
Malware Family | DYNOWIPER         | Destructive wiper malware attributed to ENERGETIC BEAR; hosted on CLODO CLOUD SERVICE (UAE)
CVE            | CVE-2025-11953    | Metro4Shell vulnerability in React Native CLI; exploited via Saudi Arabia's Mobily network
Infrastructure | regxa.iq          | Regxa Company for Information Technology Ltd (Iraq); highest bulletproof rating in the dataset; Eagle Werewolf C2 hosting

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
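The report's advice to track infrastructure at the provider level, and the note above about handling defanged indicators, can be put into practice with a small script. The following is an added example written for this page, not code from Hunt.io or from the article: it refangs the table's indicators inside a controlled workflow, validates them, groups them by the hosting provider the article attributes them to, and matches constructed sample egress log lines against that provider-keyed watchlist. The log format, the sample log lines, and the regional total of 1,355 C2 servers used for the share calculation are assumptions made for the example (the article says "more than 1,350").

```python
"""Provider-level tracking of defanged C2 indicators (added example, not the article's code)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: IP indicators from the article's IoC table, kept defanged
# exactly as published, paired with the provider the article attributes them to.
DEFANGED_IOCS = [
    ("94.252.245[.]193", "Syrian Telecom", "Phorpiex/Twizt C2"),
    ("93.113.62[.]247", "Netinternet", "phishing"),
    ("5.109.182[.]231", "Mobily", "CVE-2025-11953 exploitation"),
    ("37.32.15[.]8", "AbrArvan CDN", "RondoDox"),
    ("197.51.170[.]131", "TE Data", "AWS intrusion"),
]

# Constructed sample egress log lines in an invented "key=value" format.
# 203.0.113.10 is a documentation-range address standing in for benign traffic.
SAMPLE_LOG = [
    "2025-06-01T10:00:00Z host=ws-12 src=10.0.0.5 dst=94.252.245.193 dport=80",
    "2025-06-01T10:00:03Z host=ws-12 src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2025-06-01T10:01:10Z host=srv-2 src=10.0.1.9 dst=5.109.182.231 dport=8080",
]


def refang(indicator: str) -> str:
    """Reverse common defanging so the value can be matched against logs.
    Handles '[.]', '(.)', '{.}' and the hxxp:// scheme. Only do this inside a
    controlled TI platform or SIEM, as the article's note advises."""
    value = indicator.strip()
    for wrapped in ("[.]", "(.)", "{.}"):
        value = value.replace(wrapped, ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def defang(indicator: str) -> str:
    """Inverse of refang, for safe publication: dots become '[.]', http becomes hxxp."""
    value = re.sub(r"^http(s?)://", r"hxxp\1://", indicator.strip(), flags=re.IGNORECASE)
    return value.replace(".", "[.]")


def parse_ip(indicator: str):
    """Return an ip_address object for a (possibly defanged) IP, or None if invalid."""
    try:
        return ipaddress.ip_address(refang(indicator))
    except ValueError:
        return None


def build_provider_watchlist(records):
    """Group validated IP indicators by hosting provider.
    Keying on the provider rather than the bare IP is the report's point: the
    alert still attributes a hit correctly after the attacker rotates addresses."""
    watchlist = defaultdict(set)
    for raw, provider, _description in records:
        ip = parse_ip(raw)
        if ip is not None:
            watchlist[provider].add(str(ip))
    return dict(watchlist)


def provider_share(provider_count: int, total_count: int) -> float:
    """Percentage of regional C2 hosted by one provider, rounded to 0.1."""
    return round(100.0 * provider_count / total_count, 1)


_DST = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")


def flag_connections(log_lines, watchlist):
    """Return (line, dst_ip, provider) for each log line whose destination is on
    the watchlist, so every hit is reported with its hosting provider."""
    ip_to_provider = {ip: prov for prov, ips in watchlist.items() for ip in ips}
    hits = []
    for line in log_lines:
        match = _DST.search(line)
        if match and match.group(1) in ip_to_provider:
            hits.append((line, match.group(1), ip_to_provider[match.group(1)]))
    return hits


if __name__ == "__main__":
    wl = build_provider_watchlist(DEFANGED_IOCS)
    for line, ip, prov in flag_connections(SAMPLE_LOG, wl):
        # Re-defang before printing so the alert text is safe to paste into a ticket.
        print(f"ALERT provider={prov} dst={defang(ip)} :: {line}")
    # Article figure (981 at STC) over an assumed regional total of 1,355.
    print(f"STC share of regional C2: {provider_share(981, 1355)}%")
```

Running the block prints one alert per watchlisted destination and reproduces the 72.4% STC share from the report's 981 figure under the assumed total. In a real deployment the watchlist would be fed from the TI platform and extended with the providers' announced prefixes rather than single addresses, which is what makes the provider-level view resilient to IP rotation.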

The post Hackers Abuse Middle East Telecom Networks for Large-Scale Command-and-Control Operations appeared first on Cyber Security News.
