Threat Overview
The latest Hunt.io intelligence release, Middle East Malicious Infrastructure Report, documents more than one thousand three hundred fifty command‑and‑control (C2) servers distributed across ninety‑eight hosting and telecom providers in fourteen Middle Eastern countries. The data, collected over a 90‑day window from February to May 2026, shows that the region’s malicious ecosystem is highly concentrated: a single carrier accounts for nearly three quarters of all C2 activity while a handful of VPS and cloud operators contribute the remainder.
How We Analyzed
Hunt.io’s Host Radar module correlates telemetry—C2, phishing, open directories, and public IOCs—to the underlying hosting providers and network operators. By filtering on country codes (AE, BH, CY, EG, IL, IQ, IR, JO, KW, LB, PS, SA, SY, TR) we identified 98 distinct infrastructure providers that hosted malicious assets.
Key Observations
- 1,357 active C2 servers were detected across the 98 providers.
- C2 represented 93% of all artifacts; phishing and public IOCs each <0.5%; open directories made up 3.1%.
- Saudi Telecom Company (STC) alone hosted 981 C2 servers, equal to 72.4% of the regional total—an unprecedented concentration for a single telecom.
- A small set of providers dominated: SERVERS TECH FZCO (UAE), OMC (Israel), Türk Telekom (Turkey), and Regxa (Iraq) followed STC in C2 volume.
- IoT‑oriented botnets (Hajime, Mozi, Mirai) and offensive frameworks (Tactical RMM, Sliver, Cobalt Strike) were the most common malware families.
Top Providers
The following providers host the largest C2 footprints:
- Saudi Telecom Company – 981 servers (72.4% of all).
- SERVERS TECH FZCO – 111 servers.
- OMC – 62 servers.
- Türk Telekom – 44 servers.
- Regxa – 38 servers.
Other notable operators include SERV.HOST GROUP (Cyprus), Hosting Dünyam (Turkey), SUNUCUN BILGI (Turkey), IHS Kurumsal Teknoloji (Turkey), and Paltel (Palestine).
Malware Family Distribution
A query against HuntSQL revealed the following top families:
- Tactical RMM – 92 unique C2 IPs.
- Keitaro – 71 IPs.
- Acunetix – 38 IPs.
- Gophish – 31 IPs.
- Mozi – 24 IPs; Hajime – 22 IPs.
Offensive frameworks such as Prism X, AsyncRAT, Sliver, Cobalt Strike, and Mirai also appear across the dataset.
Malicious Campaigns in Context
Examples of active campaigns linked to the identified infrastructure:
- An Iranian‑linked botnet (Phorpiex/Twizt) operated from 94[.]252[.]245[.]193, hosted on Syrian Telecom, delivering miners and ransomware.
- The Eagle Werewolf espionage cluster used C2 domains hosted by Regxa in Iraq; the attack chain included EchoGather RAT and Sliver implants.
- A phishing operation impersonating generic cloud storage was linked to 93[.]113[.]62[.]247, hosted on Netinternet Bilisim Teknolojileri (Turkey).
- The Metro4Shell RCE exploitation campaign used 5[.]109[.]182[.]231 on Saudi Mobily, bypassing Defender exclusions.
Recommendations for Defenders
Given the concentration of malicious activity in a few providers, security teams should adopt a host‑centric approach:
- Map your organization’s traffic to provider ASNs. If a majority of inbound connections originate from one of the top 10 Middle Eastern hosts, consider rate limiting or blocking at the perimeter.
- Deploy real‑time DNS monitoring. Track any domain resolution that points to the identified C2 IP ranges; automated alerts can surface compromised assets before exploitation.
- Implement proactive threat hunting. Use Host Radar data to search for internal hosts communicating with known malicious endpoints. Focus on outbound traffic from internal servers to the 981 STC‑hosted IPs.
- Strengthen abuse response agreements. Engage with hosting providers that have low bulletproof ratings (e.g., SERVERS TECH FZCO) and demand stricter mitigation protocols for suspicious activity logs.
By shifting the focus from individual indicators to provider‑level patterns, defenders can anticipate attacker infrastructure moves rather than react to each new IP or domain. This strategy reduces alert fatigue and improves detection accuracy across the Middle Eastern threat landscape.

