Saudi Telecom Company Controls 72% of Middle East’s C2 Infrastructure, Exposing Cybersecurity Vulnerabilities
Recent findings reveal a striking concentration of command-and-control (C2) infrastructure in the Middle East, with Saudi Telecom Company (STC) address space hosting over 72% of the region's active C2 servers. The picture underlines how heavily malware operations in the area lean on a handful of telecom providers.
Mapping the Malicious Landscape
A Hunt.io study identified more than 1,350 C2 servers spread across 98 providers in 14 Middle Eastern countries. The volume of malicious infrastructure is notable in itself, but its concentration in a few providers is the more important finding. The study cautions that many of these servers are likely compromised customer systems rather than deliberately malicious hosting; they nonetheless carry a significant share of attacker traffic.
The report notes that the same providers recur across unrelated malware campaigns. Because individual indicators such as C2 IP addresses and domains are rotated quickly, tracking infrastructure at the provider (network) level tends to give more stable insight than tracking the indicators themselves.
Diverse Malware Activity
Different telecom providers also attract different kinds of malware activity. Türk Telekom showed the widest spread, hosting infrastructure tied to six separate malware families across multiple C2 endpoints. Regxa, an Iraqi provider, stood out instead for a "bulletproof hosting" profile, a term for hosts that tolerate abuse and are slow to act on takedown requests, and which therefore remain attractive to malicious operators.
Regxa address space was also seen hosting C2 servers tied to a February 2026 espionage campaign attributed to the Eagle Werewolf cluster. That campaign targeted state and industrial entities with lures including Starlink registration and drone training themes, and its multi-stage attack chain deployed several malware types.
Implications for Cybersecurity
The concentration of C2 servers in a few providers creates a specific problem for defenders. Blocking an individual C2 IP address is straightforward, but it buys little while the operator can stand up another host on the same network, and blocking the provider's address space wholesale is rarely an option, because the same ranges carry large volumes of legitimate customer traffic. Much of the observed activity sits inside trusted commercial environments, so malicious hosts cannot be isolated without affecting legitimate services.
The report stresses that the providers themselves are not necessarily complicit. Attackers typically use compromised servers or cheap virtual private servers (VPS) bought through ordinary commercial channels, which is why legitimate and malicious activity end up intertwined on the same networks.
The Shift in Threat Hunting
The findings reflect a broader shift in threat hunting. Security teams are swamped by short-lived indicators that quickly go stale, whereas infrastructure-level analysis holds up longer, because attackers reuse the same providers, VPS environments and operational habits even as their malware changes.
The research also notes that malicious infrastructure is increasingly embedded in legitimate environments, so defenders must separate benign from malicious activity on the same networks rather than simply blocking networks they do not trust.
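The provider-level view described above, and the blocking trade-off from the previous section, can be shown with a small rollup. The following is an added example, not Hunt.io's tooling or data: it maps each observed C2 IP to the provider announcing its prefix with a longest-prefix match, aggregates per provider (count, share, malware families, days active), contrasts that with how short-lived each individual IP is, and computes how much address space a provider-wide block would cover to stop the C2 hosts actually seen there. The ASNs, prefixes (TEST-NET ranges) and sightings are constructed for illustration.

```python
"""Provider-level aggregation of C2 sightings (added example, not the report's tooling).

Maps each C2 IP to the provider announcing its prefix, compares how stable the
picture is at the indicator (IP) level versus the provider level, and shows how
much address space a provider-wide block would hit. All ASNs, prefixes and
sightings are constructed for illustration (TEST-NET ranges), not report data.
"""
import ipaddress
from collections import defaultdict

# Hypothetical prefix table: provider name -> announced prefixes.
PROVIDERS = {
    "AS64500 BigTelecom (hypothetical)": ["203.0.113.0/24", "198.51.100.0/25"],
    "AS64501 CheapVPS (hypothetical)": ["198.51.100.128/25"],
    "AS64502 SmallHost (hypothetical)": ["192.0.2.0/24"],
}

# Constructed sightings: (C2 IP, malware family, day the IP was observed live).
C2_SIGHTINGS = [
    ("203.0.113.10", "FamilyA", 1),
    ("203.0.113.11", "FamilyA", 2),
    ("203.0.113.12", "FamilyB", 3),
    ("203.0.113.13", "FamilyB", 4),
    ("203.0.113.14", "FamilyC", 5),
    ("198.51.100.7", "FamilyA", 6),
    ("198.51.100.130", "FamilyD", 2),
    ("198.51.100.200", "FamilyD", 5),
    ("192.0.2.50", "FamilyE", 3),
    ("192.0.2.51", "FamilyE", 4),
]


def build_prefix_index(providers):
    """Flatten the provider table into (network, provider) pairs, most specific first."""
    index = [(ipaddress.ip_network(p), name)
             for name, prefixes in providers.items() for p in prefixes]
    index.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return index


def lookup_provider(ip, index):
    """Longest-prefix match of one IP against the index; None if not in any known prefix."""
    addr = ipaddress.ip_address(ip)
    for net, name in index:
        if addr in net:
            return name
    return None


def aggregate_by_provider(sightings, index):
    """Roll indicators up to the provider: C2 count, share, family count and active days."""
    stats = defaultdict(lambda: {"c2_ips": set(), "families": set(), "days": set()})
    for ip, family, day in sightings:
        provider = lookup_provider(ip, index) or "unknown"
        stats[provider]["c2_ips"].add(ip)
        stats[provider]["families"].add(family)
        stats[provider]["days"].add(day)
    total = sum(len(s["c2_ips"]) for s in stats.values())
    return {
        name: {
            "c2_count": len(s["c2_ips"]),
            "share": round(len(s["c2_ips"]) / total, 3),
            "family_count": len(s["families"]),
            "days_active": len(s["days"]),
        }
        for name, s in stats.items()
    }


def indicator_lifetime(sightings):
    """Number of days each individual IP was observed: the indicator-level view that churns."""
    days = defaultdict(set)
    for ip, _family, day in sightings:
        days[ip].add(day)
    return {ip: len(d) for ip, d in days.items()}


def block_collateral(provider, providers, agg):
    """(C2 IPs observed at the provider, total addresses a provider-wide block would cover)."""
    total_addrs = sum(ipaddress.ip_network(p).num_addresses for p in providers[provider])
    return agg[provider]["c2_count"], total_addrs


if __name__ == "__main__":
    index = build_prefix_index(PROVIDERS)
    agg = aggregate_by_provider(C2_SIGHTINGS, index)
    for name, s in sorted(agg.items(), key=lambda kv: -kv[1]["c2_count"]):
        print(f"{name}: {s['c2_count']} C2 ({s['share']:.1%}), "
              f"{s['family_count']} families, active on {s['days_active']} days")
    lifetimes = indicator_lifetime(C2_SIGHTINGS)
    single_day = sum(1 for n in lifetimes.values() if n == 1)
    print(f"IPs seen on only one day: {single_day} of {len(lifetimes)}")
    top = max(agg, key=lambda n: agg[n]["c2_count"])
    c2, addrs = block_collateral(top, PROVIDERS, agg)
    print(f"Blocking all of {top} covers {addrs} addresses to stop {c2} C2 IPs")
```

In the constructed data every C2 IP is alive for a single day, so an IP blocklist is stale almost as soon as it is written, while the top provider is active on every day of the window and accounts for 60% of the C2 hosts. The same rollup shows why blocking that provider outright is unattractive: it would cover 384 addresses to stop six C2 hosts. In practice the prefix table would come from BGP or WHOIS data rather than a hard-coded dictionary.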
Understanding the Threat Landscape
Hunt.io's three-month analysis shows that malicious infrastructure in the Middle East is far from evenly distributed: STC alone hosted 981 C2 servers, 72.4% of all C2 infrastructure detected in the region (just over 1,350 servers in total). Knowing which providers recur in the data should inform how defenders prioritize, block and monitor potential threats.
For more detailed insights and ongoing updates on cybersecurity developments, threat intelligence, and breaking news, visit cyberwarriorsmiddleeast.com.
Published on 2026-05-22 21:55:00 • By the Editorial Desk