Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers


Threat intelligence that relies on disposable indicators locks defenders into a reactive loop of detection and evasion. Shifting focus to provider-level infrastructure disrupts that cycle by exposing the hosting providers, cloud platforms, and telecom networks that consistently underpin malicious activity, allowing defenders to anticipate adversary behavior instead of chasing it.

We've seen this play out repeatedly across the region. Iranian-nexus actors have been caught staging operations weeks before activation, botnet operators leaving entire relay networks exposed through misconfigured directories, and APT infrastructure sitting dormant on Iraqi hosting waiting to be activated. In each case, the infrastructure told the story before the attack did.

During the three-month analysis window (1 Feb 2026 - 1 May 2026), we identified more than 1,350 active command-and-control (C2) servers operating across 98 Middle East infrastructure providers, spanning shared hosting platforms, virtual server providers, and telecommunications networks across 14 countries.

How We Analyzed Middle East Malicious Infrastructure

Host Radar, a core module of Hunt.io, was designed to close that gap between indicator-level and provider-level intelligence by correlating C2 servers, phishing infrastructure, malicious open directories, and public IOCs back to the hosting providers and network operators that sustain them.

Using Host Radar, we analyzed telemetry associated with Middle Eastern infrastructure providers across the UAE, Saudi Arabia, Turkey, Israel, Iraq, Iran, Cyprus, Egypt, Kuwait, Lebanon, Palestine, Jordan, Bahrain, and Syria. The results reveal not only the scale of active C2 infrastructure, but also the dominance of specific malware families, and how frequently major telecommunications networks and hosting providers show up in the infrastructure tied to both commodity cybercrime and advanced threat operations.

This analysis surfaced clear patterns in how malicious infrastructure is distributed, reused, and concentrated across Middle Eastern hosting environments.

Before going deeper, these are the findings that shaped the entire analysis.

Key Observations

  • More than 1,350 C2 servers were identified across 98 Middle East infrastructure providers within the past 3 months.

  • C2 infrastructure dominates malicious activity (~96.8%), far exceeding phishing infrastructure (~0.5%) and publicly reported IOCs (~0.5%), while malicious open directories account for the remaining ~2.2% of observed artifacts.

  • Saudi Arabia's STC (Saudi Telecom Company) hosts 981 C2 servers, representing 72.4% of all detected C2 infrastructure in the region, the largest concentration observed across any single provider globally.

  • A small set of hosting providers accounts for a disproportionate share of malicious infrastructure, with STC, SERVERS TECH FZCO (UAE), OMC (Israel), Türk Telekom, and Regxa (Iraq) hosting the largest volumes of detected C2 servers.

  • IoT-focused botnets (Hajime, Mozi, and Mirai) combined with offensive frameworks (Tactical RMM, Cobalt Strike, Sliver) represent the dominant malware families operating across Middle Eastern infrastructure.

  • Middle Eastern hosting environments support diverse malicious operations, including state-sponsored espionage campaigns, MaaS (Malware-as-a-Service) platforms, cryptomining operations, and targeted intrusion activity.

The hosting layer is where that concentration becomes most visible, so that is where we start.

Top Middle East Infrastructure Providers

The Host Radar summary for the top five Middle Eastern infrastructure providers highlights the scale and diversity of malicious activity observed across these organizations over the last three months.

STC (Saudi Telecom Company), Saudi Arabia's leading telecommunications provider, exhibits the highest number of C2 servers among all analyzed Middle Eastern providers, with 981 detected over 90 days. This extraordinary concentration, representing 72.4% of all regional C2 infrastructure, suggests that STC's massive telecommunications network and customer base are being leveraged at scale for command-and-control operations, likely through compromised customer endpoints rather than provider-hosted infrastructure.

Figure 1. STC (Saudi Telecom Company) - Host Radar Detailed View: Per-provider Host Radar breakdown for STC, highlighting the unprecedented concentration of C2 activity across Saudi Arabia's largest telecommunications network.

SERVERS TECH FZCO, a UAE-based technology solutions provider, shows significant malicious activity with 111 C2 servers observed over 90 days, alongside 4 malicious open directories, 1 IOC, 12 IOC Hunter posts, and 1 phishing site, with a medium bulletproof rating and cryptocurrency payment acceptance.

This pattern suggests that specialized hosting providers offering flexible payment options and moderate abuse response times attract diverse threat actor activity, with operators deploying both C2 infrastructure and staging environments on them.

Figure 2. SERVERS TECH FZCO - Host Radar Detailed View: Host Radar metrics for SERVERS TECH FZCO illustrating elevated C2 infrastructure presence alongside malicious open directories and documented IOC references.

OMC (O.M.C. Computers & Communications Ltd), an Israeli hosting and telecommunications provider, exhibits 62 C2 servers over 90 days, carrying a medium bulletproof rating.

The presence of C2 infrastructure without broader malicious artifacts suggests isolated infrastructure abuse rather than large-scale coordinated campaigns, though the medium bulletproof rating reflects a pattern of repeated abuse observed within this network.

Figure 3. OMC - Host Radar Detailed View: Detailed Host Radar metrics showing OMC's moderate C2 infrastructure concentration with limited associated malicious artifacts.

Türk Telekom, Turkey's leading telecommunications provider, shows 44 C2 servers alongside 6 malicious open directories over 90 days, carrying a medium bulletproof rating.

The presence of both C2 infrastructure and exposed malicious directories indicates that compromised Turkish telecommunications infrastructure serves as both command-and-control endpoints and staging environments for malware distribution.

Figure 4. Türk Telekom - Host Radar Detailed View: Host Radar metrics for Türk Telekom reflecting C2 infrastructure alongside malicious open directories within Turkey's primary telecommunications network.

Regxa Company for Information Technology Ltd, an Iraqi IT solutions provider, shows 38 C2 servers, 1 malicious open directory, 1 IOC, and 1 IOC Hunter post over 90 days, while carrying a high bulletproof rating, the highest observed across all Middle Eastern providers in this dataset.

This combination of persistent C2 infrastructure, documented IOC references, and high bulletproof rating suggests deliberate tolerance for malicious activity or limited abuse response within this provider's network.

Figure 5. Regxa Company for Information Technology Ltd - Host Radar Detailed View: Host Radar summary for the Iraqi provider, highlighting C2 infrastructure with the highest bulletproof rating observed across all Middle Eastern providers.

With the top Middle Eastern infrastructure hosting providers in mind, let's now focus on analyzing the C2 infrastructure across different ISPs and regions.

C2 Infrastructure Across Middle East ISPs

This section describes how Host Radar was used to detect and attribute C2 infrastructure and related malicious artifacts operating within Middle Eastern hosting environments over a three-month observation window.

After applying Middle East country filters (AE, BH, CY, EG, IL, IQ, IR, JO, KW, LB, PS, SA, SY, TR), the Host Radar summary view reveals 98 distinct infrastructure providers operating within Middle Eastern ISPs, hosting providers, and cloud ecosystems that were associated with malicious activity.

This broad distribution shows the diversity of the Middle East's hosting ecosystem, where malicious infrastructure is spread across telecommunications giants, specialized VPS providers, and cloud platforms rather than concentrated in only a few networks.

Figure 6. Host Radar summary view showing malicious infrastructure detected across 98 Middle Eastern ISPs and hosting providers over a three-month analysis window.

Dataset Scope and Observed Infrastructure Landscape Over the Middle East

Across the full set of 98 Middle Eastern infrastructure providers, Host Radar recorded 1,459 malicious artifacts during the three-month observation period. This includes 1,357 C2 servers, 45 malicious open directories, 7 indicators of compromise (IOCs) referenced in public research, 43 IOC Hunter posts, and 7 phishing sites.

The data reveals that C2 infrastructure accounts for the largest share of observed malicious activity at 93.0% of all detected artifacts. Malicious open directories represent 3.1%, IOC Hunter posts 2.9%, phishing sites 0.5%, and publicly reported IOCs 0.5%.

This distribution suggests that Middle Eastern hosting environments are primarily leveraged for C2 operations, with significantly fewer cases of exposed artifacts or phishing infrastructure compared to other global infrastructure ecosystems.

Figure 7. Aggregate breakdown of C2 servers (1,357), phishing sites (7), malicious open directories (45), IOC Hunter posts (43), and public IOCs (7) detected within Middle Eastern hosting environments.

Concentration of C2 Infrastructure Across Middle East Providers

STC (Saudi Telecom Company) emerges as the dominant contributor with 981 detected C2 servers, representing an unprecedented 72.4% concentration of C2 infrastructure in this regional dataset.

This is followed by SERVERS TECH FZCO (111 C2 detections), OMC (62 C2 detections), Türk Telekom (44 C2 detections), and Regxa Company for IT Ltd (38 C2 detections), demonstrating how both large telecommunications providers and specialized hosting companies support regional malicious infrastructure.

Other prominent providers include SERV.HOST GROUP LTD (Cyprus, 25), Hosting Dünyam (Turkey, 15), SUNUCUN BILGI (Turkey, 7), IHS Kurumsal Teknoloji (Turkey, 6), and Paltel (Palestine, 6).

The presence of telecommunications giants alongside cryptocurrency-accepting VPS providers within the top rankings illustrates how diverse infrastructure types, from consumer ISP networks to bulletproof hosting environments, can all be leveraged for malware C2 infrastructure deployment across the Middle East.

Figure 8. Top 10 Middle Eastern infrastructure providers by number of detected C2 servers over a three-month window, highlighting the extreme concentration within Saudi Telecom Company alongside diverse regional hosting providers.

Malware Family Distribution Within Middle East Networks

Using HuntSQL, we analyzed the distribution of command-and-control (C2) infrastructure across malware families hosted within Middle Eastern networks over three months.

Example Query:

SELECT
  malware.name,
  uniq(ip) AS COUNTS
FROM
  malware
WHERE
  (asn.country_code='AE' OR asn.country_code='BH' OR asn.country_code='CY' 
  OR asn.country_code='EG' OR asn.country_code='IL' OR asn.country_code='IQ' 
  OR asn.country_code='IR' OR asn.country_code='JO' OR asn.country_code='KW' 
  OR asn.country_code='LB' OR asn.country_code='PS' OR asn.country_code='SA' 
  OR asn.country_code='SY' OR asn.country_code='TR')
  AND timestamp > NOW - 3 MONTH
GROUP BY
  malware.name
ORDER BY
  COUNTS DESC

                

Output Example:

Figure 9. HuntSQL query output showing the dominant malware families hosting C2 infrastructure within Middle East networks over three months.

The results reveal that Tactical RMM leads the dataset with 92 unique C2 IPs, the largest concentration of C2 infrastructure observed in Middle Eastern hosting environments, reflecting widespread abuse of this legitimate remote management tool for post-exploitation operations.

The second largest cluster, Keitaro (71 C2s), represents a traffic distribution system (TDS) infrastructure used in malvertising, phishing, and exploit kit campaigns, indicating coordinated campaigns leveraging regional advertising networks and compromised websites.

Acunetix (38 C2s) and Gophish (31 C2s) reflect active scanning and phishing infrastructure, while IoT-focused botnets Mozi (24 C2s) and Hajime (22 C2s) demonstrate continued exploitation of compromised embedded devices across the region.

Several offensive security frameworks and post-exploitation platforms also appear prominently in the dataset. These include Prism X (13), AsyncRAT (12), Sliver (10), Cobalt Strike (8), and Mirai (8), indicating that both commodity malware and sophisticated APT tooling leverage Middle Eastern infrastructure.

This concentration lets defenders focus on shared infrastructure patterns rather than chasing individual malware variants.

Figure 10. Bar graph illustrating the distribution of the Top 10 Malware Command-and-Control (C2) Families observed across Middle East infrastructure over the last three months.

Infrastructure Providers Hosting the Widest Malware Diversity

A HuntSQL query was designed to surface organizations hosting the widest variety of malware activity within Middle Eastern networks over the last three months. The query aggregates telemetry by org.name and calculates the number of distinct C2 IPs attributed to an organization (Unique_C2) as well as Unique_Malware, which reflects the diversity of malware families observed within that infrastructure.

Example Query:

SELECT
  org.name,
  uniq(ip) AS Unique_C2,
  uniq(malware.name) AS Unique_Malware
FROM
  malware
WHERE
  org.name != ""
  AND (asn.country_code='AE' OR asn.country_code='BH' OR asn.country_code='CY' 
  OR asn.country_code='EG' OR asn.country_code='IL' OR asn.country_code='IQ' 
  OR asn.country_code='IR' OR asn.country_code='JO' OR asn.country_code='KW' 
  OR asn.country_code='LB' OR asn.country_code='PS' OR asn.country_code='SA' 
  OR asn.country_code='SY' OR asn.country_code='TR')
  AND timestamp > NOW - 3 MONTH
GROUP BY
  org.name
ORDER BY
  Unique_Malware DESC

                

Output Example:

Figure 11. A HuntSQL query aggregating malware telemetry by Middle East organization to identify providers hosting the widest variety of malware families.
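The two HuntSQL aggregations above (C2s per malware family, and unique C2s plus unique families per organization), re-implemented as an added example over a constructed telemetry sample in SQLite so the logic can be checked offline. This is not Hunt.io's code; the column names (ip, malware_name, org_name, country_code, seen_at), the sample rows, a fixed 'now' of 1 May 2026, a 90-day window in place of `NOW - 3 MONTH`, and `COUNT(DISTINCT ...)` in place of `uniq()` are all assumptions.

```python
"""Offline re-implementation of the two HuntSQL aggregations from the post,
run over a constructed telemetry sample in SQLite (added example, not Hunt.io code)."""
import sqlite3
from datetime import datetime, timedelta

# The 14 country codes the post filters on.
MIDDLE_EAST = ("AE", "BH", "CY", "EG", "IL", "IQ", "IR", "JO", "KW",
               "LB", "PS", "SA", "SY", "TR")
_IN_LIST = ",".join("?" * len(MIDDLE_EAST))

# End of the post's analysis window; queries run relative to this instant (assumption).
NOW = datetime(2026, 5, 1)

# Constructed sightings: (ip, malware_name, org_name, country_code, seen_at).
# IPs are RFC 5737 documentation addresses, not real indicators.
SAMPLE_ROWS = [
    ("192.0.2.10", "Tactical RMM", "ExampleTelecom", "SA", "2026-03-01T10:00:00"),
    ("192.0.2.10", "Tactical RMM", "ExampleTelecom", "SA", "2026-03-05T10:00:00"),  # repeat sighting
    ("192.0.2.11", "Mozi", "ExampleTelecom", "SA", "2026-03-02T10:00:00"),
    ("192.0.2.12", "Sliver", "ExampleTelecom", "SA", "2026-04-02T10:00:00"),
    ("192.0.2.20", "Sliver", "ExampleVPS", "TR", "2026-04-10T10:00:00"),
    ("192.0.2.21", "Cobalt Strike", "ExampleVPS", "TR", "2026-04-11T10:00:00"),
    ("192.0.2.22", "Mozi", "ExampleVPS", "TR", "2026-04-12T10:00:00"),
    ("192.0.2.22", "Hajime", "ExampleVPS", "TR", "2026-04-12T11:00:00"),  # one IP, two families
    ("192.0.2.30", "Cobalt Strike", "", "IQ", "2026-04-13T10:00:00"),  # no org attribution
    ("192.0.2.40", "Mozi", "OutsideRegion", "DE", "2026-04-14T10:00:00"),  # outside region filter
    ("192.0.2.50", "Mozi", "ExampleTelecom", "SA", "2025-12-01T10:00:00"),  # outside time window
]


def build_db(rows=SAMPLE_ROWS):
    """Load the sightings into an in-memory table named like HuntSQL's 'malware'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE malware (ip TEXT, malware_name TEXT, org_name TEXT,"
                 " country_code TEXT, seen_at TEXT)")
    conn.executemany("INSERT INTO malware VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def _params(now):
    # ISO-8601 timestamps compare correctly as text, so the cutoff is a plain string.
    cutoff = (now - timedelta(days=90)).isoformat(timespec="seconds")
    return (*MIDDLE_EAST, cutoff)


def malware_family_distribution(conn, now=NOW):
    """Query 1: unique C2 IPs per malware family inside the region and window."""
    sql = f"""
        SELECT malware_name, COUNT(DISTINCT ip) AS counts
        FROM malware
        WHERE country_code IN ({_IN_LIST}) AND seen_at > ?
        GROUP BY malware_name
        ORDER BY counts DESC, malware_name"""
    return conn.execute(sql, _params(now)).fetchall()


def provider_malware_diversity(conn, now=NOW):
    """Query 2: unique C2 IPs and unique families per org, plus the
    malware-to-C2 ratio the post uses to flag multi-operation providers."""
    sql = f"""
        SELECT org_name,
               COUNT(DISTINCT ip)           AS unique_c2,
               COUNT(DISTINCT malware_name) AS unique_malware
        FROM malware
        WHERE org_name != '' AND country_code IN ({_IN_LIST}) AND seen_at > ?
        GROUP BY org_name
        ORDER BY unique_malware DESC, org_name"""
    rows = conn.execute(sql, _params(now)).fetchall()
    return [(org, c2, fam, round(fam / c2, 2)) for org, c2, fam in rows]


def provider_c2_share(conn, now=NOW):
    """Concentration view from the 'Top providers' section: each org's share of
    all unique regional C2 IPs, with unattributed IPs kept so every C2 is counted."""
    total = conn.execute(
        f"SELECT COUNT(DISTINCT ip) FROM malware"
        f" WHERE country_code IN ({_IN_LIST}) AND seen_at > ?", _params(now)).fetchone()[0]
    sql = f"""
        SELECT COALESCE(NULLIF(org_name, ''), '(unattributed)') AS org,
               COUNT(DISTINCT ip) AS unique_c2
        FROM malware
        WHERE country_code IN ({_IN_LIST}) AND seen_at > ?
        GROUP BY org_name
        ORDER BY unique_c2 DESC, org"""
    rows = conn.execute(sql, _params(now)).fetchall()
    return [(org, c2, round(100.0 * c2 / total, 1)) for org, c2 in rows]


if __name__ == "__main__":
    db = build_db()
    for title, rows in (("C2s per malware family", malware_family_distribution(db)),
                        ("Provider diversity (org, c2, families, ratio)", provider_malware_diversity(db)),
                        ("Provider C2 share (org, c2, %)", provider_c2_share(db))):
        print(title)
        for row in rows:
            print("  ", row)
```

The repeat sighting, the empty org name, the out-of-region row and the out-of-window row each exercise one clause of the original queries.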

The results reveal that malware activity is concentrated within a relatively small set of hosting and telecommunications providers, many of which support large-scale virtual server and telecommunications environments.

Turk Telekomunikasyon Anonim Sirketi leads in malware diversity, hosting 6 distinct malware families across 9 unique C2 endpoints, demonstrating the highest malware-to-C2 ratio in the dataset and suggesting multiple unrelated threat operations leveraging Turkish telecommunications infrastructure.

HOSTING DUNYAM BILISIM TEKNOLOJILERI hosts 5 distinct malware families across 7 unique C2 endpoints, while O.M.C. COMPUTERS & COMMUNICATIONS LTD also hosts 5 distinct malware families across 8 unique C2 endpoints.

Other providers with notable malware diversity include BlueVPS OU (4 malware families), Private Customer (4), SUNUCUN BILGI (4), NTT DATA (3), Oracle Corporation (3), Microsoft Corporation (3), TE Data (3), and several others.

Figure 12. Malware Diversity vs. C2 Volume Across Middle East ISPs - Türk Telekom leads in malware diversity per C2, while larger providers show concentrated single-family operations.

That malware diversity maps directly to operational variety. IOC Hunter surfaced campaigns spanning ransomware delivery, state-sponsored espionage, MaaS platforms, and destructive attacks, all running on the same regional infrastructure.

Malicious Campaigns Observed Across Middle East Hosting Environments

The following examples illustrate how the infrastructure patterns identified above translate into active malware campaigns, state-sponsored espionage operations, MaaS platforms, and targeted intrusion campaigns within Middle Eastern hosting environments.

Over the observation period, Hunt.io tracking surfaced a Phorpiex (Twizt) botnet C2 server at 94.252.245[.]193 hosted on Syrian Telecom infrastructure, operating a hybrid C2 architecture that combines HTTP endpoints with a resilient peer-to-peer UDP layer on port 40500. The campaign delivered encrypted high-entropy payloads, including the XMRig miner, and has previously distributed LockBit Black ransomware.

Figure 13. Hunt.io IP intelligence for 94.252.245[.]193 highlighting Syrian Telecom infrastructure hosting Phorpiex/Twizt C2 servers with a hybrid HTTP and P2P command-and-control architecture.

Infrastructure hosted on Regxa Company for Information Technology Ltd (regxa.iq) was identified as hosting C2 associated with a February 2026 espionage campaign attributed to the Eagle Werewolf cluster, targeting state and industrial entities using Starlink registration and drone training lures. The multi-stage attack chain deployed EchoGather RAT via Telegram channels and phishing pages, Sliver implant via DLL side-loading through Fondue.exe, SoullessRAT via fake AlphaFly installer, and AquilaRAT (Rust backdoor) leveraging multiple rotating C2 domains.

Figure 14. Hunt.io IP intelligence for Regxa Iraq infrastructure hosting Eagle Werewolf APT C2 domains targeting state entities and drone communities.

On Netinternet Bilisim Teknolojileri AS (Turkey) hosting, the IP 93.113.62[.]247 was identified in a phishing campaign impersonating generic "Cloud Storage" services to harvest payment details, using disposable domains and Google Cloud Storage for redirect pages.

Figure 15. Hunt.io IP intelligence for 93.113.62[.]247 hosted by Netinternet (Turkey), linked to a Cloud Storage impersonation phishing campaign.

Active exploitation of CVE-2025-11953 (Metro4Shell) in React Native CLI was observed with source IP 5.109.182[.]231 on Saudi Arabia's Mobily network (AS35819), delivering Base64-encoded PowerShell scripts that added Microsoft Defender Antivirus exclusions before establishing TCP connections to download Rust-based binaries with anti-analysis checks.

Figure 16. Hunt.io IP intelligence for 5.109.182[.]231 hosted by Mobily (Saudi Arabia), linked to the Metro4Shell RCE exploitation campaign.

Infrastructure hosted on CLODO CLOUD SERVICE CO. L.L.C (UAE) was tied to the DYNOWIPER destructive campaign targeting Poland's energy sector, attributed to ENERGETIC BEAR, in which attackers deployed custom wiper malware that corrupted data at over 30 renewable facilities.

Figure 17. Hunt.io tracking of DYNOWIPER strikes on Poland's energy sector, a destructive malware campaign exploiting weak access controls to infiltrate critical infrastructure, wipe data across 30+ facilities, and expose the growing risks to SCADA/OT environments.

Bitsight TRACE documented the RondoDox botnet leveraging exploitation server infrastructure at 37.32.15[.]8 on Iranian provider AbrArvan CDN and IaaS, active since May 2025 and peaking at 15,000 daily exploit attempts against internet-exposed devices. The Mirai-like botnet deployed 174 distinct exploits without writing initial implants to disk, executed shell scripts via unauthenticated RCEs, deployed DoS bots supporting 18 architectures, and dropped the XMRig miner before connecting to hardcoded C2s.

Figure 18. Hunt.io IP intelligence for 37.32.15[.]8 hosted by AbrArvan CDN (Iran), linked to RondoDox botnet exploitation infrastructure.

Sysdig researchers documented a November 2025 intrusion where attackers leveraged AI to compress an AWS attack chain to under 10 minutes, with activity originating from 197.51.170[.]131 on Egyptian ISP TE Data (AS8452). The attack chain included stolen credentials from public S3 RAG datasets, ReadOnlyAccess reconnaissance, Lambda function code injection via UpdateFunctionCode, privilege escalation to admin account "frick," persistence across 19 AWS principals, Amazon Bedrock LLMjacking, and deployment of p4d.24xlarge instance with public JupyterLab on port 8888.

Figure 19. Hunt.io IP intelligence for 197.51.170[.]131 hosted by TE Data (Egypt), linked to an AI-powered AWS intrusion campaign.

In another case, researchers identified a macOS-focused Phexia campaign that uses ClickFix social-engineering techniques to trick users into running base64-encoded osascript droppers via Terminal. The campaign may be linked to Amatera botnet activity and is tentatively attributed to APT28. Similarly, CyberProof researchers identified a new ClickFix variant that instructs users to run a rundll32 WebDAV command via Win+R, replacing prior PowerShell/mshta tactics.

Additionally, another report detailed a 10-stage campaign delivering the HellsUchecker backdoor via a fake Cloudflare CAPTCHA (ClickFix) that tricks users into executing caret-obfuscated commands.

Figure 20. Hunt.io infrastructure tracking for the HellsUchecker blockchain-backed backdoor campaign with EtherHiding C2 resolution.

Deception.Pro observed a 12-day intrusion linked to Velvet Tempest that began with malvertising and ClickFix-style fake CAPTCHA instructing users to paste obfuscated commands into Windows Run. The chain leveraged LOLBins (finger.exe, curl.exe, tar.exe, csc.exe) to fetch masqueraded PDF archives and stage follow-on payloads. The tradecraft aligns with Termite ransomware operations, though no encryption event occurred during the observation window.

Figure 21. Hunt.io tracking of Velvet Tempest ClickFix campaign infrastructure linked to Termite ransomware operations.

Researchers also detailed a long-running FakeGit campaign by a Vietnamese-speaking operator distributing LuaJIT-based loaders via GitHub since March 2025 using cracked extensions, gaming cheats, and other lures, with 50+ rotating C2 endpoints largely hosted on SERV.HOST GROUP infrastructure.

Recorded Future's first public report on GrayCharlie, a threat actor overlapping with SmartApeSG, documented how the actor compromises WordPress sites to inject external JavaScript redirecting users to NetSupport RAT payloads.

Figure 22. Hunt.io IOC Hunter showing a brief summary of the GrayCharlie WordPress compromise campaign targeting U.S. law firms.

Breakglass Intelligence reports that the CLICKSMOKE MaaS platform remains active with its C2 panel hosted on DEDIK SERVICES LIMITED infrastructure, while previously exposed builds were rotated out. In another report, Breakglass Intelligence mapped nine live Needle Malware-as-a-Service customer panels confirmed on April 22, 2026, showing consistent HTTP fingerprints and unique Vite bundles per panel, validating a multi-tenant operational model.

These examples demonstrate how Middle Eastern hosting providers support a diverse threat landscape, ranging from state-sponsored espionage and destructive operations to commodity malware, MaaS platforms, cryptomining, and advanced intrusion campaigns.

Infrastructure Observables

This research is based on a large set of infrastructure-level observables, including IP addresses, domains, and C2 endpoints that Hunt.io has identified and labeled as malicious infrastructure, active malware command-and-control, phishing infrastructure, or related abuse across Middle Eastern ISPs and hosting providers.

Given the scale of the dataset, with more than 1,350 active C2 endpoints observed over three months across 14 countries and 98 providers, publishing a static list here would provide limited operational value.

Teams interested in accessing this data with proper context, attribution, and historical tracking can reach out to discuss research collaboration or operational access to the full dataset.

Conclusion

The data from this three-month window makes one thing clear: malicious infrastructure in the Middle East is not evenly distributed. Over 1,350 C2 servers across 98 providers, with a single telecom carrier accounting for nearly three quarters of all regional C2 activity, points to a threat landscape where concentration is the pattern, not the exception. Knowing which providers consistently appear in the data changes how defenders prioritize, block, and monitor.

A host-centric approach is what makes that possible. Instead of chasing individual indicators that rotate daily, teams can track the hosting environments, ASNs, and provider patterns that attackers keep coming back to. That's where the leverage is, and that's where this kind of analysis pays off.
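The host-centric triage the conclusion describes, as an added example over constructed egress log lines: each destination is enriched to its hosting provider and flows are aggregated and prioritised per provider rather than per indicator. This is not Hunt.io's code. The provider names, C2 counts and bulletproof ratings are those quoted earlier in the post, but the prefixes are RFC 5737 documentation ranges invented for the example (not the providers' real address space), and the log format, sample lines and triage rules are assumptions.

```python
"""Provider-level triage of outbound flows (added example, not the post's code).
Prefixes below are documentation ranges mapped to provider names from the post
purely for illustration; the log lines and triage thresholds are constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Provider:
    name: str
    country: str
    c2_count: int               # C2 servers seen over 90 days (figures from the post)
    bulletproof: Optional[str]  # Host Radar bulletproof rating; None where the post gives none


# Constructed prefix -> provider map (RFC 5737 ranges only, NOT real allocations).
PREFIX_TABLE = [
    (ipaddress.ip_network("192.0.2.0/25"), Provider("STC", "SA", 981, None)),
    (ipaddress.ip_network("192.0.2.128/25"), Provider("SERVERS TECH FZCO", "AE", 111, "medium")),
    (ipaddress.ip_network("198.51.100.0/24"), Provider("Regxa", "IQ", 38, "high")),
    (ipaddress.ip_network("203.0.113.0/25"), Provider("Türk Telekom", "TR", 44, "medium")),
]

# Constructed egress log: "<ts> src=<ip> dst=<ip> dport=<port> action=<allow|deny>".
SAMPLE_LOG = """\
2026-04-20T08:01:10Z src=10.0.5.14 dst=198.51.100.77 dport=443 action=allow
2026-04-20T08:01:12Z src=10.0.5.14 dst=198.51.100.77 dport=443 action=allow
2026-04-20T08:03:40Z src=10.0.7.2 dst=192.0.2.200 dport=8080 action=allow
2026-04-20T08:04:02Z src=10.0.5.31 dst=192.0.2.9 dport=40500 action=allow
2026-04-20T08:05:55Z src=10.0.5.31 dst=203.0.113.5 dport=443 action=deny
2026-04-20T08:06:01Z src=10.0.9.8 dst=203.0.113.200 dport=443 action=allow
"""


def parse_line(line):
    """Parse one key=value log line into a dict."""
    ts, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": ts, "src": fields["src"], "dst": fields["dst"],
            "dport": int(fields["dport"]), "action": fields["action"]}


def lookup_provider(ip):
    """Longest-prefix match of an address against the provider table."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, prov) for net, prov in PREFIX_TABLE if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def triage(prov):
    """Priority from the two provider-level signals the post reports:
    bulletproof rating and observed C2 volume (thresholds are illustrative)."""
    if prov is None:
        return "none"
    if prov.bulletproof == "high":
        return "critical"
    if prov.c2_count >= 100 or prov.bulletproof == "medium":
        return "high"
    return "monitor"


def summarize_by_provider(log_text):
    """Aggregate flows per destination provider instead of per destination IP.
    Returns (provider, priority, flows, distinct sources, distinct dsts, allowed)."""
    buckets = defaultdict(lambda: {"flows": 0, "sources": set(), "dsts": set(), "allowed": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        prov = lookup_provider(rec["dst"])
        key = prov.name if prov else "(unknown provider)"
        b = buckets[key]
        b["flows"] += 1
        b["sources"].add(rec["src"])
        b["dsts"].add(rec["dst"])
        b["allowed"] += rec["action"] == "allow"
        b["priority"] = triage(prov)
    order = {"critical": 0, "high": 1, "monitor": 2, "none": 3}
    rows = [(name, b["priority"], b["flows"], len(b["sources"]), len(b["dsts"]), b["allowed"])
            for name, b in buckets.items()]
    rows.sort(key=lambda r: (order[r[1]], -r[2], r[0]))
    return rows


if __name__ == "__main__":
    for row in summarize_by_provider(SAMPLE_LOG):
        print(row)
```

Swapping the constructed table for a real ASN/provider feed turns this into the provider watchlist the conclusion argues for; the aggregation and priority logic stay the same.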

Ready to see it in practice? Book a demo and explore how Host Radar and the Hunt.io platform can help your team track adversary infrastructure at scale, before it becomes an incident.

Threat intelligence that relies on disposable indicators locks defenders into a reactive loop of detection and evasion. Shifting focus to provider-level infrastructure disrupts that cycle by exposing the hosting providers, cloud platforms, and telecom networks that consistently underpin malicious activity, allowing defenders to anticipate adversary behavior instead of chasing it.

We've seen this play out repeatedly across the region. Iranian-nexus actors have been caught staging operations weeks before activation, botnet operators leaving entire relay networks exposed through misconfigured directories, and APT infrastructure sitting dormant on Iraqi hosting waiting to be activated. In each case, the infrastructure told the story before the attack did.

During the last three months (1 Feb 2026 - 1 May 2026) analysis window, we identified more than 1,350 active command-and-control (C2) servers operating across 98 Middle East infrastructure providers, spanning shared hosting platforms, virtual server providers, and telecommunications networks across 14 countries.

How We Analyzed Middle East Malicious Infrastructure

Host Radar, a core module of Hunt.io, was designed to address this gap by correlating C2 servers, phishing infrastructure, malicious open directories, and public IOCs back to the hosting providers and network operators that sustain them.

Using Host Radar, we analyzed telemetry associated with Middle Eastern infrastructure providers across the UAE, Saudi Arabia, Turkey, Israel, Iraq, Iran, Cyprus, Egypt, Kuwait, Lebanon, Palestine, Jordan, Bahrain, and Syria. The results reveal not only the scale of active C2 infrastructure, but also the dominance of specific malware families, and how frequently major telecommunications networks and hosting providers show up in the infrastructure tied to both commodity cybercrime and advanced threat operations.

This analysis surfaced clear patterns in how malicious infrastructure is distributed, reused, and concentrated across Middle Eastern hosting environments.

Before going deeper, these are the findings that shaped the entire analysis.

Key Observations

  • More than 1,350 C2 servers were identified across 98 Middle East infrastructure providers within the past 3 months.

  • C2 infrastructure dominates malicious activity (~96.8%), far exceeding phishing infrastructure (~0.5%) and publicly reported IOCs (~0.5%), while malicious open directories account for the remaining ~2.2% of observed artifacts.

  • Saudi Arabia's STC (Saudi Telecom Company) hosts 981 C2 servers, representing 72.4% of all detected C2 infrastructure in the region, the largest concentration observed across any single provider globally.

  • A small set of hosting providers accounts for a disproportionate share of malicious infrastructure, with STC, SERVERS TECH FZCO (UAE), OMC (Israel), Türk Telekom, and Regxa (Iraq) hosting the largest volumes of detected C2 servers.

  • IoT-focused botnets (Hajime, Mozi, and Mirai) combined with offensive frameworks (Tactical RMM, Cobalt Strike, Sliver) represent the dominant malware families operating across Middle Eastern infrastructure.

  • Middle Eastern hosting environments support diverse malicious operations, including state-sponsored espionage campaigns, MaaS (Malware-as-a-Service) platforms, cryptomining operations, and targeted intrusion activity.

The hosting layer is where that concentration becomes most visible, so that is where we start.

Top Middle East Infrastructure Providers

The Host Radar summary for the top five Middle Eastern infrastructure providers highlights the scale and diversity of malicious activity observed across these organizations over the last three months.

STC (Saudi Telecom Company), Saudi Arabia's leading telecommunications provider, exhibits the highest number of C2 servers among all analyzed Middle Eastern providers, with 981 detected over 90 days. This extraordinary concentration representing 72.4% of all regional C2 infrastructure suggests that STC's massive telecommunications network and customer base are being leveraged at scale for command-and-control operations, likely through compromised customer endpoints rather than provider-hosted infrastructure.

Figure 1Figure 1. STC (Saudi Telecom Company) - Host Radar Detailed View: Per-provider Host Radar breakdown for STC, highlighting the unprecedented concentration of C2 activity across Saudi Arabia's largest telecommunications network.

SERVERS TECH FZCO, a UAE-based technology solutions provider, shows significant malicious activity with 111 C2 servers observed over 90 days, alongside 4 malicious open directories, 1 IOC, 12 IOC Hunter posts, and 1 phishing site, with a medium bulletproof rating and cryptocurrency payment acceptance.

This pattern indicates that specialized hosting providers offering flexible payment options and moderate abuse response times are observed across infrastructure tied to diverse threat actor activity deploying both C2 infrastructure and staging environments.

Figure 2Figure 2. TECH FZCO - Host Radar Detailed View: Host Radar metrics for SERVERS TECH FZCO illustrating elevated C2 infrastructure presence alongside malicious open directories and documented IOC references.

OMC (O.M.C. Computers & Communications Ltd), an Israeli hosting and telecommunications provider, exhibits 62 C2 servers over 90 days, carrying a medium bulletproof rating.

The presence of C2 infrastructure without broader malicious artifacts suggests isolated infrastructure abuse rather than large-scale coordinated campaigns, though the medium bulletproof rating reflects a pattern of repeated abuse observed within this network.

Figure 3Figure 3. OMC - Host Radar Detailed View: Detailed Host Radar metrics showing OMC's moderate C2 infrastructure concentration with limited associated malicious artifacts.

Türk Telekom, Turkey's leading telecommunications provider, shows 44 C2 servers alongside 6 malicious open directories over 90 days, carrying a medium bulletproof rating.

The presence of both C2 infrastructure and exposed malicious directories indicates that compromised Turkish telecommunications infrastructure serves as both command-and-control endpoints and staging environments for malware distribution.

Figure 4Figure 4. Türk Telekom - Host Radar Detailed View: Host Radar metrics for Türk Telekom reflecting C2 infrastructure alongside malicious open directories within Turkey's primary telecommunications network.

Regxa Company for Information Technology Ltd, an Iraqi IT solutions provider, demonstrates 38 C2 servers, 1 malicious open directory, 1 IOC, and 1 IOC Hunter post over 90 days, while carrying a high bulletproof rating, the highest observed across all Middle Eastern providers in this dataset.

This combination of persistent C2 infrastructure, documented IOC references, and high bulletproof rating suggests deliberate tolerance for malicious activity or limited abuse response within this provider's network.

Figure 5Figure 5. Regxa Company for Information Technology Ltd - Host Radar Detailed View: Host Radar summary for the Iraqi provider, highlighting C2 infrastructure with the highest bulletproof rating observed across all Middle Eastern providers.

With the top Middle Eastern infrastructure hosting providers in mind, let's now focus on analyzing the C2 infrastructure across different ISPs and regions.

C2 Infrastructure Across Middle East ISPs

This section describes how Host Radar was used to detect and attribute C2 infrastructure and related malicious artifacts operating within Middle Eastern hosting environments over a three-month observation window.

After applying Middle East country filters (AE, BH, CY, EG, IL, IQ, IR, JO, KW, LB, PS, SA, SY, TR), the Host Radar summary view reveals 98 distinct infrastructure providers operating within Middle Eastern ISPs, hosting providers, and cloud ecosystems that were associated with malicious activity.

This broad distribution shows the diversity of the Middle East's hosting ecosystem, where malicious infrastructure is spread across telecommunications giants, specialized VPS providers, and cloud platforms rather than concentrated in only a few networks.

Figure 6. Host Radar summary view showing malicious infrastructure detected across 98 Middle Eastern ISPs and hosting providers over a three-month analysis window.

Dataset Scope and Observed Infrastructure Landscape Over the Middle East

Across the full set of 98 Middle Eastern infrastructure providers, Host Radar recorded 1,459 malicious artifacts during the three-month observation period. This includes 1,357 C2 servers, 45 malicious open directories, 7 indicators of compromise (IOCs) referenced in public research, 43 IOC Hunter posts, and 7 phishing sites.

The data reveals that C2 infrastructure accounts for the largest share of observed malicious activity at 93.0% of all detected artifacts. Malicious open directories represent 3.1%, IOC Hunter posts 2.9%, phishing sites 0.5%, and publicly reported IOCs 0.5%.

This distribution suggests that Middle Eastern hosting environments are primarily leveraged for C2 operations, with significantly fewer cases of exposed artifacts or phishing infrastructure compared to other global infrastructure ecosystems.

Figure 7. Aggregate breakdown of C2 servers (1,357), phishing sites (7), malicious open directories (45), IOC Hunter posts (43), and public IOCs (7) detected within Middle Eastern hosting environments.

Concentration of C2 Infrastructure Across Middle East Providers

STC (Saudi Telecom Company) emerges as the dominant contributor with 981 detected C2 servers, representing an unprecedented 72.4% concentration of C2 infrastructure in this regional dataset.

This is followed by SERVERS TECH FZCO (111 C2 detections), OMC (62 C2 detections), Türk Telekom (44 C2 detections), and Regxa Company for IT Ltd (38 C2 detections), demonstrating how both large telecommunications providers and specialized hosting companies support regional malicious infrastructure.

Other prominent providers include SERV.HOST GROUP LTD (Cyprus, 25), Hosting Dünyam (Turkey, 15), SUNUCUN BILGI (Turkey, 7), IHS Kurumsal Teknoloji (Turkey, 6), and Paltel (Palestine, 6).

The presence of telecommunications giants alongside cryptocurrency-accepting VPS providers within the top rankings illustrates how diverse infrastructure types, from consumer ISP networks to bulletproof hosting environments, can all be leveraged for malware C2 infrastructure deployment across the Middle East.

Figure 8. Top 10 Middle Eastern infrastructure providers by number of detected C2 servers over a three-month window, highlighting the extreme concentration within Saudi Telecom Company alongside diverse regional hosting providers.

Malware Family Distribution Within Middle East Networks

Using HuntSQL, we analyzed the distribution of command-and-control (C2) infrastructure across malware families hosted within Middle Eastern networks over three months.

Example Query:

SELECT
  malware.name,
  uniq(ip) AS COUNTS
FROM
  malware
WHERE
  (asn.country_code='AE' OR asn.country_code='BH' OR asn.country_code='CY' 
  OR asn.country_code='EG' OR asn.country_code='IL' OR asn.country_code='IQ' 
  OR asn.country_code='IR' OR asn.country_code='JO' OR asn.country_code='KW' 
  OR asn.country_code='LB' OR asn.country_code='PS' OR asn.country_code='SA' 
  OR asn.country_code='SY' OR asn.country_code='TR')
  AND timestamp > NOW - 3 MONTH
GROUP BY
  malware.name
ORDER BY
  COUNTS DESC

                
Copy

Output Example:

Figure 9. HuntSQL query output showing the dominant malware families hosting C2 infrastructure within Middle East networks over three months.

The results reveal that Tactical RMM leads the dataset with 92 unique C2 IPs, the largest concentration of C2 infrastructure observed in Middle Eastern hosting environments, reflecting widespread abuse of this legitimate remote management tool for post-exploitation operations.

The second largest cluster, Keitaro (71 C2s), represents a traffic distribution system (TDS) infrastructure used in malvertising, phishing, and exploit kit campaigns, indicating coordinated campaigns leveraging regional advertising networks and compromised websites.

Acunetix (38 C2s) and Gophish (31 C2s) reflect active scanning and phishing infrastructure, while IoT-focused botnets Mozi (24 C2s) and Hajime (22 C2s) demonstrate continued exploitation of compromised embedded devices across the region.

Several offensive security frameworks and post-exploitation platforms also appear prominently in the dataset. These include Prism X (13), AsyncRAT (12), Sliver (10), Cobalt Strike (8), and Mirai (8), indicating that both commodity malware and sophisticated APT tooling leverage Middle Eastern infrastructure.

This concentration lets defenders focus on shared infrastructure patterns rather than chasing individual malware variants.

Figure 10. Bar graph illustrating the distribution of the Top 10 Malware Command-and-Control (C2) Families observed across Middle East infrastructure over the last three months.

Infrastructure Providers Hosting the Widest Malware Diversity

A HuntSQL query was designed to surface organizations hosting the widest variety of malware activity within Middle Eastern networks over the last three months. The query aggregates telemetry by org.name and calculates the number of distinct C2 IPs attributed to an organization (Unique_C2) as well as Unique_Malware, which reflects the diversity of malware families observed within that infrastructure.

Example Query:

SELECT
  org.name,
  uniq(ip) AS Unique_C2,
  uniq(malware.name) AS Unique_Malware
FROM
  malware
WHERE
  org.name != ""
  AND (asn.country_code='AE' OR asn.country_code='BH' OR asn.country_code='CY' 
  OR asn.country_code='EG' OR asn.country_code='IL' OR asn.country_code='IQ' 
  OR asn.country_code='IR' OR asn.country_code='JO' OR asn.country_code='KW' 
  OR asn.country_code='LB' OR asn.country_code='PS' OR asn.country_code='SA' 
  OR asn.country_code='SY' OR asn.country_code='TR')
  AND timestamp > NOW - 3 MONTH
GROUP BY
  org.name
ORDER BY
  Unique_Malware DESC

                
Copy

Output Example:

Figure 11. A HuntSQL query aggregating malware telemetry by Middle East organization to identify providers hosting the widest variety of malware families.

The results reveal that malware activity is concentrated within a relatively small set of hosting and telecommunications providers, many of which support large-scale virtual server and telecommunications environments.

Turk Telekomunikasyon Anonim Sirketi leads in malware diversity, hosting 6 distinct malware families across 9 unique C2 endpoints, demonstrating the highest malware-to-C2 ratio in the dataset and suggesting multiple unrelated threat operations leveraging Turkish telecommunications infrastructure.

HOSTING DUNYAM BILISIM TEKNOLOJILERI hosts 5 distinct malware families across 7 unique C2 endpoints, while O.M.C. COMPUTERS & COMMUNICATIONS LTD also hosts 5 distinct malware families across 8 unique C2 endpoints.

Other providers with notable malware diversity include BlueVPS OU (4 malware families), Private Customer (4), SUNUCUN BILGI (4), NTT DATA (3), Oracle Corporation (3), Microsoft Corporation (3), TE Data (3), and several others.

Figure 12. Malware Diversity vs. C2 Volume Across Middle East ISPs - Türk Telekom leads in malware diversity per C2, while larger providers show concentrated single-family operations.
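To make the two HuntSQL aggregations above reproducible offline, the following added example (not Hunt.io code) rebuilds both queries over a small constructed telemetry table in SQLite: HuntSQL's `uniq()` becomes `COUNT(DISTINCT ...)`, `NOW - 3 MONTH` is approximated as a 90-day cutoff, and the dotted field names (`malware.name`, `org.name`, `asn.country_code`) are flattened into plain columns. The sample rows, IPs and organisation mix are constructed for illustration, and the example also computes the malware-to-C2 ratio the text uses to rank provider diversity.

```python
import sqlite3
from datetime import datetime, timedelta

# Country filter used by both HuntSQL queries on this page.
ME_COUNTRIES = ("AE", "BH", "CY", "EG", "IL", "IQ", "IR", "JO", "KW",
                "LB", "PS", "SA", "SY", "TR")

# Constructed sample telemetry (not Hunt.io data): one row per C2 sighting.
# Fields mirror HuntSQL's ip, malware.name, org.name, asn.country_code, timestamp.
NOW = datetime(2026, 5, 1)
TT = "Turk Telekomunikasyon Anonim Sirketi"
OMC = "O.M.C. COMPUTERS & COMMUNICATIONS LTD"
SAMPLE_ROWS = [
    ("203.0.113.10", "Tactical RMM", TT, "TR", NOW - timedelta(days=3)),
    ("203.0.113.10", "Tactical RMM", TT, "TR", NOW - timedelta(days=10)),  # same IP twice: counted once
    ("203.0.113.11", "Sliver", TT, "TR", NOW - timedelta(days=20)),
    ("203.0.113.12", "Keitaro", OMC, "IL", NOW - timedelta(days=40)),
    ("203.0.113.13", "Keitaro", OMC, "IL", NOW - timedelta(days=41)),
    ("203.0.113.14", "Mozi", "", "SA", NOW - timedelta(days=5)),            # empty org.name: dropped by org query
    ("203.0.113.15", "Keitaro", "Example EU Host", "DE", NOW - timedelta(days=5)),  # outside the region filter
    ("203.0.113.16", "AsyncRAT", TT, "TR", NOW - timedelta(days=120)),     # outside the 3-month window
]


def load(rows):
    """Load sighting rows into an in-memory table named like the HuntSQL source."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE malware (ip TEXT, malware_name TEXT, org_name TEXT, "
                 "country_code TEXT, ts TEXT)")
    conn.executemany("INSERT INTO malware VALUES (?, ?, ?, ?, ?)",
                     [(ip, m, o, c, t.isoformat()) for ip, m, o, c, t in rows])
    return conn


def _window(now, months):
    # HuntSQL's `NOW - 3 MONTH` approximated as 30-day months; ISO strings sort chronologically.
    return (now - timedelta(days=30 * months)).isoformat()


def c2_by_malware(conn, now, months=3):
    """Equivalent of the first query: unique C2 IPs per malware family in the region."""
    placeholders = ",".join("?" * len(ME_COUNTRIES))
    sql = (f"SELECT malware_name, COUNT(DISTINCT ip) AS counts FROM malware "
           f"WHERE country_code IN ({placeholders}) AND ts > ? "
           f"GROUP BY malware_name ORDER BY counts DESC, malware_name")
    return conn.execute(sql, (*ME_COUNTRIES, _window(now, months))).fetchall()


def diversity_by_org(conn, now, months=3):
    """Equivalent of the second query, plus the malware-to-C2 ratio used to rank diversity."""
    placeholders = ",".join("?" * len(ME_COUNTRIES))
    sql = (f"SELECT org_name, COUNT(DISTINCT ip) AS unique_c2, "
           f"COUNT(DISTINCT malware_name) AS unique_malware, "
           f"CAST(COUNT(DISTINCT malware_name) AS REAL) / COUNT(DISTINCT ip) AS ratio "
           f"FROM malware WHERE org_name != '' AND country_code IN ({placeholders}) AND ts > ? "
           f"GROUP BY org_name ORDER BY unique_malware DESC, org_name")
    return conn.execute(sql, (*ME_COUNTRIES, _window(now, months))).fetchall()


if __name__ == "__main__":
    conn = load(SAMPLE_ROWS)
    for row in c2_by_malware(conn, NOW):
        print("malware:", row)
    for row in diversity_by_org(conn, NOW):
        print("org:", row)
```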

That malware diversity maps directly to operational variety. IOC Hunter surfaced campaigns spanning ransomware delivery, state-sponsored espionage, MaaS platforms, and destructive attacks, all running on the same regional infrastructure.

Malicious Campaigns Observed Across Middle East Hosting Environments

The following examples illustrate how the infrastructure patterns identified above translate into active malware campaigns, state-sponsored espionage operations, MaaS platforms, and targeted intrusion campaigns within Middle Eastern hosting environments.

Over the observation period, Hunt.io tracking surfaced a Phorpiex (Twizt) botnet C2 server at 94.252.245[.]193 hosted on Syrian Telecom infrastructure, operating a hybrid C2 architecture that combines HTTP endpoints with a resilient peer-to-peer UDP layer on port 40500. The campaign delivered encrypted high-entropy payloads, including the XMRig miner, and has previously distributed LockBit Black ransomware.

Figure 13. Hunt.io IP intelligence for "94.252.245[.]193" highlighting Syrian Telecom infrastructure hosting Phorpiex/Twizt C2 servers with a hybrid HTTP and P2P command-and-control architecture.

Infrastructure hosted on Regxa Company for Information Technology Ltd (regxa.iq) was identified as hosting C2 associated with a February 2026 espionage campaign attributed to the Eagle Werewolf cluster, targeting state and industrial entities using Starlink registration and drone training lures. The multi-stage attack chain deployed EchoGather RAT via Telegram channels and phishing pages, Sliver implant via DLL side-loading through Fondue.exe, SoullessRAT via fake AlphaFly installer, and AquilaRAT (Rust backdoor) leveraging multiple rotating C2 domains.

Figure 14. Hunt.io IP intelligence for Regxa Iraq infrastructure hosting Eagle Werewolf APT C2 domains targeting state entities and drone communities.

On Netinternet Bilisim Teknolojileri AS (Turkey) hosting, the IP 93.113.62[.]247 was identified in a phishing campaign impersonating generic "Cloud Storage" services to harvest payment details, using disposable domains and Google Cloud Storage for redirect pages.

Figure 15. Hunt.io IP intelligence for 93.113.62[.]247 hosted by Netinternet (Turkey), linked to a Cloud Storage impersonation phishing campaign.

Active exploitation of CVE-2025-11953 (Metro4Shell) in React Native CLI was observed with source IP 5.109.182[.]231 on Saudi Arabia's Mobily network (AS35819), delivering Base64-encoded PowerShell scripts that added Microsoft Defender Antivirus exclusions before establishing TCP connections to download Rust-based binaries with anti-analysis checks.

Figure 16. Hunt.io IP intelligence for 5.109.182[.]231 hosted by Mobily (Saudi Arabia), linked to a Metro4Shell RCE exploitation campaign.

Infrastructure hosted on CLODO CLOUD SERVICE CO. L.L.C (UAE) was tied to the DYNOWIPER destructive campaign targeting Poland's energy sector, attributed to ENERGETIC BEAR, in which attackers deployed custom wiper malware that corrupted data at over 30 renewable facilities.

Figure 17. Hunt.io tracked DYNOWIPER strikes on Poland's energy sector, a destructive malware campaign exploiting weak access controls to infiltrate critical infrastructure, wipe data across 30+ facilities, and expose the growing risks to SCADA/OT environments.

Bitsight TRACE documented the RondoDox botnet leveraging exploitation server infrastructure at 37.32.15[.]8 on the Iranian provider AbrArvan CDN and IaaS, active since May 2025 and peaking at 15,000 daily exploit attempts against internet-exposed devices. The Mirai-like botnet deployed 174 distinct exploits without writing initial implants to disk, executed shell scripts via unauthenticated RCEs, deployed DoS bots supporting 18 architectures, and dropped the XMRig miner before connecting to hardcoded C2s.

Figure 18. Hunt.io IP intelligence for 37.32.15[.]8 hosted by AbrArvan CDN (Iran), linked to RondoDox botnet exploitation infrastructure.

Sysdig researchers documented a November 2025 intrusion where attackers leveraged AI to compress an AWS attack chain to under 10 minutes, with activity originating from 197.51.170[.]131 on Egyptian ISP TE Data (AS8452). The attack chain included stolen credentials from public S3 RAG datasets, ReadOnlyAccess reconnaissance, Lambda function code injection via UpdateFunctionCode, privilege escalation to admin account "frick," persistence across 19 AWS principals, Amazon Bedrock LLMjacking, and deployment of p4d.24xlarge instance with public JupyterLab on port 8888.

Figure 19. Hunt.io IP intelligence for 197.51.170[.]131 hosted by TE Data (Egypt), linked to an AI-powered AWS intrusion campaign.

In another case, researchers documented a macOS-focused Phexia campaign that uses ClickFix social-engineering techniques to trick users into running base64-encoded osascript droppers via Terminal. The campaign may be linked to Amatera botnet activity and is tentatively attributed to APT28. Similarly, CyberProof researchers identified a new ClickFix variant that instructs users to run a rundll32 WebDAV command via Win+R, replacing prior PowerShell/mshta tactics.

Additionally, another report detailed a 10-stage campaign delivering the HellsUchecker backdoor via a fake Cloudflare CAPTCHA (ClickFix) that tricks users into executing caret-obfuscated commands.

Figure 20. Hunt.io infrastructure tracking for the HellsUchecker blockchain-backed backdoor campaign with EtherHiding C2 resolution.

Deception.Pro observed a 12-day intrusion linked to Velvet Tempest that began with malvertising and ClickFix-style fake CAPTCHA instructing users to paste obfuscated commands into Windows Run. The chain leveraged LOLBins (finger.exe, curl.exe, tar.exe, csc.exe) to fetch masqueraded PDF archives and stage follow-on payloads. The tradecraft aligns with Termite ransomware operations, though no encryption event occurred during the observation window.

Figure 21. Hunt.io tracking of Velvet Tempest ClickFix campaign infrastructure linked to Termite ransomware operations.

Researchers detailed a long-running FakeGit campaign by a Vietnamese-speaking operator distributing LuaJIT-based loaders via GitHub since March 2025 using cracked extensions, gaming cheats, and other lures, with 50+ rotating C2 endpoints largely hosted on SERV.HOST GROUP infrastructure.

Recorded Future's first public report on GrayCharlie, a threat actor overlapping with SmartApeSG, documented how the actor compromises WordPress sites to inject external JavaScript redirecting users to NetSupport RAT payloads.

Figure 22. Hunt.io IOC Hunter showing a brief summary of the GrayCharlie WordPress compromise campaign targeting U.S. law firms.

Breakglass Intelligence reports that the CLICKSMOKE MaaS platform remains active with its C2 panel hosted on DEDIK SERVICES LIMITED infrastructure, while previously exposed builds were rotated out. A second Breakglass Intelligence report mapped nine live Needle Malware-as-a-Service customer panels confirmed on April 22, 2026, showing consistent HTTP fingerprints and unique Vite bundles per panel, validating a multi-tenant operational model.

These examples demonstrate how Middle Eastern hosting providers support a diverse threat landscape, ranging from state-sponsored espionage and destructive operations to commodity malware, MaaS platforms, cryptomining, and advanced intrusion campaigns.

Infrastructure Observables

This research is based on a large set of infrastructure-level observables, including IP addresses, domains, and C2 endpoints that Hunt.io has identified and labeled as malicious infrastructure, active malware command-and-control, phishing infrastructure, or related abuse across Middle Eastern ISPs and hosting providers.

Given the scale of the dataset, with more than 1,350 active C2 endpoints observed over three months across 14 countries and 98 providers, publishing a static list here would provide limited operational value.

Teams interested in accessing this data with proper context, attribution, and historical tracking can reach out to discuss research collaboration or operational access to the full dataset.

Conclusion

The data from this three-month window makes one thing clear: malicious infrastructure in the Middle East is not evenly distributed. Over 1,350 C2 servers across 98 providers, with a single telecom carrier accounting for nearly three quarters of all regional C2 activity, points to a threat landscape where concentration is the pattern, not the exception. Knowing which providers consistently appear in the data changes how defenders prioritize, block, and monitor.

A host-centric approach is what makes that possible. Instead of chasing individual indicators that rotate daily, teams can track the hosting environments, ASNs, and provider patterns that attackers keep coming back to. That's where the leverage is, and that's where this kind of analysis pays off.

Ready to see it in practice? Book a demo and explore how Host Radar and the Hunt.io platform can help your team track adversary infrastructure at scale, before it becomes an incident.