To embed a website or widget, add it to the properties panel.

Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers

Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers

Published on

Inside Eastern Europe's C2 Sprawl: 3,900+ Servers, 302 Providers, One Host Doing Half the Work

Originally Published on May 21, 2026
Updated: July 2, 2026

Before you read this report

Many of the detections here are Threat Activity Enablers, tools like Tactical RMM, Keitaro, Gophish, Acunetix, Cobalt Strike and Sliver. Each one has legitimate, unwanted, and malicious use cases, and the balance between those depends on the tool, the environment, and the context it turns up in.

So read the counts as what they are. A detection means the software was fingerprinted on a host that answered at scan time. That is the presence of the tool, not proof of malicious use. Some of these hosts run it for normal reasons, and a fingerprint on its own cannot tell us how many.

Software that is fine in one environment can be unwanted or out of compliance in another, which makes it a risk there. The call on how to handle that risk belongs to the end user. Where we had more to go on, like the domains a host resolves, certificate or SSH overlaps, or activity already reported against the IP, we say so.


Threat intelligence that relies on disposable indicators locks defenders into a reactive loop of detection and evasion. Shifting focus to provider-level infrastructure breaks that cycle. It surfaces the hosting providers, cloud platforms, and telecom networks where potential malicious infrastructure keeps turning up, so defenders can get ahead of adversary behavior instead of chasing it.

We've seen this play out repeatedly across the region. Iranian-nexus actors have been caught staging operations weeks before activation, botnet operators leaving entire relay networks exposed through misconfigured directories, and APT infrastructure sitting dormant on Iraqi hosting waiting to be activated. In each case, the infrastructure told the story before the attack did.

During the last three months (1 Feb 2026 - 1 May 2026) analysis window, we identified more than 1,350 active command-and-control (C2) servers operating across 98 Middle East infrastructure providers, spanning shared hosting platforms, virtual server providers, and telecommunications networks across 14 countries.

How We Analyzed Middle East Malicious Infrastructure

Host Radar, a core module of Hunt.io, was designed to address this gap by correlating C2 servers, phishing infrastructure, malicious open directories, and public IOCs back to the hosting providers and network operators that sustain them.

Using Host Radar, we analyzed telemetry associated with Middle Eastern infrastructure providers across the UAE, Saudi Arabia, Turkey, Israel, Iraq, Iran, Cyprus, Egypt, Kuwait, Lebanon, Palestine, Jordan, Bahrain, and Syria. The results reveal not only the scale of active C2 infrastructure, but also the dominance of specific malware families, and how frequently major telecommunications networks and hosting providers show up in the infrastructure tied to both commodity cybercrime and advanced threat operations.

This analysis surfaced clear patterns in how malicious infrastructure is distributed, reused, and concentrated across Middle Eastern hosting environments.

Before going deeper, these are the findings that shaped the entire analysis.

Key Observations

  • More than 1,350 C2 servers were identified across 98 Middle East infrastructure providers within the past 3 months.

  • C2 detections make up most of what we found, around 93% of all artifacts, well ahead of malicious open directories (3.1%), IOC Hunter posts (2.9%), phishing sites (0.5%), and publicly reported IOCs (0.5%).

  • A small set of hosting providers accounts for a disproportionate share of potential malicious infrastructure, with STC, SERVERS TECH FZCO (UAE), OMC (Israel), Türk Telekom, and Regxa (Iraq) hosting the largest volumes of detected C2 servers.

  • The most common detections fall into two groups: IoT botnets like Hajime, Mozi, and Mirai, which are malware, and Threat Activity Enablers like Tactical RMM, Cobalt Strike, and Sliver, which are dual-use tools that show up here when abused.

  • The detections span a wide range of operations, from state-sponsored espionage and MaaS (Malware-as-a-Service) platforms to cryptomining and targeted intrusions.

The hosting layer is where that concentration becomes most visible, so that is where we start.

Top Middle East Infrastructure Providers

The Host Radar summary for the top five Middle Eastern infrastructure providers highlights the scale and diversity of detected activity observed across these organizations over the last three months.

STC (Saudi Telecom Company), Saudi Arabia's leading telecommunications provider, shows the highest number detections among all analyzed Middle Eastern networks, with 981 over 90 days. That volume, 72.4% of the regional total, is most consistent with compromised customer endpoints across STC's very large subscriber base. STC is a national carrier, and the count tracks the size of its consumer and business network more than any choice on the provider's part.

Figure 1Figure 1. STC (Saudi Telecom Company) - Host Radar Detailed View: Per-provider Host Radar breakdown for STC, highlighting a big concentration of detections across Saudi Arabia's largest telecommunications network.

SERVERS TECH FZCO, a UAE-based technology solutions provider, shows 111 detections over 90 days, alongside 4 malicious open directories, 1 IOC, 12 IOC Hunter posts, and 1 phishing site. Host Radar assigns the network a medium abuse-response score, and the provider accepts cryptocurrency payment.

Figure 2Figure 2. TECH FZCO - Host Radar Detailed View: Host Radar metrics for SERVERS TECH FZCO.

OMC (O.M.C. Computers & Communications Ltd), an Israeli hosting and telecommunications provider, shows 62 C2 detections over 90 days, with a medium abuse-response score in Host Radar.

The presence of C2 infrastructure without broader malicious artifacts suggests isolated infrastructure abuse rather than large-scale coordinated campaigns, though the score reflects repeated abuse seen within the network over time.

Figure 3Figure 3. OMC - Host Radar Detailed View: Detailed Host Radar metrics showing OMC's moderate C2 infrastructure concentration with limited associated malicious artifacts.

Türk Telekom, Turkey's leading telecommunications provider, shows 44 C2 servers alongside 6 malicious open directories over 90 days, carrying a medium bulletproof rating.

The presence of both C2 infrastructure and exposed malicious directories indicates that compromised Turkish telecommunications infrastructure serves as both command-and-control endpoints and staging environments for malware distribution.

Figure 4Figure 4. Türk Telekom - Host Radar Detailed View: Host Radar metrics for Türk Telekom reflecting C2 infrastructure alongside malicious open directories within Turkey's primary telecommunications network.

Regxa Company for Information Technology Ltd, an Iraqi IT solutions provider, shows 38 C2 detections, 1 malicious open directory, 1 IOC, and 1 IOC Hunter post over 90 days. Host Radar assigns it the highest abuse-response score in this dataset, which reflects how often abuse in its ranges goes unremediated.

That score reflects slow or limited abuse response over the window we looked at. It is not a finding that the provider knowingly permits criminal activity, and we are not making that claim.

Figure 5Figure 5. Regxa Company for Information Technology Ltd - Host Radar Detailed View: Host Radar summary for the Iraqi provider, highlighting C2 detections with the highest abuse-response score in this dataset.

With the top Middle Eastern infrastructure hosting providers in mind, let's now focus on analyzing the C2 infrastructure across different ISPs and regions.

Potential C2 Detections Across Middle East ISPs

This section describes how Host Radar was used to detect and attribute C2 infrastructure and related malicious artifacts operating within Middle Eastern hosting environments over a three-month observation window.

After applying Middle East country filters (AE, BH, CY, EG, IL, IQ, IR, JO, KW, LB, PS, SA, SY, TR), the Host Radar summary view reveals 98 distinct infrastructure providers operating within Middle Eastern ISPs, hosting providers, and cloud ecosystems that were associated with malicious activity.

This broad distribution shows the diversity of the Middle East's hosting ecosystem, where malicious infrastructure is spread across telecommunications giants, specialized VPS providers, and cloud platforms rather than concentrated in only a few networks.

Figure 6Figure 6. Host Radar summary view showing malicious infrastructure detected across 98 Middle Eastern ISPs and hosting providers over a three-month analysis window.

Dataset Scope and Observed Infrastructure Landscape Over the Middle East

Across the full set of 98 Middle Eastern infrastructure providers, Host Radar recorded 1,459 malicious artifacts during the three-month observation period. This includes 1,357 C2 servers, 45 malicious open directories, 7 indicators of compromise (IOCs) referenced in public research, 43 IOC Hunter posts, and 7 phishing sites.

The data reveals that C2 infrastructure accounts for the largest share of observed malicious activity at 93.0% of all detected artifacts. Malicious open directories represent 3.1%, IOC Hunter posts 2.9%, phishing sites 0.5%, and publicly reported IOCs 0.5%.

This distribution suggests that Middle Eastern hosting environments are primarily leveraged for C2 operations, with significantly fewer cases of exposed artifacts or phishing infrastructure compared to other global infrastructure ecosystems.

Figure 7Figure 7. Aggregate breakdown of C2 servers (1,357), phishing sites (7), malicious open directories (45), IOC Hunter posts (43), and public IOCs (7) detected within Middle Eastern hosting environments.

Concentration of Potential C2 Infrastructure Across Middle East Providers

STC (Saudi Telecom Company) emerges as the dominant contributor with 981 detections, representing an unprecedented 72.4% of this regional dataset.

This is followed by SERVERS TECH FZCO (111 C2 detections), OMC (62 C2 detections), Türk Telekom (44 C2 detections), and Regxa Company for IT Ltd (38 C2 detections), showing that both large telecommunications providers and specialized hosting companies appear in the regional detections.

Other prominent providers include SERV.HOST GROUP LTD (Cyprus, 25), Hosting Dünyam (Turkey, 15), SUNUCUN BILGI (Turkey, 7), IHS Kurumsal Teknoloji (Turkey, 6), and Paltel (Palestine, 6).

The mix of large telecoms and smaller VPS providers in the top rankings shows how varied the networks are abused by potential threat actors, from consumer ISP space where endpoints get compromised to smaller networks where abuse lingers longer.

Malware Family Distribution Within Middle East Networks

Using HuntSQL, we analyzed the distribution of command-and-control (C2) infrastructure across malware families hosted within Middle Eastern networks over three months.

Example Query:

SELECT
  malware.name,
  uniq(ip) AS COUNTS
FROM
  malware
WHERE
  (asn.country_code='AE' OR asn.country_code='BH' OR asn.country_code='CY' 
  OR asn.country_code='EG' OR asn.country_code='IL' OR asn.country_code='IQ' 
  OR asn.country_code='IR' OR asn.country_code='JO' OR asn.country_code='KW' 
  OR asn.country_code='LB' OR asn.country_code='PS' OR asn.country_code='SA' 
  OR asn.country_code='SY' OR asn.country_code='TR')
  AND timestamp > NOW - 3 MONTH
GROUP BY
  malware.name
ORDER BY
  COUNTS DESC

                
Copy

Output Example:

Figure 8Figure 8. HuntSQL query output showing the dominant malware families hosting C2 infrastructure within Middle East networks over three months.

The results reveal that Tactical RMM leads the dataset with 92 unique detections, representing the largest concentration of C2 infrastructure observed in Middle Eastern hosting environments, reflecting widespread abuse of this legitimate remote management tool for post-exploitation operations.

The second largest cluster, Keitaro (71 C2s), represents a traffic distribution system (TDS) infrastructure, often exploited by threat actors, for malvertising, phishing, and exploit kit campaigns, indicating coordinated campaigns leveraging regional advertising networks and compromised websites.

Acunetix (38 C2s) and Gophish (31 C2s) reflect active scanning and phishing infrastructure, while IoT-focused botnets Mozi (24 C2s) and Hajime (22 C2s) demonstrate continued exploitation of compromised embedded devices across the region.

Several offensive security frameworks and post-exploitation platforms also appear prominently in the dataset. These include Prism X (13), AsyncRAT (12), Sliver (10), Cobalt Strike (8), and Mirai (8), indicating that both commodity malware and sophisticated APT tooling leverage Middle Eastern infrastructure.

This concentration lets defenders focus on shared infrastructure patterns rather than chasing individual malware variants.

Figure 9Figure 9. Bar graph illustrating the distribution of the Top 10 Malware Command-and-Control (C2) Families observed across Middle East infrastructure over the last three months.

Infrastructure Providers Hosting the Widest Malware Diversity

A HuntSQL query was designed to surface organizations hosting the widest variety of malware activity within Middle Eastern networks over the last three months. The query aggregates telemetry by org.name and calculates the number of distinct C2 IPs attributed to an organization (Unique_C2) as well as Unique_Malware, which reflects the diversity of malware families observed within that infrastructure.

Example Query:

SELECT
  org.name,
  uniq(ip) AS Unique_C2,
  uniq(malware.name) AS Unique_Malware
FROM
  malware
WHERE
  org.name != ""
  AND (asn.country_code='AE' OR asn.country_code='BH' OR asn.country_code='CY' 
  OR asn.country_code='EG' OR asn.country_code='IL' OR asn.country_code='IQ' 
  OR asn.country_code='IR' OR asn.country_code='JO' OR asn.country_code='KW' 
  OR asn.country_code='LB' OR asn.country_code='PS' OR asn.country_code='SA' 
  OR asn.country_code='SY' OR asn.country_code='TR')
  AND timestamp > NOW - 3 MONTH
GROUP BY
  org.name
ORDER BY
  Unique_Malware DESC

                
Copy

Output Example:

Figure 10Figure 10. A HuntSQL query aggregating malware telemetry by a Middle East organization to identify providers hosting the widest variety of malware families.

The results show the malware families clustering inside a few of the largest hosting and telecom networks. That tracks with network size more than anything else. More customer endpoints means more hosts an attacker can compromise, so the biggest providers surface most of the spread.

Turk Telekomunikasyon Anonim Sirketi shows 6 distinct malware families across 9 unique endpoints, the highest malware-to-C2 ratio in the dataset. On a carrier that large, that points to a scatter of unrelated compromised hosts rather than a single campaign.

HOSTING DUNYAM BILISIM TEKNOLOJILERI shows 5 distinct malware families across 7 unique endpoints, and O.M.C. COMPUTERS & COMMUNICATIONS LTD shows 5 across 8.

Other providers with notable malware diversity include BlueVPS OU (4 malware families), Private Customer (4), SUNUCUN BILGI (4), NTT DATA (3), Oracle Corporation (3), Microsoft Corporation (3), TE Data (3), and several others.

For the large cloud platforms in this list, like NTT DATA, Oracle, and Microsoft, the detections sit in customer-provisioned instances. The tooling runs in a tenant's space, not on infrastructure the platform operates, and the numbers should be read that way.

That malware diversity maps directly to operational variety. IOC Hunter surfaced campaigns spanning ransomware delivery, state-sponsored espionage, MaaS platforms, and destructive attacks, all running on the same regional infrastructure.

Potential Malicious Campaigns Observed Across Middle East Hosting Environments

The following examples illustrate how the infrastructure patterns identified above translate into active malware campaigns, state-sponsored espionage operations, MaaS platforms, and targeted intrusion campaigns within Middle Eastern hosting environments.

Over the observation period, Hunt.io tracking surfaced Phorpiex (Twizt) botnet C2 server at 94.252.245[.]193 hosted on Syrian Telecom infrastructure, operating a hybrid C2 architecture combining HTTP endpoints with a resilient peer-to-peer UDP layer on port 40,500. The campaign delivered encrypted high-entropy payloads, including XMRig miner, and has previously distributed LockBit Black ransomware.

Figure 11Figure 11. Hunt.io IP intelligence "94.252.245[.]193" highlighting Syrian Telecom infrastructure hosting Phorpiex/Twizt C2 servers with a hybrid HTTP and P2P command-and-control architecture.

Infrastructure observed on Regxa Company for Information Technology Ltd (regxa.iq) was linked to C2 for a February 2026 espionage campaign attributed to the Eagle Werewolf cluster, targeting state and industrial entities using Starlink registration and drone training lures. The multi-stage attack chain deployed EchoGather RAT via Telegram channels and phishing pages, Sliver implant via DLL side-loading through Fondue.exe, SoullessRAT via fake AlphaFly installer, and AquilaRAT (Rust backdoor) leveraging multiple rotating C2 domains.

Figure 12Figure 12. Hunt.io IP intelligence for Regxa Iraq infrastructure hosting Eagle Werewolf APT C2 domains targeting state entities and drone communities.

On Netinternet Bilisim Teknolojileri AS (Turkey), the IP 93.113.62[.]247 was observed in a phishing campaign impersonating generic "Cloud Storage" services to harvest payment details, using disposable domains and Google Cloud Storage for redirect pages.

Figure 13Figure 13. Hunt.io IP intelligence for 93.113.62[.]247 hosted by Netinternet (Turkey), linked to a Cloud Storage impersonation phishing campaign.

Active exploitation of CVE-2025-11953 (Metro4Shell) in React Native CLI was observed with source IP 5.109.182[.]231 on Saudi Arabia's Mobily network (AS35819), delivering Base64-encoded PowerShell scripts that added Microsoft Defender Antivirus exclusions before establishing TCP connections to download Rust-based binaries with anti-analysis checks.

Figure 14Figure 14. Hunt.io IP intelligence for 5.109.182[.]231 hosted by Mobily (Saudi Arabia), linked to Metro4Shell RCE exploitation campaign.

Infrastructure observed on CLODO CLOUD SERVICE CO. L.L.C (UAE) was linked to the DYNOWIPER destructive campaign targeting Poland's energy sector. Per CERT Polska and ESET, the wiper was blocked before causing damage: more than 30 wind and solar sites were targeted, but there was no successful data destruction or outage. Attribution is not settled, CERT Polska points to Static Tundra (an Energetic Bear alias), while ESET and Dragos attribute the activity to Sandworm with moderate confidence.

Figure 15Figure 15. Hunt.io tracked DYNOWIPER strikes Poland's energy sector, a destructive malware campaign exploiting weak access controls to infiltrate critical infrastructure, wipe data across 30+ facilities, and expose the growing risks to SCADA/OT environments.

Bitsight TRACE documented the RondoDox botnet leveraging exploitation server infrastructure at 37.32.15[.]8 on Iranian provider AbrArvan CDN and IaaS, active since May 2025 and peaked at 15,000 daily exploit attempts against internet-exposed devices. The Mirai-like botnet deployed 174 distinct exploits without writing initial implants to disk, executed shell scripts via unauthenticated RCEs, deployed DoS bots supporting 18 architectures, and dropped XMRig miner before connecting to hardcoded C2s.

Figure 16Figure 16. Hunt.io IP intelligence for 37.32.15[.]8 hosted by AbrArvan CDN (Iran), linked to RondoDox botnet exploitation infrastructure.

Sysdig researchers documented a November 2025 intrusion where attackers leveraged AI to compress an AWS attack chain to under 10 minutes, with activity originating from 197.51.170[.]131 on Egyptian ISP TE Data (AS8452). The attack chain included stolen credentials from public S3 RAG datasets, ReadOnlyAccess reconnaissance, Lambda function code injection via UpdateFunctionCode, privilege escalation to admin account "frick," persistence across 19 AWS principals, Amazon Bedrock LLMjacking, and deployment of p4d.24xlarge instance with public JupyterLab on port 8888.

Figure 17Figure 17. Hunt.io IP intelligence for 197.51.170[.]131 hosted by TE Data (Egypt), linked to an AI-powered AWS intrusion campaign.

In another attack, the researcher finds a macOS-focused Phexia campaign that uses ClickFix social-engineering techniques to trick users into running base64-encoded osascript droppers via Terminal. The campaign may be linked to Amatera botnet activity and is tentatively attributed to APT28. Similarly, the CyberProof researchers identified a new ClickFix variant that instructs users to run a rundll32 WebDAV command via Win+R, replacing prior PowerShell/mshta tactics.

Additionally, another research detailed a 10-stage campaign delivering the HellsUchecker backdoor via fake Cloudflare CAPTCHA (ClickFix) that tricks users into executing caret-obfuscated commands.

Figure 18Figure 18. Hunt.io infrastructure tracking for HellsUchecker blockchain-backed backdoor campaign with EtherHiding C2 resolution.

Deception.Pro observed a 12-day intrusion linked to Velvet Tempest that began with malvertising and ClickFix-style fake CAPTCHA instructing users to paste obfuscated commands into Windows Run. The chain leveraged LOLBins (finger.exe, curl.exe, tar.exe, csc.exe) to fetch masqueraded PDF archives and stage follow-on payloads. The tradecraft aligns with Termite ransomware operations, though no encryption event occurred during the observation window.

Figure 19Figure 19. Hunt.io tracking of Velvet Tempest ClickFix campaign infrastructure linked to Termite ransomware operations.

The researcher detailed a long-running FakeGit campaign by a Vietnamese-speaking operator distributing LuaJIT-based loaders via GitHub since March 2025 using cracked extensions, gaming cheats, and other lures, with 50+ rotating C2 endpoints largely hosted on SERV.HOST GROUP infrastructure.

Recorded Future's first public report on GrayCharlie, a threat actor overlapping with SmartApeSG, documented how the actor compromises WordPress sites to inject external JavaScript redirecting users to NetSupport RAT payloads.

Figure 20Figure 20. Hunt.io IOC Hunter showing a brief summary of the GrayCharlie WordPress compromise campaign targeting U.S. law firms.

Breakglass Intelligence reports the CLICKSMOKE MaaS platform remains active with its C2 panel hosted on DEDIK SERVICES LIMITED infrastructure, while previously exposed builds were rotated out. Another attack reported by Breakglass intelligence, mapped nine live Needle Malware-as-a-Service customer panels confirmed on April 22, 2026, showing consistent HTTP fingerprints and unique Vite bundles per panel, validating a multi-tenant operational model.

These examples demonstrate how Middle Eastern hosting providers support a diverse threat landscape, ranging from state-sponsored espionage and destructive operations to commodity malware, MaaS platforms, cryptomining, and advanced intrusion campaigns.

Infrastructure Observables

This research draws on a large set of infrastructure-level observables: IP addresses, domains, and endpoints across Middle Eastern ISPs and hosting providers. Some are confirmed malicious through corroborating evidence. Others are detections where a tool tied to threat activity was fingerprinted on a reachable host, which is a lead rather than a verdict, as noted at the top.

Given the scale of the dataset, with more than 1,350 active C2 endpoints observed over three months across 14 countries and 98 providers, publishing a static list here would provide limited operational value.

Teams interested in accessing this data with proper context, attribution, and historical tracking can reach out to discuss research collaboration or operational access to the full dataset.

Conclusion

The three-month window shows that malicious infrastructure in the Middle East is not spread evenly. More than 1,350 C2 detections across 98 providers tells you concentration is the pattern, not the exception. Knowing which networks attackers keep landing in changes how defenders prioritize, block, and monitor.

A host-centric approach is what makes that possible. Instead of chasing individual indicators that rotate daily, teams can track the hosting environments, ASNs, and provider patterns that attackers keep coming back to. That's where the leverage is, and that's where this kind of analysis pays off.

Ready to see it in practice? Book a demo and explore how Host Radar and the Hunt.io platform can help your team track adversary infrastructure at scale, before it becomes an incident.

Originally Published on May 21, 2026
Updated: July 2, 2026

Before you read this report

Many of the detections here are Threat Activity Enablers, tools like Tactical RMM, Keitaro, Gophish, Acunetix, Cobalt Strike and Sliver. Each one has legitimate, unwanted, and malicious use cases, and the balance between those depends on the tool, the environment, and the context it turns up in.

So read the counts as what they are. A detection means the software was fingerprinted on a host that answered at scan time. That is the presence of the tool, not proof of malicious use. Some of these hosts run it for normal reasons, and a fingerprint on its own cannot tell us how many.

Software that is fine in one environment can be unwanted or out of compliance in another, which makes it a risk there. The call on how to handle that risk belongs to the end user. Where we had more to go on, like the domains a host resolves, certificate or SSH overlaps, or activity already reported against the IP, we say so.


Threat intelligence that relies on disposable indicators locks defenders into a reactive loop of detection and evasion. Shifting focus to provider-level infrastructure breaks that cycle. It surfaces the hosting providers, cloud platforms, and telecom networks where potential malicious infrastructure keeps turning up, so defenders can get ahead of adversary behavior instead of chasing it.

We've seen this play out repeatedly across the region. Iranian-nexus actors have been caught staging operations weeks before activation, botnet operators leaving entire relay networks exposed through misconfigured directories, and APT infrastructure sitting dormant on Iraqi hosting waiting to be activated. In each case, the infrastructure told the story before the attack did.

During the last three months (1 Feb 2026 - 1 May 2026) analysis window, we identified more than 1,350 active command-and-control (C2) servers operating across 98 Middle East infrastructure providers, spanning shared hosting platforms, virtual server providers, and telecommunications networks across 14 countries.

How We Analyzed Middle East Malicious Infrastructure

Host Radar, a core module of Hunt.io, was designed to address this gap by correlating C2 servers, phishing infrastructure, malicious open directories, and public IOCs back to the hosting providers and network operators that sustain them.

Using Host Radar, we analyzed telemetry associated with Middle Eastern infrastructure providers across the UAE, Saudi Arabia, Turkey, Israel, Iraq, Iran, Cyprus, Egypt, Kuwait, Lebanon, Palestine, Jordan, Bahrain, and Syria. The results reveal not only the scale of active C2 infrastructure, but also the dominance of specific malware families, and how frequently major telecommunications networks and hosting providers show up in the infrastructure tied to both commodity cybercrime and advanced threat operations.

This analysis surfaced clear patterns in how malicious infrastructure is distributed, reused, and concentrated across Middle Eastern hosting environments.

Before going deeper, these are the findings that shaped the entire analysis.

Key Observations

  • More than 1,350 C2 servers were identified across 98 Middle East infrastructure providers within the past 3 months.

  • C2 detections make up most of what we found, around 93% of all artifacts, well ahead of malicious open directories (3.1%), IOC Hunter posts (2.9%), phishing sites (0.5%), and publicly reported IOCs (0.5%).

  • A small set of hosting providers accounts for a disproportionate share of potential malicious infrastructure, with STC, SERVERS TECH FZCO (UAE), OMC (Israel), Türk Telekom, and Regxa (Iraq) hosting the largest volumes of detected C2 servers.

  • The most common detections fall into two groups: IoT botnets like Hajime, Mozi, and Mirai, which are malware, and Threat Activity Enablers like Tactical RMM, Cobalt Strike, and Sliver, which are dual-use tools that show up here when abused.

  • The detections span a wide range of operations, from state-sponsored espionage and MaaS (Malware-as-a-Service) platforms to cryptomining and targeted intrusions.

The hosting layer is where that concentration becomes most visible, so that is where we start.

Top Middle East Infrastructure Providers

The Host Radar summary for the top five Middle Eastern infrastructure providers highlights the scale and diversity of detected activity observed across these organizations over the last three months.

STC (Saudi Telecom Company), Saudi Arabia's leading telecommunications provider, shows the highest number detections among all analyzed Middle Eastern networks, with 981 over 90 days. That volume, 72.4% of the regional total, is most consistent with compromised customer endpoints across STC's very large subscriber base. STC is a national carrier, and the count tracks the size of its consumer and business network more than any choice on the provider's part.

Figure 1Figure 1. STC (Saudi Telecom Company) - Host Radar Detailed View: Per-provider Host Radar breakdown for STC, highlighting a big concentration of detections across Saudi Arabia's largest telecommunications network.

SERVERS TECH FZCO, a UAE-based technology solutions provider, shows 111 detections over 90 days, alongside 4 malicious open directories, 1 IOC, 12 IOC Hunter posts, and 1 phishing site. Host Radar assigns the network a medium abuse-response score, and the provider accepts cryptocurrency payment.

Figure 2Figure 2. TECH FZCO - Host Radar Detailed View: Host Radar metrics for SERVERS TECH FZCO.

OMC (O.M.C. Computers & Communications Ltd), an Israeli hosting and telecommunications provider, shows 62 C2 detections over 90 days, with a medium abuse-response score in Host Radar.

The presence of C2 infrastructure without broader malicious artifacts suggests isolated infrastructure abuse rather than large-scale coordinated campaigns, though the score reflects repeated abuse seen within the network over time.

Figure 3Figure 3. OMC - Host Radar Detailed View: Detailed Host Radar metrics showing OMC's moderate C2 infrastructure concentration with limited associated malicious artifacts.

Türk Telekom, Turkey's leading telecommunications provider, shows 44 C2 servers alongside 6 malicious open directories over 90 days, carrying a medium bulletproof rating.

The presence of both C2 infrastructure and exposed malicious directories indicates that compromised Turkish telecommunications infrastructure serves as both command-and-control endpoints and staging environments for malware distribution.

Figure 4Figure 4. Türk Telekom - Host Radar Detailed View: Host Radar metrics for Türk Telekom reflecting C2 infrastructure alongside malicious open directories within Turkey's primary telecommunications network.

Regxa Company for Information Technology Ltd, an Iraqi IT solutions provider, shows 38 C2 detections, 1 malicious open directory, 1 IOC, and 1 IOC Hunter post over 90 days. Host Radar assigns it the highest abuse-response score in this dataset, which reflects how often abuse in its ranges goes unremediated.

That score reflects slow or limited abuse response over the window we looked at. It is not a finding that the provider knowingly permits criminal activity, and we are not making that claim.

Figure 5Figure 5. Regxa Company for Information Technology Ltd - Host Radar Detailed View: Host Radar summary for the Iraqi provider, highlighting C2 detections with the highest abuse-response score in this dataset.

With the top Middle Eastern infrastructure hosting providers in mind, let's now focus on analyzing the C2 infrastructure across different ISPs and regions.

Potential C2 Detections Across Middle East ISPs

This section describes how Host Radar was used to detect and attribute C2 infrastructure and related malicious artifacts operating within Middle Eastern hosting environments over a three-month observation window.

After applying Middle East country filters (AE, BH, CY, EG, IL, IQ, IR, JO, KW, LB, PS, SA, SY, TR), the Host Radar summary view reveals 98 distinct infrastructure providers operating within Middle Eastern ISPs, hosting providers, and cloud ecosystems that were associated with malicious activity.

This broad distribution shows the diversity of the Middle East's hosting ecosystem, where malicious infrastructure is spread across telecommunications giants, specialized VPS providers, and cloud platforms rather than concentrated in only a few networks.

Figure 6Figure 6. Host Radar summary view showing malicious infrastructure detected across 98 Middle Eastern ISPs and hosting providers over a three-month analysis window.

Dataset Scope and Observed Infrastructure Landscape Over the Middle East

Across the full set of 98 Middle Eastern infrastructure providers, Host Radar recorded 1,459 malicious artifacts during the three-month observation period. This includes 1,357 C2 servers, 45 malicious open directories, 7 indicators of compromise (IOCs) referenced in public research, 43 IOC Hunter posts, and 7 phishing sites.

The data reveals that C2 infrastructure accounts for the largest share of observed malicious activity at 93.0% of all detected artifacts. Malicious open directories represent 3.1%, IOC Hunter posts 2.9%, phishing sites 0.5%, and publicly reported IOCs 0.5%.

This distribution suggests that Middle Eastern hosting environments are primarily leveraged for C2 operations, with significantly fewer cases of exposed artifacts or phishing infrastructure compared to other global infrastructure ecosystems.

Figure 7Figure 7. Aggregate breakdown of C2 servers (1,357), phishing sites (7), malicious open directories (45), IOC Hunter posts (43), and public IOCs (7) detected within Middle Eastern hosting environments.

Concentration of Potential C2 Infrastructure Across Middle East Providers

STC (Saudi Telecom Company) emerges as the dominant contributor with 981 detections, representing an unprecedented 72.4% of this regional dataset.

This is followed by SERVERS TECH FZCO (111 C2 detections), OMC (62 C2 detections), Türk Telekom (44 C2 detections), and Regxa Company for IT Ltd (38 C2 detections), showing that both large telecommunications providers and specialized hosting companies appear in the regional detections.

Other prominent providers include SERV.HOST GROUP LTD (Cyprus, 25), Hosting Dünyam (Turkey, 15), SUNUCUN BILGI (Turkey, 7), IHS Kurumsal Teknoloji (Turkey, 6), and Paltel (Palestine, 6).

The mix of large telecoms and smaller VPS providers in the top rankings shows how varied the networks are abused by potential threat actors, from consumer ISP space where endpoints get compromised to smaller networks where abuse lingers longer.

Malware Family Distribution Within Middle East Networks

Using HuntSQL, we analyzed the distribution of command-and-control (C2) infrastructure across malware families hosted within Middle Eastern networks over three months.

Example Query:

SELECT
  malware.name,
  uniq(ip) AS COUNTS
FROM
  malware
WHERE
  (asn.country_code='AE' OR asn.country_code='BH' OR asn.country_code='CY' 
  OR asn.country_code='EG' OR asn.country_code='IL' OR asn.country_code='IQ' 
  OR asn.country_code='IR' OR asn.country_code='JO' OR asn.country_code='KW' 
  OR asn.country_code='LB' OR asn.country_code='PS' OR asn.country_code='SA' 
  OR asn.country_code='SY' OR asn.country_code='TR')
  AND timestamp > NOW - 3 MONTH
GROUP BY
  malware.name
ORDER BY
  COUNTS DESC

                
Copy

Output Example:

Figure 8Figure 8. HuntSQL query output showing the dominant malware families hosting C2 infrastructure within Middle East networks over three months.

The results reveal that Tactical RMM leads the dataset with 92 unique detections, representing the largest concentration of C2 infrastructure observed in Middle Eastern hosting environments, reflecting widespread abuse of this legitimate remote management tool for post-exploitation operations.

The second largest cluster, Keitaro (71 C2s), represents a traffic distribution system (TDS) infrastructure, often exploited by threat actors, for malvertising, phishing, and exploit kit campaigns, indicating coordinated campaigns leveraging regional advertising networks and compromised websites.

Acunetix (38 C2s) and Gophish (31 C2s) reflect active scanning and phishing infrastructure, while IoT-focused botnets Mozi (24 C2s) and Hajime (22 C2s) demonstrate continued exploitation of compromised embedded devices across the region.

Several offensive security frameworks and post-exploitation platforms also appear prominently in the dataset. These include Prism X (13), AsyncRAT (12), Sliver (10), Cobalt Strike (8), and Mirai (8), indicating that both commodity malware and sophisticated APT tooling leverage Middle Eastern infrastructure.

This concentration lets defenders focus on shared infrastructure patterns rather than chasing individual malware variants.

Figure 9Figure 9. Bar graph illustrating the distribution of the Top 10 Malware Command-and-Control (C2) Families observed across Middle East infrastructure over the last three months.

Infrastructure Providers Hosting the Widest Malware Diversity

A HuntSQL query was designed to surface organizations hosting the widest variety of malware activity within Middle Eastern networks over the last three months. The query aggregates telemetry by org.name and calculates the number of distinct C2 IPs attributed to an organization (Unique_C2) as well as Unique_Malware, which reflects the diversity of malware families observed within that infrastructure.

Example Query:

SELECT
  org.name,
  uniq(ip) AS Unique_C2,
  uniq(malware.name) AS Unique_Malware
FROM
  malware
WHERE
  org.name != ""
  AND (asn.country_code='AE' OR asn.country_code='BH' OR asn.country_code='CY' 
  OR asn.country_code='EG' OR asn.country_code='IL' OR asn.country_code='IQ' 
  OR asn.country_code='IR' OR asn.country_code='JO' OR asn.country_code='KW' 
  OR asn.country_code='LB' OR asn.country_code='PS' OR asn.country_code='SA' 
  OR asn.country_code='SY' OR asn.country_code='TR')
  AND timestamp > NOW - 3 MONTH
GROUP BY
  org.name
ORDER BY
  Unique_Malware DESC

                
Copy

Output Example:

Figure 10Figure 10. A HuntSQL query aggregating malware telemetry by a Middle East organization to identify providers hosting the widest variety of malware families.

The results show the malware families clustering inside a few of the largest hosting and telecom networks. That tracks with network size more than anything else. More customer endpoints means more hosts an attacker can compromise, so the biggest providers surface most of the spread.

Turk Telekomunikasyon Anonim Sirketi shows 6 distinct malware families across 9 unique endpoints, the highest malware-to-C2 ratio in the dataset. On a carrier that large, that points to a scatter of unrelated compromised hosts rather than a single campaign.

HOSTING DUNYAM BILISIM TEKNOLOJILERI shows 5 distinct malware families across 7 unique endpoints, and O.M.C. COMPUTERS & COMMUNICATIONS LTD shows 5 across 8.

Other providers with notable malware diversity include BlueVPS OU (4 malware families), Private Customer (4), SUNUCUN BILGI (4), NTT DATA (3), Oracle Corporation (3), Microsoft Corporation (3), TE Data (3), and several others.

For the large cloud platforms in this list, like NTT DATA, Oracle, and Microsoft, the detections sit in customer-provisioned instances. The tooling runs in a tenant's space, not on infrastructure the platform operates, and the numbers should be read that way.

That malware diversity maps directly to operational variety. IOC Hunter surfaced campaigns spanning ransomware delivery, state-sponsored espionage, MaaS platforms, and destructive attacks, all running on the same regional infrastructure.

Potential Malicious Campaigns Observed Across Middle East Hosting Environments

The following examples illustrate how the infrastructure patterns identified above translate into active malware campaigns, state-sponsored espionage operations, MaaS platforms, and targeted intrusion campaigns within Middle Eastern hosting environments.

Over the observation period, Hunt.io tracking surfaced Phorpiex (Twizt) botnet C2 server at 94.252.245[.]193 hosted on Syrian Telecom infrastructure, operating a hybrid C2 architecture combining HTTP endpoints with a resilient peer-to-peer UDP layer on port 40,500. The campaign delivered encrypted high-entropy payloads, including XMRig miner, and has previously distributed LockBit Black ransomware.

Figure 11Figure 11. Hunt.io IP intelligence "94.252.245[.]193" highlighting Syrian Telecom infrastructure hosting Phorpiex/Twizt C2 servers with a hybrid HTTP and P2P command-and-control architecture.

Infrastructure observed on Regxa Company for Information Technology Ltd (regxa.iq) was linked to C2 for a February 2026 espionage campaign attributed to the Eagle Werewolf cluster, targeting state and industrial entities using Starlink registration and drone training lures. The multi-stage attack chain deployed EchoGather RAT via Telegram channels and phishing pages, Sliver implant via DLL side-loading through Fondue.exe, SoullessRAT via fake AlphaFly installer, and AquilaRAT (Rust backdoor) leveraging multiple rotating C2 domains.

Figure 12Figure 12. Hunt.io IP intelligence for Regxa Iraq infrastructure hosting Eagle Werewolf APT C2 domains targeting state entities and drone communities.

On Netinternet Bilisim Teknolojileri AS (Turkey), the IP 93.113.62[.]247 was observed in a phishing campaign impersonating generic "Cloud Storage" services to harvest payment details, using disposable domains and Google Cloud Storage for redirect pages.

Figure 13Figure 13. Hunt.io IP intelligence for 93.113.62[.]247 hosted by Netinternet (Turkey), linked to a Cloud Storage impersonation phishing campaign.

Active exploitation of CVE-2025-11953 (Metro4Shell) in React Native CLI was observed with source IP 5.109.182[.]231 on Saudi Arabia's Mobily network (AS35819), delivering Base64-encoded PowerShell scripts that added Microsoft Defender Antivirus exclusions before establishing TCP connections to download Rust-based binaries with anti-analysis checks.

Figure 14Figure 14. Hunt.io IP intelligence for 5.109.182[.]231 hosted by Mobily (Saudi Arabia), linked to Metro4Shell RCE exploitation campaign.

Infrastructure observed on CLODO CLOUD SERVICE CO. L.L.C (UAE) was linked to the DYNOWIPER destructive campaign targeting Poland's energy sector. Per CERT Polska and ESET, the wiper was blocked before causing damage: more than 30 wind and solar sites were targeted, but there was no successful data destruction or outage. Attribution is not settled, CERT Polska points to Static Tundra (an Energetic Bear alias), while ESET and Dragos attribute the activity to Sandworm with moderate confidence.

Figure 15Figure 15. Hunt.io tracked DYNOWIPER strikes Poland's energy sector, a destructive malware campaign exploiting weak access controls to infiltrate critical infrastructure, wipe data across 30+ facilities, and expose the growing risks to SCADA/OT environments.

Bitsight TRACE documented the RondoDox botnet leveraging exploitation server infrastructure at 37.32.15[.]8 on Iranian provider AbrArvan CDN and IaaS, active since May 2025 and peaked at 15,000 daily exploit attempts against internet-exposed devices. The Mirai-like botnet deployed 174 distinct exploits without writing initial implants to disk, executed shell scripts via unauthenticated RCEs, deployed DoS bots supporting 18 architectures, and dropped XMRig miner before connecting to hardcoded C2s.

Figure 16Figure 16. Hunt.io IP intelligence for 37.32.15[.]8 hosted by AbrArvan CDN (Iran), linked to RondoDox botnet exploitation infrastructure.

Sysdig researchers documented a November 2025 intrusion where attackers leveraged AI to compress an AWS attack chain to under 10 minutes, with activity originating from 197.51.170[.]131 on Egyptian ISP TE Data (AS8452). The attack chain included stolen credentials from public S3 RAG datasets, ReadOnlyAccess reconnaissance, Lambda function code injection via UpdateFunctionCode, privilege escalation to admin account "frick," persistence across 19 AWS principals, Amazon Bedrock LLMjacking, and deployment of p4d.24xlarge instance with public JupyterLab on port 8888.

Figure 17Figure 17. Hunt.io IP intelligence for 197.51.170[.]131 hosted by TE Data (Egypt), linked to an AI-powered AWS intrusion campaign.

In another attack, the researcher finds a macOS-focused Phexia campaign that uses ClickFix social-engineering techniques to trick users into running base64-encoded osascript droppers via Terminal. The campaign may be linked to Amatera botnet activity and is tentatively attributed to APT28. Similarly, the CyberProof researchers identified a new ClickFix variant that instructs users to run a rundll32 WebDAV command via Win+R, replacing prior PowerShell/mshta tactics.

Additionally, another research detailed a 10-stage campaign delivering the HellsUchecker backdoor via fake Cloudflare CAPTCHA (ClickFix) that tricks users into executing caret-obfuscated commands.

Figure 18Figure 18. Hunt.io infrastructure tracking for HellsUchecker blockchain-backed backdoor campaign with EtherHiding C2 resolution.

Deception.Pro observed a 12-day intrusion linked to Velvet Tempest that began with malvertising and ClickFix-style fake CAPTCHA instructing users to paste obfuscated commands into Windows Run. The chain leveraged LOLBins (finger.exe, curl.exe, tar.exe, csc.exe) to fetch masqueraded PDF archives and stage follow-on payloads. The tradecraft aligns with Termite ransomware operations, though no encryption event occurred during the observation window.

Figure 19Figure 19. Hunt.io tracking of Velvet Tempest ClickFix campaign infrastructure linked to Termite ransomware operations.

The researcher detailed a long-running FakeGit campaign by a Vietnamese-speaking operator distributing LuaJIT-based loaders via GitHub since March 2025 using cracked extensions, gaming cheats, and other lures, with 50+ rotating C2 endpoints largely hosted on SERV.HOST GROUP infrastructure.

Recorded Future's first public report on GrayCharlie, a threat actor overlapping with SmartApeSG, documented how the actor compromises WordPress sites to inject external JavaScript redirecting users to NetSupport RAT payloads.

Figure 20Figure 20. Hunt.io IOC Hunter showing a brief summary of the GrayCharlie WordPress compromise campaign targeting U.S. law firms.

Breakglass Intelligence reports the CLICKSMOKE MaaS platform remains active with its C2 panel hosted on DEDIK SERVICES LIMITED infrastructure, while previously exposed builds were rotated out. Another attack reported by Breakglass intelligence, mapped nine live Needle Malware-as-a-Service customer panels confirmed on April 22, 2026, showing consistent HTTP fingerprints and unique Vite bundles per panel, validating a multi-tenant operational model.

These examples demonstrate how Middle Eastern hosting providers support a diverse threat landscape, ranging from state-sponsored espionage and destructive operations to commodity malware, MaaS platforms, cryptomining, and advanced intrusion campaigns.

Infrastructure Observables

This research draws on a large set of infrastructure-level observables: IP addresses, domains, and endpoints across Middle Eastern ISPs and hosting providers. Some are confirmed malicious through corroborating evidence. Others are detections where a tool tied to threat activity was fingerprinted on a reachable host, which is a lead rather than a verdict, as noted at the top.

Given the scale of the dataset, with more than 1,350 active C2 endpoints observed over three months across 14 countries and 98 providers, publishing a static list here would provide limited operational value.

Teams interested in accessing this data with proper context, attribution, and historical tracking can reach out to discuss research collaboration or operational access to the full dataset.

Conclusion

The three-month window shows that malicious infrastructure in the Middle East is not spread evenly. More than 1,350 C2 detections across 98 providers tells you concentration is the pattern, not the exception. Knowing which networks attackers keep landing in changes how defenders prioritize, block, and monitor.

A host-centric approach is what makes that possible. Instead of chasing individual indicators that rotate daily, teams can track the hosting environments, ASNs, and provider patterns that attackers keep coming back to. That's where the leverage is, and that's where this kind of analysis pays off.

Ready to see it in practice? Book a demo and explore how Host Radar and the Hunt.io platform can help your team track adversary infrastructure at scale, before it becomes an incident.