
Hackers Abuse Middle East Telecom Networks for Large-Scale Command-and-Control Operations

Source: Cyber Security News (archived May 23, 2026)




By Tushar Subhra Dutta, May 22, 2026

Hackers are using telecom networks and hosting providers across the Middle East as a foundation for massive command-and-control operations, turning trusted infrastructure into a launchpad for cyberattacks. A newly released threat intelligence report reveals that more than 1,350 active command-and-control (C2) servers were identified across 98 infrastructure providers in the region within just three months.

The scale of the activity is striking. Researchers analyzed infrastructure across 14 countries, including Saudi Arabia, the UAE, Turkey, Israel, Iraq, Iran, Egypt, and Syria, and found that C2 infrastructure makes up roughly 93% of all malicious activity detected. The remaining share is split between exposed malicious directories, phishing sites, and publicly documented threat indicators.

Analysts at Hunt.io said in a report shared with Cyber Security News (CSN) that their Host Radar module was used to correlate C2 servers, phishing infrastructure, and open directories back to the providers and network operators supporting them. The findings paint a clear picture of how attackers deliberately pick specific hosting environments to build out their operations.

What makes the report particularly alarming is not just the volume, but the concentration. Saudi Arabia's STC (Saudi Telecom Company) alone accounts for 981 of the detected C2 servers, which is 72.4% of all regional C2 infrastructure, the largest concentration observed at any single provider worldwide. Researchers believe this reflects abuse of compromised customer endpoints rather than servers directly managed by the provider.

The types of threats running on this infrastructure range widely. IoT-focused botnets, offensive hacking frameworks, phishing kits, ransomware delivery systems, and state-sponsored espionage tools were all found operating across the same regional networks. This points to a broader threat landscape where criminal groups and nation-state actors share the same underlying infrastructure.

Hackers Abuse Middle East Telecom Networks

The abuse of major telecom carriers is one of the most defining features of this threat landscape. Beyond STC, other major telecoms appear in the data, including Türk Telekom with 44 C2 servers and 6 exposed malicious directories. Türk Telekom also leads in malware diversity, hosting 6 distinct malware families across 9 unique C2 endpoints, the highest ratio in the dataset.

Alongside the big telecoms, specialized hosting providers are playing a growing role. SERVERS TECH FZCO in the UAE was tied to 111 C2 servers, while Regxa Company in Iraq showed 38 C2 servers and carried the highest bulletproof rating of any provider in the dataset. A bulletproof rating indicates a hosting provider has a pattern of being slow to respond to abuse reports.

The dominant malware families running across these networks include Tactical RMM with 92 unique C2 IPs, Keitaro traffic distribution system with 71, Acunetix with 38, and Gophish with 31.

[Figure: Malicious infrastructure detected across 98 Middle Eastern ISPs (Source: Hunt.io)]

Offensive frameworks like Cobalt Strike, Sliver, and AsyncRAT also appeared, confirming that both commodity criminals and sophisticated attackers are active in the same space.

Malicious Campaigns Observed Across the Region

Several active attack campaigns were tied directly to this infrastructure. The Phorpiex (Twizt) botnet was found running on Syrian Telecom infrastructure, using a hybrid setup combining standard web communication with a peer-to-peer layer to deliver encrypted payloads, including a cryptocurrency miner that has previously distributed LockBit Black ransomware.

A separate espionage campaign linked to the Eagle Werewolf cluster used Iraqi hosting on Regxa infrastructure to deploy multiple remote access tools via phishing lures based on Starlink registration and drone training themes.

On Saudi Arabia's Mobily network, researchers found active exploitation of CVE-2025-11953, a React Native CLI vulnerability, where attackers used encoded scripts to disable security tools before downloading malicious binaries.

Iran-hosted infrastructure was linked to the RondoDox botnet, which peaked at 15,000 daily exploit attempts against internet-exposed devices.

Defenders are encouraged to shift focus away from chasing individual threat indicators and instead monitor the hosting providers, ASNs, and network-level patterns that attackers return to repeatedly. Hunt.io noted that tracking infrastructure at the provider level gives security teams a way to anticipate attacker behavior rather than simply reacting after the fact.

Indicators of Compromise (IoCs)

Type | Indicator | Description
IP Address | 94.252.245[.]193 | Phorpiex (Twizt) botnet C2 server hosted on Syrian Telecom infrastructure; hybrid HTTP and P2P C2 architecture
IP Address | 93.113.62[.]247 | Phishing campaign hosted on Netinternet (Turkey) impersonating Cloud Storage services to harvest payment details
IP Address | 5.109.182[.]231 | Metro4Shell (CVE-2025-11953) RCE exploitation campaign hosted on Mobily (Saudi Arabia)
IP Address | 37.32.15[.]8 | RondoDox botnet exploitation infrastructure hosted on AbrArvan CDN (Iran); active since May 2025
IP Address | 197.51.170[.]131 | AI-powered AWS intrusion campaign; hosted on TE Data (Egypt); linked to credential theft and LLMjacking
Malware Family | Tactical RMM | Legitimate remote management tool abused for post-exploitation C2; 92 unique IPs across the Middle East
Malware Family | Keitaro TDS | Traffic distribution system used in malvertising and phishing campaigns; 71 C2 IPs
Malware Family | Phorpiex / Twizt | Botnet delivering XMRig miner and LockBit Black ransomware via hybrid C2 on Syrian Telecom
Malware Family | RondoDox | Mirai-like botnet; 174 exploits; peaked at 15,000 daily attempts; Iranian CDN hosting
Malware Family | EchoGather RAT | Deployed via Telegram channels in Eagle Werewolf espionage campaign on Regxa (Iraq) infrastructure
Malware Family | AquilaRAT | Rust-based backdoor used in Eagle Werewolf campaign with rotating C2 domains
Malware Family | SoullessRAT | Delivered via fake AlphaFly installer in Eagle Werewolf multi-stage attack chain
Malware Family | DYNOWIPER | Destructive wiper malware attributed to ENERGETIC BEAR; hosted on CLODO CLOUD SERVICE (UAE)
CVE | CVE-2025-11953 | Metro4Shell vulnerability in React Native CLI; exploited via Saudi Arabia's Mobily network
Infrastructure | regxa.iq | Regxa Company for Information Technology Ltd (Iraq); highest bulletproof rating in dataset; Eagle Werewolf C2 hosting

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
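The provider-level monitoring Hunt.io recommends, and the re-fanging caveat in the note above, can be worked through in a few lines. The Python script below is an added example; it is not code from the article, from Cyber Security News or from Hunt.io. It loads the five IP indicators from the IoC table (kept defanged at rest and re-fanged only in memory for matching), checks them against a handful of constructed firewall log lines, and rolls the hits up by hosting provider so an analyst sees which networks their hosts are talking to rather than only which IPs. The key=value log layout, the `IOC_ROWS` tuple shape and the provider labels attached to each indicator are assumptions made for this example.

```python
"""Provider-level view over defanged C2 indicators (added example, not the
article's or Hunt.io's code).

The IoC rows reuse the defanged IPs quoted in the article; the provider labels
are taken from its descriptions. The firewall log lines are constructed and use
a simple key=value layout that is not any vendor's real format.
"""
import ipaddress
import re
from collections import Counter

# Assumed feed shape: (defanged indicator, description, hosting provider).
IOC_ROWS = [
    ("94.252.245[.]193", "Phorpiex (Twizt) botnet C2", "Syrian Telecom"),
    ("93.113.62[.]247", "Phishing impersonating cloud storage", "Netinternet (Turkey)"),
    ("5.109.182[.]231", "Metro4Shell (CVE-2025-11953) exploitation", "Mobily (Saudi Arabia)"),
    ("37.32.15[.]8", "RondoDox botnet exploitation", "AbrArvan CDN (Iran)"),
    ("197.51.170[.]131", "AWS intrusion / LLMjacking", "TE Data (Egypt)"),
    ("not-an-ip[.]example", "malformed row, must be skipped", "n/a"),  # constructed
]

# Constructed log lines: two connections to the Syrian Telecom C2, one to the
# Mobily host, two to documentation-range addresses that are not indicators.
SAMPLE_LOG = """\
2026-05-22T10:01:00Z action=allow src=10.0.0.5 dst=94.252.245.193 dport=443
2026-05-22T10:01:07Z action=allow src=10.0.0.9 dst=198.51.100.7 dport=443
2026-05-22T10:02:13Z action=allow src=10.0.0.5 dst=94.252.245.193 dport=8080
2026-05-22T10:03:40Z action=allow src=10.0.1.2 dst=5.109.182.231 dport=80
2026-05-22T10:04:02Z action=deny src=10.0.1.2 dst=192.0.2.10 dport=22
"""

DEFANG_RE = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE)
LOG_FIELD_RE = re.compile(r"(\w+)=(\S+)")


def refang(indicator: str) -> str:
    """Undo common defanging ('[.]', '(.)', '[dot]') so the value can be compared
    with real log data. This happens only in memory; nothing is written back."""
    return DEFANG_RE.sub(".", indicator.strip())


def defang(indicator: str) -> str:
    """Defang again before a value goes into a report, ticket or alert text."""
    return indicator.replace(".", "[.]")


def load_iocs(rows):
    """Build {ip: (description, provider)}, dropping rows that are not valid IPs
    so a malformed feed entry cannot poison the lookup table."""
    table = {}
    for raw, description, provider in rows:
        try:
            ip = ipaddress.ip_address(refang(raw))
        except ValueError:
            continue
        table[str(ip)] = (description, provider)
    return table


def parse_log_line(line: str) -> dict:
    """Split one key=value log line into a dict (timestamp is not a field)."""
    return dict(LOG_FIELD_RE.findall(line))


def match_log(log_text: str, iocs: dict) -> list:
    """Return one hit per log line whose destination is a known C2 address.
    Destinations are re-defanged in the output so hits are safe to paste."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        dst = fields.get("dst")
        if dst in iocs:
            description, provider = iocs[dst]
            hits.append({"src": fields.get("src"), "dst": defang(dst),
                         "provider": provider, "description": description})
    return hits


def hits_by_provider(hits: list) -> Counter:
    """Collapse per-IP hits to the provider level, the view the report recommends."""
    return Counter(hit["provider"] for hit in hits)


if __name__ == "__main__":
    table = load_iocs(IOC_ROWS)
    found = match_log(SAMPLE_LOG, table)
    for hit in found:
        print(f"{hit['src']} -> {hit['dst']} ({hit['provider']}): {hit['description']}")
    for provider, count in hits_by_provider(found).most_common():
        print(f"{count:3d} connection(s) to infrastructure on {provider}")
```

Swapping `SAMPLE_LOG` for real firewall or proxy output and `IOC_ROWS` for an exported feed is all that changes in practice; the provider column is what lets the same script answer "how much of our traffic goes to networks this report flags" instead of only "did we touch this one IP".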