Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: hosting (2 articles)Clear

Netherlands seizes 800 servers of Stark Industries successor WorkTitans/THE.Hosting - links to NoName057(16) Russian hacktivists

The Dutch Financial Crime Investigation Service (FIOD) has arrested two men and seized 800 servers during raids on data centers in Dronten and Schiphol-Rijk that hosted infrastructure for cyberattacks, disinformation, and influence operations tied to sanctioned Russian and Belarusian entities. The 57-year-old company director and a 39-year-old connectivity provider face charges of indirectly providing economic resources to EU-sanctioned parties. The web hosting company Stark Industries was sanctioned by the EU last May; investigators say its infrastructure was simply transferred to a newly created Dutch company called WorkTitans B.V., trading under THE.Hosting. Mirhosting, which provided physical colocation and connectivity, denies knowingly supporting illegal operations.

Check
Search egress logs for connections to Stark Industries or THE.Hosting / WorkTitans IP ranges since 2022. Cross-reference with NoName057(16) DDoS infrastructure published by national CERTs.
Affected
Targets of pro-Russian disinformation, DDoS, and influence operations - particularly EU government, banking, and critical-infrastructure sectors. NoName057(16) frequently targets Ukrainian allies.
Fix
Block known Stark Industries / WorkTitans / Mirhosting IP ranges at the perimeter where there is no legitimate business need. Refresh DDoS protection runbooks for NoName057(16) campaigns.

Hunt.io: Saudi Telecom hosts 72% of Middle East C2 servers; 1,350+ servers across 98 providers in 14 countries

Hunt.io has mapped 1,350+ command-and-control servers spread across 98 providers in 14 Middle Eastern countries over three months. Saudi Telecom Company (STC) hosts 981 of them - 72.4% of all observed regional C2 - the largest single-provider concentration the researchers have seen globally. Most of STC's hosting appears to be compromised customer systems rather than deliberate bulletproof hosting, but the effect is the same. Other heavy hosts include SERVERS TECH FZCO (UAE), OMC (Israel), Türk Telekom, and Iraqi provider Regxa, which Hunt.io flags as the highest bulletproof-hosting profile observed. Named campaigns hosted on this infrastructure include Eagle Werewolf espionage, DYNOWIPER attacks on Poland's energy sector, and RondoDox.

Check
Add STC, SERVERS TECH FZCO, OMC, Türk Telekom, and Regxa to your provider-level egress monitoring and threat-intel correlation. Pull Hunt.io's published IoC list for the named campaigns.
Affected
Any organization whose users or systems communicate with Middle Eastern infrastructure. Provider-level visibility (versus per-IP) is now the more durable signal as attackers rotate domains and IPs daily.
Fix
Shift detection rules from per-IP IoCs to provider/ASN-level monitoring where business-justified. Block known bulletproof providers like Regxa at egress. Add Cobalt Strike, AsyncRAT, Mirai, and Sliver beacon hunts.