Last updated: July 5, 2026 at 9:01 AM UTC

Hunt.io: Saudi Telecom hosts 72% of Middle East C2 servers; 1,350+ servers across 98 providers in 14 countries

Hunt.io has mapped 1,350+ command-and-control servers spread across 98 providers in 14 Middle Eastern countries over three months. Saudi Telecom Company (STC) hosts 981 of them - 72.4% of all observed regional C2 - the largest single-provider concentration the researchers have seen globally. Most of STC's hosting appears to be compromised customer systems rather than deliberate bulletproof hosting, but the effect is the same. Other heavy hosts include SERVERS TECH FZCO (UAE), OMC (Israel), Türk Telekom, and Iraqi provider Regxa, which Hunt.io flags as the highest bulletproof-hosting profile observed. Named campaigns hosted on this infrastructure include Eagle Werewolf espionage, DYNOWIPER attacks on Poland's energy sector, and RondoDox.

Check
Add STC, SERVERS TECH FZCO, OMC, Türk Telekom, and Regxa to your provider-level egress monitoring and threat-intel correlation. Pull Hunt.io's published IoC list for the named campaigns.
Affected
Any organization whose users or systems communicate with Middle Eastern infrastructure. Provider-level visibility (versus per-IP) is now the more durable signal as attackers rotate domains and IPs daily.
Fix
Shift detection rules from per-IP IoCs to provider/ASN-level monitoring where business-justified. Block known bulletproof providers like Regxa at egress. Add Cobalt Strike, AsyncRAT, Mirai, and Sliver beacon hunts.
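
The provider-level egress check recommended above, as an added example (not code from Hunt.io or from the original article): constructed egress log lines are mapped to a hosting provider through a prefix table, aggregated per provider rather than per IP, and compared against the providers the article names. The prefix ranges, the log format, the "ExampleCloud" entry and the allowlist parameter are assumptions for illustration; real ASN-to-prefix data would come from your routing or enrichment feed.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed, illustrative prefix table (documentation ranges, NOT the providers' real allocations).
PROVIDER_PREFIXES = {
    "Saudi Telecom Company (STC)": ["203.0.113.0/24"],
    "Regxa": ["198.51.100.0/25"],
    "SERVERS TECH FZCO": ["198.51.100.128/25"],
    "ExampleCloud": ["192.0.2.0/24"],  # hypothetical benign provider
}
# Providers named in the article; Regxa is the one flagged as a bulletproof-hosting profile.
WATCHED = {"Saudi Telecom Company (STC)", "SERVERS TECH FZCO", "Regxa"}
BLOCK = {"Regxa"}

# Constructed egress records in an assumed "<ts> src=<ip> dst=<ip> dport=<n>" format.
SAMPLE_LOG = [
    "2026-07-01T09:00:01Z src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2026-07-01T09:01:01Z src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2026-07-01T09:02:01Z src=10.0.0.7 dst=198.51.100.20 dport=8080",
    "2026-07-01T09:03:01Z src=10.0.0.9 dst=192.0.2.44 dport=443",
    "2026-07-01T09:04:01Z src=10.0.0.5 dst=198.51.100.200 dport=443",
]

def build_lookup(table):
    """Flatten the provider table into (network, provider) pairs for membership tests."""
    return [(ipaddress.ip_network(p), name) for name, prefixes in table.items() for p in prefixes]

def provider_for(ip, lookup):
    """Return the provider whose prefix contains ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    return next((name for net, name in lookup if addr in net), "unknown")

def parse_egress(line):
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return fields["src"], fields["dst"]

def assess(lines, lookup, allowlist=frozenset()):
    """Aggregate egress per provider; return (counts, alerts).

    Each alert is (provider, action, connection_count, distinct_internal_hosts).
    allowlist holds providers with a documented business justification."""
    counts, srcs = Counter(), defaultdict(set)
    for line in lines:
        src, dst = parse_egress(line)
        name = provider_for(dst, lookup)
        counts[name] += 1
        srcs[name].add(src)
    alerts = []
    for name, n in counts.items():
        if name in allowlist:
            continue
        if name in BLOCK:
            alerts.append((name, "block", n, len(srcs[name])))
        elif name in WATCHED:
            alerts.append((name, "review", n, len(srcs[name])))
    return counts, sorted(alerts)
```

The per-provider count survives daily IP rotation within the same hosting range, which is the durability argument made above; the distinct-host count separates one beaconing endpoint from broad legitimate use.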

One unpatched Quest KACE box at a Boston MSP exposed 60+ named client organizations - law enforcement, schools, healthcare, and government on one MariaDB dump (CVE-2025-32975)

Quest KACE has a year-old maximum-severity authentication bypass (CVE-2025-32975, CVSS 10.0). Hunt.io researchers now report that an attacker exploited an unpatched KACE appliance at a Boston-area managed services provider called HIQ - then left their entire toolkit on a publicly accessible server with directory listing turned on. The exfiltrated 512 MB MariaDB dump turned out to contain the full appliance-managed endpoint list for over 60 named client organizations spanning law enforcement, government, healthcare, education, and private companies. None of those 60-plus organizations had any KACE relationship of their own - they were just customers of the MSP that ran it unpatched.

Check
Inventory Quest KACE SMA instances reachable from the public internet, check their version against the May 2025 patched build, and review helpdesk tickets and asset records for sensitive material that would surface in a database dump.
Affected
Quest KACE Systems Management Appliance (SMA) instances running any build older than the May 2025 patched version. The flaw is an unauthenticated SSO impersonation rated CVSS 10.0, and it has been on the CISA KEV list since April 2026.
Fix
Apply Quest's May 2025 patched version immediately. Remove KACE SMA from direct internet exposure (place behind VPN or firewall), rotate KACE admin credentials, and audit for unauthorized accounts created via runkbot.exe.