Last updated: July 5, 2026 at 9:01 AM UTC
Tag: middle-east (1 article)

Hunt.io: Saudi Telecom hosts 72% of Middle East C2 servers; 1,350+ servers across 98 providers in 14 countries

Hunt.io has mapped 1,350+ command-and-control servers spread across 98 providers in 14 Middle Eastern countries over three months. Saudi Telecom Company (STC) hosts 981 of them - 72.4% of all observed regional C2 - the largest single-provider concentration the researchers have seen globally. Most of STC's hosting appears to be compromised customer systems rather than deliberate bulletproof hosting, but the effect is the same. Other heavy hosts include SERVERS TECH FZCO (UAE), OMC (Israel), Türk Telekom, and Iraqi provider Regxa, which Hunt.io flags as the highest bulletproof-hosting profile observed. Named campaigns hosted on this infrastructure include Eagle Werewolf espionage, DYNOWIPER attacks on Poland's energy sector, and RondoDox.

Check
Add STC, SERVERS TECH FZCO, OMC, Türk Telekom, and Regxa to your provider-level egress monitoring and threat-intel correlation. Pull Hunt.io's published IoC list for the named campaigns.
Affected
Any organization whose users or systems communicate with Middle Eastern infrastructure. Provider-level visibility (versus per-IP) is now the more durable signal as attackers rotate domains and IPs daily.
Fix
Shift detection rules from per-IP IoCs to provider/ASN-level monitoring where business-justified. Block known bulletproof providers like Regxa at egress. Add Cobalt Strike, AsyncRAT, Mirai, and Sliver beacon hunts.
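The shift from per-IP IoCs to provider/ASN-level matching described under Fix, as an added example that is not Hunt.io's or this site's code. It assumes a local prefix-to-ASN table and egress flow records; every prefix, ASN, organization name, and hostname below is a constructed placeholder (RFC 5737 and RFC 5398 documentation ranges), not a value for any provider named above.

```python
import ipaddress
from collections import Counter

# Constructed prefix-to-ASN table (documentation prefixes and ASNs only).
# In production, load this from your own IP-to-ASN feed.
PREFIX_TABLE = [
    ("192.0.2.0/24", 64496, "EXAMPLE-WATCHED-ISP"),
    ("198.51.100.0/24", 64497, "EXAMPLE-BULLETPROOF-HOST"),
    ("203.0.113.0/24", 64498, "EXAMPLE-BUSINESS-PARTNER"),
]
# Provider-level policy: "block" for bulletproof hosts, "alert" for monitored ones.
ASN_POLICY = {64496: "alert", 64497: "block"}
# Constructed per-IP IoC list: goes stale once the operator rotates addresses.
IP_IOCS = {"198.51.100.10"}
# Constructed egress flow records: (source host, destination IP).
FLOWS = [
    ("ws-014", "198.51.100.10"),
    ("ws-014", "198.51.100.77"),  # rotated IP, same provider, not in IP_IOCS
    ("srv-db2", "192.0.2.45"),
    ("ws-101", "203.0.113.9"),
]

# Most-specific prefixes first so the first hit is the longest match.
NETS = sorted(((ipaddress.ip_network(p), asn, org) for p, asn, org in PREFIX_TABLE),
              key=lambda r: r[0].prefixlen, reverse=True)

def lookup_asn(ip):
    """Longest-prefix match of ip against the table; (None, None) if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, asn, org in NETS:
        if addr in net:
            return asn, org
    return None, None

def classify(flows):
    """Per-flow verdicts showing the per-IP match beside the provider-level action."""
    out = []
    for host, dst in flows:
        asn, org = lookup_asn(dst)
        out.append({"host": host, "dst": dst, "asn": asn, "org": org,
                    "ip_ioc_hit": dst in IP_IOCS,
                    "asn_action": ASN_POLICY.get(asn, "allow")})
    return out

def provider_summary(verdicts):
    """Count flows per (org, action) for providers that are not allowed."""
    return Counter((v["org"], v["asn_action"]) for v in verdicts
                   if v["asn_action"] != "allow")

if __name__ == "__main__":
    for v in classify(FLOWS):
        print(v)
    print(provider_summary(classify(FLOWS)))
```

The second flow is the case the Fix targets: the per-IP list misses the rotated address, while the provider-level policy still returns `block`.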