Attackers are increasingly using Middle East telecom and internet networks to run large command-and-control (C2) systems. The findings mark a shift from tracking short-lived indicators to tracking at the infrastructure level, which helps defenders identify persistent patterns in attacks rather than only reacting to indicators that keep changing.
The data shows that C2 infrastructure is the main source of malicious activity in the region, accounting for more than 90 percent of all items observed, far ahead of phishing sites, open directories, and published indicators.
One key finding is that much of the activity is concentrated in major telecom networks. Saudi Telecom Company (STC) hosts 981 C2 servers, about 72 percent of all C2 systems found in the region.
Researchers attribute this concentration to vulnerable customer devices inside the telecom's network rather than to a direct compromise of the provider. In effect, large ISP address space is being used as a platform from which attackers control their infrastructure.
Hunt.io told GBhackers that researchers identified over 1,350 active C2 servers, spread across 98 providers in 14 countries including Saudi Arabia, the UAE, Turkey, Israel, Iran, Iraq, and Egypt.

Other notable providers include the UAE's SERVERS TECH FZCO with over 100 C2 nodes, Israel's OMC with more than 60, Turkey's Türk Telekom with over 40, and Iraq's Regxa, which has a smaller but steady presence that nonetheless supports malicious activity.
Hackers Exploit Middle East Telecoms
The mix of large telecom companies and smaller VPS providers shows how attackers blend into different network environments to maintain persistence and avoid detection.
Host Radar identified 1,459 malicious items across 98 infrastructure providers in the Middle East over three months: 1,357 command-and-control servers, 45 malicious open directories, 7 indicators of compromise from public research, 43 IOC Hunter posts, and 7 phishing sites.

A small number of providers account for a large share of the malicious infrastructure.
This clustering effect lets threat actors reuse the same infrastructure, stage their operations in advance, and keep dormant access points ready for when they are needed. In many recorded cases, infrastructure tied to advanced persistent threat groups was identified weeks before actual attacks occurred.
The malware families observed in these networks span both commodity botnets and advanced post-exploitation tools.
Tactical RMM, Cobalt Strike, and Sliver appear alongside IoT botnets such as Mirai, Mozi, and Hajime. This mix shows that cybercrime and state-linked activity are sharing the same infrastructure.
Offensive security tools and post-exploitation frameworks are prominent in the dataset: Prism X (13), AsyncRAT (12), Sliver (10), Cobalt Strike (8), and Mirai (8). This confirms that both commodity malware and advanced APT tooling rely on Middle Eastern infrastructure.

Real-world campaigns linked to this infrastructure include ransomware delivery, cryptomining operations, phishing, and espionage.
Researchers found Phorpiex botnet C2 servers on Syrian telecom networks distributing both cryptominers and ransomware. Other groups used telecom IP addresses to exploit vulnerabilities, deploy remote access trojans, and carry out cloud-focused attacks.
The report concludes that monitoring infrastructure providers, autonomous systems (ASNs), and hosting patterns gives a stronger defense than tracking individual indicators. By focusing on the networks attackers repeatedly use, organizations can better anticipate threats, prioritize monitoring, and disrupt operations before they begin.
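The infrastructure-level view the report recommends is, in practice, an aggregation step: fold per-IP indicators up to the provider or ASN that hosts them, find the networks carrying a disproportionate share of C2, and let that concentration drive monitoring priority for traffic toward addresses that are not yet on any list. The script below is an added example written for this article, not Hunt.io's or Host Radar's code. Every indicator, IP address (TEST-NET ranges), ASN (private-use range), provider name and log line in it is constructed; the skew toward one ASN mirrors the clustering the report describes but the values are invented, and the IP-to-ASN lookup is a stand-in for a real BGP or ASN database.

```python
"""Aggregate C2 indicators by ASN so defenders can watch the networks
attackers keep reusing instead of chasing individual short-lived IPs.
All data below is constructed for illustration."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    ip: str
    asn: int
    provider: str
    country: str
    family: str


# Constructed sample indicators (placeholder IPs and private-use ASNs).
SAMPLE = [
    Indicator("203.0.113.10", 64512, "ExampleTel-A", "SA", "Cobalt Strike"),
    Indicator("203.0.113.11", 64512, "ExampleTel-A", "SA", "Sliver"),
    Indicator("203.0.113.12", 64512, "ExampleTel-A", "SA", "Mirai"),
    Indicator("203.0.113.13", 64512, "ExampleTel-A", "SA", "Mirai"),
    Indicator("203.0.113.14", 64512, "ExampleTel-A", "SA", "AsyncRAT"),
    Indicator("203.0.113.15", 64512, "ExampleTel-A", "SA", "Mozi"),
    Indicator("198.51.100.5", 64513, "ExampleVPS-B", "AE", "Sliver"),
    Indicator("198.51.100.6", 64513, "ExampleVPS-B", "AE", "Cobalt Strike"),
    Indicator("192.0.2.30", 64514, "ExampleHost-C", "IL", "AsyncRAT"),
    Indicator("192.0.2.40", 64515, "ExampleNet-D", "TR", "Hajime"),
]


def summarize_by_asn(indicators):
    """Count indicators per ASN and compute each ASN's share of the total,
    most concentrated first."""
    counts = Counter(i.asn for i in indicators)
    total = sum(counts.values())
    meta = {i.asn: (i.provider, i.country) for i in indicators}
    rows = []
    for asn, n in counts.most_common():
        provider, country = meta[asn]
        rows.append({"asn": asn, "provider": provider, "country": country,
                     "count": n, "share": n / total})
    return rows


def watchlist(indicators, share_threshold=0.25, min_count=3):
    """ASNs hosting a disproportionate amount of C2: candidates for
    infrastructure-level monitoring rather than per-IP blocking only."""
    return [r for r in summarize_by_asn(indicators)
            if r["share"] >= share_threshold and r["count"] >= min_count]


def priority_for(asn, indicators, share_threshold=0.25, min_count=3):
    """Monitoring priority for traffic toward an ASN, derived from how much
    known C2 that ASN already hosts."""
    for r in summarize_by_asn(indicators):
        if r["asn"] != asn:
            continue
        if r["share"] >= share_threshold and r["count"] >= min_count:
            return "high"
        return "elevated"
    return "baseline"


# Constructed outbound-connection log lines and a constructed IP->ASN map
# (a real deployment would consult a BGP/whois or ASN database instead).
LOG_LINES = [
    "2024-05-01T10:00:01Z src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2024-05-01T10:00:07Z src=10.0.0.9 dst=203.0.113.77 dport=8443",
    "2024-05-01T10:01:15Z src=10.0.0.5 dst=198.51.100.9 dport=443",
    "2024-05-01T10:02:00Z src=10.0.0.12 dst=192.0.2.200 dport=443",
]
IP_TO_ASN = {"203.0.113.10": 64512, "203.0.113.77": 64512,
             "198.51.100.9": 64513, "192.0.2.200": 64600}
DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")


def triage_connections(log_lines, ip_to_asn, indicators):
    """Classify each outbound destination: exact IoC hits are blocked, while
    unknown IPs inherit a priority from their ASN's C2 concentration."""
    known = {i.ip for i in indicators}
    results = []
    for line in log_lines:
        m = DST_RE.search(line)
        if not m:
            continue
        dst = m.group(1)
        asn = ip_to_asn.get(dst)
        if dst in known:
            verdict = "block"
        elif asn is None:
            verdict = "baseline"
        else:
            verdict = priority_for(asn, indicators)
        results.append({"dst": dst, "asn": asn, "known_ioc": dst in known,
                        "priority": verdict})
    return results


if __name__ == "__main__":
    for row in summarize_by_asn(SAMPLE):
        print(f"AS{row['asn']} {row['provider']} ({row['country']}): "
              f"count={row['count']} share={row['share']:.0%}")
    print("watchlist:", [r["asn"] for r in watchlist(SAMPLE)])
    for result in triage_connections(LOG_LINES, IP_TO_ASN, SAMPLE):
        print(result)
```

The second log line is the point of the exercise: 203.0.113.77 matches no indicator, so a pure IoC feed would ignore it, but it sits in the ASN that hosts most of the known C2, so it is surfaced as high priority for review. The thresholds are illustrative; in practice they should be tuned against the size of the provider's address space so that a large national carrier is not flagged simply for being large.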