Tuesday , July 14 2026
Middle East

Hackers Use Middle East Telecoms for Large C2 Operations

Hackers are using Middle East phone and internet networks more often to run big command-and-control systems. The results show a change from temporary signs to tracking at the infrastructure level, helping defenders find ongoing patterns in cyber attacks instead of just responding to changing signs of trouble.

The data shows that C2 infrastructure is the main source of bad activity in the area, making up more than 90 percent of all the items seen, much more than phishing scams, open directories, and known indicators.

Meta’s louisiana data center to exceed 250 billion price tag

Meta announced on Monday that its data center in Richland Parish, Louisiana, will grow to 5 gigawatts of computing power....
Read More
Meta’s louisiana data center to exceed 250 billion price tag

Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Global ransomware attacks stayed very high in the first seven months of 2026. There were 5,064 confirmed victims in 135...
Read More
Ransomware Crisis in 2026: 5,064 Organizations Affected in 135 Countries

Palo Alto Networks Addresses 13 Vulnerabilities

Palo Alto Networks shared warnings on Wednesday about over twelve security issues in its products. The new warnings include 13 security...
Read More
Palo Alto Networks Addresses 13 Vulnerabilities

Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

A critical flaw with how Dell saves BIOS passwords lets anyone quickly recover these passwords from a flash dump without...
Read More
Critical Dell BIOS & Zimbra Flaws Expose Enterprise Systems

CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

CoLoCity is proud to launch a new Data Center in Gulshan-2. It is designed to meet the growing demand for...
Read More
CoLoCity Launches New 1.0 MW Data Center Facility at Gulshan

Daily Cyber security update for 10. 07. 2026

Cyberattacks are rising around the world, including ransomware, malware, data leaks, and hacked websites. These events show how complex and...
Read More
Daily Cyber security update for 10. 07. 2026

How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

A major AWS attack shows how attackers with AI can connect known cloud strategies to go from first access to...
Read More
How Hacker Compromise AWS Cloud Environment Using AI in 72 Hours

Mycelium Framework: First AI-as-a-Service Botnet

A new cybercrime ad is catching attention in the security world. It talks about a botnet that doesn't just get...
Read More
Mycelium Framework: First AI-as-a-Service Botnet

CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

CrowdStrike has shared five new ways to inject prompts, showing the rising danger to AI agents as more organizations use...
Read More
CrowdStrike Shows 5 New Prompt Injection Techniques for AI Agents

Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

A critical flaw in Google Cloud Platform’s Dialogflow CX lets attackers add harmful code to a company's AI chatbot system....
Read More
Critical GCP Dialogflow Vulnerability Allows Malicious Code Injection

One big finding is that a lot of activity happens in major telecom networks. The Saudi Telecom Company (STC) has 981 C2 servers, making up about 72 percent of all C2 systems found in the area.

Researchers think this focus comes from weak customer devices in the telecom network, not from a direct attack on the provider. This means that big ISP systems are being used as a way for attackers to control their systems.

Hunt.io reported to GBhackers that researchers found over 1,350 active C2 servers. These servers are spread across 98 providers in 14 countries like Saudi Arabia, the UAE, Turkey, Israel, Iran, Iraq, and Egypt.

STC (Saudi Telecom Company) – Host Radar Detailed View: Per-provider Host Radar breakdown for STC (Source : Hunt.io).

Other well-known companies are UAE’s SERVERS TECH FZCO with over 100 C2 nodes, Israel’s OMC with more than 60, Turkey’s Türk Telekom with over 40, and Iraq’s Regxa, which has a smaller but steady presence and can handle bad activity well.

Hackers Exploit Middle East Telecoms

The presence of large telecom companies and smaller VPS providers shows how attackers fit into different network setups to stay strong and not get caught.

Host Radar found 1,459 harmful items across 98 infrastructure providers in the Middle East during three months. This includes 1,357 command and control servers, 45 bad open directories, 7 indicators of compromise in public studies, 43 IOC Hunter posts, and 7 phishing sites.

Aggregate breakdown of C2 servers (1,357), phishing sites (7), malicious open directories (45), IOC Hunter posts (43), and public IOCs (7) detected within Middle Eastern hosting environments (Source : Hunt.io).

A small number of providers help create a big part of harmful infrastructure.

This clustering effect helps bad actors use the same systems, plan their actions early, and keep hidden access points ready for when they are needed. In many recorded cases, systems tied to advanced persistent threat groups were found weeks before real attacks happened.

Many types of malware seen in these networks include both common botnets and advanced tools used after an attack.

Tactical RMM, Cobalt Strike, and Sliver are tools that many people use with IoT botnets like Mirai, Mozi, and Hajime. This mix shows how cybercrime and state-related activities are using the same system.

Many offensive security tools and post-exploitation platforms are clearly seen in the dataset. These are Prism X (13), AsyncRAT (12), Sliver (10), Cobalt Strike (8), and Mirai (8). This shows that both common malware and advanced APT tools use Middle Eastern infrastructure.

                                                               Top malware C2 families (Source : Hunt.io).

Real-world campaigns linked to the infrastructure involve sending ransomware, cryptomining work, phishing efforts, and spying actions.

Researchers found Phorpiex botnet C2 servers on Syrian telecom networks. These servers sent out both cryptominers and ransomware. Other groups used telecom IP addresses to take advantage of weaknesses, use remote access trojans, and carry out attacks focused on the cloud.

The report highlights that watching infrastructure providers, self-driving systems, and hosting patterns gives a stronger defense. By paying attention to the networks often used by attackers, organizations can better predict threats, prioritize monitoring, and stop operations before they happen.

Check Also

CLI

Azure CLI Password Spray Impacts 78 Microsoft Accounts in 81M+ Attempts

Cybersecurity researchers have warned of a “massive, ongoing, automated password spray attack” aimed at Microsoft’s …