Middle East Telecom Networks Exploited In Command-and-Control Campaign
ID: 5c24b3a2-25c3-5aae-8623-6c022ac76635
STIX ID: report--5c24b3a2-25c3-5aae-8623-6c022ac76635
Feed Name: Cyber Press
Hunt.io analysis (Feb–May 2026) found 1,357 active C2 servers across 14 Middle Eastern countries—concentrated heavily in Saudi Telecom Company—hosting a mix of commodity malware, IoT botnets, RATs, Cobalt Strike/Sliver, and ransomware (including LockBit Black). The report documents real-world campaigns (phishing, Telegram lures, exploit chains such as CVE-2025-11953/Metro4Shell), MaaS activity, and recommends defenders prioritize tracking infrastructure providers and ASN-level resources rather than ephemeral IOCs.
