One Telecom Provider Hosted Most of the Middle East's Active C2 Infrastructure
ID: 7e861d05-1f04-52d2-b507-275500c3c884
STIX ID: report--7e861d05-1f04-52d2-b507-275500c3c884
Feed Name: Security Affairs
Hunt.io mapped 1,350+ C2 servers across 98 providers in 14 Middle Eastern countries over a three-month window and found extreme concentration of malicious infrastructure—over 72% of regional C2s were hosted by a single provider (Saudi Telecom Company). The analysis catalogues observed malware families (Cobalt Strike, AsyncRAT, Mirai, Sliver, Mozi, Hajime, Tactical RMM, Gophish, etc.), links infrastructure to campaigns and espionage activity (including the Eagle Werewolf cluster, DYNOWIPER, and RondoDox), and recommends prioritizing provider-level telemetry because attackers repeatedly reuse hosting providers and compromised customer systems.
