Middle East Telecom Networks Face C2 Abuse
Arabian Post
A three-month mapping of malicious activity between 1 February and 1 May identified more than 1,350 active C2 servers across 98 infrastructure providers in 14 countries, including Saudi Arabia, the UAE, Turkey, Israel, Iraq, Iran, Egypt, Kuwait, Lebanon, Jordan, Bahrain, Syria, Cyprus and Palestine. The findings point to a sharp concentration of attacker-controlled communications inside a relatively small group of networks, raising concerns for telecom operators, hosting companies, enterprises and public-sector defenders.
C2 servers are used by attackers to issue instructions to malware, receive stolen data, control botnets and maintain access inside compromised systems. Their presence inside telecom and hosting environments does not necessarily mean the providers themselves have been breached. In many cases, the infrastructure appears to involve infected customer devices, exposed servers, virtual private servers or abused hosting accounts operating within legitimate networks.
Saudi Telecom Company accounted for 981 detected C2 servers, representing about 72.4 per cent of observed regional C2 activity during the assessment period. This was the largest concentration identified at a single provider in the dataset. The most likely explanation is large-scale compromise of customer systems and devices within a vast network footprint, rather than direct operational involvement by the carrier.
Other providers with significant exposure included SERVERS TECH FZCO in the UAE, OMC in Israel, Türk Telekom in Turkey and Regxa in Iraq. The pattern shows how attackers mix large consumer internet networks with smaller hosting firms, virtual server operators and providers that accept cryptocurrency payments. This combination helps malicious campaigns remain resilient even when individual IP addresses, domains or servers are taken down.
C2 infrastructure made up about 96.8 per cent of the malicious artefacts observed, far outweighing phishing infrastructure, exposed directories and publicly reported indicators of compromise. That imbalance suggests threat actors are relying heavily on persistent network-level infrastructure rather than short-lived phishing assets alone. It also underlines why defenders are shifting attention from disposable indicators to provider-level behaviour, autonomous system numbers, hosting clusters and recurring infrastructure relationships.
The malware families and tools observed across the region include Mirai, Mozi and Hajime botnets, along with Cobalt Strike, Sliver, Tactical RMM, AsyncRAT, Gophish and other post-exploitation or remote-access frameworks. The mix covers commodity cybercrime, malware-as-a-service operations, cryptomining, espionage-linked campaigns and targeted intrusions. IoT-focused botnets remain especially relevant because routers, cameras and poorly secured network devices can be absorbed into large relay networks with minimal visibility to their owners.
The issue is not confined to criminal activity. The region's telecoms and hosting providers sit inside a wider geopolitical cyber environment shaped by espionage, regional conflict, surveillance concerns and attacks on critical infrastructure. Telecom networks are especially valuable because they carry customer traffic, enterprise connectivity, mobile data, signalling systems and internet access for government and private-sector users. Even when an operator is not the target, abuse of its network can damage trust, invite regulatory scrutiny and complicate incident response.
For defenders, the main lesson is that individual indicators of compromise are no longer enough. Attackers can rotate domains, IP addresses and malware payloads quickly, but they often reuse the same hosting environments, registrar patterns, server configurations, certificates and network paths. Tracking those recurring traits allows security teams to detect preparation activity before a campaign is fully activated.
Telecom operators and hosting companies face pressure to improve abuse detection, customer notification, network telemetry and takedown coordination. Greater visibility into outbound connections from infected endpoints, faster suspension of malicious virtual servers, stronger identity checks for hosting customers and closer cooperation with national cyber agencies could reduce the persistence of such infrastructure. Enterprises using regional providers may also need to review egress filtering, DNS monitoring, endpoint controls and threat-hunting rules tied to suspicious C2 behaviour.
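The provider-level view and the recurring-trait pivot described in the two preceding paragraphs, as an added example that is not part of the article: it aggregates constructed C2 observations per provider, clusters IPs that reuse one certificate fingerprint, and checks constructed outbound-connection log lines against both. All IPs, provider names, certificate hashes and the log format are made up for the example.

```python
from collections import Counter, defaultdict

# Constructed sample of observed C2 servers: hypothetical IPs from the RFC 5737
# documentation ranges, made-up provider names and made-up certificate fingerprints.
OBSERVED_C2 = [
    {"ip": "198.51.100.10", "provider": "Carrier-A", "cert": "c1", "family": "Mirai"},
    {"ip": "198.51.100.11", "provider": "Carrier-A", "cert": "c2", "family": "Mozi"},
    {"ip": "198.51.100.12", "provider": "Carrier-A", "cert": "c1", "family": "Mirai"},
    {"ip": "203.0.113.5", "provider": "VPS-B", "cert": "c3", "family": "Cobalt Strike"},
    {"ip": "203.0.113.6", "provider": "VPS-B", "cert": "c3", "family": "Cobalt Strike"},
    {"ip": "192.0.2.20", "provider": "Host-C", "cert": "c4", "family": "AsyncRAT"},
]

# Constructed outbound-connection log lines from an enterprise edge (key=value fields).
EGRESS_LOG = [
    "ts=2024-03-01T10:00:00Z src=10.0.0.5 dst=203.0.113.5 dport=443 cert=c3",
    "ts=2024-03-01T10:00:05Z src=10.0.0.7 dst=203.0.113.9 dport=443 cert=c3",
    "ts=2024-03-01T10:00:09Z src=10.0.0.9 dst=192.0.2.99 dport=443 cert=benign",
]

def provider_share(records):
    """Count C2 servers per provider and return (provider, count, share %) descending:
    the provider-level view rather than a flat list of individual IPs."""
    counts = Counter(r["provider"] for r in records)
    total = sum(counts.values())
    return [(p, n, round(100 * n / total, 1)) for p, n in counts.most_common()]

def recurring_cert_clusters(records, min_ips=2):
    """Group C2 IPs that present the same certificate fingerprint. An operator who
    rotates IPs but reuses a cert leaves a pivot that survives takedown of any one host."""
    by_cert = defaultdict(set)
    for r in records:
        by_cert[r["cert"]].add(r["ip"])
    return {c: sorted(ips) for c, ips in by_cert.items() if len(ips) >= min_ips}

def hunt_egress(log_lines, records):
    """Flag outbound connections to known C2 IPs, and to IPs not yet on any list that
    present a certificate already seen on C2 infrastructure (the recurring-trait check)."""
    known_ips = {r["ip"] for r in records}
    known_certs = {r["cert"] for r in records}
    hits = []
    for line in log_lines:
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        dst, cert = fields.get("dst"), fields.get("cert")
        if dst in known_ips:
            hits.append((dst, "known C2 IP"))
        elif cert in known_certs:
            hits.append((dst, f"new IP reusing C2 certificate {cert}"))
    return hits
```

The second log line is the interesting case: its destination is on no list, but it presents a certificate the Cobalt Strike hosts already used, which is exactly the kind of reuse the article says survives IP rotation.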
The findings also carry a commercial message for the region's digital economy. Gulf and Middle East economies are investing heavily in cloud services, artificial intelligence infrastructure, fintech, digital government and smart-city platforms. Those ambitions depend on trusted connectivity. A telecom or hosting ecosystem repeatedly used by attackers can become a silent operational base for campaigns aimed at banks, energy firms, transport networks, public bodies and cross-border supply chains.