Malicious infrastructure provider concentration
Summary
Hunt.io's 2026 regional infrastructure reports are useful reminders that defender value is often at the hosting-provider and ASN layer, not only at the individual indicator layer. Its May 2026 Middle East report covered more than 1,350 active C2 servers across 98 Middle East infrastructure providers in 14 countries; its June 2026 Eastern Europe report expanded the same pattern to more than 3,900 active C2 servers across 302 providers in 10 countries, again with activity heavily concentrated in a small number of hosting and telecommunications networks.
Treat this as a reusable pattern: attackers rotate domains, IPs, payloads, and disposable panels quickly, but the providers, ASNs, abuse-response gaps, payment models, and compromised access networks they return to can remain stable enough to drive exposure review, risk scoring, and threat hunting.
Tags
- patterns
- infrastructure
- C2
- command and control
- hosting providers
- ASNs
- telecommunications
- abuse response
- Middle East
- Hunt.io
- Host Radar
- Tactical RMM
- Keitaro
- Mozi
- Hajime
- Mirai
- Sliver
- Cobalt Strike
- incident response
Why this matters
- Disposable IOCs are still useful for blocking and triage, but they age quickly; provider-level concentration can show where multiple unrelated operations keep reappearing.
- Concentrated abuse can come from different causes: compromised customer endpoints, permissive VPS hosting, slow abuse handling, weak customer screening, cryptocurrency payment support, or regional connectivity that actors find useful.
- A single provider can host very different activity classes at once, including botnet C2, offensive-security frameworks, phishing, exposed staging directories, MaaS panels, cryptomining, and state-aligned intrusion infrastructure.
- Provider-level context helps defenders prioritize enrichment, egress review, ASN risk scoring, third-party allowlists, and incident scoping without publishing or depending on a static list of quickly rotating IP addresses.
Hunt.io Eastern Europe case study
Hunt.io's June 2026 Host Radar analysis covered Belarus, Bulgaria, the Czech Republic, Hungary, Poland, Moldova, Romania, Russia, Slovakia, and Ukraine over a March 12-June 12, 2026 observation window.
Key reported observations:
- Hunt.io identified 3,923 C2 servers within 4,331 total malicious detections across 302 Eastern European infrastructure providers.
- Friendhosting LTD in Bulgaria accounted for 2,100 detected C2 servers, about 53.5% of the regional C2 dataset.
- Other top C2 concentrations included JSC TIMEWEB with 277 detections, PQ HOSTING PLUS S.R.L. with 175, Neterra with 137, AlexHost with 120, WebHost1 with 118, ZetServers with 101, Webinvest Plus with 88, VDSina with 77, and M247 with 66.
- Malware-family clustering was led by Keitaro with 1,277 unique C2 IPs, followed by Tactical RMM with 232, Acunetix with 173, Gophish with 122, Hajime with 106, Mozi with 82, Cobalt Strike with 35 verified plus 44 unverified detections, Sliver with 35, and Mirai with 27.
- Hunt.io tied the provider-level view back to concrete campaigns, including Cloud Atlas infrastructure on M247 Europe,
@velora-dex/sdk/ MINIRAT staging on Romanian AS9009 infrastructure, Oracle PeopleSoft CVE-2026-35273 exploitation linked to Proton66 OOO infrastructure, Nemesys ransomware activity from FlyServers, Fluffy Wolf phishing and Black Basta-affiliate Teams vishing infrastructure on VDSina, Silent Ransom Group fast-flux infrastructure on A1 Bulgaria, and XenoRAT signals connected to The Gentlemen ransomware operations. - At a subsystem level, Hunt.io reported management infrastructure as the largest category with 1,496 unique IPs in the analyzed cut, followed by explicitly tagged C2 infrastructure, red-team tools, phishing infrastructure, and smaller dedicated team-server infrastructure.
The Eastern Europe report reinforces the core defender lesson from earlier regional studies: a small number of hosting relationships can carry many distinct criminal, ransomware, traffic-distribution, remote-management, and state-aligned activity clusters at once.
Hunt.io Middle East case study
Hunt.io analyzed telemetry across providers in the UAE, Saudi Arabia, Turkey, Israel, Iraq, Iran, Cyprus, Egypt, Kuwait, Lebanon, Palestine, Jordan, Bahrain, and Syria.
Key reported observations:
- Hunt.io identified more than 1,350 C2 servers across 98 providers during the three-month window.
- The broader dataset contained 1,459 malicious artifacts, including 1,357 C2 servers, 45 malicious open directories, 7 phishing sites, 7 public IOCs, and 43 IOC Hunter posts.
- C2 activity dominated the dataset; Hunt.io described C2 infrastructure as roughly 93% of observed artifacts in the detailed dataset and used a higher ~96.8% figure in its key-observation framing.
- STC / Saudi Telecom Company accounted for 981 detected C2 servers, about 72.4% of the regional C2 dataset. Hunt.io caveats that this likely reflects abuse of a large telecommunications network and customer base rather than provider-hosted infrastructure alone.
- Other top C2 concentrations included SERVERS TECH FZCO in the UAE with 111 C2 detections, O.M.C. Computers & Communications in Israel with 62, Türk Telekom with 44, and Regxa Company for Information Technology in Iraq with 38.
- Malware-family clustering included Tactical RMM with 92 unique C2 IPs, Keitaro with 71, Acunetix with 38, Gophish with 31, Mozi with 24, Hajime with 22, Prism X with 13, AsyncRAT with 12, Sliver with 10, Cobalt Strike with 8, and Mirai with 8.
Hunt.io also highlighted operational examples mapped into regional infrastructure, including Phorpiex / Twizt botnet C2, Eagle Werewolf-linked espionage infrastructure on Iraqi hosting, Cloud Storage-themed phishing on Turkish hosting, Metro4Shell exploitation activity sourced from Saudi infrastructure, RondoDox botnet exploitation infrastructure in Iran, AI-compressed AWS intrusion activity sourced from Egyptian ISP space, ClickFix chains, FakeGit loader infrastructure, GrayCharlie / NetSupport RAT redirects, and MaaS customer panels.
Defender heuristics
Enrichment and prioritization
- Add ASN, organization, hosting-provider, country, payment-model, and abuse-response context to C2, phishing, open-directory, and malware-download indicators.
- Track provider recurrence across incidents: multiple malware families, unrelated campaigns, exposed directories, and repeated staging on the same provider should raise review priority.
- Separate provider-hosted VPS abuse from compromised access-network endpoints when possible. Large telecom concentrations may require customer-edge compromise handling rather than provider takedown assumptions.
- Build internal watchlists for providers and ASNs that repeatedly appear in confirmed incidents, but avoid blanket blocking when they also carry legitimate customer traffic.
Hunting
- Pivot from known C2 IPs to neighboring infrastructure only with context: same ASN, same org, same certificate patterns, same uncommon ports, same HTTP titles, same panel fingerprints, same SSH keys, same directory layouts, or same malware-family telemetry.
- Hunt for outbound connections to high-recurrence providers after initial access, especially from servers, developer workstations, CI runners, identity systems, EDR management planes, and backup infrastructure.
- Correlate provider-level egress with remote-management tools and offensive frameworks such as Tactical RMM, Sliver, Cobalt Strike, AsyncRAT, Gophish, Keitaro, Mirai-family botnets, Mozi, and Hajime.
- Treat malicious open directories in recurring-provider space as staging opportunities: collect safely, avoid redistributing victim data, and preserve timestamps, filenames, server headers, and directory structure for incident correlation.
Response and policy
- Use provider-level evidence to drive targeted takedown requests and abuse escalation, but include concrete indicators, timestamps, ports, URLs, and malware-family context.
- Tune allowlists for business-critical cloud and telecommunications providers with more granular controls, such as SNI, destination port, process lineage, JA3/JA4, HTTP title, or workload identity.
- Feed recurring-provider intelligence into third-party risk reviews, especially for SaaS, hosting, telecom, and managed-service dependencies that have access to sensitive environments.
- Avoid publishing raw victim-specific infrastructure lists when they may expose compromised customers. Prefer aggregated patterns, provider-level counts, and defensive pivots unless the source intentionally publishes indicators.
Source caveats
- Hunt.io's dataset is telemetry-derived and scoped to its observation methods, product labeling, and February-May 2026 window; do not treat the counts as a complete census of all regional malicious infrastructure.
- Provider concentration does not by itself prove provider complicity. Large telecommunications networks can appear because many customer endpoints are compromised or reachable.
- Malware-family names in infrastructure telemetry can reflect scanners, panels, signatures, or overlaps; confirm with payload, network, and host evidence before making actor-level claims.
Related pages
- Hunt.io global smishing infrastructure campaign
- PCPJack cloud SMTP relay network
- JDY SOHO / IoT reconnaissance botnet
- Oman government Iranian-nexus webshell C2
- Operation Highland Velvet Ant authentication-stack backdoors
Sources
- Hunt.io: https://hunt.io/blog/eastern-europe-malicious-infrastructure-report
- Hunt.io: https://hunt.io/blog/middle-east-malicious-infrastructure-report