Malicious infrastructure provider concentration
Summary
Hunt.io's May 2026 Middle East infrastructure report is a useful reminder that defender value is often at the hosting-provider and ASN layer, not only at the individual indicator layer. Across a February 1-May 1, 2026 observation window, Hunt.io reported more than 1,350 active C2 servers across 98 Middle East infrastructure providers in 14 countries, with C2 activity heavily concentrated in a small number of telecommunications and hosting networks.
Treat this as a reusable pattern: attackers rotate domains, IPs, payloads, and disposable panels quickly, but the providers, ASNs, abuse-response gaps, payment models, and compromised access networks they return to can remain stable enough to drive exposure review, risk scoring, and threat hunting.
Tags
- patterns
- infrastructure
- C2
- command and control
- hosting providers
- ASNs
- telecommunications
- abuse response
- Middle East
- Hunt.io
- Host Radar
- Tactical RMM
- Keitaro
- Mozi
- Hajime
- Mirai
- Sliver
- Cobalt Strike
- incident response
Why this matters
- Disposable IOCs are still useful for blocking and triage, but they age quickly; provider-level concentration can show where multiple unrelated operations keep reappearing.
- Concentrated abuse can come from different causes: compromised customer endpoints, permissive VPS hosting, slow abuse handling, weak customer screening, cryptocurrency payment support, or regional connectivity that actors find useful.
- A single provider can host very different activity classes at once, including botnet C2, offensive-security frameworks, phishing, exposed staging directories, MaaS panels, cryptomining, and state-aligned intrusion infrastructure.
- Provider-level context helps defenders prioritize enrichment, egress review, ASN risk scoring, third-party allowlists, and incident scoping without publishing or depending on a static list of quickly rotating IP addresses.
Hunt.io Middle East case study
Hunt.io analyzed telemetry across providers in the UAE, Saudi Arabia, Turkey, Israel, Iraq, Iran, Cyprus, Egypt, Kuwait, Lebanon, Palestine, Jordan, Bahrain, and Syria.
Key reported observations:
- Hunt.io identified more than 1,350 C2 servers across 98 providers during the three-month window.
- The broader dataset contained 1,459 malicious artifacts, including 1,357 C2 servers, 45 malicious open directories, 7 phishing sites, 7 public IOCs, and 43 IOC Hunter posts.
- C2 activity dominated the dataset; Hunt.io described C2 infrastructure as roughly 93% of observed artifacts in the detailed dataset and used a higher ~96.8% figure in its key-observation framing.
- STC / Saudi Telecom Company accounted for 981 detected C2 servers, about 72.4% of the regional C2 dataset. Hunt.io notes that this likely reflects abuse of a large telecommunications network and its customer base rather than provider-hosted infrastructure alone.
- Other top C2 concentrations included SERVERS TECH FZCO in the UAE with 111 C2 detections, O.M.C. Computers & Communications in Israel with 62, Türk Telekom with 44, and Regxa Company for Information Technology in Iraq with 38.
- Malware-family clustering included Tactical RMM with 92 unique C2 IPs, Keitaro with 71, Acunetix with 38, Gophish with 31, Mozi with 24, Hajime with 22, Prism X with 13, AsyncRAT with 12, Sliver with 10, Cobalt Strike with 8, and Mirai with 8.
Hunt.io also highlighted operational examples mapped into regional infrastructure, including Phorpiex / Twizt botnet C2, Eagle Werewolf-linked espionage infrastructure on Iraqi hosting, Cloud Storage-themed phishing on Turkish hosting, Metro4Shell exploitation activity sourced from Saudi infrastructure, RondoDox botnet exploitation infrastructure in Iran, AI-compressed AWS intrusion activity sourced from Egyptian ISP space, ClickFix chains, FakeGit loader infrastructure, GrayCharlie / NetSupport RAT redirects, and MaaS customer panels.
Defender heuristics
Enrichment and prioritization
- Add ASN, organization, hosting-provider, country, payment-model, and abuse-response context to C2, phishing, open-directory, and malware-download indicators.
- Track provider recurrence across incidents: multiple malware families, unrelated campaigns, exposed directories, and repeated staging on the same provider should raise review priority.
- Separate provider-hosted VPS abuse from compromised access-network endpoints when possible. Large telecom concentrations usually point to compromised customer-edge devices, which calls for endpoint-level handling rather than an assumption that a provider takedown will end the activity.
- Build internal watchlists for providers and ASNs that repeatedly appear in confirmed incidents, but avoid blanket blocking when they also carry legitimate customer traffic.
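The enrichment and recurrence-tracking steps above, as an added example written for this page (not Hunt.io's tooling or data): the prefix table, ASNs, provider names and incident indicators are constructed, and the scoring weights are an assumption. It groups indicators by ASN, scores a provider by how many unrelated campaigns, families and artifact kinds recur there rather than by raw IP count, and routes telecom concentrations to customer-edge handling.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed prefix -> (ASN, org, network type) table standing in for real RIR/ASN enrichment; all values hypothetical.
PREFIXES = {
    "198.51.100.0/24": ("AS64500", "ExampleHost VPS", "hosting"),
    "203.0.113.0/24": ("AS64501", "ExampleTelecom", "telecom"),
}

def enrich(ip):
    """Return (asn, org, network_type) for an IP, or None when no prefix matches."""
    addr = ip_address(ip)
    return next((m for c, m in PREFIXES.items() if addr in ip_network(c)), None)

def provider_recurrence(indicators):
    """Group indicators by ASN and record what keeps reappearing in that network."""
    stats = defaultdict(lambda: {"org": None, "type": None, "ips": set(), "family": set(), "campaign": set(), "kind": set()})
    for ind in indicators:
        meta = enrich(ind["ip"])
        if meta is None:
            continue  # unknown space: the IOC stays useful, it just adds no provider context
        s = stats[meta[0]]
        s["org"], s["type"] = meta[1], meta[2]
        s["ips"].add(ind["ip"])
        for key in ("family", "campaign", "kind"):
            s[key].add(ind[key])
    return stats

def review_priority(s):
    """Weight unrelated campaigns, families and mixed artifact kinds above raw IP count."""
    score = 2 * len(s["campaign"]) + 2 * len(s["family"]) + len(s["kind"])
    # Telecom concentrations usually mean compromised customer edges, not provider-hosted C2.
    handling = ("customer-edge compromise; per-endpoint abuse reports" if s["type"] == "telecom"
                else "VPS abuse; provider abuse escalation and egress review")
    return score, handling

def ranked_providers(indicators):
    """Return [(asn, org, score, handling)] sorted by descending review priority."""
    rows = [(asn, s["org"], *review_priority(s)) for asn, s in provider_recurrence(indicators).items()]
    return sorted(rows, key=lambda r: -r[2])

# Constructed sample indicators: three hypothetical incidents plus one botnet sweep.
SAMPLE = [
    {"ip": "198.51.100.7", "family": "Sliver", "campaign": "IR-1", "kind": "c2"},
    {"ip": "198.51.100.9", "family": "Gophish", "campaign": "IR-2", "kind": "phishing"},
    {"ip": "198.51.100.22", "family": "unknown", "campaign": "IR-3", "kind": "open_directory"},
    {"ip": "203.0.113.5", "family": "Mozi", "campaign": "botnet", "kind": "c2"},
    {"ip": "203.0.113.6", "family": "Mozi", "campaign": "botnet", "kind": "c2"},
    {"ip": "192.0.2.4", "family": "Mirai", "campaign": "botnet", "kind": "c2"},  # no prefix match
]
```

With this sample the diverse VPS host outranks the telecom even though the telecom carries as many botnet IPs as the host carries incidents, which is the point of weighting recurrence over volume.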
Hunting
- Pivot from known C2 IPs to neighboring infrastructure only with context: same ASN, same org, same certificate patterns, same uncommon ports, same HTTP titles, same panel fingerprints, same SSH keys, same directory layouts, or same malware-family telemetry.
- Hunt for outbound connections to high-recurrence providers after initial access, especially from servers, developer workstations, CI runners, identity systems, EDR management planes, and backup infrastructure.
- Correlate provider-level egress with remote-management tools and offensive frameworks such as Tactical RMM, Sliver, Cobalt Strike, AsyncRAT, Gophish, Keitaro, Mirai-family botnets, Mozi, and Hajime.
- Treat malicious open directories in recurring-provider space as evidence of attacker staging and as collection opportunities: collect safely, avoid redistributing victim data, and preserve timestamps, filenames, server headers, and directory structure for incident correlation.
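The egress-hunting heuristic above, combined with the granular allowlisting described under response and policy, as an added example (not from the original page or from Hunt.io): the watchlist, ASNs, prefixes, allow rule and egress events are all constructed. Rather than blocking a whole provider, it suppresses only traffic matched by a narrow (ASN, SNI, port, process) allow rule and raises severity for sensitive source roles and uncommon destination ports.

```python
from ipaddress import ip_address, ip_network

# Constructed watchlist of high-recurrence providers (hypothetical ASNs and prefixes, not Hunt.io data).
WATCHLIST = {
    "AS64500": {"org": "ExampleHost VPS", "prefixes": ["198.51.100.0/24"]},
    "AS64501": {"org": "ExampleTelecom", "prefixes": ["203.0.113.0/24"]},
}
# Granular allow rules instead of blanket blocking: (asn, sni, dst_port, process).
# The telecom also serves legitimate mail for a business partner (hypothetical).
ALLOW = {("AS64501", "mail.partner.example", 443, "outlook.exe")}
# Source roles whose outbound traffic to recurring providers deserves a high severity.
SENSITIVE_ROLES = {"server", "dev-workstation", "ci-runner", "identity", "edr-console", "backup"}

def lookup_asn(ip):
    """Return the watchlisted ASN containing ip, or None if it is not on the list."""
    addr = ip_address(ip)
    for asn, meta in WATCHLIST.items():
        if any(addr in ip_network(p) for p in meta["prefixes"]):
            return asn
    return None

def hunt(events):
    """Flag egress to watchlisted providers that no granular allow rule covers.
    Each event: {host, src_role, process, dst_ip, dst_port, sni}."""
    findings = []
    for ev in events:
        asn = lookup_asn(ev["dst_ip"])
        if asn is None:
            continue
        if (asn, ev.get("sni"), ev["dst_port"], ev["process"]) in ALLOW:
            continue  # expected business use of an otherwise recurring provider
        reasons = [f"egress to {WATCHLIST[asn]['org']} ({asn})"]
        severity = "medium"
        if ev["src_role"] in SENSITIVE_ROLES:
            severity, reasons = "high", reasons + [f"sensitive source role {ev['src_role']}"]
        if ev["dst_port"] not in (80, 443):
            severity, reasons = "high", reasons + [f"uncommon port {ev['dst_port']}"]
        if ev["dst_port"] == 443 and not ev.get("sni"):
            reasons.append("TLS without SNI")  # browsers almost always send SNI
        findings.append({"host": ev["host"], "severity": severity, "asn": asn, "reasons": reasons})
    return findings

# Constructed sample egress events (e.g. Zeek conn/ssl records joined with EDR process data).
EVENTS = [
    {"host": "ci-01", "src_role": "ci-runner", "process": "python3", "dst_ip": "198.51.100.7", "dst_port": 8443, "sni": None},
    {"host": "ws-17", "src_role": "user-workstation", "process": "outlook.exe", "dst_ip": "203.0.113.20", "dst_port": 443, "sni": "mail.partner.example"},
    {"host": "ws-22", "src_role": "user-workstation", "process": "svchost.exe", "dst_ip": "203.0.113.9", "dst_port": 443, "sni": None},
    {"host": "db-03", "src_role": "server", "process": "curl", "dst_ip": "192.0.2.77", "dst_port": 443, "sni": "repo.example"},
]
```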
Response and policy
- Use provider-level evidence to drive targeted takedown requests and abuse escalation, but include concrete indicators, timestamps, ports, URLs, and malware-family context.
- Tune allowlists for business-critical cloud and telecommunications providers with more granular controls, such as SNI, destination port, process lineage, JA3/JA4, HTTP title, or workload identity.
- Feed recurring-provider intelligence into third-party risk reviews, especially for SaaS, hosting, telecom, and managed-service dependencies that have access to sensitive environments.
- Avoid publishing raw victim-specific infrastructure lists when they may expose compromised customers. Prefer aggregated patterns, provider-level counts, and defensive pivots unless the source intentionally publishes indicators.
Source caveats
- Hunt.io's dataset is telemetry-derived and scoped to its observation methods, product labeling, and February-May 2026 window; do not treat the counts as a complete census of all regional malicious infrastructure.
- Provider concentration does not by itself prove provider complicity. Large telecommunications networks can appear because many customer endpoints are compromised or reachable.
- Malware-family names in infrastructure telemetry can reflect scanners, panels, signatures, or overlaps; confirm with payload, network, and host evidence before making actor-level claims.
Related pages
- Hunt.io global smishing infrastructure campaign
- PCPJack cloud SMTP relay network
- JDY SOHO / IoT reconnaissance botnet
- Oman government Iranian-nexus webshell C2
- Operation Highland Velvet Ant authentication-stack backdoors
Sources
- Hunt.io: https://hunt.io/blog/middle-east-malicious-infrastructure-report