Overview
A newly released threat intelligence report has uncovered how hackers are abusing telecom networks and hosting providers across the Middle East to run large‑scale command‑and‑control (C2) operations. Trusted infrastructure is being turned into a launchpad for cyberattacks, with more than 1,350 active C2 servers identified across 98 providers in just three months.
Researchers analyzed networks in 14 countries, including Saudi Arabia, the UAE, Turkey, Israel, Iraq, Iran, Egypt, and Syria. Shockingly, C2 infrastructure accounted for 93% of all malicious activity detected in the region.

Key Highlights
- Saudi Telecom Company (STC) hosts 981 C2 servers, representing 72.4% of all regional C2 infrastructure — the largest concentration globally.
- Other major telecoms include Türk Telekom, Mobily, and SERVERS TECH FZCO (UAE), each showing significant malicious activity.
- Regxa Company (Iraq) recorded 38 C2 servers and the highest bulletproof rating, a measure of how slowly a provider responds to abuse reports.
- Detected malware families include Tactical RMM, Keitaro TDS, Phorpiex (Twizt), RondoDox, EchoGather RAT, and DYNOWIPER.
- Offensive frameworks such as Cobalt Strike, Sliver, and AsyncRAT were also active across the same networks.

Impact
The findings reveal a shared infrastructure between criminal groups and nation‑state actors, blurring the line between espionage and cybercrime.
- IoT botnets, phishing kits, ransomware delivery systems, and espionage tools are all operating on compromised telecom networks.
- Phorpiex (Twizt) botnet was found on Syrian Telecom, delivering encrypted payloads and cryptocurrency miners.
- The Eagle Werewolf cluster used Regxa (Iraq) hosting to deploy remote‑access tools via phishing lures themed around Starlink and drone training.
- On Mobily (Saudi Arabia), attackers exploited CVE‑2025‑11953 in React Native CLI to disable security tools before downloading malware.
- Iranian CDN AbrArvan hosted the RondoDox botnet, peaking at 15,000 daily exploit attempts.

Defensive Guidance
Security teams are urged to shift focus from chasing individual indicators to monitoring network‑level patterns and provider‑level infrastructure.
- Track hosting providers and ASNs used repeatedly by attackers.
- Correlate C2 infrastructure to anticipate attacker behavior.
- Implement proactive threat intelligence to detect abuse before escalation.
- Collaborate with telecom operators to strengthen regional cyber defenses.
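The guidance above amounts to collapsing per-IP indicators into provider- and ASN-level patterns and flagging providers where C2 infrastructure concentrates or is reused across malware families. The following script is an added illustration of that aggregation, not code from the report or its authors. It runs on a constructed sample feed: the IPs are RFC 5737 documentation addresses, the ASNs are RFC 5398 documentation ASNs, and the provider names are placeholders; only the malware family labels come from the page.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class C2Observation:
    """One sighting of a C2 server, shaped like a row from a threat-intel feed."""
    ip: str
    asn: str
    provider: str
    family: str
    first_seen: str  # ISO date of the sighting


@dataclass
class ProviderSummary:
    """Provider-level view built from many per-IP indicators."""
    asn: str
    servers: set = field(default_factory=set)   # unique C2 IPs seen on this provider
    families: set = field(default_factory=set)  # distinct malware families using them
    share: float = 0.0  # fraction of all unique C2 servers hosted by this provider


# Constructed sample feed (placeholder providers, documentation IPs and ASNs).
# The last row re-observes an IP already present, so deduplication matters.
SAMPLE_FEED = [
    C2Observation("192.0.2.10", "AS64496", "Example Telecom A", "cobalt_strike", "2025-01-03"),
    C2Observation("192.0.2.11", "AS64496", "Example Telecom A", "cobalt_strike", "2025-01-05"),
    C2Observation("192.0.2.12", "AS64496", "Example Telecom A", "cobalt_strike", "2025-01-09"),
    C2Observation("192.0.2.20", "AS64496", "Example Telecom A", "asyncrat", "2025-01-10"),
    C2Observation("192.0.2.21", "AS64496", "Example Telecom A", "asyncrat", "2025-02-01"),
    C2Observation("192.0.2.30", "AS64496", "Example Telecom A", "phorpiex", "2025-02-14"),
    C2Observation("198.51.100.5", "AS64497", "Example Hosting B", "sliver", "2025-01-20"),
    C2Observation("198.51.100.6", "AS64497", "Example Hosting B", "sliver", "2025-02-02"),
    C2Observation("203.0.113.40", "AS64498", "Example CDN C", "rondodox", "2025-01-15"),
    C2Observation("203.0.113.41", "AS64498", "Example CDN C", "keitaro_tds", "2025-03-01"),
    C2Observation("192.0.2.10", "AS64496", "Example Telecom A", "cobalt_strike", "2025-02-20"),
]


def summarize_by_provider(observations):
    """Collapse per-IP indicators into per-provider counts, ignoring repeat sightings."""
    summaries = {}
    for obs in observations:
        summary = summaries.setdefault(obs.provider, ProviderSummary(asn=obs.asn))
        summary.servers.add(obs.ip)
        summary.families.add(obs.family)
    total_servers = len({obs.ip for obs in observations})
    for summary in summaries.values():
        summary.share = len(summary.servers) / total_servers if total_servers else 0.0
    return summaries


def flag_providers(summaries, share_threshold=0.5, min_servers=2, min_families=2):
    """Return provider -> reasons for providers that warrant provider-level monitoring.

    'concentration': the provider hosts at least share_threshold of all C2 servers.
    'family_reuse':  several distinct families run C2 there, the shared-infrastructure
                     pattern the report describes between criminal and state actors.
    """
    flags = {}
    for provider, summary in summaries.items():
        reasons = []
        if summary.share >= share_threshold:
            reasons.append("concentration")
        if len(summary.servers) >= min_servers and len(summary.families) >= min_families:
            reasons.append("family_reuse")
        if reasons:
            flags[provider] = reasons
    return flags


if __name__ == "__main__":
    summaries = summarize_by_provider(SAMPLE_FEED)
    for provider, s in sorted(summaries.items(), key=lambda kv: -len(kv[1].servers)):
        print(f"{provider} ({s.asn}): {len(s.servers)} servers, "
              f"{s.share:.1%} of total, families={sorted(s.families)}")
    print("flagged:", flag_providers(summaries))
```

On the sample feed the placeholder telecom is flagged for both concentration (6 of 10 unique servers) and family reuse, the CDN placeholder only for family reuse, and the two-server single-family host not at all. Swapping the constructed list for a real feed export keeps the logic unchanged; the thresholds are the tuning knobs a team would set from its own baseline.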

Final Thought
The abuse of Middle Eastern telecom networks underscores a critical shift in attacker strategy — exploiting trusted infrastructure instead of obscure servers. As cybercriminals and state actors converge on the same networks, defenders must evolve from reactive detection to infrastructure‑centric threat anticipation.