Executive Summary
A comprehensive threat intelligence investigation analyzing regional network telemetry from February 1 to May 1, 2026, has revealed systematic exploitation of commercial telecommunications networks, cloud service nodes, and Virtual Private Server (VPS) clusters across fourteen Middle Eastern countries. This operations base consists of 1,357 verified active Command-and-Control (C2) servers distributed across 98 distinct network infrastructure providers.
The underlying data indicates an architectural shift in how Advanced Persistent Threats (APTs) and elite cybercriminal syndicates deploy operational infrastructure. Rather than relying entirely on specialized “bulletproof” networks or isolated “dark” infrastructure, threat actors are aggressively co-opting legitimate, high-volume commercial and state-owned telecommunications networks. Malicious entities leverage the immense customer scale and structural anonymity of these providers to blend C2 data traffic into standard commercial data streams.
A single state-backed telecommunications provider, Saudi Telecom Company (STC), hosts 72.4% of all regional C2 nodes, the densest concentration of malicious command infrastructure this dataset has observed within a single network provider. Traditional security strategies reliant on ephemeral Indicators of Compromise (IOCs), such as individual IP addresses or domain names, are systematically failing because threat actors rotate these identifiers daily while consistently maintaining operations within the same core Autonomous System Numbers (ASNs). This assessment breaks down the technological mechanisms, geographical nodes, attribution vectors, and comparable global operational precedents defining this threat ecosystem.
Three Key Takeaways
- Systemic Co-optation of Commercial Telecoms: Advanced Persistent Threats (APTs) and cybercriminal networks are shifting away from traditional “bulletproof” hosting providers. Instead, they are systematically co-opting legitimate, high-volume national telecommunications networks, such as Saudi Telecom Company (STC), which hosts 72.4% of the regional C2 nodes analyzed, to blend malicious command-and-control (C2) traffic directly into normal enterprise and consumer data streams.
- Living off the Cloud via Abused RMM and TDS Tools: Threat actors are heavily leveraging legitimate software to evade Endpoint Detection and Response (EDR) platforms. The open-source Tactical RMM agent is the single most common C2 tooling class in the dataset, used to maintain persistence and execute commands, while the commercial Keitaro Traffic Distribution System (TDS) is deployed to fingerprint incoming connections and redirect security researchers and sandboxes away from live payloads.
- Active Exploitation of Developer Infrastructure: Vulnerabilities within modern developer toolchains are being actively weaponized to anchor these networks. Recent cases demonstrate actors utilizing compromised infrastructure to systematically target remote code execution flaws like CVE-2025-11953 (Metro4Shell) in React Native development environments, turning local developer systems into staging grounds for deeper enterprise intrusions.
Infrastructure Architecture & Nodes: Breakdown by Country and Provider
The geopolitical landscape of Middle Eastern infrastructure is highly centralized, with a small number of Tier-1 and Tier-2 telecommunications providers accounting for a vast percentage of regional web traffic. The threat data reflects this distribution, revealing that a handful of national operators act as the principal backbone for global adversary control networks.

Kingdom of Saudi Arabia (KSA)
- Total Identified C2 Nodes: ~985+
- Regional Percentage: ~72.6%
- Primary Infrastructure Providers Impacted: Saudi Telecom Company (STC), Mobily (Etisalat-affiliated).
- Analysis: STC alone accounts for 981 unique C2 servers (72.4% of the full dataset). The assessment indicates this concentration is not driven by a systemic compromise of STC’s core routers or central switches. Instead, threat actors exploit the vast footprint of STC’s enterprise, consumer, and cloud customer base: compromised corporate networks, unpatched regional endpoints, and poorly secured localized cloud instances are repurposed into persistent C2 staging environments. On the separate Mobily network, exploitation activity was observed using newly weaponized vulnerabilities to establish secondary footholds.
United Arab Emirates (UAE)
- Total Identified C2 Nodes: ~115
- Regional Percentage: ~8.5%
- Primary Infrastructure Providers Impacted: SERVERS TECH FZCO.
- Analysis: Unlike the pattern in Saudi Arabia, where a primary telecom provider’s customer footprint is abused, the UAE’s footprint centers heavily on SERVERS TECH FZCO, a specialized Free Zone Company hosting provider. This network was found to host 111 active C2 servers. Analysts observed high-density clusters of malicious open directories alongside these C2 endpoints, signifying that this environment is actively being used as a hybrid infrastructure base: serving both as a command center and a staging repository for malware payload distribution.
State of Israel
- Total Identified C2 Nodes: 62
- Regional Percentage: 4.6%
- Primary Infrastructure Providers Impacted: O.M.C. Computers & Communications Ltd (OMC).
- Analysis: OMC is a prominent Israeli commercial telecommunications and web hosting company. Over the 90-day tracking window, it maintained 62 active C2 nodes. Crucially, the infrastructure profile within OMC lacked broader malicious indicators such as open directories, scanning telemetry, or active phishing sites. This specific signature indicates isolated infrastructure abuse, meaning adversaries are deliberately acquiring or compromising precise VPS allocations inside Israel to act as covert data collection points for targeted operations.
Republic of Turkey
- Total Identified C2 Nodes: 44
- Regional Percentage: 3.2%
- Primary Infrastructure Providers Impacted: Türk Telekom.
- Analysis: Türk Telekom exhibits the highest malware diversity ratio in the entire regional dataset, supporting six distinct malware families across just nine primary IP subnets. In addition to 44 distinct C2 endpoints, researchers discovered six active malicious open directories. The co-location of command servers and exposed file directories implies that compromised Turkish telecommunications infrastructure is being dual-utilized as operational control centers and frontline staging platforms for multi-stage network intrusions.
Republic of Iraq
- Total Identified C2 Nodes: 38
- Regional Percentage: 2.8%
- Primary Infrastructure Providers Impacted: Regxa Company for Information Technology Ltd.
- Analysis: Regxa Company, a prominent Iraqi IT solutions provider, exhibits an extremely high concentration of malicious activity relative to its total network size. Critically, threat intelligence evaluation assigned Regxa the highest “bulletproof hosting” risk rating in the dataset. This assessment is based on the provider’s persistent failure to respond to international abuse notifications, slow takedown compliance, and repeated reuse of its IP space by known threat actors.
Islamic Republic of Iran
- Total Identified C2 Nodes: ~25+
- Regional Percentage: ~1.8%
- Primary Infrastructure Providers Impacted: AbrArvan CDN (ArvanCloud).
- Analysis: Iranian infrastructure, primarily utilizing the domestic Content Delivery Network (CDN) provider AbrArvan, was heavily leveraged to mask high-volume botnet scanning and command distribution. Adversaries route traffic through local CDN nodes to bypass geographic filtering and shield the true source origin of their operations.
Arab Republic of Egypt & Syrian Arab Republic
- Total Identified C2 Nodes: ~20
- Regional Percentage: ~1.5%
- Primary Infrastructure Providers Impacted: TE Data (Telecom Egypt), Syrian Telecom.
- Analysis: While smaller in absolute numbers, these networks host high-impact, destructive campaigns. Syrian Telecom hosted hybrid criminal-state infrastructure used to launch multi-stage ransomware and financial extraction operations, while TE Data infrastructure was co-opted to execute highly targeted cloud intrusion campaigns.

Technology Stack & Adversary Tradecraft

The 1,357 C2 nodes identified are not monolithic; they reflect an overlapping mix of legitimate system administration tools, commercial post-exploitation frameworks, commodity crimeware, and bespoke state-sponsored malware families.
Abused Remote Monitoring and Management (RMM) Tooling
Adversaries are heavily favoring “Living off the Cloud” and “Living off Legitimate Software” techniques. Tactical RMM is the single largest C2 tooling class found across Middle Eastern networks, with 92 unique, verified C2 IP addresses.
- Operational Utility: Tactical RMM is a legitimate, open-source remote management tool designed for system administrators. By deploying Tactical RMM agents on victim endpoints, adversaries sidestep signature-based EDR detection: the agent is the same legitimate binary an MSP would install, so there is no malware signature to match, and detection has to come from context (who installed it, where it reports to) rather than from the file itself.
- Traffic Signature: Because the software functions identically to a standard enterprise management solution, its continuous outbound check-ins to Middle Eastern telecom IPs look like routine administrative activity. Adversaries use it to execute arbitrary shell commands, manage files, and maintain persistence across enterprise networks.
Traffic Distribution Systems (TDS)
Keitaro TDS emerged as a critical structural component across the infrastructure, accounting for 71 unique C2 IPs.
- Operational Utility: Keitaro is a commercial advertising tracker and traffic-distribution platform. Threat actors abuse it to build automated redirection (cloaking) chains that decide, per connection, who sees the real payload.
- Evasion Mechanics: When an endpoint connects to a Keitaro instance hosted on an STC or Türk Telekom IP, the TDS evaluates incoming metadata (IP source, User-Agent string, language settings). If the connection is identified as an automated security sandbox, antivirus crawler, or security researcher, Keitaro transparently redirects the connection to a benign, legitimate website. Conversely, if the criteria match a targeted victim profile, the connection is routed directly to the real malware delivery vector or phishing landing page.
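The cloaking decision above is what makes a TDS hard to analyze with a single request: the only reliable way to expose it is to fetch the same URL under several client profiles and compare where each one lands. The following is an added example, not code from the report or from Keitaro; the TDS logic is a constructed simulation of the metadata checks the text describes (datacenter IP ranges, scripted User-Agents, Accept-Language), the IP ranges are RFC 5737 documentation nets, and the decoy and payload URLs are placeholders. The probe function only needs a callable that returns a final redirect target, so the same differential check works against a live URL.

```python
"""Simulated TDS cloaking decision and a differential probe that detects it.
Added illustration; rules, IP ranges and URLs are constructed placeholders."""
import ipaddress
from dataclasses import dataclass

# Stand-ins for datacenter/sandbox ranges (RFC 5737 documentation prefix).
DATACENTER_NETS = [ipaddress.ip_network("198.51.100.0/24")]
# Constructed markers for scripted clients and crawlers.
ANALYSIS_UA_MARKERS = ("curl", "python-requests", "wget", "headlesschrome", "go-http-client")
BENIGN_DECOY = "https://example.org/"         # placeholder benign redirect target
PAYLOAD_URL = "https://landing.example/dl"    # placeholder payload landing page
TARGET_LANGS = ("ar", "tr")                   # constructed victim-language filter


@dataclass(frozen=True)
class ClientProfile:
    ip: str
    user_agent: str
    accept_language: str


def tds_decide(p: ClientProfile) -> str:
    """Constructed cloaking logic: send analysts to a decoy, matching victims to payload."""
    addr = ipaddress.ip_address(p.ip)
    if any(addr in net for net in DATACENTER_NETS):
        return BENIGN_DECOY                      # source looks like a sandbox/cloud host
    if any(m in p.user_agent.lower() for m in ANALYSIS_UA_MARKERS):
        return BENIGN_DECOY                      # scripted client, not a browser
    lang = p.accept_language.split(",")[0].split("-")[0].lower()
    if lang not in TARGET_LANGS:
        return BENIGN_DECOY                      # outside the campaign's target locale
    return PAYLOAD_URL


def probe_for_cloaking(fetch, profiles):
    """Fetch the same URL under each profile; divergent targets indicate cloaking.
    `fetch` maps a ClientProfile to the final redirect target (here the simulator;
    against a live site it would wrap an HTTP client that follows redirects)."""
    results = {p: fetch(p) for p in profiles}
    distinct = set(results.values())
    return {
        "cloaked": len(distinct) > 1,
        "targets": sorted(distinct),
        "served_payload_to": [p for p, t in results.items() if t == PAYLOAD_URL],
    }


# Constructed probe set: one sandbox-like client, one residential client with the
# wrong locale, one client matching the simulated victim profile.
PROBES = [
    ClientProfile("198.51.100.7", "python-requests/2.31", "en-US"),
    ClientProfile("203.0.113.40", "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0", "en-US"),
    ClientProfile("203.0.113.41", "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0", "ar-SA,ar;q=0.9"),
]

if __name__ == "__main__":
    print(probe_for_cloaking(tds_decide, PROBES))
```

The practical point is the third profile: a sandbox that always presents a datacenter egress IP and a default English locale will never see the payload, so detonation and URL-reputation services need residential egress and locale rotation before their verdict on a TDS-fronted URL means anything.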
Advanced Post-Exploitation Frameworks
Commercial penetration testing and adversary simulation tools, specifically Cobalt Strike (Beacon) and Sliver, were thoroughly mapped across the infrastructure. These frameworks are heavily utilized by both ransomware operators and state-linked cyber espionage groups. Adversaries customize the Malleable C2 profiles of these frameworks to blend into standard HTTP/S web traffic traversing regional telecommunications backbones.
Vulnerability Exploitation & Advanced Payload Delivery Case Studies
Case Study A: CVE-2025-11953 (Metro4Shell) on Mobily Infrastructure
Threat actors utilized the Saudi Mobily telecom network to exploit a critical remote code execution (RCE) vulnerability tracked as CVE-2025-11953 (Metro4Shell). This security flaw resides within the React Native Community CLI Metro development server, carrying a CVSS score of 9.8.
- Exploitation Mechanism: The vulnerability affects the @react-native-community/cli-server-api component. The Metro development server binds to external network interfaces by default. The attacker sends an unauthenticated HTTP POST request to the exposed /open-url endpoint containing shell metacharacters, triggering an OS command injection flaw (CWE-78).
- Payload Execution: The attack pattern observed on the Mobily network involved a multi-stage, Base64-encoded PowerShell script delivered via cmd.exe.
- Defensive Evasion: The initial PowerShell payload adds Microsoft Defender exclusion paths for the current working directory and the system’s temporary directory ($env:TEMP). This prevents Defender from scanning the files dropped into those locations in the following stages.
- Binary Deployment: The script opens a raw TCP socket to a C2 server and issues an HTTP GET request to download an obfuscated binary. The downloaded file is packed with UPX, which changes its file hash and hides its strings from static scanners. Once unpacked in memory, the payload acts as a specialized, Rust-based remote access agent equipped with runtime anti-analysis and anti-virtualization checks.
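The chain above leaves two telemetry artifacts that are cheap to hunt on: a development server process spawning a command shell, and a PowerShell command line whose -EncodedCommand payload adds Defender exclusions for $env:TEMP or the working directory. The following is an added example, not code from the report, that decodes the encoded command and applies both checks to constructed Sysmon-style process-creation events. It assumes the Metro server runs under node.exe (so node.exe is the parent to watch) and that the PowerShell text shown here is representative; the process IDs, paths and script text are constructed.

```python
"""Detection for dev-server-spawned shells and Defender exclusion tampering.
Added illustration over constructed process-creation events."""
import base64
import re
from typing import Optional

SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")
# PowerShell accepts -e, -ec, -enc and -EncodedCommand; the argument is base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
EXCLUSION = re.compile(r"Add-MpPreference\b.*?-ExclusionPath\s+([^\s;]+)", re.IGNORECASE)
# Exclusions for temp or the working directory are the tampering pattern from the case study.
SUSPICIOUS_PATHS = re.compile(r"\$env:temp|%temp%|\\temp\\|\$pwd|get-location|^\.$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if absent/undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events):
    """Return (pid, rule, detail) findings for each suspicious event."""
    findings = []
    for ev in events:
        pid, img, parent = ev["ProcessId"], basename(ev["Image"]), basename(ev["ParentImage"])
        cmd = ev["CommandLine"]
        # Assumption: Metro runs under node.exe; a dev server has no reason to spawn a shell.
        if parent == "node.exe" and img in SHELLS:
            findings.append((pid, "dev-server-spawned-shell", f"{parent} -> {img}"))
        # Check both the raw command line and the decoded script for exclusion tampering.
        for text in filter(None, (cmd, decode_encoded_command(cmd))):
            paths = [m.group(1) for m in EXCLUSION.finditer(text)]
            bad = [p for p in paths if SUSPICIOUS_PATHS.search(p)]
            if bad:
                findings.append((pid, "defender-exclusion-temp-or-cwd", ", ".join(bad)))
                break
    return findings


# Constructed sample script and encoded form, modelled on the chain in the text.
SCRIPT = "Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath (Get-Location).Path"
ENCODED = base64.b64encode(SCRIPT.encode("utf-16le")).decode()

EVENTS = [  # constructed Sysmon Event ID 1 style records
    {"ProcessId": 4410, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": f"cmd.exe /c powershell -nop -w hidden -enc {ENCODED}"},
    {"ProcessId": 4418, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"powershell -nop -w hidden -enc {ENCODED}"},
    # Benign admin exclusion for a backup folder: must not fire.
    {"ProcessId": 5120, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -Command Add-MpPreference -ExclusionPath 'C:\\Backups'"},
    {"ProcessId": 5130, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -Command Get-Date"},
]

if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

The exclusion rule deliberately keys on where the exclusion points rather than on Add-MpPreference itself, since administrators do add exclusions legitimately; excluding the temp directory or the current working directory is the part that has no routine justification.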
Case Study B: The “Eagle Werewolf” Cluster on Regxa Infrastructure
The highly resilient Iraqi provider Regxa Company was identified as the operational base for an espionage cluster designated as Eagle Werewolf.
- Malware Toolkit: The group utilizes a proprietary software suite consisting of C#, Go, and Rust droppers alongside a custom SSH tunneling utility named Go2Tunnel and their signature backend implant, AquilaRAT.
- Ingress Lures: The group constructs highly localized phishing lures themed around regional military and logistical issues, specifically distributing malicious installers disguised as “Starlink satellite registration portals” and “Unmanned Aerial Vehicle (UAV/Drone) operator training guides.”
- Execution Flow: The installers dropped the EchoGather RAT (a specialized C# payload). Upon execution, EchoGather derives a static cryptographic key from a SHA-256 checksum of a hardcoded string (OV3Rc0nF1DeNCEisAk1ll3r) to decode its core runtime configuration. It then establishes an encrypted HTTPS POST tunnel back to the Regxa infrastructure provider to exfiltrate system parameters, network interfaces, and running process IDs.
Case Study C: The Phorpiex (Twizt) Ransomware Pipeline on Syrian Telecom
Operating out of the 94.252.245[.]193 network node anchored within Syrian Telecom infrastructure, actors managed a high-volume automated distribution pipeline for the Phorpiex (Twizt) botnet.
- Payload Aggregation: This C2 node concurrently managed two distinct revenue-generation engines. First, it controlled wide-scale deployment of XMRig cryptominers, hijacking victim CPU resources to mine Monero cryptocurrency. Second, it acted as the secondary staging and decryption-key management hub for LockBit Black (LockBit 3.0) ransomware variants, targeting high-value enterprise structures across the Levant.
Case Study D: The RondoDox Botnet on Iranian Cloud Infrastructure
Utilizing the infrastructure of the Iranian cloud provider AbrArvan CDN, the RondoDox botnet conducted wide-scale internet scanning and exploit operations.
- Operational Scale: The infrastructure recorded up to 15,000 automated daily exploit attempts. The botnet systematically targets a library of 174 distinct vulnerabilities across internet-facing Internet of Things (IoT) devices, network-attached storage (NAS) units, and small office/home office (SOHO) routers. It incorporates modified architectural source code from the Mirai, Hajime, and Mozi botnet strains to rapidly construct large-scale proxy overlay networks.
Attribution Analysis & Threat Actors

Attribution of an infrastructure network encompassing over 1,350 C2 endpoints points to a multi-tenant environment utilized by a diverse collection of threat actors. Rather than a single entity owning the entire footprint, evidence indicates a layered threat landscape divided into three core user tiers.
Advanced Cybercriminal Syndicates (Estimated 55% Operational Control)
The widespread integration of Traffic Distribution Systems (Keitaro), automated IoT scanning botnets (RondoDox), and standard remote administrative tools (Tactical RMM) indicates heavily monetized cybercrime groups dominate the general infrastructure landscape. These syndicates utilize Middle Eastern hosting and telecoms due to lower operational costs, high network bandwidth, and the ability to easily purchase virtual servers using digital assets or compromised financial instruments without meeting strict Know-Your-Customer (KYC) compliance checks.
State-Sponsored Espionage Operations (Estimated 35% Operational Control)
The direct integration of specialized implants like AquilaRAT and EchoGather, combined with targeted exploits against developer platforms (Metro4Shell), establishes clear state-intelligence usage. Based on geographic focus, geopolitical context, and target profiles, the following intelligence services or aligned threat clusters are highly likely sourcing and maintaining these networks:
- Russian Federation (GRU / SVR Aligned Entities): Clusters such as the “Werewolf” ecosystem (Paper Werewolf, Versatile Werewolf, Eagle Werewolf) are assessed to have long-standing tactical ties to Russian state espionage interests. These entities consistently structure operations targeting law enforcement, defense networks, and critical energy sectors within the EU and neighboring sovereign states. The utilization of Iraqi (Regxa) and Turkish infrastructure gives these actors non-attributable intermediate proxy hops that hide the true location of the upstream command facilities, assessed to sit inside western Russian military networks.
- Islamic Republic of Iran (MOIS / IRGC Aligned APTs): Threat groups such as APT34 (OilRig), APT35 (Charming Kitten), and APT42 heavily utilize local and adjacent Middle Eastern telecommunications infrastructure. The presence of significant C2 nodes within AbrArvan CDN and networks neighboring Saudi Arabia aligns with Iranian state collection goals, which focus on monitoring domestic targets, regional geopolitical competitors, and western critical infrastructure.
- The People’s Republic of China (MSS Aligned Contractors): Advanced persistent threats originating from China frequently leverage regional telecommunications networks (specifically high-capacity lines within STC and Mobily) to set up Operational Relay Boxes (ORBs). By routing targeted enterprise espionage traffic through trusted regional telecom IPs, Chinese operators successfully mask their intrusions as standard regional corporate data flows.
Independent Ransomware Affiliates & Initial Access Brokers (Estimated 10% Operational Control)
Initial Access Brokers (IABs) use automated vulnerability scanning arrays across these networks to identify unpatched corporate networks globally. Once access is secured, it is brokered to ransomware affiliates (such as LockBit Black operators) who leverage the high-bandwidth Middle Eastern VPS nodes to rapidly exfiltrate corporate databases before launching destructive encryption cycles.
Global Tactical Correlates: Comparable Exploitation Networks

The exploitation of regional telecommunications carriers and localized hosting nodes observed in the Middle East matches similar operational blueprints discovered across other major continental hubs. Threat actors consistently reproduce this infrastructure model where large commercial networks intersect with variable regulatory oversight.
The Russian Federation Infrastructure Fabric
A parallel threat investigation covering the exact same operational timeframe mapped 1,250 active C2 servers distributed across 165 Russian infrastructure providers.
- Structural Similarities: Much like the Middle Eastern ecosystem, the Russian malicious footprint is highly concentrated among a tight cluster of large commercial providers: TimeWeb, WebHost1, REG.RU, VDSina, and PROSPERO OOO.
- Operational Deviance: While Middle Eastern infrastructure is almost exclusively dedicated to pure backend C2 routing (93% of all artifacts), Russian infrastructure exhibits a much higher rate of active reconnaissance and aggressive inbound operations. For example, REG.RU concurrently hosts mass automated port-scanning frameworks, active credential-harvesting phishing nodes, and multi-protocol C2 handlers within the same ASN blocks. This indicates Russian infrastructure functions as an offensive frontline launchpad, whereas Middle Eastern networks serve primarily as a strategic relay and aggregation layer.
Southeast Asian Telecommunications Co-optation (The ASEAN Hub)
In separate investigations tracking state-sponsored threats in the Asia-Pacific region, actors systematically compromised regional telecommunications networks in countries like Malaysia, Indonesia, and the Philippines.
- The Pivot Model: Similar to the abuse of Saudi Telecom Company (STC), adversaries leveraged the internal corporate networks of major Southeast Asian telecom providers to host C2 nodes targeting government ministries. By positioning C2 servers inside the internal IP space of a nation’s primary telecom provider, the adversary ensures that outbound communication from a compromised government endpoint never flags as suspicious, as it remains entirely within the host nation’s primary domestic networks.
African Corporate Core Network Abuse
Adversaries have executed similar wide-scale infrastructure acquisitions across major African telecommunications providers, specifically targeting carrier networks within South Africa, Nigeria, and Kenya. Threat actors take advantage of rapid digital infrastructure growth that outpaces the deployment of dedicated security engineering teams. This lets them secure long-term, undetected persistence within enterprise IP ranges, utilizing these clean carrier networks to target European and North American financial sectors.
Strategic Security & Threat Hunting Recommendations

The insights gained from this infrastructure assessment require a definitive shift away from traditional, reactive cyber defense operations.
Transition to Provider-Level and ASN-Level Behavioral Analytics
Chasing individual IP addresses or domains is an ineffective defensive strategy against infrastructure that rotates daily. Organizations must track behavioral telemetry at the Autonomous System Number (ASN) and hosting provider level. If a provider like Regxa Company in Iraq or SERVERS TECH FZCO in the UAE demonstrates a high concentration of C2 activity combined with an unresponsive abuse-handling posture, enterprise defense layers must apply higher risk scoring to all traffic to and from those specific ASNs, regardless of the individual IP’s current reputation. Scoring rather than blanket blocking matters for national carriers such as STC: the same ASN carries legitimate customer, partner, and mobile traffic, so the appropriate response there is elevated scrutiny of unexpected connections, not a wholesale block.
Strict Monitoring and Verification of Commercial RMM Tools
Given that Tactical RMM and similar administration utilities represent the leading C2 vector across compromised networks, enterprises must enforce strict application controls. Execution of remote management tools must be restricted via application allowlisting (e.g., AppLocker or Windows Defender Application Control) to the one RMM product the organization actually sanctions. Any outbound communication from an enterprise network to a foreign telecommunications provider (such as STC or Türk Telekom) using an RMM protocol or agent must be automatically blocked and flagged for immediate investigation, with the organization’s own RMM server explicitly allowlisted so the rule does not fire on sanctioned administration.
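Both recommendations above (ASN-level risk scoring and RMM-aware egress blocking) can be combined into one hunting pass over egress logs. The following is an added example, not code from the report: it maps destination IPs to ASNs with an embedded prefix table, adds a penalty for unsanctioned RMM traffic, and returns a block/monitor decision per connection. The ASN numbers and risk tiers follow the report’s appendix, but the prefixes are RFC 5737 documentation ranges standing in for real announcements (a production version would consult a BGP/ASN feed), the user-agent tokens and NATS port 4222 as RMM markers are assumptions, the allowlisted host is a placeholder, and the log lines are constructed.

```python
"""ASN-level egress scoring with RMM allowlisting, over constructed log lines.
Added illustration; prefixes, UA tokens, allowlist and logs are placeholders."""
import ipaddress
import re
from typing import Optional, Tuple

# (prefix, ASN, provider, base risk). ASNs/tiers from the appendix; prefixes are stand-ins.
ASN_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 39386, "Saudi Telecom Company", 40),
    (ipaddress.ip_network("198.51.100.0/24"), 61438, "Regxa Company", 90),
    (ipaddress.ip_network("192.0.2.0/24"), 64496, "ExampleCloud (low risk)", 10),
]
RMM_MARKERS = ("tacticalrmm", "meshagent", "anydesk", "screenconnect")  # assumed UA tokens
RMM_PORTS = {4222}                                 # NATS, assumed Tactical RMM agent transport
SANCTIONED_RMM_HOSTS = {"rmm.corp.example"}        # constructed allowlist of the org's own RMM
BLOCK_THRESHOLD = 70

LINE_RE = re.compile(r'dst=(?P<dst>\S+) dport=(?P<dport>\d+) host="(?P<host>[^"]*)" ua="(?P<ua>[^"]*)"')


def lookup_asn(ip: str) -> Optional[Tuple[int, str, int]]:
    """Longest-prefix lookup would be needed with real tables; the stand-ins do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, asn, name, risk in ASN_TABLE:
        if addr in net:
            return asn, name, risk
    return None


def score_connection(dst: str, dport: str, host: str, ua: str):
    """Return (score, reasons) for one outbound connection."""
    looks_rmm = int(dport) in RMM_PORTS or any(m in ua.lower() for m in RMM_MARKERS)
    if looks_rmm and host in SANCTIONED_RMM_HOSTS:
        return 0, ["sanctioned RMM server"]        # expected administration, no alert
    score, reasons = 0, []
    hit = lookup_asn(dst)
    if hit:
        asn, name, risk = hit
        score += risk
        reasons.append(f"AS{asn} {name} (base risk {risk})")
    if looks_rmm:
        score += 50                                # RMM to anything unsanctioned is never routine
        reasons.append("unsanctioned RMM agent traffic")
    return score, reasons


def hunt(log_lines):
    """Classify each parseable line as block / monitor; silently skip zero-score lines."""
    findings = []
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        score, reasons = score_connection(**m.groupdict())
        if score >= BLOCK_THRESHOLD:
            findings.append({"dst": m["dst"], "score": score, "action": "block", "reasons": reasons})
        elif score > 0:
            findings.append({"dst": m["dst"], "score": score, "action": "monitor", "reasons": reasons})
    return findings


LOGS = [  # constructed egress firewall/proxy records
    '2026-03-02T10:15:04Z src=10.20.1.55 dst=203.0.113.17 dport=4222 host="api.example.net" ua="tacticalrmm-agent/2.8"',
    '2026-03-02T10:15:09Z src=10.20.1.56 dst=198.51.100.9 dport=443 host="cdn.example.net" ua="Mozilla/5.0"',
    '2026-03-02T10:16:00Z src=10.20.1.57 dst=203.0.113.80 dport=443 host="www.example.com.sa" ua="Mozilla/5.0"',
    '2026-03-02T10:16:30Z src=10.20.1.58 dst=192.0.2.10 dport=4222 host="rmm.corp.example" ua="tacticalrmm-agent/2.8"',
    '2026-03-02T10:17:00Z src=10.20.1.59 dst=100.64.0.23 dport=4222 host="relay.example" ua="tacticalrmm-agent/2.8"',
    '2026-03-02T10:17:30Z src=10.20.1.60 dst=8.8.8.8 dport=53 host="" ua=""',
]

if __name__ == "__main__":
    for f in hunt(LOGS):
        print(f)
```

The STC connection that is only a web request lands in the monitor tier, while the same ASN with an RMM agent on the wire crosses the block threshold; that split is what distinguishes provider-level scoring from a crude geo-block.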
Mandatory Hardening of Developer and Build Infrastructure
The active exploitation of CVE-2025-11953 (Metro4Shell) underscores that threat actors view developer workstations and Continuous Integration/Continuous Deployment (CI/CD) runners as prime entry points into target environments.
- Remediation: Organizations must audit every React Native project and CI image and upgrade @react-native-community/cli-server-api to 20.0.0 or later. Check the resolved version in the lockfile rather than only the direct dependency list, since the package is normally pulled in transitively through the React Native CLI.
- Network Segmentation: Metro servers must be explicitly forced to bind only to the local loopback interface (--host 127.0.0.1). Host-based firewall configurations must be deployed to block all external network access to Metro’s default port (8081) from outside the local machine.
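Both controls above are verifiable from the developer host without touching Metro itself. The following is an added example, not code from the report, that audits an npm lockfile for a vulnerable resolved version of @react-native-community/cli-server-api (treating anything below 20.0.0 as affected, as the text states, including 20.0.0 pre-releases) and parses `ss -ltnp` output to find a node process listening on port 8081 on a non-loopback address. The lockfile fragment and socket listing are constructed samples, and the version numbers in them are illustrative.

```python
"""Audit Metro4Shell controls: lockfile version check and Metro bind-address check.
Added illustration; lockfile and `ss` output are constructed samples."""
import json
import re
from typing import Tuple

FIXED_VERSION = "20.0.0"
PACKAGE = "@react-native-community/cli-server-api"
METRO_PORT = 8081
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def parse_semver(v: str) -> Tuple[Tuple[int, ...], tuple]:
    """'20.0.0-alpha.2' -> ((20,0,0), (0, ids)); '20.0.0' -> ((20,0,0), (1,)).
    SemVer: a pre-release sorts below the plain release, numeric ids below alphanumeric."""
    core, _, pre = v.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    if not pre:
        return nums, (1,)
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return nums, (0, ids)


def is_vulnerable(version: str) -> bool:
    return parse_semver(version) < parse_semver(FIXED_VERSION)


def audit_lockfile(lock_text: str):
    """npm lockfile v2/v3: every installed copy is keyed by a node_modules/<name> path,
    so nested (transitive) copies are checked too, not just the top-level one."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path.endswith("node_modules/" + PACKAGE):
            ver = meta.get("version", "")
            if is_vulnerable(ver):
                findings.append(f"{path}@{ver} < {FIXED_VERSION}")
    return findings


# Matches `ss -ltnp` rows: LISTEN recv send local:port peer:port users:(("proc",pid=...))
SS_RE = re.compile(r'LISTEN\s+\S+\s+\S+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"')


def audit_listeners(ss_output: str):
    """Flag anything on Metro's port that is not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        m = SS_RE.search(line)
        if not m or int(m["port"]) != METRO_PORT:
            continue
        if m["addr"] not in LOOPBACK:
            findings.append(f"{m['proc']} listening on {m['addr']}:{m['port']} (not loopback)")
    return findings


# Constructed lockfile: a top-level copy and a nested transitive copy, both below 20.0.0.
LOCKFILE = json.dumps({
    "name": "mobile-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "mobile-app"},
        "node_modules/@react-native-community/cli-server-api": {"version": "19.1.1"},
        "node_modules/some-tool/node_modules/@react-native-community/cli-server-api": {"version": "20.0.0-alpha.2"},
    },
})

# Constructed `ss -ltnp` output: one Metro bound to all interfaces, one correctly on loopback.
SS_SAMPLE = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    *:8081              *:*               users:(("node",pid=4242,fd=21))
LISTEN 0      511    127.0.0.1:8081      0.0.0.0:*         users:(("node",pid=4243,fd=21))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=900,fd=3))
"""

if __name__ == "__main__":
    print(audit_lockfile(LOCKFILE))
    print(audit_listeners(SS_SAMPLE))
```

On macOS the equivalent listing comes from `lsof -iTCP:8081 -sTCP:LISTEN`, and on Windows from `netstat -ano`; the bind-address rule is the same, only the parser changes.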
Technical Appendix: High-Value Infrastructure Indicators
The following high-value infrastructure coordinates are extracted from current telemetry and should be integrated into threat hunting systems for log correlation and outbound traffic evaluation:
| Indicator Vector | Core Technical Context / Associated Threat Profile | Operational Impact Rating |
|---|---|---|
| 94.252.245[.]193 | Syrian Telecom infrastructure; hosts Phorpiex (Twizt) C2 network routing LockBit Black payloads and XMRig configurations. | CRITICAL |
| syncheaven[.]online | Active C2 domain mapped to Regxa Company infrastructure; utilized by Eagle Werewolf cluster for EchoGather RAT data exfiltration. | HIGH |
| battleflight[.]org | Ingress distribution domain used by espionage actors to host backdoored drone training software installers. | HIGH |
| ASN 39386 | Saudi Telecom Company (STC) – Context: Monitor for unexpected outbound corporate connections initiating administrative or unverified proxy protocols. | MODERATE / MONITOR |
| ASN 61438 | Regxa Company for Information Technology Ltd – Context: High-risk bulletproof profile; recommend strict ingress/egress filtering across all assigned subnets. | HIGH |
| Tactical RMM User-Agent | Static or dynamic network headers matching legitimate open-source RMM beacons routing to Middle Eastern telecom boundaries. | CRITICAL |
| AbrArvan CDN (Iran) | Content Delivery Network endpoints hosting RondoDox automated vulnerability scanning arrays and Mirai-derived IoT exploitation bots. | HIGH |