A recent report by Hunt.io reveals that the Saudi Telecom Company (STC) hosts the majority of command-and-control (C2) servers in the Middle East, accounting for over 72% of the regional activity. The study identified more than 1,350 C2 servers across 98 providers in 14 countries.
The report emphasizes the importance of focusing on hosting infrastructure over traditional indicators such as malware families, noting that compromised customer systems, rather than intentionally malicious hosting, contribute significantly to the C2 activity. Key findings include the diversity of malware hosted by different providers, such as Türk Telekom and the Iraqi provider Regxa, the latter linked to espionage operations.
The concentration of malicious infrastructure makes it challenging for defenders to block attacks effectively, as the hosting environments are often legitimate commercial networks. Overall, the infrastructure patterns indicate longer-lasting threats, enabling attackers to reuse providers and operational habits even as malware changes.