HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

One Telecom Provider (STC) Hosts Over 70% of Middle‑East Malware C2 Infrastructure

Hunt.io mapped more than 1,350 active C2 servers across the Middle East and found Saudi Telecom Company (STC) responsible for over 72 % of the traffic. The concentration of malicious infrastructure on a single carrier creates a significant supply‑chain risk for organizations that rely on its network services.

LiveThreat™ Intelligence · 📅 May 22, 2026· 📰 securityaffairs.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
3 recommended
📰
Source
securityaffairs.com

One Telecom Provider (STC) Hosts Over 70% of Middle‑East Malware C2 Infrastructure

What Happened – Hunt.io identified 1,350+ active command‑and‑control (C2) servers across the Middle East. A single telecom carrier, Saudi Telecom Company (STC), was responsible for more than 72 % of that traffic, most of it residing on compromised customer systems.

Why It Matters for TPRM

  • Concentrated malicious C2 traffic on a single provider amplifies third‑party risk for any organization that relies on that carrier for connectivity or hosting.
  • Attackers exploit the provider’s infrastructure to hide payload delivery, making detection harder for downstream customers.
  • Provider‑level patterns evolve slower than domain/IP indicators, offering a strategic “early‑warning” surface for risk teams.

Who Is Affected – Telecommunications, cloud‑hosting, SaaS, and any enterprise that routes traffic through STC or the other 97 identified providers in the region.

Recommended Actions

  • Review contracts and service‑level agreements with STC and any regional telecom partners for security clauses and breach‑notification obligations.
  • Validate that traffic filtering, DNS‑sinkholing, and outbound C2 detection controls are in place for connections traversing these networks.
  • Incorporate provider‑level threat‑intel feeds into your TPRM monitoring platform to flag anomalous C2 activity.

Technical Notes – The C2 ecosystem spans commodity tools (Cobalt Strike, Mirai, Sliver), RATs (AsyncRAT, EchoGather, SoullessRAT, AquilaRAT), and “bullet‑proof” hosting services (Regxa). Attackers leverage compromised customer devices, rotating domains, and Telegram/phishing lures to maintain persistence. Source: SecurityAffairs – One Telecom Provider Hosted Most of the Middle East’s Active C2 Infrastructure

📰 Original Source
https://securityaffairs.com/192518/hacking/one-telecom-provider-hosted-most-of-the-middle-east-s-active-c2-infrastructure.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

This is the scenario continuous vendor monitoring is built to catch.

When a vendor is compromised, your SOC 2 vendor-management controls are what produce the audit trail showing you knew, assessed, and acted. The Verisq AI Trust Operations platform tracks that continuously.

Explore the Verisq AI Trust Operations platform →