One Telecom Provider (STC) Hosts Over 70% of Middle‑East Malware C2 Infrastructure
What Happened – Hunt.io identified 1,350+ active command‑and‑control (C2) servers across the Middle East. A single telecom carrier, Saudi Telecom Company (STC), was responsible for more than 72 % of that traffic, most of it residing on compromised customer systems.
Why It Matters for TPRM –
- Concentrated malicious C2 traffic on a single provider amplifies third‑party risk for any organization that relies on that carrier for connectivity or hosting.
- Attackers exploit the provider’s infrastructure to hide payload delivery, making detection harder for downstream customers.
- Provider‑level patterns evolve slower than domain/IP indicators, offering a strategic “early‑warning” surface for risk teams.
Who Is Affected – Telecommunications, cloud‑hosting, SaaS, and any enterprise that routes traffic through STC or the other 97 identified providers in the region.
Recommended Actions –
- Review contracts and service‑level agreements with STC and any regional telecom partners for security clauses and breach‑notification obligations.
- Validate that traffic filtering, DNS‑sinkholing, and outbound C2 detection controls are in place for connections traversing these networks.
- Incorporate provider‑level threat‑intel feeds into your TPRM monitoring platform to flag anomalous C2 activity.
Technical Notes – The C2 ecosystem spans commodity tools (Cobalt Strike, Mirai, Sliver), RATs (AsyncRAT, EchoGather, SoullessRAT, AquilaRAT), and “bullet‑proof” hosting services (Regxa). Attackers leverage compromised customer devices, rotating domains, and Telegram/phishing lures to maintain persistence. Source: SecurityAffairs – One Telecom Provider Hosted Most of the Middle East’s Active C2 Infrastructure