Middle East Malicious Infrastructure Report: 1,350+ C2 Servers Mapped Across 98 Providers
May 22, 2026, 7:13 a.m.
Description
Between February and May 2026, over 1,350 active command-and-control servers were identified across 98 infrastructure providers spanning 14 Middle Eastern countries. Saudi Arabia's STC hosted 981 C2 servers, representing 72.4% of all regional malicious infrastructure, the largest concentration globally. C2 infrastructure dominated at 96.8% of detected activity, with IoT-focused botnets like Hajime, Mozi, and Mirai, alongside offensive frameworks including Tactical RMM, Cobalt Strike, and Sliver representing the primary malware families. The infrastructure supported diverse operations from state-sponsored espionage campaigns like Eagle Werewolf targeting state entities, to Malware-as-a-Service platforms, cryptomining operations, and destructive attacks such as DYNOWIPER. Key providers included SERVERS TECH FZCO in UAE, OMC in Israel, Türk Telekom, and Regxa in Iraq, demonstrating how telecommunications giants and specialized hosting services enable both commodity cybercrime and advanced persistent threat op...
Tags
Date
- Created: May 21, 2026, 11:03 p.m.
- Published: May 21, 2026, 11:03 p.m.
- Modified: May 22, 2026, 7:13 a.m.
Indicators
- 197.51.170.131
- 5.109.182.231
- 94.252.245.193
- 37.32.15.8
- 93.113.62.247
Attack Patterns
- Phorpiex
- EchoGather
- Mirai
- Hajime
- Tactical RMM
- Keitaro
- DynoWiper
- RondoDox
- AquilaRAT
- HellsUchecker
- Phexia
- Sliver
- Acunetix
- NetSupport RAT
- Gophish
- Cobalt Strike - S0154
- AsyncRAT
- Mozi
- Prism X
- Twizt
- SoullessRAT
- LockBit Black
- Termite
- XMRig
- Eagle Werewolf, ENERGETIC BEAR, Velvet Tempest, APT28, GrayCharlie
Additional Informations
- Energy
- Government