-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Dear team,
Typically botnets have victims in many countries, though, right? How did they manage to contain their bots to just UAE hosts?
Back in 2008, a variant of the Conficker worm wouldn't infect Ukrainian hosts. It used to look at the victim's IP address and keyboard layout to figure out where you are from. I suppose you can do the reverse to target only UAE users, despite some false positives and negatives.
Such behavior is not uncommon. The botherders will look for user agent strings, language packs, IP-to-CC (country code) mappings, and the like. Some of their customers are discriminating, e.g. "I only want bots in South Korea." The reasons range from spam sourcing to DDoS to gaming mayhem.
There are multiple bots that report their CC as part of their nickname.
Be well, Rabbi Rob. - -- Rabbi Rob Thomas Team Cymru "It is easy to believe in freedom of speech for those with whom we agree." - Leo McKern