Infy Hackers Restart Operations Using New C2 Servers After Iran’s Internet Blackout Ends

The Iranian state-linked threat group known as Infy, also tracked as Prince of Persia, has resumed cyber operations after a temporary pause that coincided with Iran’s nationwide internet shutdown in early January 2026. Researchers say the group reappeared with new command-and-control (C2) servers, reinforcing assessments that Infy operates with state backing.

According to a report released by SafeBreach, the threat actor stopped maintaining its C2 infrastructure on January 8, 2026, marking the first operational halt observed since the company began tracking the group.

“This pause aligned exactly with the country-wide internet blackout imposed by Iranian authorities in response to protests,” said Tomer Bar, Vice President of Security Research at SafeBreach. “It strongly suggests that even government-affiliated cyber units were impacted by the disruption.”

Activity Resumes as Internet Restrictions Ease

SafeBreach observed renewed Infy activity on January 26, 2026, just one day before the Iranian government relaxed internet restrictions. At that time, the group began deploying new C2 servers, replacing infrastructure used by earlier malware variants.

The timing is notable because it provides rare operational evidence linking the group’s activity directly to Iran’s domestic connectivity conditions, further strengthening attribution to Iranian state interests.

A Quiet but Persistent Espionage Actor

Infy is considered one of Iran’s oldest cyber espionage groups, active since at least 2004. Unlike more visible Iranian APTs, Infy has historically avoided attention by conducting highly targeted, low-volume attacks, often focused on individual victims rather than mass campaigns.

The group is believed to support intelligence collection, surveillance, and long-term access operations aligned with Tehran’s strategic objectives.

Updated Malware and New C2 Techniques

In December 2025, SafeBreach documented updated versions of Infy’s malware families Foudre and Tonnerre. Tonnerre version 50, later renamed Tornado, introduced Telegram-based command execution and data exfiltration.

Ongoing monitoring between December 19, 2025, and February 3, 2026, revealed that Infy has now:

  • Replaced all C2 infrastructure for Foudre and Tonnerre
  • Introduced Tornado version 51, which supports both HTTP-based C2 and Telegram-based control

Bar noted that Tornado v51 uses two distinct methods to generate C2 domains:

  1. A newly observed domain generation algorithm (DGA)
  2. Fixed domain names derived using blockchain data de-obfuscation

This dual approach allows attackers to rotate infrastructure without updating the malware itself, increasing resilience and flexibility.

Exploitation of a WinRAR One-Day Flaw

Researchers also found evidence that Infy weaponized a recently disclosed WinRAR one-day vulnerability, likely CVE-2025-8088 or CVE-2025-6218, to deliver Tornado payloads.

Specially crafted RAR archives uploaded to VirusTotal in mid-December 2025 originated from Germany and India, suggesting possible targeting of those regions.

Each archive contains a self-extracting executable with two files:

  • AuthFWSnapin.dll, the main Tornado v51 payload
  • reg7989.dll, an installer that checks for Avast antivirus, creates a scheduled task for persistence, and launches the Tornado DLL

Once executed, Tornado communicates with its C2 server over HTTP to download additional payloads and collect system information. When Telegram is used, the malware relies on the Telegram Bot API to exfiltrate data and receive commands.
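As an added illustration of the defender's view of the chain just described (written here, not code from the article or from SafeBreach's research), this Python snippet scans constructed endpoint and proxy log lines for the two observable traits: a scheduled task that launches a DLL from a user-writable path, and Telegram Bot API traffic from a process that is not an expected messaging client. The log format, field names and process allowlist are assumptions; the file names echo the article's description.

```python
import re

# Constructed sample telemetry (not from the SafeBreach report): key=value lines
# mixing a scheduled-task creation event and HTTP proxy records. The DLL name
# matches the article's description of the Tornado v51 payload.
SAMPLE_EVENTS = [
    '2026-01-26T10:02:11Z host=WS01 type=task_create user=alice task=Updater '
    'cmd="rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\AuthFWSnapin.dll,Start"',
    '2026-01-26T10:02:13Z host=WS01 type=http proc=rundll32.exe '
    'url=https://api.telegram.org/bot123456:ABCDEF/getUpdates',
    '2026-01-26T10:05:40Z host=WS01 type=http proc=firefox.exe url=https://example.org/',
    '2026-01-26T10:06:02Z host=WS02 type=task_create user=SYSTEM task=Backup '
    'cmd="C:\\Program Files\\Backup\\backup.exe --full"',
    '2026-01-26T10:07:00Z host=WS01 type=http proc=rundll32.exe '
    'url=https://api.telegram.org/bot123456:ABCDEF/sendDocument',
]

# Telegram Bot API calls always carry the bot token in the path; capture the method.
TELEGRAM_BOT_API = re.compile(r"https://api\.telegram\.org/bot[^/\s]+/(\w+)")
# Directories an unprivileged user can write to (assumed list, extend as needed).
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
# key=value pairs; quoted values may contain spaces and backslashes.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Processes for which Telegram API traffic is expected (assumed allowlist).
ALLOWED_TELEGRAM_CLIENTS = {"telegram.exe"}


def parse(line):
    """Turn one log line into a dict, stripping the quotes around quoted values."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def classify(event):
    """Return a finding label for a suspicious event, or None if it looks benign."""
    if event.get("type") == "task_create":
        cmd = event.get("cmd", "")
        if "rundll32" in cmd.lower() and USER_WRITABLE.search(cmd):
            return "persistence: scheduled task loads DLL from user-writable path"
    if event.get("type") == "http":
        m = TELEGRAM_BOT_API.search(event.get("url", ""))
        if m and event.get("proc", "").lower() not in ALLOWED_TELEGRAM_CLIENTS:
            return f"c2: Telegram Bot API method {m.group(1)} from {event['proc']}"
    return None


def scan(lines):
    """Return (host, label) pairs for every line that triggers a finding."""
    findings = []
    for line in lines:
        event = parse(line)
        label = classify(event)
        if label:
            findings.append((event.get("host"), label))
    return findings
```

Running `scan(SAMPLE_EVENTS)` yields three findings on WS01 and nothing for the legitimate backup task on WS02.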

Telegram Infrastructure and Operator Changes

Earlier Tornado versions used a Telegram group named Sarafraz (meaning "proudly"), which included the bot @ttestro1bot and a user account @ehsan8999100.

In the latest iteration, researchers observed:

  • Replacement of the original user with @Ehsan66442
  • Continued restriction preventing the bot from reading group chat messages

Additionally, SafeBreach identified a new Telegram channel named “Test”, created on December 21, 2025, with three subscribers. The channel’s role remains unclear, but researchers suspect it is used for C2 coordination.

Discovery of ZZ Stealer and Supply Chain Links

By extracting messages from Infy’s private Telegram groups, SafeBreach accessed 118 exfiltrated files and 14 encoded command links dating back to February 2025. Analysis revealed two key findings:

  • A malicious ZIP archive delivering ZZ Stealer, which loads a customized variant of the StormKitty infostealer
  • A strong link between ZZ Stealer and a PyPI supply-chain attack involving a malicious package named testfiwldsd21233s, designed to drop an earlier ZZ Stealer variant and exfiltrate data via Telegram

Researchers also noted a weaker potential connection to Charming Kitten (Educated Manticore), based on overlapping use of ZIP and LNK files and PowerShell loaders.

“ZZ Stealer functions as a first-stage malware similar to Foudre,” SafeBreach explained. “It collects environmental data, screenshots, and desktop files. When it receives the command ‘8==3’, it downloads and executes a second-stage payload using the same identifier.”
