Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence

Threat intelligence researchers have identified renewed cyber activity linked to an Iranian advanced persistent threat group known as Infy, also referred to as Prince of Persia, nearly five years after the group was last observed conducting attacks in Sweden, the Netherlands, and Turkey.

Security experts now believe the scope and persistence of Infy’s operations were previously underestimated. According to Tomer Bar, Vice President of Security Research at SafeBreach, the group remains active, operationally capable, and dangerous, contradicting assumptions that it had gone inactive.

Infy is considered one of the oldest known APT groups, with operational evidence dating back to December 2004. A 2016 report by Palo Alto Networks Unit 42, authored by Bar and researcher Simon Conant, first documented the group’s long-running espionage campaigns.

Unlike more publicly visible Iranian threat actors such as Charming Kitten, MuddyWater, and OilRig, Infy has largely avoided sustained scrutiny. Its operations have historically relied on two core malware families, Foudre and Tonnerre, primarily delivered through phishing emails. Foudre acts as a downloader and victim profiling tool, while Tonnerre functions as a second stage implant used for data exfiltration from high value systems.

Expanded Campaign and Updated Malware Tooling

Recent findings from SafeBreach reveal a covert campaign affecting victims across Iran, Iraq, Turkey, India, Canada, and multiple European countries. The operation leverages an updated variant of Foudre, version 34, alongside several versions of Tonnerre: versions 12 through 18 as well as version 50. The latest Tonnerre sample was identified in September 2025.

Researchers observed a change in the infection chain, shifting away from macro enabled Microsoft Excel documents to Excel files that embed executables directly to deploy Foudre. A defining feature of Infy’s tradecraft is the use of a domain generation algorithm, which strengthens the resilience of its command and control infrastructure.

Both Foudre and Tonnerre perform strict validation of their command servers by downloading RSA signature files. These signatures are decrypted using an embedded public key and compared against locally stored validation data to ensure the domain is legitimate.

SafeBreach’s analysis of the C2 infrastructure identified a directory named “key,” used for domain validation, alongside other directories responsible for logging communications and storing exfiltrated data. Each day, Foudre retrieves a unique RSA signed file following a specific URL pattern to verify the authenticity of the server.
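The two paragraphs above describe a server-authentication step rather than client authentication: the implant ships with a public key and will only talk to a domain that can serve a freshly signed file for the current day. The consequence for defenders is that registering or sinkholing a DGA domain does not let you impersonate the C2, because producing an acceptable file requires the operator's private key. The Go program below is an added illustration of that check in generic form and is not code from the report or from the malware; the signed-message layout ("c2-validation:" plus a day string), the PKCS#1 v1.5 padding, the SHA-256 digest and the sample day strings are all constructed assumptions chosen to make the mechanism runnable, not details recovered from Foudre or Tonnerre.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// ValidationResult is what the implant-side check reports for one candidate server.
type ValidationResult struct {
	Accepted bool
	Reason   string
}

// expectedMessage models the "locally stored validation data": the client already
// knows what the day's signed file must verify against. The layout is a constructed
// assumption for this example, not the real format used by the malware.
func expectedMessage(day string) []byte {
	return []byte("c2-validation:" + day)
}

// VerifyServerFile is the client-side check: the RSA signature file fetched from a
// candidate domain is verified with the embedded public key against the expected
// data for the requested day. Only a holder of the matching private key can pass it.
func VerifyServerFile(pub *rsa.PublicKey, day string, sigFile []byte) ValidationResult {
	digest := sha256.Sum256(expectedMessage(day))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sigFile); err != nil {
		return ValidationResult{Accepted: false, Reason: "signature does not verify: " + err.Error()}
	}
	return ValidationResult{Accepted: true, Reason: "signature verifies for " + day}
}

// SignServerFile is the server-side half: the operator's real infrastructure signs
// the day's expected data with the private key that matches the embedded public key.
func SignServerFile(priv *rsa.PrivateKey, day string) ([]byte, error) {
	digest := sha256.Sum256(expectedMessage(day))
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Scenario exercises three cases a defender cares about:
//   - genuine: the real operator signs today's file, so the client accepts it;
//   - sinkhole: a takeover domain signs with its own key, so the client rejects it;
//   - replay:   a previously captured file for another day is served, so it is rejected.
// Day strings are constructed sample values.
func Scenario() (genuine, sinkhole, replay ValidationResult) {
	operatorKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	sinkholeKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	embeddedPub := &operatorKey.PublicKey // what the implant carries

	today, otherDay := "day-042", "day-041"

	goodFile, _ := SignServerFile(operatorKey, today)
	genuine = VerifyServerFile(embeddedPub, today, goodFile)

	forged, _ := SignServerFile(sinkholeKey, today) // sinkhole has no operator key
	sinkhole = VerifyServerFile(embeddedPub, today, forged)

	oldFile, _ := SignServerFile(operatorKey, otherDay) // captured earlier, replayed
	replay = VerifyServerFile(embeddedPub, today, oldFile)
	return genuine, sinkhole, replay
}

func main() {
	g, s, r := Scenario()
	fmt.Printf("genuine : accepted=%v (%s)\n", g.Accepted, g.Reason)
	fmt.Printf("sinkhole: accepted=%v (%s)\n", s.Accepted, s.Reason)
	fmt.Printf("replay  : accepted=%v (%s)\n", r.Accepted, r.Reason)
}
```

The practical takeaway is that containment for this kind of implant has to rely on blocking or monitoring the daily validation fetches (the per-day file request following the URL pattern the researchers observed) rather than on hijacking the domain, since a domain you control still fails the signature check.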

Investigators also identified a “download” directory on the C2 servers, suspected to be reserved for malware updates or version upgrades, although its exact purpose remains unclear.

Telegram Based C2 and Targeted Activation

The most recent version of Tonnerre includes functionality to interact with a Telegram group named “سرافراز,” meaning “proudly” in Persian. Communication is routed through the C2 server and involves a Telegram bot, @ttestro1bot, believed to issue commands and collect stolen data, as well as a user account identified as @ehsan8999100.

While the use of Telegram for command and control is not unusual among threat actors, SafeBreach highlighted that the configuration data for this channel is stored in a file named “tga.adr,” located within a “t” directory on the C2 server. Access to this file is restricted and can only be triggered for a predefined list of victim GUIDs, indicating selective targeting.

Legacy Malware Variants and Ongoing Research

SafeBreach also uncovered older malware variants used in Infy campaigns between 2017 and 2020. These include a version of Foudre disguised as an application called Amaq News Finder, a trojan named MaxPinner used to spy on Telegram activity, a malware strain known as Deep Freeze that mimics Amaq News Finder, and an unidentified malware referred to as Rugissement.

Despite appearing inactive since 2022, researchers concluded that Prince of Persia never ceased operations. Instead, the group continued refining its infrastructure, malware, and targeting strategies over the past three years.

Broader Iranian Cyber Operations Context

The disclosure coincides with further analysis by DomainTools into leaks associated with Charming Kitten. The research suggests that Iranian cyber operations function with the structure and discipline of a formal government department. DomainTools also attributed the Moses Staff persona to the same operational ecosystem.

According to the firm, APT 35 was responsible not only for long-running credential phishing campaigns but also for the logistics behind Moses Staff’s ransomware activities. The findings indicate shared tooling, targets, financial systems, and operational workflows between propaganda and espionage units operating under a unified internal framework.
