Threat hunters have identified renewed cyber activity linked to the Iranian advanced persistent threat group known as Infy, also referred to as Prince of Persia, marking its most significant resurgence in nearly five years. The findings were disclosed by SafeBreach, which reported that the group has been quietly operating despite limited public visibility since its last known campaigns targeting Sweden, the Netherlands, and Turkey. According to Tomer Bar, vice president of security research at SafeBreach, the scale and continuity of the group’s operations indicate that Infy remains active, capable, and operationally dangerous, contradicting earlier assumptions that the actor had faded from the threat landscape.
Infy is considered one of the longest-running APT groups, with activity tracing back to December 2004. Its early history was documented in a 2016 report by Palo Alto Networks Unit 42, co-authored by Bar, which outlined the group’s role in long-term espionage operations. Unlike more widely known Iranian cyber groups such as Charming Kitten, MuddyWater, and OilRig, Infy has maintained a low profile while continuing to refine its tooling. Historically, the group relied on two primary malware components: a downloader and profiling tool called Foudre, and a second-stage implant known as Tonnerre, both typically delivered through phishing emails. These tools were designed to identify high-value systems and quietly extract sensitive data, allowing the actor to remain undetected for extended periods.
SafeBreach’s latest research uncovered a covert campaign spanning Iran, Iraq, Turkey, India, Canada, and multiple European countries, using updated versions of Foudre and Tonnerre. The newest Tonnerre variant was detected in September 2025, indicating ongoing development and testing. Researchers observed a notable evolution in the infection chain: the group has shifted away from macro-enabled Microsoft Excel files to embedding executable payloads directly within documents to deploy Foudre. A defining characteristic of Infy’s operations is its use of a domain generation algorithm (DGA), which makes its command-and-control (C2) infrastructure more resilient by frequently rotating domains. Both Foudre and Tonnerre further validate their C2 servers by downloading RSA-encrypted signature files, decrypting them with an embedded public key, and comparing the results against local validation data, so that communication is only established with infrastructure the operators control.
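The DGA behaviour described above is what a defender sees first on the DNS side: a host cycling through many never-registered, random-looking names before one resolves. As an added example (not SafeBreach's tooling and not anything from the report), the Python below scores clients in a constructed resolver log by the number of distinct registrable domains that returned NXDOMAIN and the mean Shannon entropy of their leftmost label. The log format, thresholds and every domain name are assumptions made for this example; Infy's actual DGA output is not on the page and is not reproduced.

```python
import math
from collections import defaultdict
from dataclasses import dataclass

# Constructed DNS resolver log: timestamp, client IP, query name, type, rcode.
# The names are invented for this example and are not Infy indicators.
SAMPLE_DNS_LOG = """\
2025-09-14T10:00:01 10.0.0.7 www.example.com A NOERROR
2025-09-14T10:00:03 10.0.0.7 mail.example.org MX NOERROR
2025-09-14T10:00:05 10.0.0.7 wwww.example.com A NXDOMAIN
2025-09-14T10:00:06 10.0.0.5 cdn.example.net A NOERROR
2025-09-14T10:00:07 10.0.0.5 kq3x9vz2plm7.net A NXDOMAIN
2025-09-14T10:00:07 10.0.0.5 a8b2c9d4e1f6.com A NXDOMAIN
2025-09-14T10:00:08 10.0.0.5 zt5hw1ng8yr4.org A NXDOMAIN
2025-09-14T10:00:08 10.0.0.5 u7j3oq6bx2ks.info A NXDOMAIN
2025-09-14T10:00:09 10.0.0.5 mc4pv9ld1te8.net A NXDOMAIN
2025-09-14T10:00:09 10.0.0.5 gr2fn6ah5yw3.com A NXDOMAIN
2025-09-14T10:00:10 10.0.0.5 kq3x9vz2plm7.net A NXDOMAIN
"""


@dataclass
class ClientScore:
    nx_unique: int        # distinct registrable domains that returned NXDOMAIN
    mean_entropy: float   # mean Shannon entropy (bits/char) of their leftmost label
    flagged: bool


def parse_line(line):
    """Split one log line into (client, qname, rcode); None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _ts, client, qname, _qtype, rcode = parts
    return client, qname.rstrip(".").lower(), rcode.upper()


def registrable_domain(qname):
    """Naive 'last two labels' view, e.g. 'cdn.example.net' -> 'example.net'.
    A production detector would consult the public suffix list instead."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(text):
    """Bits of entropy per character; 0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_clients(log_text, min_nxdomains=5, min_entropy=3.0):
    """Return {client: ClientScore}. A client is flagged when it produced at
    least min_nxdomains distinct NXDOMAIN registrable domains whose leftmost
    labels have a mean entropy of at least min_entropy bits per character."""
    nx_domains = defaultdict(set)
    clients = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qname, rcode = parsed
        clients.add(client)
        if rcode == "NXDOMAIN":
            nx_domains[client].add(registrable_domain(qname))

    scores = {}
    for client in clients:
        domains = nx_domains.get(client, set())
        entropies = [shannon_entropy(d.split(".")[0]) for d in domains]
        mean_ent = sum(entropies) / len(entropies) if entropies else 0.0
        flagged = len(domains) >= min_nxdomains and mean_ent >= min_entropy
        scores[client] = ClientScore(len(domains), mean_ent, flagged)
    return scores


def flagged_clients(log_text, **thresholds):
    """Sorted list of client IPs that score_clients() flagged."""
    return sorted(c for c, s in score_clients(log_text, **thresholds).items() if s.flagged)


if __name__ == "__main__":
    for client, score in sorted(score_clients(SAMPLE_DNS_LOG).items()):
        print(client, score)
```

Run against the constructed log, `10.0.0.5` is flagged (six distinct NXDOMAIN domains, all with twelve-character labels of distinct symbols) while `10.0.0.7`, with a single typo lookup, is not. The thresholds are deliberately crude and should be tuned against a site's own NXDOMAIN baseline; the point of the example is that the signature check the article describes limits what a defender gains from registering or sinkholing predicted domains, which makes resolver-side telemetry like this the more dependable place to look.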
Analysis of the command-and-control servers revealed a structured environment containing directories used for validation, communication logs, and exfiltrated data. One directory, named key, is dedicated to verifying domain legitimacy through daily signature files that follow a predictable naming pattern based on date values. Another directory, labeled download, is believed to facilitate malware updates or version upgrades, although its exact function remains unclear. The most recent Tonnerre variant also introduced a mechanism to interact with a Telegram group via the C2 server. The group, named سرافراز, meaning proudly in Persian, contains a Telegram bot believed to handle commands and data collection, along with a single user account. Details of this Telegram-based control channel are stored in a file called tga.adr, which is selectively delivered only to specific victim identifiers, highlighting a highly controlled and targeted operational approach.
SafeBreach also identified several older malware variants associated with Infy campaigns conducted between 2017 and 2020. These include versions of Foudre disguised as Amaq News Finder, a trojan called MaxPinner used to spy on Telegram content, a Deep Freeze variant employed to install Foudre, and an unidentified malware strain named Rugissement. Researchers noted that despite appearing inactive around 2022, Infy has continued to refine its malware ecosystem and infrastructure with minimal exposure. The disclosure coincides with separate findings from DomainTools that further illustrate how Iranian cyber operations often function with structured workflows resembling formal government departments. Together, these insights reinforce assessments that Prince of Persia remains an active espionage actor with sustained investment in stealth, infrastructure resilience, and long-term intelligence collection.