Dec 21, 2025Ravie LakshmananMalware / Cyber Espionage
Risk hunters have discerned new exercise related to an Iranian risk actor often called Infy (aka Prince of Persia), almost 5 years after the hacking group was noticed focusing on victims in Sweden, the Netherlands, and Turkey.
“The size of Prince of Persia’s exercise is extra vital than we initially anticipated,” Tomer Bar, vice chairman of safety analysis at SafeBreach, mentioned in a technical breakdown shared with The Hacker Information. “This risk group remains to be energetic, related, and harmful.”
Infy is without doubt one of the oldest superior persistent risk (APT) actors in existence, with proof of early exercise relationship all the way in which again to December 2004, in accordance with a report launched by Palo Alto Networks Unit 42 in Might 2016 that was additionally authored by Bar, together with researcher Simon Conant.
The group has additionally managed to stay elusive, attracting little consideration, not like different Iranian teams resembling Charming Kitten, MuddyWater, and OilRig. Assaults mounted by the group have prominently leveraged two strains of malware: a downloader and sufferer profiler named Foudre that delivers a second-stage implant known as Tonnerre to extract information from high-value machines. It is assessed that Foudre is distributed through phishing emails.
The newest findings from SafeBreach have uncovered a covert marketing campaign that has focused victims throughout Iran, Iraq, Turkey, India, and Canada, in addition to Europe, utilizing up to date variations of Foudre (model 34) and Tonnerre (variations 12-18, 50). The newest model of Tonnerre was detected in September 2025.
The assault chains have additionally witnessed a shift from a macro-laced Microsoft Excel file to embedding an executable inside such paperwork to put in Foudre. Maybe essentially the most notable facet of the risk actor’s modus operandi is using a website technology algorithm (DGA) to make its command-and-control (C2) infrastructure extra resilient.
As well as, Foudre and Tonnerre artifacts are identified to validate if the C2 area is genuine by downloading an RSA signature file, which the malware then decrypts utilizing a public key and compares with a locally-stored validation file.
SafeBreach’s evaluation of the C2 infrastructure has additionally uncovered a listing named “key” that is used for C2 validation, together with different folders to retailer communication logs and the exfiltrated recordsdata.
“Day by day, Foudre downloads a devoted signature file encrypted with an RSA non-public key by the risk actor after which makes use of RSA verification with an embedded public key to confirm that this area is an authorised area,” Bar mentioned. “The request’s format is:
‘
Additionally current within the C2 server is a “obtain” listing whose present objective is unknown. It’s suspected that it is used to obtain and improve to a brand new model.
The newest model of Tonnerre, then again, features a mechanism to contact a Telegram group (named “سرافراز,” that means “proudly” in Persian) by means of the C2 server. The group has two members: a Telegram bot “@ttestro1bot” that is seemingly used to difficulty instructions and gather information, and a person with the deal with “@ehsan8999100.”
Whereas using the messaging app for C2 is just not unusual, what’s notable is that the details about the Telegram group is saved in a file named “tga.adr” inside a listing known as “t” within the C2 server. It is value noting that the obtain of the “tga.adr” file can solely be triggered for a selected record of sufferer GUIDs.
Additionally found by the cybersecurity firm are different older variants utilized in Foudre campaigns between 2017 and 2020 –
A model of Foudre camouflaged as Amaq Information Finder to obtain and execute the malware
A brand new model of a trojan known as MaxPinner that is downloaded by Foudre model 24 DLL to spy on Telegram content material
A variation of malware known as Deep Freeze, just like Amaq Information Finder, is used to contaminate victims with Foudre
An unknown malware known as Rugissement
“Regardless of the looks of getting gone darkish in 2022, Prince of Persia risk actors have accomplished fairly the alternative,” SafeBreach mentioned. “Our ongoing analysis marketing campaign into this prolific and elusive group has highlighted crucial particulars about their actions, C2 servers, and recognized malware variants within the final three years.”
The disclosure comes as DomainTools’ continued evaluation of Charming Kitten leaks has painted the image of a hacking group that capabilities extra like a authorities division, whereas working “espionage operations with clerical precision.” The risk actor has additionally been unmasked as behind the Moses Workers persona.
“APT 35, the identical administrative machine that runs Tehran’s long-term credential-phishing operations, additionally ran the logistics that powered Moses Workers’s ransomware theatre,” the corporate mentioned.
“The supposed hacktivists and the federal government cyber-unit share not solely tooling and targets but additionally the identical accounts-payable system. The propaganda arm and the espionage arm are two merchandise of a single workflow: completely different “initiatives” underneath the identical inside ticketing regime.”
