Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence

By Declan Murphy, UK Tech Insider, December 21, 2025, 5 Mins Read

Dec 21, 2025 | Ravie Lakshmanan | Malware / Cyber Espionage

Threat hunters have identified new activity associated with an Iranian threat actor known as Infy (aka Prince of Persia), nearly five years after the hacking group was observed targeting victims in Sweden, the Netherlands, and Turkey.

"The scale of Prince of Persia's activity is more significant than we initially expected," Tomer Bar, vice president of security research at SafeBreach, said in a technical breakdown shared with The Hacker News. "This threat group is still active, relevant, and dangerous."

Infy is one of the oldest advanced persistent threat (APT) actors in existence, with evidence of early activity dating all the way back to December 2004, according to a report released by Palo Alto Networks Unit 42 in May 2016 that was also authored by Bar, together with researcher Simon Conant.

The group has also managed to remain elusive, attracting little attention, unlike other Iranian groups such as Charming Kitten, MuddyWater, and OilRig. Attacks mounted by the group have prominently leveraged two strains of malware: a downloader and victim profiler named Foudre that delivers a second-stage implant called Tonnerre to extract data from high-value machines. Foudre is assessed to be distributed via phishing emails.

The latest findings from SafeBreach have uncovered a covert campaign that has targeted victims across Iran, Iraq, Turkey, India, and Canada, as well as Europe, using updated versions of Foudre (version 34) and Tonnerre (versions 12-18 and 50). The newest version of Tonnerre was detected in September 2025.

The attack chains have also shifted from a macro-laced Microsoft Excel file to embedding an executable inside such documents to install Foudre. Perhaps the most notable aspect of the threat actor's modus operandi is the use of a domain generation algorithm (DGA) to make its command-and-control (C2) infrastructure more resilient: the implant computes its candidate domains rather than carrying a fixed list, so blocking or seizing any one domain does not cut it off.

In addition, Foudre and Tonnerre artifacts are known to validate that a C2 domain is genuine before using it: the malware downloads an RSA signature file from the candidate domain, verifies it with an embedded public key, and compares the result with a locally stored validation file. Because only the operator holds the matching private key, a domain that a defender registers or sinkholes ahead of the malware cannot produce a signature that passes this check.

SafeBreach's analysis of the C2 infrastructure also uncovered a directory named "key" that is used for C2 validation, along with other folders that store communication logs and the exfiltrated files.

"Every day, Foudre downloads a dedicated signature file encrypted with an RSA private key by the threat actor and then uses RSA verification with an embedded public key to verify that this domain is an approved domain," Bar said. "The request's format is:

'https:///key/.sig.'"
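To make the mechanism concrete, here is an added simulation of a DGA paired with signed domain validation. It is illustration written for this page, not Foudre's code and not SafeBreach's analysis tooling. The candidate-domain derivation, the contents of the signed file, the path layout and the dates are assumptions; only the idea comes from the article: the implant walks generated domains and accepts the first one that serves a signature verifying under an embedded public key. Textbook RSA over a SHA-256 digest is used so the script runs on the standard library alone; a real implant would use a padded signature scheme, and production code should use a proper library.

```python
import hashlib
import random
from datetime import date

# --- Minimal RSA, for illustration only (use `cryptography` in real code) ---

def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512):
    """Return ((n, e), (n, d)). 512-bit primes keep the demo fast."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:        # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data: bytes) -> int:
    """Operator side: textbook RSA over the SHA-256 digest (no padding)."""
    n, d = priv
    return pow(_digest(data), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    """Implant side: recover the digest with the embedded public key."""
    n, e = pub
    return pow(sig, e, n) == _digest(data) % n


# --- Hypothetical DGA and validation file (layout assumed, not Foudre's) ---

def dga_candidates(day: date, count: int = 4) -> list:
    """Derive the day's candidate domains from the date. Real seed unknown."""
    seed = f"dga-seed-{day.isoformat()}".encode()
    return [hashlib.sha256(seed + bytes([i])).hexdigest()[:12] + ".com"
            for i in range(count)]


def validation_blob(domain: str, day: date) -> bytes:
    """What the operator signs. Binding domain and date means a captured .sig
    cannot be replayed on another day or re-hosted on a different candidate."""
    return f"{domain}|{day.isoformat()}".encode()


def choose_c2(pub, day: date, sig_store: dict):
    """Walk the candidates, fetch <domain>/key/<name>.sig (the dict stands in for
    the HTTPS GET) and keep the first domain whose signature verifies."""
    for domain in dga_candidates(day):
        sig = sig_store.get(domain)            # None: domain serves nothing
        if sig is not None and verify(pub, validation_blob(domain, day), sig):
            return domain
    return None


def demo(day: date = date(2025, 9, 1)) -> dict:
    pub, priv = generate_keypair()
    cands = dga_candidates(day)
    real_c2 = cands[2]                          # the one the operator registered
    published = {real_c2: sign(priv, validation_blob(real_c2, day))}
    # A defender sinkholes an earlier candidate and replays the operator's .sig;
    # without the private key that is the best they can do.
    published[cands[0]] = published[real_c2]
    chosen = choose_c2(pub, day, published)
    # Replaying the same .sig on every candidate of the next day fails too.
    next_day = date.fromordinal(day.toordinal() + 1)
    replayed = {d: published[real_c2] for d in dga_candidates(next_day)}
    stale = choose_c2(pub, next_day, replayed)
    return {"candidates": cands, "real_c2": real_c2, "chosen": chosen,
            "next_day": stale}


if __name__ == "__main__":
    print(demo())
```

The sinkholed candidate is skipped even though it sits earlier in the day's list, and the replayed signature is rejected the next day, which is the property that makes a signed DGA hard to hijack: a takedown needs the operator's private key or a way to change the public key embedded in the implant.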

Also present on the C2 server is a "download" directory whose current purpose is unknown. It is suspected to be used to download and upgrade to a new version.

The latest version of Tonnerre, on the other hand, includes a mechanism to contact a Telegram group (named "سرافراز," meaning "proudly" in Persian) through the C2 server. The group has two members: a Telegram bot "@ttestro1bot" that is likely used to issue commands and collect data, and a user with the handle "@ehsan8999100."

While the use of the messaging app for C2 is not uncommon, what is notable is that the information about the Telegram group is stored in a file named "tga.adr" inside a directory called "t" on the C2 server. It is worth noting that the download of the "tga.adr" file can only be triggered for a specific list of victim GUIDs, so a crawler or sandbox that does not present an allow-listed GUID will never receive it.
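As an added hunting example, written for this page rather than taken from SafeBreach, the two server-side artifacts the article names, a daily GET for a signature file under /key/ and a gated fetch of /t/tga.adr, are cheap to look for in web-proxy logs. Only the "/key/" directory and the ".sig" suffix are visible in the quoted request format, so the path patterns below match just those; the log format, the log lines and the two-day threshold are constructed assumptions. A client fetching /key/*.sig from the same host on several consecutive days is a hunting lead, not a verdict, since plenty of legitimate sites serve .sig files.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed proxy-log lines (not real traffic): "<date> <client> <method> <url>"
SAMPLE_LOG = """\
2025-09-01 10.0.0.12 GET https://a1b2c3d4e5f6.com/key/8f3a.sig
2025-09-01 10.0.0.12 GET https://cdn.example.net/static/app.js
2025-09-02 10.0.0.12 GET https://a1b2c3d4e5f6.com/key/0c77.sig
2025-09-02 10.0.0.40 GET https://downloads.example.org/key/pubkey.sig
2025-09-03 10.0.0.12 GET https://a1b2c3d4e5f6.com/key/b1e9.sig
2025-09-03 10.0.0.12 GET https://a1b2c3d4e5f6.com/t/tga.adr
2025-09-03 10.0.0.77 GET https://news.example.com/index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Signature file directly under /key/ at the site root, as in the quoted format.
KEY_SIG_RE = re.compile(r"^https?://([^/]+)/key/[^/]+\.sig$", re.I)
# The gated Telegram-address file under /t/.
TGA_RE = re.compile(r"^https?://([^/]+)/t/tga\.adr$", re.I)


def parse(log_text: str):
    """Yield (day, client, method, url) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield date.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def hunt(log_text: str, min_days: int = 2) -> dict:
    """Return {(client, host): finding} for clients that fetched /key/*.sig from
    the same host on at least `min_days` distinct days, noting whether that pair
    also pulled /t/tga.adr."""
    sig_days = defaultdict(set)
    tga_seen = set()
    for day, client, method, url in parse(log_text):
        if method != "GET":
            continue
        if (m := KEY_SIG_RE.match(url)):
            sig_days[(client, m.group(1))].add(day)
        elif (m := TGA_RE.match(url)):
            tga_seen.add((client, m.group(1)))
    findings = {}
    for pair, days in sig_days.items():
        if len(days) >= min_days:
            findings[pair] = {"sig_days": sorted(d.isoformat() for d in days),
                              "tga_adr": pair in tga_seen}
    return findings


if __name__ == "__main__":
    for (client, host), info in hunt(SAMPLE_LOG).items():
        print(client, host, info)
```

With the default threshold only the client that came back for a fresh .sig on three days is reported, and the tga.adr fetch is attached to it as corroboration; the one-off /key/pubkey.sig download from another host is dropped, which is the point of keying on the daily cadence rather than on the path alone.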

Also discovered by the cybersecurity company are other older variants used in Foudre campaigns between 2017 and 2020:

• A version of Foudre camouflaged as Amaq News Finder to download and execute the malware
• A new version of a trojan called MaxPinner that is downloaded by the Foudre version 24 DLL to spy on Telegram content
• A variant of malware called Deep Freeze, similar to Amaq News Finder, that is used to infect victims with Foudre
• An unknown malware called Rugissement

"Despite the appearance of having gone dark in 2022, Prince of Persia threat actors have done quite the opposite," SafeBreach said. "Our ongoing research campaign into this prolific and elusive group has highlighted significant details about their activities, C2 servers, and known malware variants in the last three years."

The disclosure comes as DomainTools' continued analysis of Charming Kitten leaks has painted the picture of a hacking group that functions more like a government department, running "espionage operations with clerical precision." The threat actor has also been unmasked as being behind the Moses Staff persona.

"APT 35, the same administrative machine that runs Tehran's long-term credential-phishing operations, also ran the logistics that powered Moses Staff's ransomware theatre," the company said.

"The supposed hacktivists and the government cyber-unit share not only tooling and targets but also the same accounts-payable system. The propaganda arm and the espionage arm are two products of a single workflow: different "projects" under the same internal ticketing regime."
