Full Report
Threat hunters have discerned new activity associated with an Iranian threat actor known as Infy (aka Prince of Persia), nearly five years after the hacking group was observed targeting victims in Sweden, the Netherlands, and Turkey. "The scale of Prince of Persia's activity is more significant than we originally anticipated," Tomer Bar, vice president of security research at SafeBreach, said
Analysis Summary
# Threat Actor: Infy (Prince of Persia)
## Attribution & Identity
* **Origin:** Iranian threat actor (APT).
* **Known Aliases:** Prince of Persia.
* **Associations:** Not explicitly linked to other major groups in this summary, but noted as one of the oldest Iranian APTs, remaining elusive compared to groups like Charming Kitten, MuddyWater, and OilRig.
## Activity Summary
Threat hunters have noted a resurgence of activity from Infy after nearly five years of reduced visibility. The scale of their current activity is considered more significant than previously assessed, confirming they remain an active and dangerous entity. The latest findings detail a covert campaign operating recently (at least as of September 2025).
## Tactics, Techniques & Procedures
* **Initial Access/Delivery:** Phishing emails used to distribute the initial loader. A shift was observed from using macro-laced Microsoft Excel files to directly embedding an executable within these documents to install the Foudre downloader.
* **Loader/Implant Chain:** Utilizes the **Foudre** malware (downloader/victim profiler) to deliver the second-stage implant, **Tonnerre**.
* **Command and Control (C2) Resilience:** Employs a **Domain Generation Algorithm (DGA)** for resilient C2 infrastructure.
* **C2 Validation:** Malware artifacts validate candidate C2 domains by downloading an RSA signature file; the signature is "decrypted" with an embedded public key (that is, RSA signature verification) and the recovered value is compared against a locally stored validation file, so only a domain that serves a correctly signed file is accepted as C2.
* **Specific C2 Directories:** The C2 infrastructure uses a directory named "key" for validation.
* **Victim-Specific Upgrades:** The download of a configuration file (`tga.adr` stored in a "t" directory) is triggered only for a specific list of Victim GUIDs, potentially to upgrade the malware.
* **Covert Communication:** The latest version of Tonnerre communicates findings and potentially receives commands via a specific **Telegram group** ("سرافراز").
## Targeting
* **Sectors:** Not explicitly detailed, but the activity targets "high-value machines."
* **Geography:** Recent activity targets victims across **Iran, Iraq, Turkey, India, and Canada**, as well as **Europe**.
* **Historical Geography (Observed ~5 years ago):** Sweden, the Netherlands, and Turkey.
## Tools & Infrastructure
* **Primary Malware Strains:**
  * **Foudre:** Downloader and victim profiler (v34 observed recently). Older variants included versions camouflaged as "Amaq News Finder."
  * **Tonnerre:** Second-stage implant used for data extraction (versions 12-18 and 50 observed recently).
* **Associated Malware:**
  * **MaxPinner:** A trojan downloaded by the Foudre version 24 DLL, used to spy on Telegram content.
  * **Deep:** Another malware variant mentioned alongside MaxPinner.
* **C2/Communication Infrastructure:**
  * DGA-based infrastructure.
  * Telegram Group: Named "سرافراز" (meaning "proudly" in Persian), containing a Telegram bot (`@ttestro1bot`) and a user handle (`@ehsan8999100`).
## Implications
Infy remains a sophisticated and highly active Iranian APT, capable of maintaining long operational histories (dating back to 2004) and adapting its TTPs, including upgrading malware versions and using modern C2 techniques (DGA, RSA validation, Telegram integration). The continued evolution suggests a persistent state-backed intelligence gathering effort.
## Mitigations
* Monitor for the delivery of Foudre/Tonnerre malware, particularly associated with phishing emails containing malicious executables embedded in Excel files.
* Implement strict controls on the resolution of DGA-generated domains.
* Monitor outbound network traffic for communications with known or suspicious Telegram handles or bots associated with C2 activity, and for downloads of files named `tga.adr`.
* Analyze file system artifacts for structured directories (`key`, `t`) containing C2 validation or configuration files.
* Harden protection against fileless or embedded executable delivery within seemingly benign document formats.
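As an added illustration of the last three mitigations (not code from the report or from SafeBreach), the following hunt correlates the report's network artifacts per client: requests into a `key` directory, fetches of `/t/tga.adr`, and Telegram Bot API calls. The proxy log format and the hostnames and IPs are constructed for the example; the Bot API path pattern `/bot<id>:<token>/` is the real Telegram URL scheme.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log lines (not real telemetry): "<timestamp> <client_ip> <method> <url>".
SAMPLE_LOGS = """\
2025-09-12T08:01:03Z 10.0.5.21 GET http://qx7kd2p9.invalid/key/a1.sig
2025-09-12T08:01:05Z 10.0.5.21 GET http://qx7kd2p9.invalid/t/tga.adr
2025-09-12T08:02:10Z 10.0.5.21 POST https://api.telegram.org/bot123456:PLACEHOLDER_TOKEN/sendMessage
2025-09-12T08:03:00Z 10.0.7.8 GET https://www.example.org/index.html
2025-09-12T08:04:41Z 10.0.9.3 GET http://cdn.example.org/key/pub.pem
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")
# Telegram Bot API requests carry the bot token in the path: /bot<id>:<secret>/<method>
TELEGRAM_BOT_RE = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/")

def match_rules(url):
    """Return the names of the report-derived indicators that this URL matches."""
    u = urlparse(url)
    hits = []
    if u.path.startswith("/key/"):
        hits.append("key_dir_fetch")      # C2 validation: signature file from the "key" directory
    if u.path.endswith("/t/tga.adr"):
        hits.append("tga_adr_fetch")      # victim-specific config file from the "t" directory
    if u.hostname == "api.telegram.org" and TELEGRAM_BOT_RE.match(u.path):
        hits.append("telegram_bot_api")   # endpoint talking to a Telegram bot with a token
    return hits

def hunt(log_text):
    """Group indicator hits per client; two or more distinct indicators escalate to 'high'.

    A lone /key/ hit (see 10.0.9.3) is a weak signal on its own and stays 'low'."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, _method, url = m.groups()
        rules = match_rules(url)
        if rules:
            findings.setdefault(client, set()).update(rules)
    return {
        client: {"rules": rules, "severity": "high" if len(rules) >= 2 else "low"}
        for client, rules in findings.items()
    }

if __name__ == "__main__":
    for client, f in hunt(SAMPLE_LOGS).items():
        print(client, f["severity"], sorted(f["rules"]))
```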