- The Iranian threat group known as Infy or Prince of Persia has been found active again, targeting multiple countries including Iran, Iraq, Turkey, India, Canada, and parts of Europe.
- The group uses updated versions of their Malware, Foudre and Tonnerre, mainly delivered via phishing emails and embedded files in Microsoft Excel documents.
- Infy employs a domain generation algorithm (DGA) to secure their command-and-control (C2) infrastructure, validating domains daily using an RSA signature system.
- The latest Tonnerre malware variant connects to a Telegram group for commands and data exchange, a novel approach in its operations.
- Older malware variants, such as Amaq News Finder, MaxPinner, Deep Freeze, and Rugissement, have also been linked to this threat actor in past campaigns.
The Iranian cyber espionage group known as Infy or Prince of Persia has reemerged with new activity nearly five years after previously being detected targeting victims in Sweden, the Netherlands, and Turkey. This renewed campaign was uncovered by threat researchers in December 2025 and involves operations targeting countries such as Iran, Iraq, Turkey, India, Canada, and various European nations.
The group is notable for its long history, with evidence of operations dating back to 2004. It primarily relies on two malware strains: Foudre, a downloader and victim profiler, and Tonnerre, a second-stage implant used for data extraction on compromised machines. These malware versions have been updated, with the most recent Tonnerre variant detected as recently as September 2025. Infection often begins via phishing emails that deliver macro-laced Microsoft Excel files, which now embed executables to install Foudre.
A key feature of these attacks is the use of a domain generation algorithm (DGA) designed to enhance the resilience of their command-and-control (C2) systems. This algorithm produces daily unique domain names that Foudre verifies by downloading and decrypting RSA signature files to confirm the legitimacy of the C2 domain.
Analysis of the C2 infrastructure revealed specialized directories, including one named “key” for domain validation, another for communication logs, and others Hosting exfiltrated data. The most recent Tonnerre malware includes functionality to interface with a Telegram group named “سرافراز” (“proudly” in Persian). This group contains a Telegram bot (@ttestro1bot) believed to manage commands and data collection, alongside a user account (@ehsan8999100). The file storing this information is triggered only for specific victim identifiers.
Historical variants associated with the group include versions of Foudre disguised as a tool named Amaq News Finder, a trojan called MaxPinner used for spying on Telegram, a malware known as Deep Freeze, and an unidentified threat called Rugissement.
Despite appearing inactive in 2022, ongoing research emphasizes that Prince of Persia remains an active and sophisticated threat actor employing complex malware and operational security measures. For more detailed technical insights, refer to resources linked by SafeBreach and Palo Alto Networks Unit 42, as stated here and here.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Crypto Analyst Sees Bitcoin Potential Drop to $75K Amid Optimism
- Skybridge’s Scaramucci Predicts Solana SOL Could Hit $2,500
- Bitcoin Demand Slows Since Oct 2025, Signaling New Bear Market
- Crypto User Loses $50M in Rare Wallet Address Poisoning Attack
- Uniswap’s UNI Jumps 19% as On-Chain Voting Starts on Fee Proposal
