Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence

After years of relative obscurity, a long-standing Iranian advanced persistent threat (APT) group known as **Infy** — also dubbed “Prince of Persia” — has resurfaced with a sophisticated wave of cyber-espionage activity. Although the group was thought dormant or severely disrupted in recent years, its renewed operations demonstrate a significant evolution in its malware tooling, command-and-control mechanisms, and global targeting scope, posing serious risks to international organizations, governments, and critical infrastructure. (Source: The Hacker News)


Who Is Infy? A Brief History of an Elusive Threat Actor

Infy, often referred to by researchers as Prince of Persia, is an Iran-aligned state-sponsored cyber-espionage group that has been active since the early 2000s. First publicly observed around 2004, Infy predates many well-known APTs and is among the longest-running hacking groups with documented operations. (Source: Dark Reading)

Despite its longevity, the group has remained relatively low-profile compared to other Iranian threat clusters such as Charming Kitten, MuddyWater, or OilRig. Infy’s quieter operational profile has led some analysts to believe it was dormant for extended periods, especially after public exposure and disruption of its infrastructure around 2019–2022. (Source: SC Media)

However, recent threat intelligence indicates that the group never truly went dark — it was simply operating under the radar, refining its tactics, and expanding its capabilities for a comeback. (Source: NetmanageIT CTO Corner)


Resurgence After Years of Silence

In 2025, cybersecurity researchers, most notably from SafeBreach Labs, revealed renewed activity linked to Infy after nearly five years of minimal publicly documented operations. This resurgence includes:

  • New malware variants, such as updated versions of Foudre and Tonnerre

  • Enhanced command-and-control (C2) infrastructure

  • Expanded geographic targeting

  • More sophisticated delivery and evasion techniques

These findings contradict earlier assumptions that Infy’s operational phase had declined or ended in 2022 — instead showing that it had persisted quietly and continuously evolved. (Source: Cyber Syrup)


Malware Arsenal: Foudre and Tonnerre

Infy’s recent campaigns revolve around two primary malware families, both of which have been adapted and modernized:

Foudre — The Downloader and Profiler

Foudre serves as the initial foothold in the victim environment. Traditionally distributed via phishing emails, this malware acts as both a downloader and a system profiler. The goal of Foudre is to gather system information and determine whether a target is “high value” — triggering the deployment of more intrusive implants only when appropriate. (Source: radar.offseq.com)

The delivery mechanism has also shifted over time. While older campaigns used macro-enabled Microsoft Office documents, the latest iterations embed executables directly within Excel files, increasing the likelihood of successful delivery and bypassing some macro-related defenses. (Source: redsecuretech.co.uk)

Tonnerre — The Second-Stage Implant

Once deployed, Tonnerre acts as a powerful implant designed for data collection, exfiltration, and long-term surveillance. Newer variants (identified as Tonnerre v50 in 2025) feature expanded capabilities beyond basic surveillance, including more resilient communications with C2 servers and the ability to interact with modern platforms for covert control. (Source: redsecuretech.co.uk)

Infy’s use of layered malware — a lightweight initial downloader followed by a more capable implant — reflects a classic APT pattern, optimized for persistence and stealth. (Source: Galileo Systems Group)


Command-and-Control Reinvented: DGA and Telegram Integration

A key feature of Infy’s resurgence is its heavily engineered command-and-control infrastructure, designed to evade detection and takedown efforts.

Domain Generation Algorithms (DGA)

Infy employs domain generation algorithms, which produce large sets of pseudo-random domain names for C2 communication. This technique complicates defenders’ ability to preemptively block or sinkhole malicious domains, because they cannot easily predict every C2 endpoint the malware may generate. (Source: redsecuretech.co.uk)

Both Foudre and Tonnerre utilize distinct DGAs, generating domains under a range of top-level domains and public DNS suffixes, such as .site, .privatedns.org, and others. (Source: redsecuretech.co.uk)
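The two DGA paragraphs above, together with the “Monitor for Suspicious C2 Patterns” advice later on the page, describe the detection opportunity without showing what a defender actually looks for. The Go program below is an added example written for this article; it is not code from SafeBreach, redsecuretech or any Infy sample. It scores the registrable label of each queried name on several weak features (length, Shannon entropy, vowel ratio, digit count) and groups hits per client, because a burst of NXDOMAIN answers for high-scoring names from one host is the characteristic DGA footprint. The DNS log lines, the client addresses and the pseudo-random names are constructed for the example; `.privatedns.org` is treated as a public suffix because the article lists it, and `co.uk` is an added assumption. Note the deliberate false-positive trap: `login.microsoftonline.com` has the same entropy as the generated names and is only cleared by the vowel and digit features.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Constructed sample DNS query log: timestamp, client IP, queried name, response code.
// The pseudo-random names illustrate the DGA pattern; they are not Infy indicators.
const sampleDNSLog = `2025-06-01T10:00:01Z 10.0.0.12 www.example.com NOERROR
2025-06-01T10:00:02Z 10.0.0.12 login.microsoftonline.com NOERROR
2025-06-01T10:00:03Z 10.0.0.12 q7x2m9kd4p.site NXDOMAIN
2025-06-01T10:00:04Z 10.0.0.12 zp8wk3r1vt.site NXDOMAIN
2025-06-01T10:00:05Z 10.0.0.12 h4n6b2y9qx.privatedns.org NXDOMAIN
2025-06-01T10:00:06Z 10.0.0.12 mail.example.com NOERROR
2025-06-01T10:00:07Z 10.0.0.13 cdn.example.net NOERROR`

// Multi-label suffixes treated as public so the label in front of them is scored.
// privatedns.org comes from the article; co.uk is an added assumption.
var publicSuffixes = map[string]bool{"privatedns.org": true, "co.uk": true}

// registrableLabel returns the label directly below the public suffix.
func registrableLabel(name string) string {
	parts := strings.Split(strings.ToLower(strings.TrimSuffix(name, ".")), ".")
	if len(parts) < 2 {
		return parts[0]
	}
	if len(parts) >= 3 && publicSuffixes[strings.Join(parts[len(parts)-2:], ".")] {
		return parts[len(parts)-3]
	}
	return parts[len(parts)-2]
}

// shannonEntropy returns bits per character of s.
func shannonEntropy(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s { counts[r]++ }
	n, h := float64(len([]rune(s))), 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// dgaScore combines weak features (0..4). Entropy alone misfires on long legitimate
// labels such as "microsoftonline", so vowel ratio and digit count are scored too.
func dgaScore(label string) int {
	vowels, digits := 0, 0
	for _, r := range label {
		if strings.ContainsRune("aeiou", r) {
			vowels++
		} else if r >= '0' && r <= '9' {
			digits++
		}
	}
	n, score := len(label), 0
	if n >= 8 { score++ }
	if shannonEntropy(label) >= 3.0 { score++ }
	if n > 0 && float64(vowels)/float64(n) < 0.25 { score++ }
	if digits >= 2 { score++ }
	return score
}

func isDGALike(label string) bool { return dgaScore(label) >= 3 }

// ClientReport collects DGA-like lookups per client. NXDOMAIN bursts are the
// strongest signal, because most generated names are never registered.
type ClientReport struct {
	Flagged  []string
	NXDomain int
}

// analyzeDNSLog parses the log and groups DGA-like queries by client.
func analyzeDNSLog(log string) map[string]*ClientReport {
	reports := map[string]*ClientReport{}
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) < 4 { continue }
		client, name, rcode := f[1], f[2], f[3]
		if reports[client] == nil { reports[client] = &ClientReport{} }
		if !isDGALike(registrableLabel(name)) { continue }
		reports[client].Flagged = append(reports[client].Flagged, name)
		if rcode == "NXDOMAIN" { reports[client].NXDomain++ }
	}
	return reports
}

func main() {
	for client, r := range analyzeDNSLog(sampleDNSLog) {
		if len(r.Flagged) > 0 {
			fmt.Printf("%s: %d DGA-like lookups (%d NXDOMAIN): %s\n",
				client, len(r.Flagged), r.NXDomain, strings.Join(r.Flagged, ", "))
		}
	}
}
```

Run against the constructed log, the program reports `10.0.0.12` with three DGA-like lookups, all answered NXDOMAIN, and nothing for `10.0.0.13`. In production the same per-client grouping should be fed from the resolver logs over a sliding window, with the threshold tuned on a baseline of the organization’s own traffic.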

Cryptographically Validated C2

Infy’s malware performs cryptographic verification of C2 domains before communicating. Foudre, for instance, checks an RSA-signed file against an embedded public key to ensure that a domain is genuine and under attacker control before exchanging data. This validation step keeps the implant from following a generated domain that someone else (a researcher’s sinkhole, for example) has registered ahead of the operators, and ensures the malware only talks to approved servers. (Source: radar.offseq.com)
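The paragraph above explains the mechanism but not its consequence for defenders: a sinkhole that registers one of the generated domains cannot produce a record the implant will accept, because the private key never leaves the operators. The Go program below is an added example written for this article, not Foudre’s code or its file format. It models the signed file as a domain name plus an RSA PKCS#1 v1.5 signature over its SHA-256 digest (the layout and the hash choice are assumptions), signs it once with an operator key and once with a sinkhole key, and checks both against the public key that would be embedded in the implant. What the sinkhole still gets is the DNS lookup and the fetch attempt from every infected host, which is exactly the telemetry the previous section describes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// signedRecord models the small file served by a C2 domain: the domain name plus
// an RSA signature over it. This layout is an assumption for illustration, not
// Foudre's real on-the-wire format.
type signedRecord struct {
	Domain    string
	Signature []byte
}

// signRecord produces a record that only the holder of the private key can make.
func signRecord(priv *rsa.PrivateKey, domain string) (signedRecord, error) {
	digest := sha256.Sum256([]byte(domain))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return signedRecord{}, err
	}
	return signedRecord{Domain: domain, Signature: sig}, nil
}

// validateRecord is the check an implant performs with its embedded public key
// before it trusts a DGA-generated domain: the record must name that domain and
// carry a signature that verifies under the embedded key.
func validateRecord(pub *rsa.PublicKey, expectedDomain string, rec signedRecord) error {
	if rec.Domain != expectedDomain {
		return errors.New("record names a different domain")
	}
	digest := sha256.Sum256([]byte(rec.Domain))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], rec.Signature)
}

// sinkholeDemo contrasts the two cases a defender cares about: a record signed
// with the operators' key validates; a record published by a sinkhole that
// registered the same generated domain with its own key does not.
func sinkholeDemo() (genuineOK, sinkholeOK bool, err error) {
	const domain = "q7x2m9kd4p.site" // constructed DGA-style domain, not a real indicator

	operatorKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	embeddedPub := &operatorKey.PublicKey // what would ship inside the implant

	genuine, err := signRecord(operatorKey, domain)
	if err != nil {
		return false, false, err
	}
	genuineOK = validateRecord(embeddedPub, domain, genuine) == nil

	// A sinkhole operator controls the domain but not the operators' private key.
	sinkholeKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	forged, err := signRecord(sinkholeKey, domain)
	if err != nil {
		return false, false, err
	}
	sinkholeOK = validateRecord(embeddedPub, domain, forged) == nil
	return genuineOK, sinkholeOK, nil
}

func main() {
	g, s, err := sinkholeDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("operator-signed record accepted: %v\nsinkhole record accepted: %v\n", g, s)
}
```

The practical reading for a SOC: registering or sinkholing predicted domains gives visibility into which hosts are infected, but it will not let anyone but the operators steer the implant, so containment has to happen on the endpoint and at the network edge rather than by hijacking the C2 channel.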

Telegram for Covert Control

In an unexpected evolution, newer versions of Tonnerre now include mechanisms to leverage Telegram — a widely used encrypted messaging platform — as part of the command-and-control chain. Malware can connect to a Telegram group (identified as “سرافراز,” meaning “Proudly” in Persian), where a bot relays commands and collects exfiltrated data. (Source: redsecuretech.co.uk)

This use of a legitimate platform adds resilience and makes traditional network-based C2 detection harder, as encrypted messaging platforms are not easily blocked without significant collateral impact. (Source: redsecuretech.co.uk)
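Because the traffic itself is TLS to a legitimate service, the workable signal is not the destination but the process behind it, which is the point of the “unusual connections to messaging platforms” advice in the defensive section further down. The Go program below is an added example for this article (not from any vendor or from Tonnerre analysis) that joins endpoint network-connection telemetry against an allow-list of processes that are expected to talk to Telegram, and raises the priority when the connecting image runs from a user-writable directory. The events, hostnames, paths and the allow-list are all constructed assumptions; `api.telegram.org` and `web.telegram.org` are Telegram’s real API and web hosts, but which processes may reach them is an environment-specific decision.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed endpoint telemetry: timestamp | host | process image path | destination.
// Hosts, paths and names are made up for illustration; none are Infy indicators.
const sampleEvents = `2025-06-01T09:12:03Z|WS-014|C:\Program Files\Telegram Desktop\Telegram.exe|api.telegram.org:443
2025-06-01T09:13:10Z|WS-014|C:\Program Files\Mozilla Firefox\firefox.exe|web.telegram.org:443
2025-06-01T09:15:44Z|WS-022|C:\Users\a.user\AppData\Roaming\svc\update.exe|api.telegram.org:443
2025-06-01T09:16:01Z|WS-022|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|api.telegram.org:443
2025-06-01T09:20:30Z|WS-031|C:\Windows\System32\svchost.exe|settings-win.data.microsoft.com:443`

// Processes expected to reach Telegram in this (assumed) environment.
var allowedTelegramClients = map[string]bool{
	"telegram.exe": true, "firefox.exe": true, "chrome.exe": true, "msedge.exe": true,
}

// isTelegramDestination matches Telegram API/web hosts by suffix, ignoring the port.
func isTelegramDestination(dest string) bool {
	host := strings.ToLower(dest)
	if i := strings.LastIndex(host, ":"); i >= 0 {
		host = host[:i]
	}
	return host == "telegram.org" || strings.HasSuffix(host, ".telegram.org") || host == "t.me"
}

// inUserWritablePath flags images running from locations malware commonly drops into.
func inUserWritablePath(image string) bool {
	p := strings.ToLower(image)
	return strings.Contains(p, `\appdata\`) || strings.Contains(p, `\temp\`) ||
		strings.Contains(p, `\users\public\`)
}

// Alert describes one Telegram connection from an unexpected process.
type Alert struct {
	Host, Image, Dest, Reason string
}

// detectUnexpectedTelegram returns one alert per Telegram connection made by a
// process outside the allow-list; the reason notes whether the image also lives
// in a user-writable directory, which raises the priority.
func detectUnexpectedTelegram(events string) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(strings.TrimSpace(events), "\n") {
		f := strings.Split(line, "|")
		if len(f) != 4 {
			continue
		}
		host, image, dest := f[1], f[2], f[3]
		if !isTelegramDestination(dest) {
			continue
		}
		// Windows paths: normalise separators so filepath.Base works on any OS.
		base := strings.ToLower(filepath.Base(strings.ReplaceAll(image, `\`, "/")))
		if allowedTelegramClients[base] {
			continue
		}
		reason := "non-messaging process reached Telegram"
		if inUserWritablePath(image) {
			reason += "; image in user-writable path"
		}
		alerts = append(alerts, Alert{Host: host, Image: image, Dest: dest, Reason: reason})
	}
	return alerts
}

func main() {
	for _, a := range detectUnexpectedTelegram(sampleEvents) {
		fmt.Printf("%s %s -> %s: %s\n", a.Host, a.Image, a.Dest, a.Reason)
	}
}
```

On the constructed events this yields two alerts, both for `WS-022`: an updater running out of `AppData\Roaming` and `EXCEL.EXE`, which has no business talking to a bot API. The allow-list is the tunable part; in an organisation that does not use Telegram at all it can be empty, and every hit becomes worth a look.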


Global Targeting: Widened Geographic Scope

Infy’s targeting reflects strategic interests aligned with Iranian geopolitical priorities. While earlier activity was more localized or narrow in scope, recent campaigns have exhibited broader geographic reach, including:

  • Iran

  • Iraq

  • Turkey

  • India

  • Canada

  • Multiple European countries

(Source: Cyber Syrup)

This expansion underscores that Infy’s operations are no longer limited to regional objectives; they now appear to pursue cross-border intelligence collection with potential political, economic, or infrastructure-oriented objectives. (Source: Galileo Systems Group)


Operational Objectives: Espionage Over Disruption

Unlike some cyber threats focused on destruction or ransomware extortion, Infy’s activities are firmly rooted in espionage and long-term access. The group’s malware is designed not to disrupt systems but to profile victims, extract sensitive information, and maintain persistent access for extended periods. (Source: Cyber Syrup)

Such objectives are classic traits of state-aligned APTs, where the acquisition of intellectual property, strategic intelligence, and political insights is prioritized. (Source: radar.offseq.com)


Why the Resurgence Matters

The reactivation and modernization of Infy carry deep implications for global cybersecurity:

1. Persistence of Long-Running Threat Actors

Infy’s resurgence proves that a perceived period of inactivity does not necessarily signal the end of an APT’s capabilities. Instead, such actors may be operating quietly, improving their toolkit, and preparing for strategic campaigns, only emerging when opportunities align. (Source: NetmanageIT CTO Corner)

2. Advanced Evasion and C2 Techniques

The group’s use of DGAs, cryptographic C2 validation, and integration with legitimate platforms such as Telegram reflects an adversary with operational maturity. These tactics complicate detection and mitigation for defenders, who must adapt to both technical sophistication and unconventional C2 channels. (Source: redsecuretech.co.uk)

3. Diverse Geographic and Sector Targets

Infy’s broadening target list indicates that organizations and governments worldwide — not just in Iran’s immediate neighborhood — must consider state-sponsored cyber espionage as a real threat. This includes sectors such as government, critical infrastructure, industry, and scientific research. (Source: Cyber Syrup)


Defending Against Infy’s Operations

Organizations and defenders can take several measures to mitigate the threat posed by Infy and similar APTs:

1. Harden Email and Phishing Defenses

Since the initial infection vector relies heavily on phishing emails with malicious attachments, implementing robust email security, attachment sandboxing, and user training to avoid enabling embedded executables is critical. (Source: radar.offseq.com)

2. Monitor for Suspicious C2 Patterns

Network defenders should look for domain patterns associated with DGAs and unusual connections to messaging platforms or encrypted services that could indicate covert C2 traffic. (Source: redsecuretech.co.uk)

3. Endpoint Detection and Response (EDR)

Deploying advanced EDR solutions capable of detecting unusual process behaviors — such as unauthorized DLL loads, command execution chains, and hidden processes — can help identify and contain malware like Foudre or Tonnerre early in the attack lifecycle. (Source: radar.offseq.com)

4. Threat Intelligence and Information Sharing

Participating in threat intelligence sharing initiatives helps organizations remain aware of emerging Indicators of Compromise (IOCs), malware hashes, and adversary TTPs, improving overall readiness against evolving threats like Infy. (Source: KSEC Community Forum)


Conclusion: A Stealthy Return with a Sharpened Edge

The resurgence of the Iranian Infy APT — once thought dormant — highlights the resilience and adaptability of state-sponsored adversaries in the global cyber threat landscape. After years of staying below the radar, the group has refined its operational playbook, expanded its malware arsenal, and embraced stealthier C2 mechanisms that leverage cryptography and mainstream communication platforms.

By understanding Infy’s sophisticated tools, objectives, and targeting patterns, organizations can better prepare defenses and counter the subtle but persistent threat posed by long-running cyber-espionage actors. For the broader cybersecurity community, Infy’s return is a stark reminder that threats evolve and endure — and vigilance must remain constant. (Source: Cyber Syrup)
