After nearly five years of apparent dormancy, the Iranian threat group Infy—also known as Prince of Persia—has resurfaced. Security researchers at SafeBreach have identified a new campaign by this long-standing cyber-espionage operation, which has conducted attacks across multiple countries since 2004 while largely remaining in the shadow of other Iranian groups.
The recent operation targeted victims in Iran, Iraq, Turkey, India, Canada, and several European countries. The group’s core toolset remains unchanged, relying on the malware families Foudre and Tonnerre. Foudre functions as a loader and reconnaissance tool, responsible for deploying Tonnerre and harvesting system information. In the latest iteration, Foudre version 34, analysts uncovered enhanced delivery techniques: the malware is now embedded directly within an executable attached to a Microsoft Excel document, making the attack significantly more discreet.
Communication with the command-and-control servers has also been refined. The malware now uses a domain generation algorithm (DGA) to derive candidate C2 domains, which complicates tracking and takedown of its infrastructure. In addition, Foudre contacts the candidate server daily to fetch a digital signature, which it checks against a public key embedded in the sample; only a server that presents a signature produced with the matching private key is accepted as the "correct" C2. This closes the usual weakness of a DGA: a defender who registers a predicted domain can sinkhole the traffic, but cannot impersonate the operators' server and issue commands, because the private key needed to produce a valid signature is not in the malware.
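The DGA-plus-signature scheme described above, modelled as an added example (this is not Foudre's code or SafeBreach's; the DGA, the seed, the `.example` domains, the toy RSA key pair and the responder table are all constructed here for illustration; the real malware uses its own algorithm and a properly padded signature scheme):

```python
import hashlib
from datetime import date

# Toy RSA key pair, constructed for this example from two Mersenne primes.
# A real sample would embed a 2048-bit key and use PKCS#1 v1.5 or PSS padding.
P = (1 << 89) - 1      # 2^89 - 1 (prime)
Q = (1 << 127) - 1     # 2^127 - 1 (prime)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# The only key material shipped inside the malware is the public half.
EMBEDDED_PUBLIC_KEY = (N, E)
# The private half stays with the operators.
OPERATOR_PRIVATE_KEY = (N, D)


def dga(day: date, seed: bytes = b"constructed-seed", count: int = 3) -> list:
    """Constructed DGA: derive a fixed list of candidate C2 domains for the
    ISO week containing `day`, so every infected host computes the same list."""
    year, week, _ = day.isocalendar()
    domains = []
    for i in range(count):
        h = hashlib.sha256(seed + f"{year}-{week}-{i}".encode()).hexdigest()
        domains.append(f"{h[:12]}.example")  # .example is reserved (RFC 2606)
    return domains


def _digest(domain: str, n: int) -> int:
    """Hash the domain name and reduce it into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(domain.lower().encode()).digest(), "big") % n


def sign_domain(domain: str, private_key) -> int:
    """Operator side: sign the C2 domain so the bot can recognise it."""
    n, d = private_key
    return pow(_digest(domain, n), d, n)


def verify_c2(domain: str, signature: int, public_key=EMBEDDED_PUBLIC_KEY) -> bool:
    """Bot side: accept the server only if the served signature verifies
    under the embedded public key for this exact domain name."""
    n, e = public_key
    return pow(signature, e, n) == _digest(domain, n)


def select_c2(day: date, responders: dict):
    """Walk the DGA candidates in order, fetch the signature each live
    server returns (simulated by the `responders` table) and use the first
    one that verifies. A sinkhole that serves a forged signature is skipped."""
    for domain in dga(day):
        served = responders.get(domain)
        if served is not None and verify_c2(domain, served):
            return domain
    return None


if __name__ == "__main__":
    today = date(2025, 3, 10)
    first, second, _ = dga(today)
    # Constructed scenario: a defender sinkholed the first candidate domain
    # and serves a made-up signature; the operators own the second.
    responders = {
        first: 0xDEADBEEF,                                # forged by sinkhole
        second: sign_domain(second, OPERATOR_PRIVATE_KEY),  # genuine
    }
    print("candidates:", dga(today))
    print("accepted C2:", select_c2(today, responders))
```

Because the signature covers the domain name itself, a valid signature captured from the genuine server cannot be replayed on a different domain, and the sinkhole operator has no way to forge one without the operators' private key. The defender still gains visibility (the bot does resolve and contact the sinkholed domain before rejecting it), but cannot take control of the botnet.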
On the servers used to manage infected systems, researchers discovered a structured environment containing directories for activity logs, exfiltrated files, and authentication data used to validate the command server. A separate directory labeled “download” was also identified; while its exact purpose remains unclear, it is believed to be intended for delivering updates.
Particular attention was drawn to a new feature in recent versions of Tonnerre: communication via Telegram. Analysis revealed that the malware can connect to a Telegram group named “سرافراز” (“Proud” in Persian), which consists of only two members—a bot likely used for command and data collection, and a user with the alias @ehsan8999100. Details about this group are stored on the C2 server in a dedicated file and are accessible only to select infected systems.
While examining Infy’s infrastructure, analysts also uncovered older malware samples actively used between 2017 and 2020. These included applications disguised as news software, the MaxPinner trojan capable of spying on Telegram activity, and a previously undocumented piece of malware named Rugissement.
Despite the outward silence since 2022, Infy never ceased operations; it merely retreated deeper underground. Activity analysis over the past three years shows continued tool development and ongoing attacks, alongside a marked evolution in both infrastructure and operational methodology.
Against the backdrop of this renewed activity, the report once again highlights the blurred boundary between cyber-espionage and state structures. Leaks related to another Iranian group, Charming Kitten, suggest that the same administrative mechanisms may operate behind ostensibly distinct cyber actors—overseeing phishing campaigns and ransomware attacks alike under a unified command and logistical framework.