Iranian Infy (Prince of Persia) APT Returns: New Microsoft Windows and Office Malware Campaigns Exploit Telegram-Based C2
- Rescana
- Dec 21
- 5 min read

Executive Summary
The Iranian advanced persistent threat (APT) group known as Infy (also referred to as "Prince of Persia") has re-emerged after a prolonged period of inactivity, orchestrating a new wave of cyber-espionage campaigns. Leveraging advanced malware variants and innovative command-and-control (C2) techniques, including the use of the Telegram messaging platform, Infy has demonstrated a significant evolution in its operational capabilities. The group’s latest campaigns, observed from August to December 2025, have targeted government entities, dissidents, and critical infrastructure across Iran, Europe, Iraq, Turkey, India, and Canada. The sophistication of the new malware, combined with dynamic C2 infrastructure and evasion tactics, poses a substantial threat to organizations globally. This advisory provides a comprehensive technical analysis of the new Infy malware, its tactics, techniques, and procedures (TTPs), observed exploitation in the wild, victimology, and actionable mitigation strategies.
Threat Actor Profile
Infy is a long-standing Iranian state-sponsored APT group, active since at least 2007, and is recognized for its persistent cyber-espionage operations. Historically, Infy has targeted a broad spectrum of victims, including government agencies, political dissidents, defense contractors, and critical infrastructure operators. The group is characterized by its methodical approach, custom malware development, and adaptive C2 strategies. After a period of apparent dormancy following public exposure in 2016, Infy has resurfaced with new malware variants and operational enhancements. The group’s activities are closely aligned with Iranian state interests, and its campaigns are notable for their longevity, stealth, and technical sophistication. Recent evidence, including the use of Persian-language operators and infrastructure overlaps, strongly attributes these campaigns to Iranian state actors.
Technical Analysis of Malware/TTPs
The latest Infy campaigns are distinguished by the deployment of new malware variants, notably Foudre v34, Tonnerre v17, and Tonnerre v50. These malware families exhibit advanced features, including multi-stage loaders, domain generation algorithms (DGAs), and novel C2 mechanisms.
Foudre v34 is delivered via spear-phishing emails carrying malicious Microsoft Excel attachments. The attachments contain no software exploit; they depend on the recipient enabling macros, after which the macro writes and runs embedded executables, dropping a DLL loader (Conf8830.dll) and a self-extracting archive (SFX) disguised as a media file. The SFX archive contains both a malicious DLL and a decoy MP4 video, which is played to the victim to make the lure look legitimate. Foudre v34 implements a two-tiered DGA that generates C2 domains composed mostly of the letters j-z; because the domains change over time, static blocklists of hostnames are ineffective and detection has to rely on the shape of the queried names.
Tonnerre v17 operates in conjunction with Foudre, utilizing a similar DGA but with unique key prefixes to establish C2 communications. It exfiltrates victim data, including system GUIDs and encrypted files, through structured directories such as /blog, /f, and /s on the C2 server. The malware’s modular architecture allows for flexible tasking and data collection.
Tonnerre v50 represents a significant operational shift, introducing Telegram-based C2 for the first time in Infy’s history. The malware communicates with a Telegram bot (ttestro1bot), which relays commands and exfiltrated data to a Telegram group managed by a Persian-speaking operator identified as Ehsan. This use of a legitimate messaging platform for C2 provides enhanced resilience against takedowns and complicates network-based detection.
The malware exhibits robust persistence and evasion mechanisms. The operators rotate C2 servers frequently, registering names under the .site TLD and under dynamic-DNS parent domains such as hbmc.net, ix.tc, and privatedns.org. The malware can delete itself on receipt of a specific C2 command, reducing forensic artifacts and hindering incident response. Notably, the embedded executables have shown a high degree of evasion, with most antivirus engines failing to detect them as of December 2025.
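As an added example (not code from the advisory or from any vendor report), the script below applies the network indicators described in this section to a few constructed log lines: DNS names whose registrable label is drawn almost entirely from the letters j-z (the Foudre DGA pattern), names under the .site TLD or the dynamic-DNS parents listed above, and HTTP requests to the Telegram Bot API of the kind Tonnerre v50 uses for C2. The log format, the minimum label length and the j-z ratio threshold are assumptions chosen for this example.

```python
"""Triage constructed DNS/HTTP log lines against the Infy network indicators.
The thresholds and the log format below are assumptions for this example."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# From the advisory: a TLD plus dynamic-DNS parent domains used for C2 rotation.
# These are suffixes, so "updates.hbmc.net" matches and "hbmc.net" alone does not.
SUSPECT_SUFFIXES = (".site", ".hbmc.net", ".ix.tc", ".privatedns.org")

# Assumption: a Foudre DGA label is at least 8 characters and >= 90% of its
# letters fall in j-z. Tune both numbers against your own DNS baseline.
DGA_ALPHABET = set("jklmnopqrstuvwxyz")
MIN_LABEL_LEN = 8
JZ_RATIO = 0.9

# Telegram Bot API calls have the shape https://api.telegram.org/bot<id>:<secret>/<method>
TELEGRAM_BOT_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def registrable_label(host: str) -> str:
    """Label to score: the one directly under a known suffix, otherwise the
    second-level label (approximation; no public-suffix-list lookup)."""
    host = host.lower().rstrip(".")
    for suf in SUSPECT_SUFFIXES:
        if host.endswith(suf):
            return host[: -len(suf)].split(".")[-1]
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def looks_like_jz_dga(host: str) -> bool:
    label = registrable_label(host)
    letters = [c for c in label if c.isalpha()]
    if len(label) < MIN_LABEL_LEN or not letters:
        return False
    return sum(c in DGA_ALPHABET for c in letters) / len(letters) >= JZ_RATIO


def has_suspect_suffix(host: str) -> bool:
    return host.lower().rstrip(".").endswith(SUSPECT_SUFFIXES)


def telegram_bot_call(url: str):
    """Return (bot_id, api_method) for a Telegram Bot API request, else None."""
    u = urlparse(url)
    if u.hostname != "api.telegram.org":
        return None
    m = TELEGRAM_BOT_RE.match(u.path)
    return (m.group(1), m.group(3)) if m else None


def triage(lines):
    """Each line is 'DNS<TAB>hostname' or 'HTTP<TAB>url' (assumed format)."""
    findings = []
    for line in lines:
        kind, _, value = line.partition("\t")
        f = Finding(line)
        if kind == "DNS":
            if looks_like_jz_dga(value):
                f.reasons.append("j-z DGA-like label")
            if has_suspect_suffix(value):
                f.reasons.append("suffix used for Infy C2 rotation")
        elif kind == "HTTP":
            call = telegram_bot_call(value)
            if call:
                f.reasons.append(f"Telegram Bot API call: bot {call[0]}, method {call[1]}")
            if has_suspect_suffix(urlparse(value).hostname or ""):
                f.reasons.append("suffix used for Infy C2 rotation")
        if f.reasons:
            findings.append(f)
    return findings


SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "DNS\twww.example.com",
    "DNS\tqwtxrvspnk.site",
    "DNS\tmail.corp.internal",
    "DNS\tupdates.hbmc.net",
    "HTTP\thttps://api.telegram.org/bot123456:AAExampleTokenValue/sendDocument",
    "HTTP\thttps://www.wikipedia.org/",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line, "->", "; ".join(f.reasons))
```

The .site TLD and dynamic-DNS services host plenty of legitimate names, so a suffix hit on its own is a lead for analyst review rather than a block decision; the combination of a suffix hit with a j-z label, or a Bot API call from a host that has no business using Telegram, is what should page someone.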
Exploitation in the Wild
Active exploitation by Infy has been observed from August to December 2025, with campaigns primarily leveraging spear-phishing emails as the initial access vector. The emails contain malicious Excel attachments that, upon user interaction, execute embedded payloads. The infection chain involves the execution of a file named ccupdate.tmp, which initiates the deployment of the SFX archive and subsequent malware components.
Victims have been identified across multiple sectors and geographies, including government agencies, critical infrastructure operators, and political dissidents in Iran, Europe, Iraq, Turkey, India, and Canada. The use of dynamic DGAs and Telegram-based C2 has enabled Infy to maintain operational continuity despite periodic takedowns of its infrastructure. The group’s ability to rapidly rotate C2 domains and leverage legitimate platforms for C2 communications has significantly increased the complexity of detection and response.
Victimology and Targeting
Infy’s targeting is consistent with Iranian state interests, focusing on government entities, critical infrastructure, and individuals or organizations perceived as dissidents. The group’s campaigns have historically spanned over 35 countries, with recent activity concentrated in Iran and neighboring regions, as well as select targets in Europe, India, and Canada. The selection of victims is informed by geopolitical considerations, with a particular emphasis on intelligence collection and surveillance. The use of Persian-language operators and infrastructure further corroborates the group’s Iranian nexus.
Mitigation and Countermeasures
Organizations are advised to implement a multi-layered defense strategy to mitigate the threat posed by Infy. Key recommendations include:
Enhancing email security controls to detect and block spear-phishing attempts, particularly those involving Excel attachments with macros or embedded SFX archives. User awareness training should emphasize the risks associated with enabling macros and executing unsolicited attachments.
Deploying endpoint detection and response (EDR) tooling that can identify the process behaviors in this chain: an Office process writing and executing ccupdate.tmp, the loading of the dropped Conf8830.dll, and a self-extracting archive that unpacks a DLL while playing a decoy video. Because most antivirus engines missed these samples as of December 2025, behavioral rules matter more than signatures here, and signatures and heuristics should still be kept current.
Implementing network monitoring to detect anomalous DNS queries indicative of DGA-based C2 (for Foudre, names built mostly from the letters j-z), and to flag outbound connections to names under the .site TLD and the dynamic-DNS parents hbmc.net, ix.tc, and privatedns.org. Outbound HTTPS to api.telegram.org from hosts with no business need for Telegram deserves particular attention, since Tonnerre v50 relays tasking and exfiltrated data through the Telegram Bot API; the traffic is TLS to a legitimate service, so the host and process that originate it are the useful signal.
Establishing incident response playbooks that account for malware self-deletion and C2 rotation. Forensic teams should be prepared to investigate ephemeral artifacts and leverage memory analysis to identify in-memory malware components.
Collaborating with threat intelligence providers and law enforcement to obtain up-to-date indicators of compromise (IOCs) and share information on observed attacks. Proactive threat hunting for the presence of Conf8830.dll, ccupdate.tmp, and suspicious Telegram bot activity is recommended.
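The host-side hunt recommended above, as an added example that is not code from the advisory or from Rescana: it walks a directory tree and reports the two file-name indicators (Conf8830.dll and ccupdate.tmp) and any file whose extension claims a media or document type but whose contents begin with a PE header, which is how an SFX archive disguised as an MP4 presents on disk. The sample tree is constructed in a temporary directory; the list of extensions treated as "must not be a PE" is an assumption for this example.

```python
"""Hunt a directory tree for the Infy host indicators named in this advisory.
The sample files created by build_sample_tree() are constructed, not malware."""
import os
import tempfile
from pathlib import Path

# File names from the advisory, compared case-insensitively.
NAME_IOCS = {"conf8830.dll", "ccupdate.tmp"}
# Assumption for this example: files with these extensions should never be PE images.
MEDIA_EXTENSIONS = {".mp4", ".mkv", ".avi", ".mp3", ".jpg", ".png", ".pdf"}
PE_MAGIC = b"MZ"


def is_pe(path: Path) -> bool:
    """True if the file starts with the DOS/PE 'MZ' magic (SFX archives are PEs)."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        return False


def classify(path: Path):
    """Return the reasons a file is interesting (empty list if none)."""
    reasons = []
    if path.name.lower() in NAME_IOCS:
        reasons.append("file name matches advisory IOC")
    if path.suffix.lower() in MEDIA_EXTENSIONS and is_pe(path):
        reasons.append("PE image with media extension (disguised SFX?)")
    return reasons


def hunt(root):
    """Map of root-relative POSIX path -> reasons, for every flagged file."""
    root = Path(root)
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            reasons = classify(p)
            if reasons:
                hits[p.relative_to(root).as_posix()] = reasons
    return hits


def build_sample_tree(root: Path):
    """Constructed sample files: one real-looking MP4, one PE with an .mp4
    extension, the two name IOCs, and a benign text file."""
    (root / "Videos").mkdir()
    (root / "AppData").mkdir()
    (root / "Videos" / "holiday.mp4").write_bytes(b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 32)
    (root / "Videos" / "invoice.mp4").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)
    (root / "AppData" / "Conf8830.dll").write_bytes(b"MZ\x90\x00")
    (root / "AppData" / "ccupdate.tmp").write_bytes(b"not a PE")
    (root / "AppData" / "readme.txt").write_text("benign")


def run_demo():
    """Build the sample tree in a temp dir, hunt it, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return hunt(root)


if __name__ == "__main__":
    for path, reasons in run_demo().items():
        print(path, "->", "; ".join(reasons))
```

On a live host, point hunt() at user profile and temp directories rather than the whole disk, and treat a hit on a self-deleting sample as a prompt to capture memory before anything else, since the file may be gone by the time a second pass runs.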
References
SafeBreach: Prince of Persia – A Decade of an Iranian Nation-State APT Campaign Activity (https://www.safebreach.com/blog/prince-of-persia-a-decade-of-an-iranian-nation-state-apt-campaign-activity/)
CSO Online: Iranian APT Prince of Persia returns with new malware and C2 infrastructure (https://www.csoonline.com/article/4109985/iranian-apt-prince-of-persia-returns-with-new-malware-and-c2-infrastructure.html)
CyberPress: Cyberattacks by Iranian Nation-State APTs Targeting Vital Infrastructure (https://cyberpress.org/iranian-nation-state-apts/)
Palo Alto Networks Unit 42: Original Infy/Prince of Persia Research (2016) (https://unit42.paloaltonetworks.com/infy-iranian-cyber-espionage-campaign/)
MITRE ATT&CK: APT33, APT34, and related Iranian groups (https://attack.mitre.org/groups/)
About Rescana
Rescana empowers organizations to proactively manage third-party cyber risk through our advanced TPRM platform, delivering actionable intelligence and continuous monitoring to safeguard your digital ecosystem. Our team of cybersecurity experts is dedicated to providing timely, in-depth threat analysis and practical guidance to help you stay ahead of emerging threats. We are happy to answer questions at ops@rescana.com.