Iranian Infy APT Emerges with New Malware Activity After Years of Inactivity

New Insights into the Infy Threat Group’s Cyber Espionage Activities

Resurgence of an Old Foe

Recent intelligence collected by threat hunters has unveiled renewed activity from the Iranian hacker group known as Infy, also referred to as Prince of Persia. This comes nearly five years after the group was observed targeting entities in Sweden, the Netherlands, and Turkey. Tomer Bar, vice president of security research at SafeBreach, indicated that the extent of Infy’s operations appears to be more significant than previously thought. “This threat group remains active, relevant, and dangerous,” Bar noted in a detailed report shared with The Hacker News.

A Storied History

Infy is considered one of the oldest Advanced Persistent Threat (APT) actors, with activity traceable back to December 2004. A 2016 report by Palo Alto Networks’ Unit 42 documented the group’s long-standing presence in the threat landscape. Despite this long history, Infy has often flown under the radar compared to other Iranian threat actors such as Charming Kitten or MuddyWater.

Tactics and Technology

The group primarily employs two strains of malware: Foudre and its second-stage implant, Tonnerre. Foudre acts as a downloader and victim profiler and is usually delivered through phishing emails. Once a victim of interest has been profiled, Foudre retrieves Tonnerre, an implant designed to collect and exfiltrate data from the infected system.

Targeted Campaigns Across Borders

Recent findings indicate that Infy has expanded its targeting to a range of countries including Iran, Iraq, Turkey, India, Canada, and several nations in Europe. Updated builds of both tools have been recovered: Foudre version 34 and Tonnerre versions 12 through 18 and 50, the newest of which surfaced in September 2025. The delivery tactics have also evolved: the group has shifted from macro-laden Microsoft Excel files to embedding executable files directly within documents to ease installation of Foudre.

Resilient Infrastructure and Verification Mechanisms

One of the most distinctive methods employed by Infy is its use of a domain generation algorithm (DGA) to make its command-and-control (C2) infrastructure resilient to takedowns. That resilience is reinforced by the malware’s ability to authenticate its C2 domains. Foudre and Tonnerre check that a candidate domain is genuine by downloading a signature file that was signed with the operator’s RSA private key. The malware verifies the signature with an embedded public key and compares the result against a locally stored validation file; only a domain that passes this check is treated as a real C2 server. The practical consequence is that a researcher who registers a predicted DGA domain cannot impersonate the operator without the private key, so sinkholing yields beacon telemetry but not control of the implant.

In the latest analysis, SafeBreach revealed a directory labeled “key,” which is utilized for C2 validation, along with storage for communication logs and exfiltrated files. Bar elaborated, stating, “Every day, Foudre downloads a dedicated signature file encrypted with an RSA private key, which is then verified using an embedded public key.”
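To make the resilience argument concrete, the following Python model of a DGA combined with signed-file C2 validation is an added example; it is not SafeBreach’s code and not the actual Infy algorithm. The DGA, the validation token, the file format and the simulated domains are all invented for illustration, and the RSA is a textbook toy over fixed Mersenne primes with no padding (never reuse it for real signing). For one day it produces three candidate domains: one unregistered, one answered by a would-be sinkhole operator who lacks the private key, and one answered by the operator. Only the last passes.

```python
"""Toy model of DGA-based C2 discovery gated by an RSA-signed validation file.

Added illustration only: the DGA, token, and scenario below are hypothetical,
and the RSA is textbook (no padding) over fixed primes.
"""
import hashlib
from datetime import date
from typing import Callable, Optional

# --- Hypothetical DGA: derives candidate domains from the date and a fixed seed.
def dga_candidates(day: date, seed: bytes = b"demo-seed", count: int = 3) -> list:
    names = []
    for i in range(count):
        h = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).hexdigest()
        names.append(f"{h[:12]}.example")
    return names

# --- Toy RSA (textbook, truncated SHA-256 as the "message representative").
P = (1 << 127) - 1                      # 2^127 - 1, a Mersenne prime
Q = (1 << 107) - 1                      # 2^107 - 1, a Mersenne prime
N = P * Q                               # ~234-bit modulus
E = 65537                               # public exponent, embedded in the implant
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent, held only by the operator

def _digest_int(data: bytes) -> int:
    # First 24 bytes (192 bits) of SHA-256, guaranteed smaller than N.
    return int.from_bytes(hashlib.sha256(data).digest()[:24], "big")

def sign_file(data: bytes, d: int = D) -> int:
    """Operator side: sign the daily validation file with the private key."""
    return pow(_digest_int(data), d, N)

def verify_file(data: bytes, sig: int, e: int = E, n: int = N) -> bool:
    """Implant side: verify with the embedded public key (E, N)."""
    return pow(sig, e, n) == _digest_int(data)

# --- Locally stored validation content (hypothetical), bound to the day.
LOCAL_VALIDATION = b"c2-validation-token"

def daily_message(day: date) -> bytes:
    return LOCAL_VALIDATION + b"|" + day.isoformat().encode()

# A fetcher stands in for the HTTP GET of the signature file: domain -> signature or None.
Fetcher = Callable[[str], Optional[int]]

def resolve_c2(day: date, fetch: Fetcher) -> Optional[str]:
    """Walk the DGA candidates and accept the first whose signature file verifies."""
    expected = daily_message(day)
    for domain in dga_candidates(day):
        sig = fetch(domain)
        if sig is None:
            continue                    # unregistered or unreachable
        if verify_file(expected, sig):
            return domain               # genuine operator-controlled domain
        # Registered but the signature does not verify: sinkhole or squatter, skip it.
    return None

# --- Constructed scenario for a single day.
DEMO_DAY = date(2025, 9, 1)

def demo_fetcher(day: date) -> Fetcher:
    c0, c1, c2 = dga_candidates(day)
    msg = daily_message(day)
    responses = {
        # c0 is left unregistered: no response at all.
        c1: sign_file(msg, d=12345),    # sinkhole: signs with a key that is not D
        c2: sign_file(msg),             # real C2: signed with the operator's D
    }
    return lambda domain: responses.get(domain)

def demo(day: date = DEMO_DAY) -> dict:
    cands = dga_candidates(day)
    chosen = resolve_c2(day, demo_fetcher(day))
    return {"candidates": cands, "chosen": chosen,
            "sinkhole_accepted": chosen == cands[1]}

if __name__ == "__main__":
    print(demo())
```

Running it shows the sinkholed domain rejected even though it answers, because forging the file requires D. For defenders this means that registering predicted DGA domains gives victim telemetry but not control, and that a better detection hook is the behaviour itself: a daily fetch of a dedicated signature file from a sequence of freshly generated domains.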

Communication via Telegram

An intriguing aspect of the latest version of Tonnerre is its use of a Telegram group titled “سرافراز” (meaning “proud” or “honoured” in Persian). The group consists of a bot (@ttestro1bot), likely used for issuing commands and gathering information, alongside a user with the handle @ehsan8999100. Access is tightly scoped: the bot can only access the “tga.adr” file for a predefined list of victim GUIDs.

Legacy Malware Variants

SafeBreach’s investigations have also revealed earlier Foudre variants, and related tooling, used in campaigns between 2017 and 2020. These include:

  • A variant disguised as Amaq News Finder, which served as a downloader for the malware.
  • An updated version of a trojan known as MaxPinner, designed to spy on Telegram messages.
  • A variant similar to Amaq News Finder, called Deep Freeze, also used to deploy Foudre.
  • A malware family designated Rugissement, whose function is not described.

Continuous Threat Landscape

Despite an apparent silence from Infy in 2022, SafeBreach’s research shows the group’s operations have been sustained and have continued to evolve. The detail recovered about its activities, together with its C2 server structure and the many malware versions, underscores the persistent threat this actor poses.

In parallel, other Iranian groups such as Charming Kitten are operating with the precision typical of state-level actors. DomainTools has documented how Charming Kitten’s tradecraft resembles that of traditional government espionage agencies, pointing to a complex relationship between the various Iranian hacking efforts.

By continuously adapting their methods, groups like Infy keep themselves relevant in an ever-changing cyber-espionage landscape.
