
The elusive Iranian threat group known as Infy (also known as Prince of Persia) has evolved its tactics as part of an effort to cover its tracks even as it prepares new command and control (C2) infrastructure to coincide with the end of a widespread regime-imposed internet blackout earlier in the month.
“Threat actors ceased maintenance on their C2 servers on January 8th for the first time since we began monitoring their activity,” said Tomer Bar, SafeBreach’s vice president of security research, in a report shared with The Hacker News.
“This is the day a country-wide internet shutdown was imposed by Iranian authorities in response to recent protests, suggesting that perhaps even government-affiliated cyber forces had no ability or incentive to carry out malicious activities inside Iran.”
The cybersecurity firm said the hacking group stood up a new C2 server, with new activity observed on January 26, 2026, the day before the Iranian government eased internet restrictions in the country. This development is significant because it provides concrete evidence that the adversary is backed by the Iranian state.
Infy is just one of many state-sponsored hacking groups operating out of Iran, conducting espionage, sabotage, and influence operations in line with Iran’s strategic interests. It is also one of the oldest and least known of them, having operated quietly under the radar since 2004 through “laser-focused” attacks targeting individuals for information-gathering purposes.
In a report published in December 2025, SafeBreach revealed new techniques associated with the threat actor, including the use of updated versions of Foudre and Tonnerre. The latter appears to use Telegram bots for issuing commands and collecting data. The latest version of Tonnerre (version 50) is codenamed Tornado.
Continuous visibility into the attacker’s activity from December 19, 2025 to February 3, 2026 revealed that the attacker introduced Tornado version 51, which uses both HTTP and Telegram for C2, and took steps to replace all of the C2 infrastructure for every version of Foudre and Tonnerre.
“Two different methods are used to generate C2 domain names: a new DGA algorithm, and then blockchain data deobfuscation to fix the name,” Bar said. “This is a unique approach that we assume is being used to provide more flexibility in registering C2 domain names without having to update your Tornado version.”
There are also indications that Infy was able to weaponize a one-day security flaw in WinRAR (CVE-2025-8088 or CVE-2025-6218) to drop a Tornado payload on compromised hosts. Changing attack vectors is seen as a way to increase the success rate of campaigns. A specially crafted RAR archive was uploaded to the VirusTotal platform in mid-December 2025, suggesting that both countries may have been targeted.
Inside the RAR file is a self-extracting archive (SFX) containing two files:
- AuthFWSnapin.dll, the main DLL for Tornado version 51
- reg7989.dll, an installer that first checks whether Avast antivirus software is installed and, if it is, creates a scheduled task for persistence and runs the Tornado DLL
Tornado establishes communication with the C2 server via HTTP, downloads and executes the main backdoor, and collects system information. If Telegram is selected as the C2 method, Tornado uses the Telegram bot API to exfiltrate the collected system data and to receive further commands.
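As an added defender-side illustration (not code from the report or from SafeBreach), the following Python scans constructed proxy log lines for Telegram Bot API requests of the kind Tornado makes, flags those issued by processes that are not a known Telegram client, and records the bot id as a pivot key across hosts. The log format, the allow-list and the grouping of API methods by direction are assumptions.

```python
import re
from urllib.parse import urlparse

# Telegram Bot API requests look like https://api.telegram.org/bot<token>/<method>,
# where <token> is "<bot id>:<35-character secret>". Tornado uses this API to push
# collected data and poll for commands, so such requests from a process that is
# not a Telegram client are a useful hunting signal.
BOT_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{35})/([A-Za-z]+)")

# Assumed grouping of methods by direction (not taken from the SafeBreach report).
COMMAND_POLL = {"getUpdates"}
EXFIL = {"sendDocument", "sendMessage", "sendPhoto"}
# Assumed allow-list of processes expected to reach api.telegram.org.
KNOWN_CLIENTS = {"Telegram.exe"}

def parse_line(line):
    """Parse a constructed proxy log line: '<ts> <host> <process> <url>'."""
    ts, host, process, url = line.split(maxsplit=3)
    return ts, host, process, urlparse(url)

def find_bot_api_activity(lines):
    """Return one finding per Bot API request made by a non-allow-listed process."""
    findings = []
    for line in lines:
        ts, host, process, u = parse_line(line)
        if u.hostname != "api.telegram.org" or process in KNOWN_CLIENTS:
            continue
        m = BOT_PATH_RE.match(u.path)
        if not m:
            continue
        bot_id, secret, method = m.groups()
        direction = ("command_poll" if method in COMMAND_POLL
                     else "exfil" if method in EXFIL else "other")
        findings.append({
            "ts": ts, "host": host, "process": process,
            "bot_id": bot_id,              # pivot key: same bot across many hosts
            "token_suffix": secret[-4:],   # never write the full token to alerts
            "method": method, "direction": direction,
        })
    return findings

# Constructed sample log; the token is a placeholder, not a real bot token.
TOKEN = "123456789:" + "A" * 35
SAMPLE_LOG = [
    f"2026-01-26T08:00:01Z WS-042 rundll32.exe https://api.telegram.org/bot{TOKEN}/getUpdates?offset=0",
    f"2026-01-26T08:00:09Z WS-042 rundll32.exe https://api.telegram.org/bot{TOKEN}/sendDocument",
    f"2026-01-26T08:01:00Z WS-017 Telegram.exe https://api.telegram.org/bot{TOKEN}/getMe",
    "2026-01-26T08:02:00Z WS-042 chrome.exe https://www.example.com/",
]
```

Running find_bot_api_activity(SAMPLE_LOG) yields two findings, both for rundll32.exe on WS-042: one command poll and one exfiltration call against the same bot id.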

It is worth noting that version 50 of the malware used a Telegram group named سرافراز (lit. “sarafraz”, meaning proudly) featuring the Telegram bot “@ttestro1bot” and a user with the handle “@ehsan8999100”. In the latest version, another user “@Ehsan66442” has been added in place of the latter.
“As before, bot members in Telegram groups still do not have permission to read group chat messages,” Bar said. “On December 21, the original user @ehsan8999100 was added to a new Telegram channel named Test with 3 subscribers. The purpose of this channel is still unknown, but we believe it is being used for command and control over the victim’s machine.”
SafeBreach said that it has successfully extracted all messages in the private Telegram groups and now has access to all Foudre and Tonnerre files leaked since February 16, 2025. This includes 118 files and 14 shared links containing encrypted commands sent to Tonnerre by the threat actors. Analysis of this data yielded two important findings.
- Loading of a custom variant of the StormKitty infostealer
- A malicious ZIP file that drops ZZ Stealer
- The ZZ Stealer attack chain, and earlier iterations of ZZ Stealer that used a Python Package Index (PyPI) package named “testfiwldsd21233s” designed to leak data through the Telegram bot API
- A “very strong correlation” between the campaigns targeting repositories
- A “potential correlation” between Infy and Charming Kitten (also known as Educated Manticore) through the use of ZIP and Windows Shortcut (LNK) files and PowerShell loader techniques
“ZZ Stealer appears to be a first-stage malware (like Foudre) that first collects environmental data, screenshots, and steals all desktop files,” SafeBreach explained. “Furthermore, upon receiving the command “8==3” from the C2 server, it downloads and executes the second stage malware, also named “8==3” by the threat actor.”
