Iranian Infy APT Resurfaces with Sophisticated Malware Activity After Years of Silence

By Imthiyaz Ali

Executive Summary

After nearly three years of apparent dormancy following major infrastructure takedowns, the notorious Iranian Advanced Persistent Threat (APT) group Infy (also known as Prince of Persia) has reemerged. New research from cybersecurity firms like SafeBreach indicates that the group has spent its "quiet" years retooling its signature malware—Foudre and Tonnerre—and shifting its command-and-control (C2) strategy to include legitimate platforms like Telegram.

The Evolution of the Threat

Infy is one of the oldest active Iranian threat actors, with roots dating back to 2004. Historically known for targeting dissidents and government entities, the 2025 campaign shows a significant leap in technical maturity and operational security (OPSEC).

1. New Malware Variants

  • Foudre v34 (Lightning): This first-stage downloader has been updated to profile victims more effectively. If a target is deemed high-value, it proceeds to deploy the second stage.
  • Tonnerre v17 & v50 (Thunder): The second-stage Trojan is now more modular. Version 50, detected as recently as September 2025, includes new capabilities for extensive data exfiltration and environment monitoring.
  • Rugissement: A newly discovered malware family (French for "Roar") used alongside the classic toolkit to provide redundancy and persistent access.

2. Shift in Delivery Tactics

The group has moved away from traditional macro-enabled Word documents. The current infection chain involves:

  • Embedded Executables: Malicious self-extracting (SFX) archives are now embedded directly within Microsoft Excel files.
  • Zero Detection: Samples discovered in December 2025 showed 0% detection rates on VirusTotal, suggesting the use of custom packing or obfuscation techniques that bypass traditional Antivirus (AV) engines.

Advanced Infrastructure & Telegram C2

One of the most notable changes in Infy's 2025 operations is the resilience of their backend infrastructure.

Feature and implementation detail:

  • Domain Generation (DGA): Infy now uses a sophisticated DGA that generates dozens of potential domains daily, making it harder for researchers to perform "sinkholing" operations.
  • RSA Signature Verification: To prevent hijacking, the malware downloads an RSA signature file and validates it against a local public key before communicating with a C2 server.
  • Telegram Integration: The group now uses private Telegram groups and bots (notably handles like @ehsan8999100) to issue commands and receive stolen data.

Victimology: Who is at Risk?

While the primary focus remains on internal Iranian dissidents and political activists, the 2025 telemetry shows an expanded scope targeting entities in:

  • India (Government and Industrial sectors)
  • Iraq, Turkey, and Canada
  • Various European Nations (Sweden, Netherlands)

Mitigation Strategies

Security teams are advised to implement the following defensive measures:

  1. Block Execution of SFX Files: Restrict the ability of Office applications to spawn self-extracting executables.
  2. Monitor Telegram Traffic: Watch for unusual HTTPS traffic to api.telegram.org from servers or workstations that should not be using the messaging app.
  3. Behavioral Analysis: Since the malware bypasses signature-based AV, focus on behavioral detection (EDR) to flag "rundll32.exe" or "excel.exe" initiating unauthorized network connections.
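The three measures above can be expressed as simple detection logic run over process and network telemetry. The following is an added Python example, not code from the original article or from any vendor product; the event fields, host names and the Telegram host allowlist are constructed assumptions, and the destination hostname is assumed to come from DNS or TLS SNI logging since the Telegram traffic itself is HTTPS.

```python
# Constructed sample EDR-style events (not real telemetry). Field names are assumptions
# modelled on typical process-creation and network-connection records.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-01", "image": "excel.exe", "parent": "explorer.exe"},
    {"type": "process", "host": "ws-01", "image": "invoice_sfx.exe", "parent": "excel.exe"},
    {"type": "process", "host": "ws-02", "image": "splwow64.exe", "parent": "winword.exe"},
    {"type": "network", "host": "ws-01", "image": "rundll32.exe", "dest": "api.telegram.org", "port": 443},
    {"type": "network", "host": "srv-db-02", "image": "svchost.exe", "dest": "api.telegram.org", "port": 443},
    {"type": "network", "host": "ws-07", "image": "chrome.exe", "dest": "www.example.com", "port": 443},
    {"type": "network", "host": "ws-03", "image": "excel.exe", "dest": "10.0.0.5", "port": 80},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Children an Office app legitimately spawns (assumption; tune to the environment).
OFFICE_CHILD_ALLOWLIST = {"splwow64.exe"}
# Processes from the mitigation list that should not open network connections on their own.
NO_NETWORK_IMAGES = {"rundll32.exe", "excel.exe"}
# Hosts where Telegram use is expected (assumption: maintained by the security team).
TELEGRAM_ALLOWED_HOSTS = {"ws-07"}
TELEGRAM_API_HOST = "api.telegram.org"


def find_alerts(events):
    """Return (rule, host, image) tuples for events matching the three mitigation rules."""
    alerts = []
    for ev in events:
        host, image = ev["host"], ev["image"].lower()
        if ev["type"] == "process":
            # Rule 1: an Office application spawning an executable that is not on the allowlist
            # (covers SFX archives embedded in Excel files being launched).
            parent = ev.get("parent", "").lower()
            if parent in OFFICE_APPS and image not in OFFICE_CHILD_ALLOWLIST:
                alerts.append(("office_spawned_executable", host, image))
        elif ev["type"] == "network":
            dest = ev.get("dest", "").lower()
            # Rule 3: rundll32.exe / excel.exe initiating network connections.
            if image in NO_NETWORK_IMAGES:
                alerts.append(("unexpected_network_process", host, image))
            # Rule 2: Telegram API traffic from a host that should not be using the app.
            if dest == TELEGRAM_API_HOST and host not in TELEGRAM_ALLOWED_HOSTS:
                alerts.append(("telegram_api_from_unapproved_host", host, image))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Rule 3 fires on excel.exe connecting to 10.0.0.5 as well as on the Telegram case, so a single infected workstation produces several correlated alerts rather than one.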
Imthiyaz Ali
Imthiyaz is an experienced cybersecurity professional with over 5 years of experience in cybersecurity research.