Prince of Persia APT: Inside Iran’s Long-Running Espionage Campaign Powered by Infy, Foudre, and Tonnerre

By Ash K
The Prince of Persia threat group is a textbook example of how cyber-espionage does not need cutting-edge zero-days to remain effective. Active since at least 2007, the group has survived infrastructure takedowns, exposure, and defensive advances by steadily refining its malware families and operational discipline. Rather than chasing disruption or profit, Prince of Persia has remained focused on one goal: persistent intelligence collection.

Tracked under multiple names including Infy, Foudre, Operation Mermaid, and APT-C-07, the group’s activity has consistently targeted political figures, journalists, activists, and media organizations, particularly those connected to Iranian geopolitical interests. The tooling examined here, Infy, Foudre, and the more recent Tonnerre, illustrates how the group evolved from simple spyware into a modular, resilient surveillance platform.

Reconnaissance before compromise

Prince of Persia campaigns rarely begin with broad spam. Instead, operators invest time in identifying specific individuals and organizations of interest. Email addresses are gathered through prior breaches, open-source research, or access to compromised accounts, allowing the group to craft spear-phishing messages that blend naturally into the target’s context.

In one documented case, the actor leveraged a compromised Israeli Gmail account to contact an Israeli industrial organization, increasing credibility and lowering suspicion. This deliberate reconnaissance phase aligns with a long-term intelligence mindset rather than opportunistic crime.

Spear-phishing as the primary entry point

Email remains the group’s most reliable access vector. Malicious attachments are tailored to the target, often using politically relevant filenames or benign-looking requests. Microsoft Office formats dominate, including PowerPoint slide decks, Word documents, and Excel spreadsheets.

Some campaigns go further by packaging malicious documents inside ZIP archives, occasionally using non-English filenames to appear regionally authentic. In at least one case, a ZIP file titled “Notable Martyrs” contained an Excel document with an embedded executable, relying on curiosity and trust to trigger execution.

Execution through Visual Basic macros

Once a malicious document is opened, execution typically begins with Visual Basic for Applications macros. These macros act as stealthy droppers, extracting embedded payloads without writing obvious files to disk at first.

The macro logic often copies an OLE object hidden within the spreadsheet to the clipboard, pauses briefly to evade automated analysis, and then uses Windows Shell APIs to paste the payload into a user-writable directory. This approach minimizes suspicious behavior while remaining reliable across Windows versions.

Infy and Foudre: core surveillance implants

The Infy malware family forms the foundation of Prince of Persia’s surveillance capability. It relies heavily on native Windows API calls, using them for keylogging, message handling, and file monitoring. Rather than importing large external libraries, Infy blends into normal system activity.

Foudre represents a more modular evolution. It expands data collection while improving obfuscation and cleanup routines. Clipboard data is captured on short cycles, screenshots are taken silently, and audio is recorded and compressed before exfiltration. The emphasis is not speed, but persistence.

Persistence through Windows services

To survive reboots, Infy commonly installs itself as a Windows service. In doing so, it removes traces of older service names used in previous infections, ensuring only one active instance remains. This cleanup behavior reduces noise and avoids conflicts that might alert defenders.

Service-based persistence gives the malware longevity and allows it to operate continuously with minimal user interaction.

Defense evasion through obfuscation and masquerading

Prince of Persia invests heavily in hiding its tooling. Payloads are frequently wrapped in self-extracting archives, sometimes password-protected, and strings are encoded using custom routines that decrypt content only at runtime.

File names and descriptions are carefully chosen to resemble legitimate software components, borrowing identities from media libraries, development tools, or drivers. This masquerading reduces the chance that a casual inspection will raise suspicion.

Living off the land with rundll32

Rather than launching custom executables directly, the malware often abuses trusted system binaries. The most common example is rundll32.exe, which is used to execute malicious DLLs under the guise of normal Windows behavior.

This technique allows the malware to bypass simple application controls and blend into process listings, making detection far more difficult without behavioral analysis.

Credential access and system discovery

Once active, Infy begins harvesting credentials from web browsers, including saved passwords, cookies, and form data. Keystrokes are logged via hidden message loops, capturing sensitive input over time.

At the same time, the malware profiles the system. It queries the Windows registry for the machine GUID, collects operating system details, usernames, and computer names, and scans for installed security software by checking known antivirus directory paths.

Data collection over destruction

Prince of Persia does not rush to exfiltrate everything at once. Files of interest are selectively gathered from user directories, recent items, and document folders, focusing on common office and archive formats.

Collected data is staged locally in compressed archives before being transmitted. Screenshots, clipboard contents, and audio recordings are quietly accumulated, sometimes over weeks, allowing the attackers to build a detailed picture of the victim’s activity.

Command and control through dynamic generation

To maintain access despite takedowns, the group relies on domain generation algorithms. Two observed variants, often labeled NRV1 and LOS1, generate command-and-control domains based on time-derived values such as year, month, and week number.

By dynamically computing domains and verifying server authenticity using cryptographic signatures, the malware can reconnect even after known infrastructure is seized. This approach has been key to the group’s resilience.

Tonnerre and modern C2 channels

Following a major infrastructure disruption in 2016, Prince of Persia resurfaced with Tonnerre, a more flexible implant. Recent variants observed in 2025 introduced the use of web services and messaging platforms for command and control.

In some cases, Tonnerre communicated through Telegram bots and private groups, blending malicious traffic into legitimate messaging infrastructure. This further complicates detection and takedown efforts.

Why Prince of Persia still matters in 2026

Prince of Persia is not defined by technical flashiness. It survives because of patience, consistency, and adaptation. Nearly two decades of continuous operation demonstrate that disciplined tradecraft can outlast both media attention and defensive cycles.

For defenders, the group is a reminder that espionage threats rarely disappear. They fade, retool, and quietly return, often when attention shifts elsewhere.

Defensive lessons from Prince of Persia

Detecting this group requires behavioral visibility rather than reliance on static indicators. Macro execution, abuse of rundll32, clipboard and audio access, and low-volume outbound traffic are all signals that matter.
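A behavioral check of the kind this section calls for, as an added example that is not from the original post or the Picus report: it scans process-creation records and flags rundll32.exe when it is spawned by an Office application (macro execution) or loads a DLL from a user-writable path. The key="value" record format, field names and sample events are constructed assumptions, not real telemetry.

```python
import re
from typing import Dict, List, Tuple

# Heuristics drawn from the behaviours described on this page: rundll32 launched
# by an Office process, or rundll32 loading a DLL from a user-writable directory.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|users\\[^\\]+\\downloads)\\",
                           re.IGNORECASE)

def parse_event(line: str) -> Dict[str, str]:
    """Parse one key="value" process-creation record (constructed format)."""
    return {m.group(1).lower(): m.group(2)
            for m in re.finditer(r'(\w+)="([^"]*)"', line)}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def suspicious_rundll32(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like rundll32 abuse (empty = benign)."""
    reasons: List[str] = []
    if basename(event.get("image", "")) != "rundll32.exe":
        return reasons
    parent = basename(event.get("parentimage", ""))
    if parent in OFFICE_PARENTS:
        reasons.append(f"rundll32 spawned by Office process {parent}")
    if USER_WRITABLE.search(event.get("commandline", "")):
        reasons.append("rundll32 loading a DLL from a user-writable path")
    return reasons

def scan(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (pid, reasons) for every record that trips a heuristic."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = suspicious_rundll32(ev)
        if reasons:
            hits.append((ev.get("pid", "?"), reasons))
    return hits

# Constructed sample events: one Office-spawned rundll32 loading a DLL from
# AppData, one benign rundll32 from Explorer, one unrelated svchost start.
SAMPLE_EVENTS = [
    'pid="4120" image="C:\\Windows\\System32\\rundll32.exe" '
    'parentimage="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" '
    'commandline="rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\mediacodec.dll,Start"',
    'pid="4211" image="C:\\Windows\\System32\\rundll32.exe" '
    'parentimage="C:\\Windows\\explorer.exe" '
    'commandline="rundll32.exe shell32.dll,Control_RunDLL"',
    'pid="4300" image="C:\\Windows\\System32\\svchost.exe" '
    'parentimage="C:\\Windows\\System32\\services.exe" commandline="svchost.exe -k netsvcs"',
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

Only the first record is reported, with both reasons; the Explorer-launched control-panel call is left alone, which is the distinction a static rundll32 indicator cannot make.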

Organizations supporting sensitive users should assume that compromise is possible and focus on early detection, segmentation, and monitoring of living-off-the-land abuse.

Source credit: This analysis is based on technical research published by Picus Security, including the report “Prince of Persia APT Analysis: Infy, Foudre, and Tonnerre Malware.”

Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.