Cyber: Infy Hackers Resume Operations With New C2 Servers After Iran...
The elusive Iranian threat group known as Infy (aka Prince of Persia) has evolved its tactics as part of efforts to hide its tracks, even as it readied new command-and-control (C2) infrastructure coinciding with the end of the widespread internet blackout the regime imposed at the start of the month.
"The threat actor stopped maintaining its C2 servers on January 8 for the first time since we began monitoring their activities," Tomer Bar, vice president of security research at SafeBreach, said in a report shared with The Hacker News.
"This was the same day a country-wide internet shutdown was imposed by Iranian authorities in response to recent protests, which likely suggests that even government-affiliated cyber units did not have the ability or motivation to carry out malicious activities within Iran."
The cybersecurity company said it observed renewed activity on January 26, 2026, as the hacking crew set up new C2 servers, one day before the Iranian government relaxed internet restrictions within the country. The development is significant, not least because it offers concrete evidence that the adversary is state-sponsored and backed by Iran.
Infy is just one of many state-sponsored hacking groups operating out of Iran that conduct espionage, sabotage, and influence operations aligned with Tehran's strategic interests. But it is also one of the oldest and least-known of them, having operated quietly and stayed under the radar since 2004 through "laser-focused" attacks aimed at individuals for intelligence gathering.
In a report published in December 2025, SafeBreach disclosed new tradecraft associated with the threat actor, including the use of updated versions of Foudre and Tonnerre, with the latter employing a Telegram bot likely for issuing commands and collecting data. The latest version of Tonnerre (version 50) has been codenamed Tornado.
Continued visibility into the threat actor's operations between December 19, 2025, and February 3, 2026, has revealed that the attackers replaced the C2 infrastructure for all versions of Foudre and Tonnerre, and introduced Tornado version 51, which uses both HTTP and Telegram for C2.
"It uses two different methods to generate C2 domain names: first, a new DGA algorithm and then fixed names using blockchain data de-obfuscation," Bar said. "This is a unique approach that we assume is being used to provide greater flexibility in registering C2
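The report above mentions that the malware derives some of its C2 domain names with a domain generation algorithm (DGA). The following is an added example from a defender's perspective, not code from the report or from SafeBreach, and it does not implement Infy's DGA, which the excerpt does not describe. It shows a generic lexical triage that analysts commonly run over DNS query logs to surface algorithmically generated-looking names for review: the log format, the `query` field layout, the thresholds and the domains in `SAMPLE_DNS_LOG` are all constructed assumptions for illustration.

```python
"""Heuristic triage of DNS query logs for DGA-looking domain names.

Added example (not from the article or SafeBreach): a generic lexical
scorer, not a reimplementation of any Infy algorithm. The log lines,
hostnames and domains below are constructed for illustration.
"""
import math
import re
from collections import Counter

# Constructed sample DNS query log; assumed layout: <ts> <host> query <qtype> <qname>
SAMPLE_DNS_LOG = """\
2026-01-27T08:00:01Z host-a query A mail.example.com
2026-01-27T08:00:02Z host-a query A xq7v2kd9zlwm3p.net
2026-01-27T08:00:03Z host-b query A cdn2.example.org
2026-01-27T08:00:04Z host-b query A b8t4nq1hr6y0zs.com
2026-01-27T08:00:05Z host-c query A www.wikipedia.org
"""

VOWELS = set("aeiou")

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)


def second_level_label(fqdn: str) -> str:
    """Return the label left of the TLD ('xq7v2kd9zlwm3p' for 'xq7v2kd9zlwm3p.net').

    Deliberately naive: multi-part public suffixes such as co.uk are not handled.
    """
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def lexical_signals(label: str) -> dict:
    """Three cheap signals that together separate dictionary-like from random-like labels."""
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = (sum(ch in VOWELS for ch in letters) / len(letters)) if letters else 0.0
    return {
        "high_entropy": shannon_entropy(label) >= 3.5,  # threshold is an assumption
        "few_vowels": vowel_ratio < 0.25,               # pronounceable words have more vowels
        "has_digits": any(ch.isdigit() for ch in label),
    }


def dga_score(fqdn: str) -> int:
    """Number of signals (0..3) that fire for the domain's second-level label."""
    return sum(lexical_signals(second_level_label(fqdn)).values())


def triage(log_text: str, threshold: int = 2) -> list[tuple[str, str, int]]:
    """Return (host, qname, score) for every query whose score reaches the threshold."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_LINE.match(line.strip())
        if not match:
            continue  # skip lines that do not fit the assumed layout
        score = dga_score(match["qname"])
        if score >= threshold:
            hits.append((match["host"], match["qname"], score))
    return hits


if __name__ == "__main__":
    for host, qname, score in triage(SAMPLE_DNS_LOG):
        print(f"{host} queried {qname} (score {score}/3) - review")
```

Lexical scoring like this is a triage aid, not a verdict: CDN and cloud hostnames can look random, and a DGA seeded from dictionary words would not trip it, so hits should be corroborated with NXDOMAIN rates, registration age and the process that issued the lookup before anything is blocked.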
Source: The Hacker News