Cybersecurity

Iranian Infy APT Resurfaces With New Malware Activity After Years...

2025-12-21 0 views admin
Iranian Infy APT Resurfaces With New Malware Activity After Years...

Threat hunters have discerned new activity associated with an Iranian threat actor known as Infy (aka Prince of Persia), nearly five years after the hacking group was observed targeting victims in Sweden, the Netherlands, and Turkey.

"The scale of Prince of Persia's activity is more significant than we originally anticipated," Tomer Bar, vice president of security research at SafeBreach, said in a technical breakdown shared with The Hacker News. "This threat group is still active, relevant, and dangerous."

Infy is one of the oldest advanced persistent threat (APT) actors in existence, with evidence of early activity dating all the way back to December 2004, according to a report released by Palo Alto Networks Unit 42 in May 2016 that was also authored by Bar, along with researcher Simon Conant.

The group has also managed to remain elusive, attracting little attention, unlike other Iranian groups such as Charming Kitten, MuddyWater, and OilRig. Attacks mounted by the group have prominently leveraged two strains of malware: a downloader and victim profiler named Foudre that delivers a second-stage implant called Tonnerre to extract data from high-value machines. It's assessed that Foudre is distributed via phishing emails.

The latest findings from SafeBreach have uncovered a covert campaign that has targeted victims across Iran, Iraq, Turkey, India, and Canada, as well as Europe, using updated versions of Foudre (version 34) and Tonnerre (versions 12-18, 50). The latest version of Tonnerre was detected in September 2025.

The attack chains have also witnessed a shift from a macro-laced Microsoft Excel file to embedding an executable within such documents to install Foudre. Perhaps the most notable aspect of the threat actor's modus operandi is the use of a domain generation algorithm (DGA) to make its command-and-control (C2) infrastructure more resilient.

In addition, Foudre and Tonnerre artifacts are known to validate if the C2 domain is authentic by downloading an RSA signature file, which the malware then decrypts using a public key and compares with a locally-stored validation file.

SafeBreach's analysis of the C2 infrastructure has also uncovered a directory named "key" that's used for C2 validation, along with other folders to store communication logs and the exfiltrated files.

"Every day, Foudre downloads a dedicated signature file encrypted with an RSA private key by the threat actor and then uses RSA verification with an embedded public key

Source: The Hacker News

🏷️ Tags

securityhackbreachmalwareattack

More from Cybersecurity

ASUS Shipped Signed Malware to Over 1 Million Users — A Supply-Chain Nightmare Returns in 2025

ASUS Shipped Signed Malware to Over 1 Million Users — A Supply-Chain Nightmare Returns in 2025

2025-12-21 1
Ransomhouse Upgrades Encryption With Multi-layered Data Processing

Ransomhouse Upgrades Encryption With Multi-layered Data Processing

2025-12-20 0
U.s. Doj Charges 54 In Atm Jackpotting Scheme Using Ploutus Malware

U.s. Doj Charges 54 In Atm Jackpotting Scheme Using Ploutus Malware

2025-12-20 0
Cisco Vpns, Email Services Hit In Separate Threat Campaigns 2025

Cisco Vpns, Email Services Hit In Separate Threat Campaigns 2025

2025-12-19 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views