Full Report
The elusive Iranian threat group known as Infy (aka Prince of Persia) has evolved its tactics as part of efforts to hide its tracks, even as it readied new command-and-control (C2) infrastructure coinciding with the end of the widespread internet blackout the regime imposed at the start of the month. "The threat actor stopped maintaining its C2 servers on January 8 for the first time since we
Analysis Summary
# Threat Actor: Infy
## Attribution & Identity
* **Attribution:** Iranian threat group assessed to be state-sponsored, based on its alignment with state interests and the way its activity tracked the January 2026 internet blackout (see Activity Summary); the report excerpt describes it as Iranian rather than naming a sponsoring unit.
* **Aliases:** Prince of Persia.
* **Associated Groups:** One of many state-sponsored hacking groups operating out of Iran.
* **Operational History:** Operating quietly since 2004.
## Activity Summary
The threat actor ceased maintaining its C2 servers on January 8, 2026, coinciding with a country-wide internet shutdown imposed by Iranian authorities due to protests. This cessation strongly suggests government-affiliated units were hampered in their malicious activities. Activity resumed on January 26, 2026, as the group established new C2 infrastructure just before the Iranian government relaxed internet restrictions. This resumption included replacing C2 infrastructure for existing malware and deploying Tornado version 51.
## Tactics, Techniques & Procedures
* **Malware Usage:** Utilizing updated versions of **Foudre** and **Tonnerre**.
* **Recent Malware Evolution:** Introduced **Tornado** (version 50 and 51, the latter being the latest iteration).
* **C2 Mechanism Evolution:** Tornado version 51 uses both HTTP and Telegram for C2 communication.
* **Domain Generation:** Employs two methods for deriving C2 domain names: a new **DGA algorithm**, and **fixed domain names recovered by de-obfuscating data retrieved from a blockchain**. The report does not disclose the DGA's seed or the blockchain used.
* **Initial Access/Weaponization:** Weaponized a recently patched ("one-day") security flaw in **WinRAR** via specially crafted RAR archives that execute the Tornado payload when opened. The report excerpt does not name the CVE; CVE-2025-8088 and CVE-2025-6218 have been suggested as candidates, but neither is confirmed by the report.
* **Execution/Persistence:** The RAR file contains a Self-Extracting Archive (SFX) including `AuthFWSnapin.dll` (main Tornado v51) and `reg7989.dll` (installer). The installer checks for Avast, and if absent, creates a **scheduled task** for persistence.
* **Data Exfiltration:** Uses the Telegram bot API to exfiltrate system data and receive commands when Telegram is the C2 method.
* **C2 Infrastructure Replacement:** Replaced C2 infrastructure for all versions of Foudre and Tonnerre.
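The persistence step above (installer checks for Avast, then registers a scheduled task that runs a dropped DLL) is the kind of event a defender can triage from Windows audit logs. The following is an added example for this summary, not code from the report or from the group's tooling: it parses Windows Security event 4698 ("a scheduled task was created"), pulls the Exec action and trigger type out of the embedded task XML, and flags tasks that run a DLL through a living-off-the-land loader from a user-writable path. The two events are constructed sample data; the task name, paths and the `Start` entry point in them are assumptions, not indicators from the report.

```python
"""Triage Windows Security event 4698 (scheduled task created) for persistence
that looks like a dropped DLL being executed from a user-writable location.

Added example for this summary, not code from the report. The events below are
constructed; task names, paths and the entry point are assumptions, not IOCs.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_XMLNS = "http://schemas.microsoft.com/win/2004/08/events/event"
TASK_XMLNS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
EVT_NS = {"e": EVT_XMLNS}
TASK_NS = {"t": TASK_XMLNS}

# Locations a non-admin user can write to; legitimate software rarely
# schedules tasks whose payload lives here.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\appdata\\|\\programdata\\|\\users\\public\\|\\windows\\temp\\"
    r"|%appdata%|%localappdata%|%temp%",
    re.IGNORECASE,
)
# Living-off-the-land binaries that run a DLL on behalf of the task.
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
PERSISTENCE_TRIGGERS = {"LogonTrigger", "BootTrigger"}


def make_event(user: str, task_name: str, task_xml: str) -> str:
    """Build a 4698-style event; Windows logs TaskContent as escaped task XML."""
    return (
        f'<Event xmlns="{EVT_XMLNS}"><System><EventID>4698</EventID></System><EventData>'
        f'<Data Name="SubjectUserName">{user}</Data>'
        f'<Data Name="TaskName">{task_name}</Data>'
        f'<Data Name="TaskContent">{escape(task_xml)}</Data>'
        f"</EventData></Event>"
    )


def parse_4698(event_xml: str) -> dict:
    """Extract subject, task name, Exec command/arguments and trigger types from one event."""
    root = ET.fromstring(event_xml)
    data = {d.get("Name"): (d.text or "") for d in root.iterfind(".//e:EventData/e:Data", EVT_NS)}
    task = ET.fromstring(data["TaskContent"])  # parser already unescaped the embedded XML
    exec_node = task.find(".//t:Actions/t:Exec", TASK_NS)
    command = arguments = ""
    if exec_node is not None:
        command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS)
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS)
    triggers_node = task.find("t:Triggers", TASK_NS)
    triggers = [] if triggers_node is None else [c.tag.split("}")[-1] for c in triggers_node]
    return {"user": data.get("SubjectUserName", ""), "task": data.get("TaskName", ""),
            "command": command, "arguments": arguments, "triggers": triggers}


def score_task(info: dict) -> list:
    """Return the signals that make a task look like malware persistence (empty = nothing notable)."""
    reasons = []
    if info["command"].rsplit("\\", 1)[-1].lower() in DLL_LOADERS:
        reasons.append("dll-loader")
    if ".dll" in info["arguments"].lower():
        reasons.append("dll-payload")
    if USER_WRITABLE.search(info["command"] + " " + info["arguments"]):
        reasons.append("user-writable-path")
    if PERSISTENCE_TRIGGERS.intersection(info["triggers"]):
        reasons.append("logon-or-boot-trigger")
    return reasons


def triage(events: list) -> list:
    """Parse and score each event; suspicious = payload in a user-writable path plus one more signal."""
    results = []
    for evt in events:
        info = parse_4698(evt)
        info["reasons"] = score_task(info)
        info["suspicious"] = "user-writable-path" in info["reasons"] and len(info["reasons"]) >= 2
        results.append(info)
    return results


# Constructed sample tasks. The DLL name echoes the report; the directory,
# task name and the ",Start" entry point are made up for the example.
SUSPECT_TASK = f"""<Task version="1.2" xmlns="{TASK_XMLNS}">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Windows\\System32\\rundll32.exe</Command>
    <Arguments>"C:\\Users\\alice\\AppData\\Roaming\\AuthFW\\AuthFWSnapin.dll",Start</Arguments>
  </Exec></Actions>
</Task>"""
BENIGN_TASK = f"""<Task version="1.2" xmlns="{TASK_XMLNS}">
  <Triggers><CalendarTrigger><StartBoundary>2026-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files\\Vendor\\Updater.exe</Command>
    <Arguments>/check</Arguments>
  </Exec></Actions>
</Task>"""
SAMPLE_EVENTS = [
    make_event("alice", "\\AuthFWSnapinUpdate", SUSPECT_TASK),
    make_event("SYSTEM", "\\Vendor\\Updater", BENIGN_TASK),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['task']}  {r['command']} {r['arguments']}  reasons={r['reasons']}")
```

Event 4698 is only emitted when "Audit Other Object Access Events" is enabled; on hosts without that policy, Sysmon or EDR process-creation telemetry for `schtasks.exe` and task-scheduler COM calls gives the same coverage. The Avast check in the installer also means the absence of a task on an Avast-protected host is not evidence of a clean machine.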
## Targeting
* **Sectors:** Not explicitly detailed; the activity described is espionage (intelligence gathering against individuals) aligned with Iranian state interests.
* **Geography:** Targets were not explicitly named, but specially-crafted RAR archives uploaded to VirusTotal in mid-December 2025 suggest **two countries** may have been targeted.
* **Victims:** Attacks are described as "laser-focused" on **individuals for intelligence gathering**.
## Tools & Infrastructure
* **Malware Families Used:** Foudre and Tonnerre (updated versions), Tornado (versions 50 and 51).
* **Infrastructure (C2):**
* C2 servers were taken down on Jan 8, 2026, and new C2 infrastructure was established on Jan 26, 2026.
* **Telegram C2 Components (Version 50):** Telegram group named سرافراز (proudly), Bot: `@ttestro1bot`, User Handle: `@ehsan8999100`.
* **Telegram C2 Components (Version 51):** Replaced the user handle with `@Ehsan66442`.
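The Telegram components above point at a network-side check: an implant that uses a bot as its C2 both pulls tasking (`getUpdates`) and pushes data (`sendMessage`/`sendDocument`) through `api.telegram.org/bot<token>/...`. The following is an added example, not code from the report: it aggregates Bot API calls per client from proxy logs, separates tasking from exfiltration calls, totals bytes pushed, and redacts the bot tokens so they can be pivoted on without being leaked into tickets. The log lines, tokens, client addresses and allowlist are constructed.

```python
"""Flag Telegram Bot API use by clients that have no business reason for it.

Added example for this summary, not code from the report. The proxy log lines
are constructed (format: ts client verb url bytes_out), the bot tokens in them
are fake, and the client IPs and allowlist are made up.
"""
import re
from collections import defaultdict
from typing import Optional

# Bot API URL shape: https://api.telegram.org/bot<bot_id>:<secret>/<method>
BOT_API = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)"
)
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<verb>[A-Z]+)\s+(?P<url>\S+)\s+(?P<bytes_out>\d+)$"
)
# How an implant uses the API: pull tasking with getUpdates/getFile, push loot with send*.
TASKING_METHODS = {"getUpdates", "getFile"}
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}


def redact_token(bot_id: str, secret: str) -> str:
    """Keep the bot id (pivotable across hosts) and a short secret prefix, never the full token."""
    return f"{bot_id}:{secret[:4]}****"


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one proxy log line, with the Bot API URL decomposed if it is one."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    api = BOT_API.match(rec["url"])
    rec["bot"] = api.groupdict() if api else None
    return rec


def detect(lines: list, allowed_clients: set) -> list:
    """Aggregate Bot API calls per non-allowlisted client: tasking vs exfil calls, bytes pushed, tokens."""
    per_client = defaultdict(lambda: {
        "tasking_calls": 0, "exfil_calls": 0, "other_calls": 0,
        "bytes_out": 0, "tokens": set(), "methods": [],
    })
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["bot"] is None or rec["client"] in allowed_clients:
            continue
        f = per_client[rec["client"]]
        method = rec["bot"]["method"]
        f["methods"].append(method)
        f["tokens"].add(redact_token(rec["bot"]["bot_id"], rec["bot"]["secret"]))
        if method in TASKING_METHODS:
            f["tasking_calls"] += 1
        elif method in EXFIL_METHODS:
            f["exfil_calls"] += 1
            f["bytes_out"] += rec["bytes_out"]  # only count bytes the client pushed out
        else:
            f["other_calls"] += 1
    findings = []
    for client, f in sorted(per_client.items()):
        f["tokens"] = sorted(f["tokens"])
        # Tasking and exfil from one host is the bot-as-C2 pattern, not a one-way alert hook.
        f["bidirectional"] = f["tasking_calls"] > 0 and f["exfil_calls"] > 0
        findings.append({"client": client, **f})
    return findings


# Constructed proxy log. Tokens are fake; 10.20.30.90 stands for an alerting
# server that is allowed to use a bot, so it is excluded by the allowlist.
SAMPLE_LOG = [
    "2026-01-27T08:14:02Z 10.20.30.41 POST https://api.telegram.org/bot123456789:AAFakeTokenForTheExample_0123456789ab/sendDocument 482133",
    "2026-01-27T08:14:05Z 10.20.30.41 GET https://api.telegram.org/bot123456789:AAFakeTokenForTheExample_0123456789ab/getUpdates 512",
    "2026-01-27T08:15:10Z 10.20.30.77 GET https://www.example.com/index.html 1402",
    "2026-01-27T08:16:00Z 10.20.30.90 POST https://api.telegram.org/bot987654321:BBAnotherFakeToken_abcdefghij0123456789/sendMessage 640",
    "malformed line that should be skipped",
]
ALLOWED_CLIENTS = {"10.20.30.90"}

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG, ALLOWED_CLIENTS):
        print(f"{f['client']}: tasking={f['tasking_calls']} exfil={f['exfil_calls']} "
              f"bytes_out={f['bytes_out']} tokens={f['tokens']} bidirectional={f['bidirectional']}")
```

This only works where TLS is terminated at the proxy (or the URL is otherwise visible); without that, the SNI `api.telegram.org` still identifies the destination, and the per-client volume and request cadence carry most of the signal. The bot id (the digits before the colon) is stable for a given bot and is the value worth sharing as an indicator.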
## Implications
Infy demonstrates significant alignment with Iranian state interests, focusing on long-term intelligence gathering. The pause in C2 maintenance during the nationwide internet blackout and the rapid reconstitution of infrastructure as it ended are consistent with state backing and show operational discipline. Pairing a DGA with fixed names recovered from blockchain data points to an effort to make C2 resolution resilient to takedowns and network monitoring. Exploiting a one-day WinRAR vulnerability reflects a focus on maximizing initial-access success against targets that have not yet patched.
## Mitigations
* Track Infy activity against major geopolitical events such as the January 2026 blackout: a pause followed by reconstitution of C2 is a cue to refresh indicators, since the new infrastructure replaced that of all Foudre and Tonnerre versions.
* Alert on scheduled-task creation (Windows Security event 4698, or Sysmon/EDR equivalents) whose action runs a DLL from a user-writable path; the Tornado installer persists this way, and only when Avast is absent.
* Treat traffic to the Telegram Bot API (`api.telegram.org/bot<token>/...`) as potential C2: if the organization does not use Telegram, block it at the proxy; if it does, baseline the hosts that legitimately run bots and alert on `getUpdates`/`send*` calls from any other host.
* Patch **WinRAR** promptly after each release; the group relied on a recently patched flaw, so the exposure window is the gap between disclosure and deployment. Treat self-extracting (SFX) archives from untrusted sources as executables.
* Monitor DNS for DGA-like query patterns (high-entropy names, bursts of NXDOMAIN) alongside HTTP-based C2 detection, and review egress to public blockchain APIs or explorers from hosts with no business reason for it, since the report describes fixed C2 names being recovered from blockchain data, which implies such a lookup.
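For the DGA monitoring item, an added example that is not from the report: the report does not disclose Tornado's DGA, so this applies generic lexical heuristics (label length, Shannon entropy, digit and vowel mix, share of uncommon bigrams) to the registered label of each query in constructed DNS log lines. The domains, client addresses, bigram list and score thresholds are assumptions to be calibrated against a real baseline.

```python
"""Score DNS query names for DGA-like structure.

Added example for this summary, not code from the report. Generic heuristic
over constructed 'ts client qname' log lines; domains, clients and thresholds
are assumptions, and the bigram list is a short hand-picked set, not a model.
"""
import math
import re
from collections import Counter

VOWELS = set("aeiou")
# Bigrams common in English-like labels; a label built mostly from bigrams
# outside this set reads as random. Constructed short list.
COMMON_BIGRAMS = set("""
th he in er an re on at en nd ti es or te of ed is it al ar st to nt ng se ha
as ou io le ve co me de hi ri ro ic ne ea ra ce li ch ll be ma si om ur ca el
ta la ns di fo ho pe ec pr no ct us ac ot il tr ly nc et ut ss so rs un lo wa
ge ie wh ee wi em ad ol rt po we na ul ni ts mo ow pa im mi ai sh ir su id os
iv ia am fi ci vi pl ig tu ev ld ry mp fe bl ab gh ty op wo sa ay ex ke fr oo
av ag if ap gr od bo sp rd do uc bu ei ov by rm ep tt oc fa ef cu rn sc gi da
""".split())
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character: random alphanumerics approach log2(distinct chars), words sit near 2.5-3."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dga_score(label: str) -> int:
    """Count DGA-like traits in a label (0-5). Each threshold is a tuning assumption."""
    label = label.lower()
    alpha = [c for c in label if c.isalpha()]
    digits = sum(c.isdigit() for c in label)
    bigrams = [label[i:i + 2] for i in range(len(label) - 1)]
    rare = sum(b not in COMMON_BIGRAMS for b in bigrams)
    score = 0
    score += len(label) >= 12                                              # long label
    score += shannon_entropy(label) >= 3.5                                 # high entropy
    score += (digits / len(label) if label else 0) > 0.3                   # digit-heavy
    score += (sum(c in VOWELS for c in alpha) / len(alpha) if alpha else 0) < 0.2  # few vowels
    score += (rare / len(bigrams) if bigrams else 0) > 0.5                 # unpronounceable
    return int(score)


def registered_label(qname: str) -> str:
    """Label left of the TLD. Naive: treats the last label as the whole public suffix
    (so 'example.co.uk' yields 'co'); use a public-suffix list in production."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def scan(lines: list, threshold: int = 3) -> list:
    """Parse 'ts client qname' lines and return the queries scoring at or above threshold."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        label = registered_label(m["qname"])
        score = dga_score(label)
        if score >= threshold:
            hits.append({"ts": m["ts"], "client": m["client"], "qname": m["qname"],
                         "label": label, "score": score})
    return hits


# Constructed DNS query log; the random-looking names are made up for the example.
SAMPLE_DNS_LOG = [
    "2026-01-27T09:00:01Z 10.20.30.41 x7k2qv9pz0hw4n1.com",
    "2026-01-27T09:00:02Z 10.20.30.41 mbq8zj3tr5yc0k7l.net",
    "2026-01-27T09:00:03Z 10.20.30.77 mail.example.com",
    "2026-01-27T09:00:04Z 10.20.30.77 cdn-images.companyintranet.org",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_DNS_LOG):
        print(f"{h['client']} {h['qname']} score={h['score']}")
```

Lexical scoring alone produces false positives on CDN and tracking hostnames, so in practice it is combined with the NXDOMAIN rate per client (a DGA client queries many names that do not resolve) and with domain-age or allowlist data before an alert is raised.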