The covert Iranian threat actor Infy (also known as Prince of Persia) has adapted its tradecraft to better conceal activity, while simultaneously preparing fresh command‑and‑control (C2) infrastructure timed with the end of the nationwide internet shutdown imposed in early January 2026.
According to Tomer Bar, vice president of security research at SafeBreach, the group “stopped maintaining its C2 servers on January 8,” marking the first such pause observed since the company began tracking the operation. That date aligned with a countrywide internet blackout enforced by Iranian authorities amid recent protests, which Bar said likely indicates that even government-linked cyber units lacked either the capability or the motivation to conduct malicious operations inside Iran during the shutdown. SafeBreach observed activity resuming on January 26, 2026, when the operators stood up new C2 servers—one day before Iran eased its internet restrictions. The timing is notable, as it provides tangible evidence that the adversary is state-sponsored and supported by Iran.
Infy is one among several Iranian state-aligned groups engaged in espionage, sabotage, and influence operations that support Tehran’s objectives. It is also one of the oldest and least publicized, quietly operating since 2004 through “laser‑focused” intelligence-gathering campaigns aimed at specific individuals. In a December 2025 report, SafeBreach detailed updated tradecraft tied to Infy, including new versions of the Foudre and Tonnerre malware families, with Tonnerre leveraging a Telegram bot for command issuance and data collection. The latest Tonnerre build, version 50, carries the codename “Tornado.”
Ongoing monitoring from December 19, 2025, to February 3, 2026, shows the operators have rotated C2 infrastructure across all versions of Foudre and Tonnerre and introduced Tornado version 51, which supports both HTTP and Telegram-based C2. Bar noted that Tornado v51 “uses two different methods to generate C2 domain names: first, a new DGA algorithm, and then fixed names derived via blockchain data de‑obfuscation.” This unusual approach appears aimed at enabling flexible domain registration without pushing a new Tornado build each time.
There are also indicators that Infy exploited a 1‑day WinRAR vulnerability (either CVE‑2025‑8088 or CVE‑2025‑6218) to unpack and deploy the Tornado payload on compromised hosts—an adjustment intended to boost compromise rates. Specially crafted RAR files were uploaded to VirusTotal from Germany and India in mid‑December 2025, implying potential targeting in those countries.
The RAR package contains a self‑extracting archive (SFX) with two files:
- AuthFWSnapin.dll — the primary Tornado v51 DLL
- reg7989.dll — an installer that first checks for the absence of Avast antivirus; if not present, it creates a scheduled task for persistence and launches the Tornado DLL
Tornado communicates with its C2 via HTTP to retrieve and run the main backdoor and to collect host telemetry. When Telegram is used instead, Tornado relies on the bot API for data exfiltration and command reception. Notably, Tonnerre v50 was configured to use a Telegram group named سرافراز (transliterated “sarafraz,” meaning “proudly”), featuring the bot @ttestro1bot and a user handle @ehsan8999100. In the latest iteration, a different user, @Ehsan66442, appears in place of the latter.
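The two behaviours described above (an installer that creates a scheduled task to launch the Tornado DLL, and C2 traffic to the Telegram Bot API from a non-browser process) are the kind of thing a defender can hunt for in endpoint telemetry. The following is an added example, not code from SafeBreach or the report: it runs two checks over constructed Sysmon-style process-creation and network-connection events. The task name, paths and rundll32 arguments in the sample are placeholders; only the DLL file names and the use of the Telegram Bot API come from the article.

```python
# Hunting logic over constructed Sysmon-style events (added example).
# Event id 1 = process creation, id 3 = network connection.
DROPPED_DLLS = {"authfwsnapin.dll", "reg7989.dll"}  # file names reported in the article
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "telegram.exe"}  # expected Telegram talkers

# Constructed sample events; the task name "Updater" and the paths are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc onlogon /tn Updater '
                r'/tr "rundll32.exe C:\Users\user\AppData\Roaming\AuthFWSnapin.dll,#1"'},
    {"id": 3, "image": r"C:\Windows\System32\rundll32.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"id": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt"},
]


def process_name(image_path: str) -> str:
    """Return the lower-cased executable name from a Windows path."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flags_for(event: dict) -> list:
    """Return a list of hunting hits for one event (empty when nothing matches)."""
    hits = []
    if event["id"] == 1:
        cmd = event.get("cmdline", "").lower()
        # Scheduled-task persistence that references one of the dropped DLLs.
        if "schtasks" in cmd and "/create" in cmd and any(d in cmd for d in DROPPED_DLLS):
            hits.append("scheduled task created to launch a Tornado-named DLL")
    elif event["id"] == 3:
        proc = process_name(event["image"])
        # Telegram Bot API is only expected from browsers/clients; anything else is suspect.
        if event.get("dest_host", "").lower() == "api.telegram.org" and proc not in BROWSERS:
            hits.append(f"Telegram Bot API contact from non-browser process {proc}")
    return hits


def hunt(events: list) -> list:
    """Return (event_index, description) pairs for every hit across the event list."""
    return [(i, h) for i, e in enumerate(events) for h in flags_for(e)]


if __name__ == "__main__":
    for idx, desc in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {desc}")
```

Both checks are deliberately narrow: the first keys on file names that a new build could rename, so the Telegram Bot API check (any process other than a known client) is the more durable of the two.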
“As before, the bot member of the Telegram group still lacks permission to read the group’s chat messages,” Bar said. “On December 21, the original user @ehsan8999100 was added to a new Telegram channel named Test with three subscribers. The purpose of this channel remains unclear, but we suspect it serves as a command-and-control conduit for infected machines.”
SafeBreach reported it was able to extract all messages from the private Telegram group, granting access to all Foudre and Tonnerre exfiltration dating back to February 16, 2025. This included 118 files and 14 shared links containing encoded commands sent to Tonnerre by the operators. Analysis yielded several key findings:
- A malicious ZIP that drops ZZ Stealer, which in turn loads a customized variant of the StormKitty infostealer.
- A strong link between the ZZ Stealer intrusion chain and a PyPI campaign using a package named testfiwldsd21233s, designed to deploy an earlier version of ZZ Stealer and exfiltrate data via the Telegram bot API.
- A weaker, potential overlap with Charming Kitten (aka Educated Manticore), based on shared use of ZIP and LNK lures and a PowerShell loader technique.
“ZZ Stealer appears to function as a first‑stage payload (akin to Foudre), initially harvesting environment details, screenshots, and all files from the desktop,” SafeBreach added. “Upon receiving the command ‘8==3’ from its C2, it retrieves and runs a second‑stage payload, which the operators also refer to as ‘8==3.’”