Iranian Cyber Espionage Group ‘Prince of Persia’ Targets Global Infrastructure with Advanced Tactics

The Iranian state-sponsored cyber espionage group known as Prince of Persia has re-emerged, launching sophisticated attacks against critical infrastructure and private networks worldwide. Active since the early 2000s, this group has recently enhanced its technical capabilities, deploying updated malware variants designed to infiltrate organizational systems and exfiltrate sensitive information.

Evolution of Attack Methods

Traditionally, Prince of Persia relied on macro-enabled documents to initiate infections. However, their latest campaigns demonstrate a strategic shift towards using malicious Microsoft Excel files embedded with executables. These files are often disguised as routine administrative updates or regional news items, crafted to evade standard antivirus detection mechanisms. When a victim opens the file, it triggers a self-extracting archive that silently installs the Foudre backdoor, establishing an initial foothold within the compromised network.

Advanced Malware Deployment

Security analysts at SafeBreach have identified this renewed activity after a three-year dormancy period. Their research highlights the group’s transition to more resilient operational security practices, utilizing distinct malware families—Foudre and Tonnerre—with advanced capabilities for persistence and data theft. The investigation also uncovered a specific persona, Ehsan, suggesting centralized and human-operated management of the campaign’s infrastructure.

Technical Analysis of Infection and Command-and-Control Communication

The technical sophistication of this campaign is evident in the deployment of Foudre v34 and Tonnerre v50. Foudre v34 employs a complex multi-stage loading process where a loader DLL, identified as `Conf8830.dll`, executes a specific exported function named `f8qb1355`. This function calls a disguised DLL file, `d232`, which masquerades as an MP4 video file to deceive both users and automated security tools.

Upon successful execution, the malware establishes persistence and initiates communication with command-and-control (C2) servers using a generated domain name. The Domain Generation Algorithm (DGA) logic is particularly distinct, dividing the process into two phases. The first phase calculates a CRC32 checksum over a date-derived string, built as `"LOS1{}{}{}".format(date.year, date.month, weeknumber)`. The second phase transforms this checksum into a unique eight-character hostname. Furthermore, the Tonnerre v50 variant introduces a redirection mechanism involving Telegram: instead of the traditional FTP channel, the malware communicates with a Telegram bot to receive commands.
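The following is an added example, not SafeBreach's analysis code or the malware's own, showing how a defender can turn the phase-one description above into a weekly list of expected labels and match them against DNS logs. It assumes zlib's standard CRC32 and the ISO week number (neither is stated on the page), and because the page does not describe the phase-two mapping, it uses a clearly labelled placeholder encoding in its place.

```python
# Added illustrative example (defender-side), not code from the article.
# Phase one follows the article: CRC32 over "LOS1{year}{month}{weeknumber}".
# ASSUMPTIONS not on the page: zlib CRC32, ISO week number, and a placeholder
# phase-two mapping (checksum nibbles -> letters a-p) that only reproduces the
# eight-character hostname length; the real mapping is not described.
import zlib
from datetime import date, timedelta


def dga_seed(d: date) -> str:
    """Phase-one input: the date-derived seed string quoted in the article."""
    return "LOS1{}{}{}".format(d.year, d.month, d.isocalendar()[1])


def dga_phase1(d: date) -> int:
    """Phase one: CRC32 checksum of the seed string (zlib CRC32 assumed)."""
    return zlib.crc32(dga_seed(d).encode("ascii")) & 0xFFFFFFFF


def dga_phase2_placeholder(crc: int) -> str:
    """PLACEHOLDER phase two: maps each 4-bit nibble of the checksum to a-p.
    Stands in for the undocumented real transform purely for illustration."""
    return "".join(chr(ord("a") + ((crc >> (4 * i)) & 0xF)) for i in range(8))


def weekly_hostnames(start: date, end: date) -> dict:
    """One expected label per (year, month, ISO week) window in [start, end]."""
    out = {}
    d = start
    while d <= end:
        out.setdefault(dga_seed(d), dga_phase2_placeholder(dga_phase1(d)))
        d += timedelta(days=1)
    return out


def match_dns_log(lines, hostnames) -> list:
    """Return log lines whose queried name's first label is an expected label."""
    labels = set(hostnames.values())
    hits = []
    for line in lines:
        parts = line.split()
        qname = parts[-1].lower() if parts else ""
        if qname.split(".")[0] in labels:
            hits.append(line)
    return hits


# Constructed sample DNS log (not real telemetry); one line uses a generated label.
SAMPLE_DNS_LOG = [
    "2024-03-11T10:02:15Z ws17 query A "
    + dga_phase2_placeholder(dga_phase1(date(2024, 3, 11))) + ".example.net",
    "2024-03-11T10:02:16Z ws17 query A www.example.com",
]
```

Running `match_dns_log(SAMPLE_DNS_LOG, weekly_hostnames(date(2024, 3, 4), date(2024, 3, 17)))` returns only the first constructed line.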

The C2 communication relies on specific HTTP GET requests to validate victim machines. Foudre v34 sends a unique identifier to the server using the following structure:

`https:///1/?c=&u=&v=`

This per-victim identifier gives the attackers granular control, allowing them to selectively upgrade or remove infections so that their operations remain undetected while maintaining long-term access to high-value targets.

Implications and Recommendations

The resurgence of Prince of Persia with enhanced tactics underscores the persistent threat posed by nation-state actors to global critical infrastructure. Organizations are advised to implement robust cybersecurity measures, including regular software updates, employee training on phishing tactics, and deployment of advanced threat detection systems. Collaboration with cybersecurity experts and sharing threat intelligence can further bolster defenses against such sophisticated adversaries.