Infy Hackers Reactivate with New C2 Servers Post-Iran Blackout; Deploy Enhanced Malware Tools

Infy Hackers Resurface: New Command-and-Control Servers Deployed Post-Iran Internet Blackout

The Iranian cyber espionage group known as Infy, also referred to as Prince of Persia, has recently reactivated its operations by establishing new command-and-control (C2) servers. This resurgence coincides with the conclusion of a nationwide internet blackout imposed by Iranian authorities in early January 2026.

On January 8, 2026, Infy ceased maintaining its C2 servers, marking the first such interruption since monitoring of their activities began. This date aligns with the onset of a country-wide internet shutdown in Iran, implemented in response to widespread protests. The simultaneous timing suggests that even government-affiliated cyber units were either unable or unwilling to conduct malicious activities during the blackout.

Activity resumed on January 26, 2026, when Infy set up new C2 servers, just a day before the Iranian government lifted internet restrictions. This sequence of events provides compelling evidence that Infy operates as a state-sponsored entity under Iranian backing.

Infy is among several state-sponsored hacking groups in Iran that engage in espionage, sabotage, and influence operations aligned with Tehran’s strategic interests. Notably, Infy has maintained a low profile since its inception in 2004, conducting targeted attacks aimed at individuals for intelligence gathering.

In December 2025, cybersecurity firm SafeBreach reported on Infy’s updated tactics, including the deployment of enhanced versions of their malware tools, Foudre and Tonnerre. The latter incorporated a Telegram bot, likely used for issuing commands and collecting data. The latest iteration, Tonnerre version 50, has been codenamed Tornado.

Between December 19, 2025, and February 3, 2026, further analysis revealed that Infy replaced the C2 infrastructure for all versions of Foudre and Tonnerre. They also introduced Tornado version 51, which utilizes both HTTP and Telegram for C2 communications.

Tornado version 51 employs two distinct methods to generate C2 domain names: a new domain generation algorithm (DGA) and fixed names obtained by de-obfuscating data stored on a blockchain. This approach likely gives the operators more flexibility in registering C2 domain names without having to ship a new Tornado version.

Evidence indicates that Infy has exploited a one-day security flaw in WinRAR (either CVE-2025-8088 or CVE-2025-6218) to deploy the Tornado payload on compromised hosts. This shift in attack vector aims to enhance the success rate of their campaigns. Specially crafted RAR archives were uploaded to the VirusTotal platform from Germany and India in mid-December 2025, suggesting targeted attacks in these countries.

The RAR file contains a self-extracting archive (SFX) with two files:

– AuthFWSnapin.dll: The main Tornado version 51 DLL.

– reg7989.dll: An installer that checks for the presence of Avast antivirus software. If Avast is not installed, it creates a scheduled task for persistence and executes the Tornado DLL.

Tornado communicates with the C2 server over HTTP to download and execute the main backdoor and collect system information. When using Telegram as the C2 method, Tornado employs the bot API to exfiltrate system data and receive additional commands.
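As an added illustration (not from the report or from SafeBreach's own tooling), the following Python scans constructed key="value" telemetry lines for the install chain and C2 behaviour described above: the reg7989.dll installer being loaded, a scheduled task pointing at AuthFWSnapin.dll, and Telegram Bot API calls from a process with no business reason to make them. The log format, file paths, task name and the process allowlist are assumptions.

```python
import re

# Constructed sample telemetry (not real logs): key="value" pairs modelled on the
# Tornado v51 install chain described above. Paths and the task name are made up.
SAMPLE_EVENTS = [
    r'type="process" image="C:\Windows\System32\rundll32.exe" cmdline="rundll32.exe C:\Users\u\AppData\Local\Temp\reg7989.dll,Start"',
    r'type="process" image="C:\Windows\System32\schtasks.exe" cmdline="schtasks /create /sc minute /mo 10 /tn Updater /tr rundll32.exe C:\Users\u\AppData\Local\Temp\AuthFWSnapin.dll,Start"',
    r'type="http" process="rundll32.exe" method="POST" url="https://api.telegram.org/bot123456:PLACEHOLDER_TOKEN/sendDocument"',
    r'type="http" process="chrome.exe" method="GET" url="https://api.telegram.org/bot987:OTHER_TOKEN/getMe"',
    r'type="process" image="C:\Windows\System32\schtasks.exe" cmdline="schtasks /query /tn Backup"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')
# File names given in the report; no hashes are on the page, so matching is by name only
TORNADO_FILES = ("authfwsnapin.dll", "reg7989.dll")
# Telegram Bot API URL shape: /bot<id>:<token>/<method>; the token is never echoed into findings
BOT_API_RE = re.compile(r'https?://api\.telegram\.org/bot(\d+):([^/]+)/(\w+)', re.I)
# Processes assumed to have a legitimate reason to reach the Bot API (assumed allowlist)
BOT_API_ALLOW = {"chrome.exe", "firefox.exe", "msedge.exe"}

def parse_event(line: str) -> dict:
    return dict(KV_RE.findall(line))

def check_event(ev: dict) -> list[str]:
    """Return zero or more finding strings for one parsed event."""
    findings = []
    if ev.get("type") == "process":
        cmd = ev.get("cmdline", "").lower()
        hit = next((f for f in TORNADO_FILES if f in cmd), None)
        if hit and "schtasks" in cmd and "/create" in cmd:
            findings.append(f"persistence: scheduled task created for {hit}")
        elif hit:
            image = ev.get("image", "?").rsplit("\\", 1)[-1]
            findings.append(f"execution: {hit} loaded via {image}")
    elif ev.get("type") == "http":
        m = BOT_API_RE.search(ev.get("url", ""))
        proc = ev.get("process", "").lower()
        if m and proc not in BOT_API_ALLOW:
            bot_id, _token, method = m.groups()
            findings.append(f"c2/exfil: {proc} called Telegram Bot API {method} as bot {bot_id} (token redacted)")
    return findings

def scan(lines: list[str]) -> list[str]:
    return [f for line in lines for f in check_event(parse_event(line))]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Matching on the two file names alone is brittle once the operators rename them; the scheduled-task and Bot-API checks are the parts worth keeping as generic hunting logic.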

In version 50, the malware utilized a Telegram group named سرافراز (transliterated as sarafraz, meaning proudly) featuring the Telegram bot @ttestro1bot and a user with the handle @ehsan8999100. In the latest version, a different user, @Ehsan66442, has replaced the previous handle.

Notably, the bot member of the Telegram group lacks permissions to read the group’s chat messages. On December 21, the original user @ehsan8999100 was added to a new Telegram channel named Test, which had three subscribers. The purpose of this channel remains unclear, but it is presumed to be used for command and control over compromised machines.

SafeBreach successfully extracted all messages within the private Telegram group, gaining access to all exfiltrated Foudre and Tonnerre files since February 16, 2025. This included 118 files and 14 shared links containing encoded commands sent to Tonnerre by the threat actor. Analysis of this data led to two significant findings:

1. A malicious ZIP file that deploys ZZ Stealer, which loads a custom variant of the StormKitty infostealer.

2. A strong correlation between the ZZ Stealer attack chain and a campaign targeting the Python Package Index (PyPI) repository with a package named testfiwldsd21233s. This package is designed to drop a previous iteration of ZZ Stealer and exfiltrate data through the Telegram bot API.

Additionally, a potential, albeit weaker, correlation exists between Infy and Charming Kitten (also known as Educated Manticore) due to the use of ZIP and Windows Shortcut (LNK) files, as well as a PowerShell loader technique.

ZZ Stealer appears to function as a first-stage malware (similar to Foudre), initially collecting environmental data, capturing screenshots, and exfiltrating all desktop files. Upon receiving the command 8==3 from the C2 server, it downloads and executes the second-stage malware, also referred to by the threat actor as 8==3.