Infamous Iranian APT Group Infy Reemerges with Advanced Malware Tactics

Iranian Infy APT Resurfaces with Advanced Malware Tactics After Years of Inactivity

After a prolonged period of dormancy, the Iranian Advanced Persistent Threat (APT) group known as Infy, or Prince of Persia, has re-emerged with sophisticated cyber operations targeting entities across multiple countries. This resurgence, identified by cybersecurity researchers at SafeBreach, highlights the group’s continued evolution and persistent threat in the cyber espionage landscape.

Historical Context and Previous Activities

Infy is among the oldest known APT actors, with its activities tracing back to December 2004. Unlike other Iranian cyber groups such as Charming Kitten, MuddyWater, and OilRig, Infy has maintained a relatively low profile, making it a particularly elusive adversary. Historically, the group has employed two primary malware strains:

1. Foudre: A downloader and victim profiler designed to infiltrate systems and gather preliminary data.

2. Tonnerre: A second-stage implant deployed by Foudre to extract sensitive information from compromised machines.

These tools have been predominantly distributed through phishing emails, a common tactic among cyber espionage groups.

Recent Developments and Malware Enhancements

In recent findings, SafeBreach uncovered a covert campaign by Infy targeting victims in Iran, Iraq, Turkey, India, Canada, and various European countries. This campaign utilizes updated versions of their malware:

– Foudre Version 34: This iteration has transitioned from using macro-laced Microsoft Excel files to embedding executables within documents, enhancing its ability to bypass traditional security measures.

– Tonnerre Versions 12-18 and 50: The latest version, detected in September 2025, includes advanced features such as communication with specific Telegram groups for command-and-control (C2) operations.

Advanced Command-and-Control Mechanisms

A notable advancement in Infy’s tactics is the implementation of a domain generation algorithm (DGA) to bolster the resilience of their C2 infrastructure. This technique allows the malware to generate and connect to a series of domain names, complicating efforts to disrupt their operations.

Furthermore, both Foudre and Tonnerre now incorporate mechanisms to verify the authenticity of their C2 domains. They achieve this by downloading an RSA signature file, verifying it with an embedded public key (described in the analysis as "decrypting" it), and comparing the result with a locally stored validation file. Because only the operator holds the matching private key, the malware communicates only with C2 servers that can present a valid signature, which is what makes the DGA-generated infrastructure hard to hijack or sinkhole.
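To make the disruption problem concrete, here is an added toy model (not code from SafeBreach or from the malware itself) of the validation step described above: the operator signs each live C2 domain, the implant verifies the downloaded signature file against a local validation value, and whoever registers a DGA candidate without the private key cannot produce a file that passes. Key size, hash function and the exact signed content are assumptions, since the page does not give them.

```python
import hashlib
from typing import List, NamedTuple, Optional, Tuple

# Constructed toy RSA key (two 16-bit primes), illustration only; the real
# implant's key size and hashing are not given on the page.
P, Q = 65521, 65537
N = P * Q
E = 11                                  # public exponent, shipped in the implant
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent, operator side only


class C2Check(NamedTuple):
    domain: str
    valid: bool
    reason: str


def validation_value(domain: str) -> int:
    """Stands in for the locally stored validation data: SHA-256 of the
    domain name reduced mod N (assumption; the page does not say what is signed)."""
    return int(hashlib.sha256(domain.encode()).hexdigest(), 16) % N


def sign_domain(domain: str) -> int:
    """Operator side: the 'signature file' published alongside a live C2 domain."""
    return pow(validation_value(domain), D, N)


def verify_c2(domain: str, signature_file: int) -> C2Check:
    """Implant side: 'decrypt' the downloaded signature with the public key and
    compare it to the local validation value before trusting the domain."""
    if pow(signature_file, E, N) == validation_value(domain):
        return C2Check(domain, True, "signature matches validation value")
    return C2Check(domain, False, "mismatch: domain ignored")


def select_c2(candidates: List[Tuple[str, int]]) -> Optional[C2Check]:
    """Walk the DGA candidate list and pick the first domain whose signature
    file verifies; None means no candidate was accepted."""
    for domain, served_signature in candidates:
        check = verify_c2(domain, served_signature)
        if check.valid:
            return check
    return None


if __name__ == "__main__":
    live = "example-live-c2.invalid"          # constructed domain names
    sinkholed = "example-sinkhole.invalid"
    # A sinkhole owner can serve the digest but not the private-key signature;
    # x -> x^E mod N is a permutation of Z_N, so only the genuine value passes.
    candidates = [(sinkholed, validation_value(sinkholed)), (live, sign_domain(live))]
    print(select_c2(candidates))
```

For detection this also implies that the fetch of the small signature file from each candidate domain, rather than the candidate domains themselves, is the stable network artefact to look for.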

Infrastructure Insights and Operational Security

Analysis of Infy’s C2 infrastructure revealed several directories with specific functions:

– Key Directory: Utilized for C2 validation processes, ensuring secure communication channels.

– Download Directory: Suspected to be used for downloading and upgrading malware versions, indicating a structured approach to maintaining and updating their tools.

These findings underscore the group’s commitment to maintaining a robust and adaptable infrastructure to support their cyber espionage activities.

Integration with Telegram for Command-and-Control

The latest version of Tonnerre introduces a mechanism to interact with a Telegram group named سرافراز (meaning "proudly" in Persian) through the C2 server. This group comprises:

– @ttestro1bot: A Telegram bot likely used to issue commands and collect data from infected machines.

– @ehsan8999100: A user account potentially involved in overseeing operations.

While the use of messaging apps for C2 is not uncommon, Infy’s method of storing Telegram group information in a file named tga.adr within a directory called t on the C2 server is particularly noteworthy. Access to this file is restricted to a specific list of victim GUIDs, indicating a targeted approach to their operations.

Historical Malware Variants and Evolution

SafeBreach’s research also uncovered older variants of Infy’s malware used between 2017 and 2020, including:

– Amaq News Finder: A version of Foudre disguised to download and execute malware.

– MaxPinner: A trojan downloaded by the Foudre version 24 DLL, designed to spy on Telegram content.

– Deep Freeze: Similar to Amaq News Finder, used to infect victims with Foudre.

– Rugissement: An unknown malware variant, indicating the group’s continuous development of new tools.

These discoveries highlight Infy’s ongoing efforts to refine their malware arsenal and adapt to changing cybersecurity landscapes.

Implications and Broader Context

The resurgence of Infy coincides with analyses of other Iranian cyber groups, such as Charming Kitten, which operates with a level of precision akin to government departments. This suggests a coordinated and strategic approach to cyber espionage by Iranian state-sponsored actors.

The re-emergence of Infy serves as a stark reminder of the persistent and evolving threats posed by nation-state actors in cyberspace. Organizations worldwide must remain vigilant, continuously updating their security protocols to defend against such sophisticated adversaries.