Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends

Security Reporter

Iranian state-sponsored group Infy returns to cyber operations with updated malware infrastructure following nationwide internet shutdown, revealing sophisticated evasion tactics and potential links to other espionage campaigns.

The Iranian threat group known as Infy, also referred to as Prince of Persia, has resumed its cyber operations with new command-and-control infrastructure following the end of a nationwide internet blackout in Iran. The group's activities provide further evidence of state sponsorship and reveal evolving tactics designed to evade detection.

Internet Blackout Coincides with Operational Pause

The cybersecurity firm SafeBreach first observed a significant change in Infy's behavior on January 8, 2026, when the group stopped maintaining its C2 servers for the first time since monitoring began. This pause coincided exactly with the internet shutdown imposed by Iranian authorities in response to recent protests.

"The threat actor stopped maintaining its C2 servers on January 8 for the first time since we began monitoring their activities," said Tomer Bar, vice president of security research at SafeBreach. "This was the same day a country-wide internet shutdown was imposed by Iranian authorities in response to recent protests, which likely suggests that even government-affiliated cyber units did not have the ability or motivation to carry out malicious activities within Iran."

The timing strongly indicates that Infy operates as a state-sponsored entity, since its operations were directly affected by government-imposed internet restrictions.

Resumption of Activities with Enhanced Infrastructure

Following the relaxation of internet restrictions on January 25, 2026, SafeBreach observed renewed activity from Infy on January 26. The group established new C2 servers and introduced updated versions of their malware arsenal.

Infy has been operating since 2004, making it one of the oldest Iranian cyber espionage groups. Unlike more prominent Iranian hacking collectives, Infy has maintained a low profile through "laser-focused" attacks targeting individuals for intelligence gathering rather than high-profile operations.

Evolution of Malware Capabilities

The group's primary malware tools include Foudre and Tonnerre, with the latter employing Telegram bots for command and control. Its latest tool, Tornado, has been upgraded from version 50 to version 51, which introduces several significant changes:

  • Dual C2 methods using both HTTP and Telegram
  • New domain generation algorithm (DGA) for creating C2 domain names
  • Fixed names using blockchain data de-obfuscation
  • Enhanced flexibility in registering C2 domains without requiring malware updates

"It uses two different methods to generate C2 domain names: first, a new DGA algorithm and then fixed names using blockchain data de-obfuscation," Bar explained. "This is a unique approach that we assume is being used to provide greater flexibility in registering C2 domain names without the need to update the Tornado version."
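The article does not publish the new DGA, so a defender cannot match its output directly; what can be done is to score DNS queries for the traits algorithmically generated labels tend to share (high character entropy, few vowels, digits mixed in, long consonant runs, unusual length). The script below is an added example, not SafeBreach's tooling or anything recovered from Tornado; the log line format, the sample query names and the scoring thresholds are all constructed for the demonstration.

```python
"""Heuristic DGA-likeness scoring over DNS query log lines.

Added example (not SafeBreach's or the malware's code). The log format and
sample lines are constructed: "<timestamp> <client> query <type> <qname>".
"""
import math
from collections import Counter

SAMPLE_DNS_LOG = """\
2026-01-26T10:14:03Z 10.0.0.12 query A mail.google.com
2026-01-26T10:14:05Z 10.0.0.12 query A login.microsoftonline.com
2026-01-26T10:14:09Z 10.0.0.12 query A xk3q9vzt7hpl2wq.net
2026-01-26T10:14:10Z 10.0.0.12 query A qwzrtplkvhgnmsx.org
2026-01-26T10:14:12Z 10.0.0.12 query A cdn.cloudflare.net
2026-01-26T10:14:15Z 10.0.0.12 query AAAA api.telegram.org
"""

VOWELS = set("aeiou")
# Second-level labels that are part of a public suffix (simplified assumption;
# a production tool should consult the Public Suffix List instead).
SECOND_LEVEL_SUFFIXES = {"co", "com", "org", "net", "ac", "gov", "edu"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registrable_label(host: str) -> str:
    """Return the label the operator had to register, i.e. the one a DGA produces.

    'mail.google.com' -> 'google'; 'foo.example.co.uk' -> 'example'.
    """
    parts = host.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0]
    if parts[-2] in SECOND_LEVEL_SUFFIXES and len(parts) >= 3:
        return parts[-3]
    return parts[-2]


def max_consonant_run(label: str) -> int:
    """Longest run of consecutive consonant letters; digits and hyphens break a run."""
    best = cur = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            cur += 1
            best = max(best, cur)
        else:
            cur = 0
    return best


def dga_score(label: str) -> int:
    """Count how many DGA-typical traits the label shows (0-5).

    Thresholds are illustrative assumptions chosen so that dictionary-based
    brand names score low; calibrate them against your own baseline traffic.
    """
    if not label:
        return 0
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    points = 0
    points += int(shannon_entropy(label) >= 3.5)   # many distinct characters
    points += int(vowel_ratio < 0.25)              # unpronounceable
    points += int(digit_ratio >= 0.15)             # digits mixed into the name
    points += int(max_consonant_run(label) >= 4)   # no natural-language syllables
    points += int(len(label) >= 12)                # long label
    return points


def flag_dga_queries(log_text: str, threshold: int = 3) -> list[tuple[str, int]]:
    """Return (qname, score) for every query whose registrable label scores >= threshold."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "query":
            continue  # malformed or non-query line
        qname = fields[4]
        score = dga_score(registrable_label(qname))
        if score >= threshold:
            flagged.append((qname, score))
    return flagged


if __name__ == "__main__":
    for qname, score in flag_dga_queries(SAMPLE_DNS_LOG):
        print(f"DGA-like: {qname} (score {score})")
```

Run against the constructed sample, the two random-looking labels are flagged while the brand names and api.telegram.org are not. Scoring the registrable label rather than the full hostname matters because a DGA only controls the part the operator registers; the rest of the name is ordinary subdomain structure.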

Exploitation of WinRAR Vulnerability

Evidence suggests Infy has weaponized a recently disclosed WinRAR vulnerability to deliver its payloads. The group appears to be exploiting either CVE-2025-8088 or CVE-2025-6218, both of which are recently patched ("1-day") security flaws in the popular file compression software.

The attack chain involves specially crafted RAR archives uploaded to VirusTotal in mid-December 2025. These archives contain self-extracting files that deploy the Tornado malware through a sophisticated installation process.

Technical Analysis of the Attack Chain

The RAR file contains two critical components:

  1. AuthFWSnapin.dll - The main Tornado version 51 DLL
  2. reg7989.dll - An installer that performs initial checks and persistence setup

The installer first verifies whether Avast antivirus software is installed on the target system. If Avast is not detected, it creates a scheduled task for persistence and executes the Tornado DLL.

Tornado establishes communication with its C2 server over HTTP to download and execute the main backdoor while harvesting system information. When using Telegram as the C2 method, Tornado leverages the bot API to exfiltrate system data and receive additional commands.
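Because Tornado's Telegram channel rides on the public Bot API, the traffic is ordinary HTTPS to api.telegram.org and blends in at the network layer; the distinguishing signal is which process on the endpoint is making bot-API calls. The script below is an added example, not code from SafeBreach or from the malware: it assumes endpoint web telemetry that records the originating process with each URL (the line format and all sample lines are constructed, and the bot tokens in them are made up, following the documented <bot_id>:<secret> shape), flags bot-API calls from processes that have no business making them, and redacts the token so the finding can be shared without leaking a live credential.

```python
"""Flag Telegram bot-API use by unexpected processes in endpoint web telemetry.

Added example (not SafeBreach's or the malware's code). Telemetry format and
sample lines are constructed: "<timestamp> <host> <process> <http_method> <url>".
Bot tokens below are invented for the demo.
"""
import re
from dataclasses import dataclass

SAMPLE_TELEMETRY = """\
2026-01-26T11:02:41Z WS-0042 Telegram.exe POST https://api.telegram.org/bot1234567890:AAFakeTokenForDemoPurposesOnly0123456/getUpdates
2026-01-26T11:03:07Z WS-0042 chrome.exe GET https://www.example.com/index.html
2026-01-26T11:03:19Z WS-0042 rundll32.exe POST https://api.telegram.org/bot9876543210:AAEAnotherFakeTokenForTheDemo7654321/sendDocument
2026-01-26T11:03:20Z WS-0042 rundll32.exe GET https://api.telegram.org/bot9876543210:AAEAnotherFakeTokenForTheDemo7654321/getUpdates?offset=12
2026-01-26T11:04:55Z WS-0077 powershell.exe POST https://api.telegram.org/bot5550001111:AAGThirdFakeTokenUsedInThisExample99/sendMessage
"""

# Bot API calls have the shape https://api.telegram.org/bot<bot_id>:<secret>/<method>
BOT_API_RE = re.compile(
    r"^https://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)

# Processes for which bot-API traffic is plausibly legitimate (assumption; extend
# with e.g. an internal alerting service that posts to Telegram).
ALLOWED_PROCESSES = {"telegram.exe"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    process: str
    bot_id: str
    token_hint: str  # redacted token, safe to put in a ticket
    method: str      # e.g. sendDocument (upload) or getUpdates (poll for commands)


def redact_token(bot_id: str, secret: str) -> str:
    """Keep enough of the token to correlate findings without storing the secret."""
    return f"{bot_id}:{secret[:4]}...{secret[-2:]}"


def parse_line(line: str):
    """Split a telemetry line into (timestamp, host, process, url); None if malformed."""
    fields = line.split(maxsplit=4)
    if len(fields) != 5:
        return None
    ts, host, process, _http_method, url = fields
    return ts, host, process, url


def find_bot_api_abuse(telemetry: str) -> list[Finding]:
    """Return one Finding per bot-API request made by a non-allowlisted process."""
    findings = []
    for line in telemetry.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, process, url = parsed
        m = BOT_API_RE.match(url)
        if not m or process.lower() in ALLOWED_PROCESSES:
            continue
        findings.append(Finding(ts, host, process, m["bot_id"],
                                redact_token(m["bot_id"], m["secret"]), m["method"]))
    return findings


def bot_ids_by_host(findings: list[Finding]) -> dict[str, set[str]]:
    """Pivot: which bot ids did each host talk to?  The same bot id seen on
    several hosts points at one operator-controlled channel."""
    out: dict[str, set[str]] = {}
    for f in findings:
        out.setdefault(f.host, set()).add(f.bot_id)
    return out


if __name__ == "__main__":
    hits = find_bot_api_abuse(SAMPLE_TELEMETRY)
    for f in hits:
        print(f"{f.timestamp} {f.host} {f.process} -> bot {f.token_hint} {f.method}")
    print(bot_ids_by_host(hits))
```

The method name is worth keeping in the finding: an upload method such as sendDocument from a system binary is the exfiltration half of the behaviour described above, while repeated getUpdates polling is the command-retrieval half. The numeric bot id survives redaction, so findings from different hosts can still be correlated and, where policy allows, reported to the platform for takedown.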

Telegram Infrastructure Changes

The group has modified its Telegram infrastructure between versions. Version 50 of the malware used a Telegram group named سرافراز ("sarafraz," meaning proudly) featuring the bot "@ttestro1bot" and a user with the handle "@ehsan8999100."

In the latest version, the user "@Ehsan66442" has replaced the previous handle. Notably, the bot member of the Telegram group still lacks permissions to read the group's chat messages.

"On December 21, the original user @ehsan8999100 was added to a new Telegram channel named Test that had three subscribers," Bar noted. "The goal of this channel is still unknown, but we assume it is being used for command and control over the victim's machines."

Access to Telegram Communications

SafeBreach managed to extract all messages within the private Telegram group, providing unprecedented visibility into Infy's operations since February 16, 2025. This access revealed 118 files and 14 shared links containing encoded commands sent to Tonnerre by the threat actor.

Analysis of this data uncovered two crucial discoveries:

  1. A malicious ZIP file that drops ZZ Stealer, which loads a custom variant of the StormKitty infostealer
  2. A "very strong correlation" between the ZZ Stealer attack chain and a campaign targeting the Python Package Index (PyPI) repository with a package named "testfiwldsd21233s"

The PyPI package was designed to drop a previous iteration of ZZ Stealer and exfiltrate data through the Telegram bot API.

Potential Connections to Other Threat Groups

Researchers also identified a "weaker potential correlation" between Infy and Charming Kitten (also known as Educated Manticore). This connection is based on similarities in their use of ZIP and Windows Shortcut (LNK) files, as well as PowerShell loader techniques.

"ZZ Stealer appears to be a first-stage malware (like Foudre) that first collects environmental data, screenshots, and exfiltrates all desktop files," SafeBreach explained. "In addition, upon receiving the command '8==3' from the C2 server, it will download and execute the second-stage malware also named by the threat actor as '8==3.'"

The discovery of these connections suggests potential collaboration or shared resources among Iranian state-sponsored groups, though the exact nature of these relationships remains under investigation.

The Infy group's ability to adapt its infrastructure and tactics in response to external events like internet blackouts demonstrates the sophistication and resilience of state-sponsored cyber operations. Their focus on individual targeting for intelligence gathering, combined with their long operational history, makes them a significant but often overlooked threat in the landscape of Iranian cyber espionage.
