A technical analysis by SafeBreach said the Iranian threat group Infy stopped maintaining its command and control servers on January 8, 2026 and set up new C2 infrastructure on January 26, 2026.
KEY FACTS
- Incident: New C2 servers established on January 26, 2026
- Pause: C2 maintenance ceased on January 8, 2026
- Malware: Tornado version 51 uses HTTP and Telegram for C2
- Delivery: Weaponized WinRAR SFX observed in mid-December 2025
Infy halted C2 maintenance on January 8 during a countrywide internet outage and resumed activity by creating new command and control servers on January 26, 2026.
The actor replaced the C2 infrastructure for all tracked versions of Foudre and Tonnerre and introduced Tornado version 51, which can communicate over HTTP and via the Telegram bot API. The malware uses two methods to generate C2 domain names, combining a new domain generation algorithm with fixed names derived through blockchain data de-obfuscation.
Operators were observed delivering Tornado inside self-extracting RAR archives that contain AuthFWSnapin.dll and an installer, reg7989.dll. The installer checks for Avast antivirus, creates a scheduled task for persistence when appropriate, and executes the Tornado DLL. Samples uploaded to public analysis services originated from Germany and India in mid-December 2025.
Extracted Telegram group data included 118 files and links. Among the items was a ZIP that drops ZZ Stealer, a custom variant of StormKitty, and evidence linking a malicious PyPI package named testfiwldsd21233s to earlier ZZ Stealer distribution. A possible but weaker correlation with another Iranian actor was noted based on shared file and loader techniques.
WHY IT MATTERS
The timing of the infrastructure changes and the use of dual communication channels increase the resilience and stealth of Infy operations. The combination of a 1-day WinRAR flaw and Telegram-based exfiltration raises the risk to targeted environments and supply chain repositories.
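Because Tornado's Telegram channel rides on the public Bot API, outbound requests to api.telegram.org from workstations are one observable a defender can hunt for. The following is an added example, not code from SafeBreach or from the report, that summarises Bot API calls per internal host over constructed proxy log lines; the log field layout and the split of methods into tasking versus exfiltration are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (not taken from the SafeBreach report);
# field layout assumed: "<timestamp> <client_ip> <verb> <url> <user_agent>"
SAMPLE_PROXY_LOG = """\
2026-01-27T10:02:11Z 10.0.5.17 GET https://api.telegram.org/bot7238:AAF9xQ-example/getUpdates?offset=12 Mozilla/5.0
2026-01-27T10:02:41Z 10.0.5.17 POST https://api.telegram.org/bot7238:AAF9xQ-example/sendDocument Mozilla/5.0
2026-01-27T10:03:02Z 10.0.5.22 GET https://www.example.com/index.html Mozilla/5.0
2026-01-27T10:05:13Z 10.0.5.17 POST https://api.telegram.org/bot7238:AAF9xQ-example/sendDocument Mozilla/5.0
2026-01-27T10:07:45Z 10.0.5.31 GET https://api.telegram.org/bot9911:ZZ-other-example/getMe python-requests/2.31
"""

# Telegram Bot API URL shape: https://api.telegram.org/bot<token>/<method>
BOT_API_RE = re.compile(r"https?://api\.telegram\.org/bot(?P<token>[^/\s]+)/(?P<method>[A-Za-z]+)")

# Assumed split of Bot API methods into tasking (polling) vs. exfiltration (uploads)
TASKING_METHODS = {"getUpdates", "getMe"}
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}

def redact_token(token):
    """Keep only the numeric bot id so the secret does not land in a ticket."""
    return token.split(":", 1)[0] + ":<redacted>"

def find_bot_api_activity(log_text):
    """Summarise Telegram Bot API calls per internal host."""
    per_host = defaultdict(lambda: {"bot_ids": set(), "tasking": 0, "exfil": 0, "other": 0})
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 5:
            continue
        _ts, host, _verb, url, _ua = parts
        m = BOT_API_RE.search(url)
        if not m:
            continue  # ordinary web traffic
        entry = per_host[host]
        entry["bot_ids"].add(redact_token(m.group("token")))
        method = m.group("method")
        if method in TASKING_METHODS:
            entry["tasking"] += 1
        elif method in EXFIL_METHODS:
            entry["exfil"] += 1
        else:
            entry["other"] += 1
    return dict(per_host)

def hosts_to_triage(summary):
    """A host that both polls for tasking and uploads documents looks like a bot-driven C2 channel."""
    return sorted(h for h, e in summary.items() if e["tasking"] and e["exfil"])
```

On the constructed sample, only 10.0.5.17 both polls getUpdates and uploads via sendDocument, so it is the one host surfaced for triage; a single getMe from a scripting user agent is kept in the summary but not escalated on its own.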

