Threat hunters have identified renewed activity by an Iranian threat actor known as Infy, or Prince of Persia, nearly five years after earlier operations against targets in Sweden, the Netherlands and Turkey. Tomer Bar, vice president of security research at SafeBreach, said the group remains active and dangerous, and a Palo Alto Networks Unit 42 report traces its activity back to December 2004.
Researchers say the group has long relied on two main malware families: Foudre, described as a downloader and victim profiler, and Tonnerre, a second-stage implant used to extract data from high-value machines. Foudre is assessed to be distributed via phishing emails.
SafeBreach’s latest analysis uncovered a covert campaign that targeted victims in Iran, Iraq, Turkey, India and Canada as well as in Europe, using updated versions of Foudre (version 34) and multiple Tonnerre variants (versions 12–18 and 50). The most recent Tonnerre sample was detected in September 2025, and investigators observed a shift from macro-laced Microsoft Excel files to executables embedded within documents to install Foudre.
Investigators noted the actor uses a domain generation algorithm (DGA) to make its command-and-control infrastructure more resilient to takedown. Foudre and Tonnerre samples validate a candidate C2 domain by downloading an RSA signature file from it, checking that signature with a public key embedded in the malware, and comparing the result with a locally stored validation file; a domain that fails this check is not used. Analysts found a C2 directory named “key” used for this validation, other folders for communication logs and exfiltrated files, and a separate “download” directory whose precise role is unclear.
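The signature check above is what lets the operator register any DGA-generated name while keeping a defender from sinkholing one and being accepted as the C2. It is also the check a threat hunter can reproduce when triaging which registered candidates are actor-controlled, using the public key extracted from a sample. The Go program below is an added illustration, not SafeBreach's or the malware's code: the key pair, the validation-file contents and the candidate domain names are all constructed for the demo, and the real DGA, file formats and signature scheme are not public, so PKCS#1 v1.5 over SHA-256 via Go's standard library is an assumption standing in for whatever Foudre actually uses.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Candidate is one DGA-generated domain under triage, together with the
// signature file it served (nil when the domain answered with nothing usable).
type Candidate struct {
	Domain    string
	Signature []byte
}

// localValidation stands in for the validation file the implant keeps locally.
// Constructed placeholder: the real file's contents are not public.
var localValidation = []byte("constructed-validation-file-contents")

// IsValidatedC2 applies the check described in the article: the signature fetched
// from the candidate must verify, under the public key carried by the sample, over
// the locally stored validation file. No file, wrong key or a tampered signature
// all fail. (PKCS#1 v1.5 / SHA-256 is an assumption for the demo.)
func IsValidatedC2(pub *rsa.PublicKey, local, sig []byte) bool {
	if pub == nil || len(sig) == 0 {
		return false
	}
	digest := sha256.Sum256(local)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// TriageCandidates returns, in input order, the domains that pass the check.
func TriageCandidates(pub *rsa.PublicKey, local []byte, cands []Candidate) []string {
	var accepted []string
	for _, c := range cands {
		if IsValidatedC2(pub, local, c.Signature) {
			accepted = append(accepted, c.Domain)
		}
	}
	return accepted
}

// signValidation models the operator side: only the private-key holder can
// produce a signature the implant accepts. Used here only to build fixtures.
func signValidation(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// DemoTriage builds a throwaway key pair and four constructed candidates, runs
// the triage, and returns the accepted domains so the result can be checked.
func DemoTriage() ([]string, error) {
	operatorKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	// A second key models a sinkhole that signs the same file with a key of its own.
	strangerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	good, err := signValidation(operatorKey, localValidation)
	if err != nil {
		return nil, err
	}
	wrongKey, err := signValidation(strangerKey, localValidation)
	if err != nil {
		return nil, err
	}
	// A signature with one bit flipped, as if the file were corrupted in transit.
	tampered := append([]byte(nil), good...)
	tampered[len(tampered)-1] ^= 0x01

	// All domain names below are constructed examples, not real infrastructure.
	cands := []Candidate{
		{Domain: "dga-candidate-a.example", Signature: good},     // operator-controlled
		{Domain: "dga-candidate-b.example", Signature: nil},      // registered by someone else, no key file
		{Domain: "dga-candidate-c.example", Signature: wrongKey}, // sinkhole signing with its own key
		{Domain: "dga-candidate-d.example", Signature: tampered}, // corrupted signature
	}
	return TriageCandidates(&operatorKey.PublicKey, localValidation, cands), nil
}

func main() {
	accepted, err := DemoTriage()
	if err != nil {
		panic(err)
	}
	fmt.Println("actor-validated candidates:", accepted)
}
```

Only the first candidate is accepted. The practical consequence for defenders is twofold: blocking or sinkholing the DGA output still denies the implant its C2, since an unsigned or foreign-signed domain is ignored, but impersonating the C2 to interact with infected hosts is not possible without the operator's private key; conversely, any registered candidate that serves a signature verifying under the extracted public key can be attributed to the actor with confidence.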
The latest Tonnerre builds include a mechanism that can contact a Telegram group named “سرافراز” (“proudly” in Persian) via the C2 server. The group is listed as having two members: a Telegram bot [@ttestro1bot] and a user [@ehsan8999100]. Details about the Telegram group are stored in a file named “tga.adr” on the C2 server, and the download of that file appears to be triggered only for a specific list of victim GUIDs.
SafeBreach also documented older variants used in Foudre campaigns between 2017 and 2020, including samples masquerading as Amaq News Finder, a trojan named MaxPinner used to monitor Telegram content, a Deep Freeze variant and an unknown sample called Rugissement. DomainTools’ continued analysis of leaked materials has portrayed other Iranian operations as tightly managed; the company said some operations resemble government departments in structure and logistics.