    Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends

By admin, February 7, 2026

Ravie Lakshmanan, Feb 05, 2026, Malware / Cyber Espionage

    The elusive Iranian threat group known as Infy (aka Prince of Persia) has evolved its tactics as part of efforts to hide its tracks, even as it readied new command-and-control (C2) infrastructure coinciding with the end of the widespread internet blackout the regime imposed at the start of January 2026.

    “The threat actor stopped maintaining its C2 servers on January 8 for the first time since we began monitoring their activities,” Tomer Bar, vice president of security research at SafeBreach, said in a report shared with The Hacker News.

    “This was the same day a country-wide internet shutdown was imposed by Iranian authorities in response to recent protests, which likely suggests that even government-affiliated cyber units did not have the ability or motivation to carry out malicious activities within Iran.”

    The cybersecurity company said it observed renewed activity on January 26, 2026, as the hacking crew set up new C2 servers, one day before the Iranian government relaxed internet restrictions within the country. The development is significant, not least because it offers concrete evidence that the adversary is state-sponsored and backed by Iran.

    Infy is just one of many state-sponsored hacking groups operating out of Iran that conduct espionage, sabotage, and influence operations aligned with Tehran’s strategic interests. But it’s also one of the oldest and lesser-known groups that has managed to stay under the radar, not attracting attention and operating quietly since 2004 through “laser-focused” attacks aimed at individuals for intelligence gathering.

    In a report published in December 2025, SafeBreach disclosed new tradecraft associated with the threat actor, including the use of updated versions of Foudre and Tonnerre, with the latter employing a Telegram bot likely for issuing commands and collecting data. The latest version of Tonnerre (version 50) has been codenamed Tornado.

    Continued visibility into the threat actor’s operations between December 19, 2025, and February 3, 2026, has uncovered that the attackers have taken the step of replacing the C2 infrastructure for all versions of Foudre and Tonnerre, along with introducing Tornado version 51 that uses both HTTP and Telegram for C2.

    “It uses two different methods to generate C2 domain names: first, a new DGA algorithm and then fixed names using blockchain data de-obfuscation,” Bar said. “This is a unique approach that we assume is being used to provide greater flexibility in registering C2 domain names without the need to update the Tornado version.”

There are also signs that Infy has weaponized a 1-day security flaw in WinRAR (either CVE-2025-8088 or CVE-2025-6218) to extract the Tornado payload on a compromised host. The change in attack vector is seen as a way to increase the success rate of its campaigns. The specially-crafted RAR archives were uploaded to the VirusTotal platform from Germany and India in mid-December 2025, suggesting the two countries may have been targeted.

Present within the RAR file is a self-extracting archive (SFX) that contains two files:

    • AuthFWSnapin.dll, the main Tornado version 51 DLL
    • reg7989.dll, an installer that first checks that Avast antivirus software is not installed and, if so, creates a scheduled task for persistence and executes the Tornado DLL

    Tornado establishes communication with the C2 server over HTTP to download and execute the main backdoor and harvest system information. If Telegram is chosen as the C2 method, Tornado uses the bot API to exfiltrate system data and receive more commands.
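Tornado's use of the Telegram Bot API for both exfiltration and tasking gives defenders a network-side hook: Bot API calls (`api.telegram.org/bot<token>/<method>`) from processes that are not a messenger client are worth an alert. The following detection script is an added example written for this article, not code from SafeBreach or the report; the proxy-log format and every host, process name and bot token in it are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines (not from the report): timestamp, host, process, URL.
SAMPLE_LOG = """\
2026-01-27T10:01:02Z host=WS-14 proc=Telegram.exe url=https://api.telegram.org/bot1234567890:AAExampleTokenXYZ/getUpdates
2026-01-27T10:03:11Z host=WS-14 proc=rundll32.exe url=https://api.telegram.org/bot1234567890:AAExampleTokenXYZ/sendDocument
2026-01-27T10:03:15Z host=WS-14 proc=rundll32.exe url=https://api.telegram.org/bot1234567890:AAExampleTokenXYZ/getUpdates?offset=12
2026-01-27T10:05:40Z host=WS-22 proc=chrome.exe url=https://web.telegram.org/a/
"""

LINE_RE = re.compile(r"host=(\S+) proc=(\S+) url=(\S+)")
# Bot API paths look like /bot<numeric id>:<secret>/<method>; group 2 (the secret) is never stored.
BOT_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
# Processes for which Bot API traffic is plausible in this environment (assumption; tune locally).
ALLOWED_PROCS = {"telegram.exe"}
# Real Bot API methods: uploads suggest exfiltration, getUpdates suggests polling for commands.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}
TASKING_METHODS = {"getUpdates"}

def parse_bot_call(url):
    """Return (bot_id, method) if url is a Telegram Bot API call, else None."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(parts.path)
    return (m.group(1), m.group(3)) if m else None

def detect(log_text):
    """Flag Bot API calls from unexpected processes and classify them by method."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        host, proc, url = m.groups()
        call = parse_bot_call(url)
        if call is None or proc.lower() in ALLOWED_PROCS:
            continue
        bot_id, method = call
        kind = ("exfil" if method in EXFIL_METHODS
                else "tasking" if method in TASKING_METHODS else "other")
        alerts.append({"host": host, "proc": proc, "bot_id": bot_id,
                       "method": method, "kind": kind})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The alert keeps only the numeric bot id, so the token itself (which would let anyone read the bot's traffic) never lands in the SIEM.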

    It’s worth noting that version 50 of the malware used a Telegram group named سرافراز (literally translates to “sarafraz,” meaning proudly) that featured the Telegram bot “@ttestro1bot” and a user with the handle “@ehsan8999100.” In the latest version, a different user called “@Ehsan66442” has been added in place of the latter.

    “As before, the bot member of the Telegram group still doesn’t have permissions to read the group’s chat messages,” Bar said. “On December 21, the original user @ehsan8999100 was added to a new Telegram channel named Test that had three subscribers. The goal of this channel is still unknown, but we assume it is being used for command and control over the victim’s machines.”

SafeBreach said it managed to extract all messages within the private Telegram group, enabling access to all exfiltrated Foudre and Tonnerre files since February 16, 2025, including 118 files and 14 shared links containing encoded commands sent to Tonnerre by the threat actor. An analysis of this data has led to two crucial discoveries:

    • A malicious ZIP file that drops ZZ Stealer, which loads a custom variant of the StormKitty infostealer
    • A “very strong correlation” between the ZZ Stealer attack chain and a campaign targeting the Python Package Index (PyPI) repository with a package named “testfiwldsd21233s” that’s designed to drop a previous iteration of ZZ Stealer and exfiltrate the data through the Telegram bot API
    • A “weaker potential correlation” between Infy and Charming Kitten (aka Educated Manticore) owing to the use of ZIP and Windows Shortcut (LNK) files, and a PowerShell loader technique

    “ZZ Stealer appears to be a first-stage malware (like Foudre) that first collects environmental data, screenshots, and exfiltrates all desktop files,” SafeBreach explained. “In addition, upon receiving the command ‘8==3’ from the C2 server, it will download and execute the second-stage malware also named by the threat actor as ‘8==3.'”
