Threat Actor: Infy (Prince of Persia)

Infy (also known as Prince of Persia) is a persistent Iranian nation-state threat actor active since at least 2007. After a period of apparent dormancy starting in 2022, the group has resurfaced in late 2025 with a sophisticated new campaign. Intelligence confirms the group has retooled its arsenal to evade modern detection, continuing its long-standing mission of surveillance and espionage aligned with Iranian state interests.

Victimology

The group’s targeting remains consistent with state-aligned espionage, focusing on high-value intelligence targets.

  • Primary Geographies: Iran, Iraq, Turkey, India, Canada, and Europe.
  • Targeted Sectors:
    • Government Entities: Espionage against foreign state agencies.
    • Dissidents: Monitoring of political opposition and activists.
    • Critical Infrastructure: Reconnaissance and potential pre-positioning.

Tactics, Techniques, and Procedures (TTPs)

1. Initial Access & Infection Chain

  • Vector: Spear-phishing emails containing malicious Microsoft Excel attachments.
  • Evolution: Unlike previous campaigns that relied solely on macros, the new campaign embeds a Self-Extracting Archive (SFX) directly within the Excel file.
  • Execution Flow:
    1. User opens the Excel file.
    2. The file drops a temporary payload named ccupdate.tmp.
    3. This payload executes the SFX archive, which deploys a malicious DLL loader (Conf8830.dll) and a decoy MP4 video file to minimize suspicion.

2. Malware Arsenal: Foudre and Tonnerre

The group continues to use its signature malware pair, now significantly upgraded.

  • Foudre (Lightning) v34:
    • Acts as the initial reconnaissance and loader implant.
    • New DGA: Implements a two-tiered Domain Generation Algorithm (DGA) to dynamically generate C2 domains, complicating takedown efforts.
    • Validation: Downloads a signature file signed with the operators’ RSA private key; the implant verifies that signature before accepting a generated domain as a genuine C2 server and requesting further commands.
  • Tonnerre (Thunder) v50:
    • Deployed as a second-stage implant for high-value targets.
    • Telegram C2: For the first time, Tonnerre uses the Telegram API for Command and Control. It communicates with a specific bot (@ttestro1bot) to receive commands and exfiltrate data, blending malicious traffic with legitimate encrypted messaging traffic.
    • Stealth: Capable of self-deletion upon receiving a specific “kill” command from the C2.

3. Infrastructure & Resilience

  • C2 Rotation: The group frequently rotates Command and Control servers across diverse top-level domains and domain suffixes such as .site, hbmc.net, and ix.tc.
  • Network Obfuscation: Traffic is often tunneled or disguised to look like standard web or messaging activity.

Indicators of Compromise (IOCs)

File Artifacts

  • Dropped Files: ccupdate.tmp, Conf8830.dll, tga.adr (Telegram configuration file).
  • Decoy: MP4 video files dropped in %TEMP% directories.

Network Indicators

  • C2 Domains:
    • *.hbmc.net
    • *.ix.tc
    • *.privatedns.org
  • Telegram Entities:
    • Bot Handle: @ttestro1bot
    • Admin Handle: @ehsan8999100

Behavioral Indicators

  • Process Execution: Excel (excel.exe) spawning unexpected child processes or dropping DLLs into the %TEMP% folder.
  • Network: Unexpected HTTPS traffic to Telegram API endpoints (api.telegram.org) from non-user workstations or servers.
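The file, network and behavioral indicators above can be turned into a small detection sweep. The following is an added example, not code from the original profile or from any vendor: it runs the listed IOCs and behavioral rules over constructed Sysmon-style events. The event schema, the host "role" tag and the Excel child-process allowlist are assumptions; the indicator values (file names, domain patterns, api.telegram.org) come from the profile.

```python
"""Detection sweep for the Infy file, network and behavioral indicators.

Added example, not part of the original profile. Event fields ("type", "host",
"role", "parent", "image", "path", "query", "dest_host") are an assumed
Sysmon-like schema; the indicator values are taken from the profile.
"""
from fnmatch import fnmatchcase
import ntpath

# Indicators taken from the profile.
DROPPED_FILES = {"ccupdate.tmp", "conf8830.dll", "tga.adr"}
C2_DOMAIN_PATTERNS = ("*.hbmc.net", "*.ix.tc", "*.privatedns.org")
TELEGRAM_API = "api.telegram.org"

# Assumption: Excel children considered benign in this environment (tune per site).
EXCEL_CHILD_ALLOWLIST = {"splwow64.exe"}

# Constructed sample telemetry (not from a real incident).
EVENTS = [
    {"type": "process", "host": "ws-042", "role": "workstation", "parent": "EXCEL.EXE",
     "image": r"C:\Users\a\AppData\Local\Temp\ccupdate.tmp"},
    {"type": "file", "host": "ws-042", "role": "workstation", "image": "EXCEL.EXE",
     "path": r"C:\Users\a\AppData\Local\Temp\Conf8830.dll"},
    {"type": "file", "host": "ws-042", "role": "workstation", "image": "EXCEL.EXE",
     "path": r"C:\Users\a\AppData\Local\Temp\decoy.mp4"},
    {"type": "dns", "host": "ws-042", "role": "workstation", "query": "abc123.hbmc.net"},
    {"type": "net", "host": "srv-db-01", "role": "server", "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "net", "host": "ws-017", "role": "workstation", "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "process", "host": "ws-017", "role": "workstation", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
]


def _base(path):
    """Lower-cased file name from a Windows path."""
    return ntpath.basename(path).lower()


def _in_temp(path):
    """True when the path has a Temp component (per-user or system Temp directory)."""
    parts = [p.lower() for p in path.replace("/", "\\").split("\\")]
    return "temp" in parts


def rule_known_artifact(ev):
    """File Artifacts: a file written or executed carries a listed Infy name."""
    if ev["type"] not in ("file", "process"):
        return None
    target = ev.get("path") if ev["type"] == "file" else ev.get("image", "")
    name = _base(target)
    return f"known Infy artifact {name}" if name in DROPPED_FILES else None


def rule_excel_child(ev):
    """Behavioral: excel.exe spawning an unexpected child process."""
    if ev["type"] != "process" or ev.get("parent", "").lower() != "excel.exe":
        return None
    child = _base(ev["image"])
    return None if child in EXCEL_CHILD_ALLOWLIST else f"excel.exe spawned {child}"


def rule_excel_drop_temp(ev):
    """Behavioral: excel.exe dropping a DLL or .tmp payload into a Temp directory."""
    if ev["type"] != "file" or ev.get("image", "").lower() != "excel.exe":
        return None
    if _in_temp(ev["path"]) and _base(ev["path"]).endswith((".dll", ".tmp")):
        return f"excel.exe wrote {_base(ev['path'])} into a Temp directory"
    return None


def rule_c2_domain(ev):
    """Network Indicators: DNS query matching a listed C2 domain pattern."""
    if ev["type"] != "dns":
        return None
    query = ev["query"].lower()
    for pattern in C2_DOMAIN_PATTERNS:
        if fnmatchcase(query, pattern):
            return f"DNS query {query} matches C2 pattern {pattern}"
    return None


def rule_telegram_from_server(ev):
    """Behavioral: Telegram API traffic from a host that is not a user workstation."""
    if ev["type"] != "net" or ev.get("dest_host", "").lower() != TELEGRAM_API:
        return None
    if ev.get("role") == "workstation":
        return None  # user machines may legitimately reach Telegram; not an alert alone
    return f"{ev['role']} host contacted {TELEGRAM_API}:{ev.get('dest_port')}"


RULES = (rule_known_artifact, rule_excel_child, rule_excel_drop_temp,
         rule_c2_domain, rule_telegram_from_server)


def sweep(events):
    """Run every rule over every event; return (host, rule name, detail) tuples."""
    findings = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append((ev["host"], rule.__name__, detail))
    return findings


if __name__ == "__main__":
    for host, rule, detail in sweep(EVENTS):
        print(f"[{host}] {rule}: {detail}")
```

On the constructed events the sweep raises six findings, all on ws-042 and srv-db-01: the ccupdate.tmp execution trips both the artifact rule and the Excel child-process rule, the Conf8830.dll write trips the artifact rule and the Temp-drop rule, the hbmc.net lookup trips the domain rule, and the server-side Telegram connection trips the last rule. The MP4 decoy and the workstation's Telegram traffic produce nothing on their own, which matches the profile's framing of those indicators as context rather than standalone alerts.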