Iranian APT Infy Resurfaces with New Tornado Malware After Internet Blackout


The elusive Iranian threat group known as Infy (also tracked as Prince of Persia) has evolved its tactics and deployed new command-and-control infrastructure, resuming operations precisely when Iran’s government-imposed internet blackout ended in late January 2026.

Operational Timeline Reveals State Sponsorship

According to SafeBreach researchers, Infy’s C2 servers went offline on January 8, 2026—the same day Iran’s government imposed a nationwide internet shutdown in response to domestic protests. Activity resumed on January 26, 2026, just one day before internet restrictions were eased.

“This was the same day a country-wide internet shutdown was imposed by Iranian authorities in response to recent protests, which likely suggests that even government-affiliated cyber units did not have the ability or motivation to carry out malicious activities within Iran,” said Tomer Bar, Vice President of Security Research at SafeBreach.

This operational pattern provides concrete evidence of state sponsorship, demonstrating that Infy’s operators were directly impacted by the same infrastructure controls affecting all Iranian citizens.

New Tornado Malware Variant Deployed

Between December 2025 and February 2026, SafeBreach observed Infy deploying Tornado version 51, an evolution of their Tonnerre malware family. Key technical enhancements include:

  • Dual C2 Channels: Uses both HTTP and Telegram for command-and-control, providing redundancy
  • Novel Domain Generation: Implements a new domain generation algorithm (DGA), combined with de-obfuscation of data stored on a blockchain, to derive C2 domain names
  • Greater Operational Flexibility: The blockchain approach allows registering new C2 domains without malware updates

WinRAR Exploit Weaponized for Delivery

Infy has weaponized a 1-day vulnerability in WinRAR (CVE-2025-8088 or CVE-2025-6218) to deliver Tornado payloads. Malicious RAR archives uploaded to VirusTotal from Germany and India in mid-December 2025 suggest active targeting of these regions.

The attack chain involves:

  1. Specially-crafted RAR archive exploiting the vulnerability
  2. Self-extracting archive (SFX) containing two malicious DLLs
  3. reg7989.dll – Installer that checks for Avast antivirus and creates persistence via scheduled task
  4. AuthFWSnapin.dll – Main Tornado version 51 backdoor

Connection to ZZ Stealer Campaign

SafeBreach’s analysis of exfiltrated data from Infy’s Telegram group revealed a connection to ZZ Stealer, a custom variant of the StormKitty infostealer. Researchers also identified a correlation with a malicious PyPI package named “testfiwldsd21233s” designed to distribute an earlier ZZ Stealer iteration.

Additionally, there exists a “weaker potential correlation” between Infy and Charming Kitten (Educated Manticore) based on similar techniques involving ZIP files, Windows Shortcut (LNK) files, and PowerShell loaders.

Two Decades of Quiet Espionage

Infy stands apart from other Iranian APT groups due to its remarkably low profile since 2004. Unlike more aggressive groups like Charming Kitten or APT33, Infy conducts “laser-focused” attacks aimed at specific individuals for intelligence gathering, deliberately avoiding the broad campaigns that attract security researcher attention.

Indicators of Compromise and Recommendations

Organizations should monitor for:

  • Telegram API communications to unusual bot endpoints
  • Scheduled tasks creating persistence for unknown DLLs
  • WinRAR exploitation attempts (especially CVE-2025-8088/CVE-2025-6218)
  • Network connections to newly-registered domains with blockchain-derived names

For detailed IOCs and technical analysis, refer to SafeBreach’s full report.


Source: The Hacker News