
"Threat hunters have discerned new activity associated with an Iranian threat actor known as Infy (aka Prince of Persia), nearly five years after the hacking group was observed targeting victims in Sweden, the Netherlands, and Turkey. "The scale of Prince of Persia's activity is more significant than we originally anticipated," Tomer Bar, vice president of security research at SafeBreach, said in a technical breakdown shared with The Hacker News. "This threat group is still active, relevant, and dangerous." Infy is one of the oldest advanced persistent threat (APT) actors in existence, with evidence of early activity dating all the way back to December 2004, according to a report released by Palo Alto Networks Unit 42 in May 2016 that was also authored by Bar, along with researcher Simon Conant."
"The group has also managed to remain elusive, attracting little attention, unlike other Iranian groups such as Charming Kitten, MuddyWater, and OilRig. Attacks mounted by the group have prominently leveraged two strains of malware: a downloader and victim profiler named Foudre that delivers a second-stage implant called Tonnerre to extract data from high-value machines. It's assessed that Foudre is distributed via phishing emails."
"The latest findings from SafeBreach have uncovered a covert campaign that has targeted victims across Iran, Iraq, Turkey, India, and Canada, as well as Europe, using updated versions of Foudre (version 34) and Tonnerre (versions 12-18, 50). The latest version of Tonnerre was detected in September 2025. The attack chains have also witnessed a shift from a macro-laced Microsoft Excel file to embedding an executable within such documents to install Foudre."
Threat hunters discerned renewed activity by Iranian APT Infy (Prince of Persia) nearly five years after earlier targeting in Sweden, the Netherlands, and Turkey. The group's activity exceeds prior expectations and remains dangerous. Infy traces back to at least December 2004 and has stayed relatively low-profile compared to other Iranian actors. The actor uses Foudre, a downloader and victim profiler, to deploy Tonnerre implants for data extraction. Recent campaigns used Foudre v34 and Tonnerre v12-18 and v50 across Iran, Iraq, Turkey, India, Canada, and Europe, with the latest Tonnerre seen in September 2025. Attackers shifted from macro-laced Excel to embedding executables in documents and employ a domain generation algorithm to harden C2 infrastructure, while malware artifacts validate C2 authenticity.
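The delivery shift described above (from a macro-laced Excel file to an executable embedded in the document) is something a mail gateway or triage script can check for without running the document. The Python below is an added example written for this summary; it is not SafeBreach's, The Hacker News', or the malware authors' code, and it has no connection to the real Foudre samples. It opens an OOXML file as the zip archive it is, flags a `vbaProject.bin` part (macro) and any part under `embeddings/` whose decompressed bytes carry a PE DOS stub (embedded executable), and returns a triage verdict. The sample workbooks are constructed in memory; the PE check is a substring heuristic, so a production rule would parse the OLE container properly (for example with oletools) rather than rely on it alone.

```python
"""Triage an OOXML document (xlsx/xlsm/docx) for macro parts and embedded
executables. Added example; the sample documents are constructed here
and are not real malware samples."""
import io
import zipfile

# Two markers that appear in virtually every Windows PE image.
MZ_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"
OLE2_HEADER = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file signature


def build_sample(macro: bool = False, embedded_pe: bool = False) -> bytes:
    """Constructed minimal OOXML zip used only to exercise the triage logic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if macro:
            # A macro-enabled workbook stores its VBA project as an OLE2 blob.
            z.writestr("xl/vbaProject.bin", OLE2_HEADER + b"\x00" * 64)
        if embedded_pe:
            # An OLE "package" object wrapping a PE image: the DOS stub text
            # survives inside the compound file and is what we key on.
            payload = OLE2_HEADER + b"\x00" * 16 + MZ_MAGIC + b"\x90" * 40 + DOS_STUB
            z.writestr("xl/embeddings/oleObject1.bin", payload)
    return buf.getvalue()


def triage_ooxml(data: bytes) -> dict:
    """Return the indicators a triage rule would act on."""
    result = {"is_ooxml": False, "has_vba": False, "embeddings": [], "embedded_pe": []}
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a zip container at all (legacy .xls, PDF, ...)
    with z:
        names = z.namelist()
        result["is_ooxml"] = "[Content_Types].xml" in names
        for name in names:
            low = name.lower()
            if low.endswith("vbaproject.bin"):
                result["has_vba"] = True
            if "/embeddings/" in low:
                result["embeddings"].append(name)
                blob = z.read(name)  # decompressed part contents
                # Heuristic: both PE markers present -> likely embedded executable.
                if MZ_MAGIC in blob and DOS_STUB in blob:
                    result["embedded_pe"].append(name)
    return result


def verdict(info: dict) -> str:
    """Collapse the indicators into a single label for a gateway rule."""
    if not info["is_ooxml"]:
        return "not-ooxml"
    if info["embedded_pe"]:
        return "suspicious: embedded executable"
    if info["has_vba"]:
        return "suspicious: vba macro"
    if info["embeddings"]:
        return "review: embedded object"
    return "clean"


if __name__ == "__main__":
    for label, doc in [("plain", build_sample()),
                       ("macro", build_sample(macro=True)),
                       ("embedded-exe", build_sample(embedded_pe=True))]:
        print(f"{label:13s} -> {verdict(triage_ooxml(doc))}")
```

Blocking on the "embedded executable" verdict catches the newer delivery method, while the macro verdict still covers the older one; an embedded object that is not a PE (a PDF or another workbook) lands in the "review" bucket rather than being dropped outright.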
Read at The Hacker News