Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends
Briefly
"The threat actor stopped maintaining its C2 servers on January 8 for the first time since we began monitoring their activities," Tomer Bar, vice president of security research at SafeBreach, said in a report shared with The Hacker News. "This was the same day a country-wide internet shutdown was imposed by Iranian authorities in response to recent protests, which likely suggests that even government-affiliated cyber units did not have the ability or motivation to carry out malicious activities within Iran." The cybersecurity company said it observed renewed activity on January 26, 2026, as the hacking crew set up new C2 servers, one day before the Iranian government relaxed internet restrictions within the country. The development is significant, not least because it offers concrete evidence that the adversary is state-sponsored and backed by Iran.
"Infy is just one of many state-sponsored hacking groups operating out of Iran that conduct espionage, sabotage, and influence operations aligned with Tehran's strategic interests. But it's also one of the oldest and lesser-known groups that has managed to stay under the radar, not attracting attention and operating quietly since 2004 through 'laser-focused' attacks aimed at individuals for intelligence gathering."
"In a report published in December 2025, SafeBreach disclosed new tradecraft associated with the threat actor, including the use of updated versions of Foudre and Tonnerre, with the latter employing a Telegram bot likely for issuing commands and collecting data. The latest version of Tonnerre (version 50) has been codenamed Tornado."
Infy (aka Prince of Persia) is an Iranian state-backed threat group whose C2 activity paused during a nationwide internet shutdown. The group stopped maintaining its C2 servers on January 8 and then set up new C2 infrastructure on January 26, 2026, one day before internet restrictions eased. Infy has operated quietly since 2004, conducting targeted intelligence-gathering attacks. Updated tradecraft includes new versions of Foudre and Tonnerre, with Tonnerre using a Telegram bot for command issuance and data collection; Tonnerre version 50 is codenamed Tornado.
Read at The Hacker News