Threat hunters have spotted new activity linked to the Iranian threat actor Infi (aka Prince of Persia), nearly five years after the hacking group was spotted targeting victims in Sweden, the Netherlands and Türkiye.
“The scale of Prince of Persia’s activity is much more significant than we originally anticipated,” Tomer Bar, vice president of security research at SafeBreach, said in a technical brief shared with The Hacker News. “This threat group is still active, relevant, and dangerous.”
Infi is one of the oldest advanced persistent threat (APT) actors in existence, according to a report released by Palo Alto Networks Unit 42 in May 2016, which Bar co-authored with researcher Simon Conant; the report traced the group’s initial activity back to December 2004.
Unlike other Iranian groups such as Charming Kitten, MuddyWater and OilRig, the group has managed to remain elusive and has attracted little attention. Its attacks have primarily leveraged two strains of malware: a downloader named Foudre and a victim profiler that delivers a second-stage implant called Tonnerre to extract data from high-value machines. Foudre is assessed to be distributed via phishing emails.
SafeBreach’s latest findings have revealed a covert campaign that targeted victims in Iran, Iraq, Turkey, India and Canada, as well as Europe, using updated versions of Foudre (version 34) and Tonnerre (versions 12-18, 50). The latest version of Tonnerre was found in September 2025.
Attack chains to install Foudre have also seen a shift from a macro-laced Microsoft Excel file to embedding an executable within such documents. Perhaps the most notable aspect of the threat actor’s modus operandi is its use of a domain generation algorithm (DGA) to make its command-and-control (C2) infrastructure more flexible.
Additionally, the Foudre and Tonnerre artifacts are known to verify whether a C2 domain is authentic by downloading an RSA signature file, which the malware decrypts using the public key and compares with a locally stored verification file.
SafeBreach’s analysis of the C2 infrastructure also revealed a directory named “keys” that is used for C2 authentication, along with other folders for storing communication logs and exfiltrated files.
“Every day, Foudre downloads a dedicated signature file encrypted with an RSA private key by the threat actor and then uses RSA validation with an embedded public key to verify that this domain is an approved domain,” Bar said. “The format of the request is:
‘https://<domain name>/Key/<domain name>’”
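The request format described above gives defenders a concrete, low-cost hunting signal: a TLS request whose path is `/Key/` followed by the very hostname being contacted. The following is an added example (not SafeBreach’s code and not part of the original article) that scans constructed proxy-log lines for that shape and groups the matching hosts per client; the log format, client addresses and hostnames are all assumed, and the second path segment is matched case-insensitively on the assumption that the operator could vary casing.

```python
from urllib.parse import urlsplit
from collections import defaultdict

# Constructed sample proxy log lines (not real traffic). Assumed format:
# "<client_ip> <method> <url> <http_status>"
SAMPLE_LOG = """\
10.0.0.5 GET https://example-update.invalid/Key/example-update.invalid 200
10.0.0.5 GET https://cdn.example.test/assets/app.js 200
10.0.0.9 GET https://foo.example.invalid/key/foo.example.invalid 200
10.0.0.9 GET https://bar.example.invalid/Key/other.example.invalid 404
10.0.0.7 GET https://baz.example.invalid/Key/baz.example.invalid/ 200
10.0.0.5 GET https://second-update.invalid/Key/second-update.invalid 200
"""


def is_key_check_url(url: str) -> bool:
    """Return True when the URL has the shape https://<host>/Key/<host>.

    The path must consist of exactly two non-empty segments: the literal
    "Key" (compared case-insensitively, an assumption) and the request's
    own hostname. A trailing slash is tolerated.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 2:
        return False
    return (segments[0].lower() == "key"
            and segments[1].lower() == parts.hostname.lower())


def find_key_checks(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, hostname) for every log line matching the pattern."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed or truncated line; skip rather than crash
        client, url = fields[0], fields[2]
        if is_key_check_url(url):
            hits.append((client, urlsplit(url).hostname))
    return hits


def hosts_per_client(hits: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Group matched hostnames by client, preserving first-seen order.

    A single client talking to several different hosts with this exact
    request shape is the kind of pattern a rotating (DGA-generated) C2
    domain set would produce, so it is worth surfacing separately.
    """
    grouped: dict[str, list[str]] = defaultdict(list)
    for client, host in hits:
        if host not in grouped[client]:
            grouped[client].append(host)
    return dict(grouped)


if __name__ == "__main__":
    matches = find_key_checks(SAMPLE_LOG)
    for client, host in matches:
        print(f"{client} -> {host}")
    for client, hosts in hosts_per_client(matches).items():
        print(f"{client}: {len(hosts)} distinct Key-check host(s)")
```

The check deliberately requires the second segment to equal the request’s own hostname, so an unrelated `/Key/<something-else>` path (the fourth sample line) does not match; that keeps the signal tight enough to review by hand rather than drowning in generic `/Key/` hits.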
A “Downloads” directory also exists in the C2 server whose current purpose is unknown. It is suspected that it is used to download and upgrade to a new version.
On the other hand, the latest version of Tonnerre includes a mechanism to contact the Telegram group (named “سرافراز,” which means “proudly” in Persian) through the C2 server. The group has two members: a Telegram bot “@ttestro1bot” that is presumably used to issue commands and collect data, and a user with the handle “@ehsan8999100”.
Although the use of messaging apps for C2 is not unusual, what is notable is that information about Telegram groups is stored in a file called “tga.adr” within a directory called “t” in the C2 server. It’s worth noting that the download of the “tga.adr” file can only be triggered for a specific list of victim GUIDs.
Other earlier variants used in Foudre campaigns between 2017 and 2020 have also been discovered by the cybersecurity company:
- A version of Foudre disguised as Amaq News Finder, used to download and execute malware
- A new trojan called MaxSpinner, downloaded by the Foudre version 24 DLL to spy on Telegram content
- A form of malware called Deep Freeze, similar to Amaq News Finder, used to infect victims with Foudre
- An unknown malware called Rugisement
“Despite the threat of darkness in 2022, Prince of Persia threat actors have done exactly the opposite,” SafeBreach said. “Our ongoing research campaign into this prolific and elusive group has shed light on important details about their activities over the past three years, the C2 servers, and the malware variants identified.”
The revelations come as DomainTools’ ongoing analysis of the Charming Kitten leak paints a picture of a hacking group that operates like a government department, while carrying out “espionage operations with clerical precision”. The threat actor behind the Moses Staff persona has also been exposed.
“APT35, the same administrative machine that runs Tehran’s long-term credential-phishing operations, also runs the logistics that operate Moses Staff’s ransomware theater,” the company said.
“Hacktivists and government cyber-units are believed to share not only tooling and goals, but also the same accounts-payable systems. The propaganda branch and the espionage branch are two products of the same workflow: different ‘projects’ under the same internal ticketing arrangement.”