gTRrgN xwVMohu

Iranian APT Targeting Networks and Critical Infrastructure Organizations

A new wave of sophisticated malware campaigns has been launched by Iranian state-sponsored threat actors, targeting critical infrastructure organizations worldwide. These threat actors, known as the “Prince of Persia” (also referred to as Infy) Advanced Persistent Threat (APT) group, had been thought to be dormant but have resurfaced with a significant overhaul of their operational security and tooling.

A recent research report released by SafeBreach Labs reveals that the group has broken a three-year silence, during which they retooled and revamped their tactics. As of September 2025, the group has been observed deploying new malware variants, Tonnerre v50 and Foudre v34, in parallel campaigns.

Active since the early 2000s, the group had seemingly vanished in 2022 following public exposure. However, new evidence confirms that they spent this period retooling and updating their tactics. The most significant shift in their approach is the abandonment of traditional File Transfer Protocol (FTP) methods for Command and Control (C2) communication.

Instead, the group has pivoted to using Telegram, a legitimate encrypted messaging platform, to evade detection. This shift to Telegram C2 has allowed the group to maintain a low profile while continuing to carry out their malicious activities.

The Shift to Telegram C2

The new Tonnerre v50 malware redirects infected machines to a Telegram group named “سرافراز” (Sarafraz), which translates to “Proudly.” SafeBreach Labs has been tracking the Prince of Persia group since 2019 and has continued to monitor their activities, even after they appeared to go dark in 2022.

Timeline of the malware development process.
Timeline of the malware development process.

The threat actors utilize a Telegram bot to issue commands and exfiltrate victim data via the Telegram API. Researchers have identified a specific user handle, @ehsan8999100, operating alongside the bot as an administrator. This user, likely one of the Iranian hackers behind the operation, was observed to be active as recently as December 14, 2025.

The use of a Persian name and consistent IP geolocation data pointing to cities like Tehran and Mashhad reinforces the attribution to Iranian state interests. Alongside the shift to Telegram, the group has updated its primary loader, Foudre v34. The infection vector has evolved from simple macro-laden documents to Microsoft Excel files containing embedded executables.

Foudre v34.
Foudre v34.

These files, such as “Notable Martyrs.zip,” are designed to bypass antivirus detection and drop the malware payload. The group is also employing complex new Domain Generation Algorithms (DGA) to maintain resilient C2 infrastructure.

  • Tonnerre v50 uses an unknown DGA generating 13-character domains ending in.privatedns.org.
  • Foudre v34 utilizes a two-step DGA process, generating 10 or 12-character domains on TLDs like.site and.ix.tc.

“Testing” vs. “Production” Infrastructure

The investigation uncovered a massive infrastructure network, distinguishing between “testing” servers used for development and “production” servers targeting real victims. Security professionals are advised to monitor network traffic for the identified DGA patterns and unusual Telegram API requests, as the “Prince of Persia” has proven they are not only active but more dangerous than before.

DGA algorithm.
DGA algorithm.

The scale of activity is significantly larger than previously estimated, with the group running multiple campaigns simultaneously. While the majority of identified victims remain Iranian dissidents, the group’s targeting of global networks and critical infrastructure demonstrates a broadened scope.

The ability to maintain “unprecedented visibility” into these operations has allowed researchers to map out the group’s C2 structure, providing defenders with critical Indicators of Compromise (IoCs) to block these emerging threats.

Related Articles

Back to top button