Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence
These articles are AI-generated summaries. Please check the original sources for full details.
The Iranian threat actor known as Infy (aka Prince of Persia) has resumed operations after nearly five years of dormancy, utilizing updated versions of its Foudre and Tonnerre malware to target victims in multiple countries. SafeBreach researchers identified the group’s latest campaign, which began in September 2025, demonstrating the actor remains active and dangerous.
Why This Matters
Nation-state actors pose a significant threat due to their persistent and sophisticated tactics, often bypassing conventional security measures. The cost of a successful compromise by an APT group can range from intellectual property theft valued in the millions to critical infrastructure disruption, highlighting the need for proactive threat hunting and robust defenses. Ideal security models assume rapid detection and containment; however, APTs like Infy specialize in long-term, stealthy surveillance, making detection extremely challenging.
Key Insights
- Infy’s history dates back to 2004: Evidence of the group’s activity was first observed in December 2004 (Palo Alto Networks Unit 42, 2016).
- DGAs for C2 resilience: Infy employs Domain Generation Algorithms (DGAs) to create a resilient command-and-control (C2) infrastructure, making it difficult to disrupt communications.
- Telegram integration: The latest Tonnerre version leverages a Telegram group for command issuance and data collection, demonstrating adaptation to readily available communication platforms.
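A defender-side heuristic for the DGA point above, added here as an example that is not from the article or the SafeBreach research: it scores the second-level label of each name in a constructed DNS query log by Shannon entropy, vowel ratio and digit ratio, and flags labels that look machine-generated. The log format, the sample names and the thresholds are assumptions to be tuned against a baseline of normal traffic.

```python
import math
from collections import Counter

# Constructed sample DNS query log (not real Infy indicators); format: "<ts> <client> <qname>"
SAMPLE_DNS_LOG = """\
2025-09-14T08:01:02Z 10.0.0.12 www.example.com
2025-09-14T08:01:05Z 10.0.0.12 xq7zk3vd9mwp1rt.net
2025-09-14T08:01:09Z 10.0.0.12 mail.example.org
2025-09-14T08:01:11Z 10.0.0.12 b8h2kq0zp4lmvx6w.com
2025-09-14T08:02:30Z 10.0.0.15 longlegitimatecompanyname.com
2025-09-14T08:02:35Z 10.0.0.15 zzj4r9qvx1kphw3n.org
"""

VOWELS = set("aeiou")

def shannon_entropy(s):
    """Bits of entropy per character of the label."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def sld_label(qname):
    """Second-level label; naive split that assumes a single-label public suffix."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def label_features(label):
    """Entropy, vowel ratio over letters, and digit ratio over all characters."""
    entropy = shannon_entropy(label)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    return entropy, vowel_ratio, digit_ratio

def is_dga_like(label, min_len=12, min_entropy=3.3, max_vowel_ratio=0.25, min_digit_ratio=0.2):
    """Thresholds are assumptions: long, high-entropy labels that are vowel-poor or digit-heavy."""
    if len(label) < min_len:
        return False
    entropy, vowel_ratio, digit_ratio = label_features(label)
    return entropy >= min_entropy and (vowel_ratio <= max_vowel_ratio or digit_ratio >= min_digit_ratio)

def flag_dga_queries(log_text):
    """Return (client, qname) pairs whose second-level label scores as DGA-like."""
    flagged = []
    for line in log_text.splitlines():
        _ts, client, qname = line.split()
        if is_dga_like(sld_label(qname)):
            flagged.append((client, qname))
    return flagged
```

The long pronounceable label is deliberately kept unflagged to show that length alone is not the signal; a positive hit is a hunting lead to correlate with process and network context, not a verdict.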
Working Example
# Example of RSA signature verification (conceptual - actual implementation is within the malware)
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding

# Assume 'signature' is the downloaded RSA signature file content (bytes)
# Assume 'public_key' is the embedded public key (an RSAPublicKey object)
# Assume 'data' is the locally stored validation file content (bytes)
# The padding scheme and hash below are assumptions; the article does not state which the malware uses
def verify_validation_file(public_key, data, signature):
    try:
        public_key.verify(
            signature,
            data,
            padding.PKCS1v15(),
            hashes.SHA256(),
        )
        print("Signature is valid.")
        return True
    except InvalidSignature as e:
        print(f"Signature verification failed: {e}")
        return False
Practical Applications
- Use Case: Iranian intelligence agencies utilize Infy to conduct targeted surveillance of dissidents and academics, gathering intelligence on political and social movements.
- Pitfall: Relying solely on signature-based detection is ineffective against APTs like Infy, which regularly update their malware and employ techniques to evade traditional security controls.