Iran's Infy APT Drops Tornado v51 After Internet Blackout
SafeBreach tracks Infy APT deploying Tornado v51 malware with blockchain-based C2 after Iran's internet blackout, confirming state sponsorship ties.
The Iranian state-sponsored group known as Infy — also tracked as Prince of Persia — deployed a new malware variant called Tornado v51 in late January after pausing operations during Iran's nationwide internet shutdown. SafeBreach researchers say the timing provides some of the strongest evidence yet that Infy operates under direct Iranian government coordination.
TL;DR
- What happened: Infy APT launched Tornado v51 with dual HTTP/Telegram C2 and blockchain-based domain generation
- Who's affected: Government entities, dissidents, and organizations in Germany, India, and historically targeted Middle Eastern countries
- Severity: High — active nation-state espionage with upgraded evasion capabilities
- Action required: Review IOCs from SafeBreach's report and monitor for WinRAR exploit delivery chains
The Blackout Connection
Here's the timeline that matters. On January 8, 2026, Iran's government imposed a sweeping internet blackout across the country. That same day, SafeBreach observed Infy's operators stop maintaining their command-and-control infrastructure — for the first time since monitoring began. The C2 servers went dark in lockstep with the country's internet.
On January 26, one day before Iranian authorities relaxed connectivity restrictions, the group spun up entirely new C2 servers. Operations resumed immediately.
That correlation isn't subtle. When your country's internet goes down and your cyber espionage operation goes down with it — and both come back online within 24 hours of each other — the state sponsorship question answers itself.
We covered Infy's initial resurgence back in December when SafeBreach first identified renewed activity after a five-year silence. This latest report represents a significant escalation in the group's capabilities.
What's New in Tornado v51
Between December 19, 2025, and February 3, 2026, Infy replaced the C2 infrastructure for all versions of its Foudre and Tonnerre malware families while simultaneously rolling out Tornado v51. The new variant introduces several technical upgrades over previous iterations.
Tornado v51 uses dual C2 channels — both traditional HTTP connections and Telegram bot integration. The Telegram channel lets operators receive commands and exfiltrate data without needing to update the malware itself, which reduces the operational footprint and makes detection harder.
The more interesting change is how Tornado generates its C2 domains. The malware employs two methods: a new domain generation algorithm (DGA) and fixed domain names derived through blockchain data de-obfuscation. The blockchain approach gives the operators flexibility to register new C2 domains without pushing malware updates to infected machines — a technique that's harder for defenders to preemptively block compared to traditional DGA patterns.
Delivery and Persistence
Infy is weaponizing WinRAR vulnerabilities — specifically CVE-2025-8088 and CVE-2025-6218 — to deliver Tornado payloads through crafted self-extracting RAR archives. The archives contain two files: AuthFWSnapin.dll (the main Tornado DLL) and reg7989.dll, an installer that checks for the presence of Avast antivirus before establishing persistence on the target system.
That Avast check is telling. It suggests Infy's operators have encountered enough targets running Avast to build specific evasion logic around it, which points to the kind of operational awareness that comes from sustained campaign experience.
SafeBreach also extracted communications from Telegram channels used by the group, revealing connections to ZZ Stealer — a first-stage infostealer that deploys StormKitty variants. Researchers noted a "weaker potential correlation" between Infy and Charming Kitten based on shared file techniques and PowerShell loaders, though the link isn't conclusive.
Why This Matters
Infy has been operating since at least 2004, making it one of the oldest known APT groups. Its primary mission has historically been surveillance of Iranian dissidents, government critics, and diplomatic targets. The group's resurgence in late 2025 after years of dormancy — and now this rapid tooling upgrade — suggests renewed operational tasking from Iranian intelligence services.
The mid-December uploads that SafeBreach observed originated from Germany and India, indicating the group's targeting scope extends well beyond the Middle East. For organizations with ties to Iranian dissident communities or diplomatic operations involving Iran, these developments warrant immediate attention.
The broader pattern of nation-state APTs adopting blockchain-based C2 infrastructure is worth tracking. It represents a shift toward more resilient, harder-to-disrupt command infrastructure that traditional domain takedowns can't easily neutralize. We've seen Chinese APT groups using similar infrastructure evasion across dozens of countries — the trend isn't limited to Iranian operators.
Recommended Mitigations
- Block known IOCs from SafeBreach's latest report in your security tooling
- Patch WinRAR to the latest version — CVE-2025-8088 and CVE-2025-6218 are actively weaponized
- Monitor Telegram API traffic from endpoints that shouldn't be communicating with Telegram
- Review DGA detection rules — the blockchain-based domain generation may evade traditional DGA detection heuristics
- Hunt for RAR-based delivery chains delivering DLL payloads in self-extracting archives
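Two of the hunts above, the Telegram Bot API check and the SFX-archive check, as an added example written for this article (not SafeBreach's code or tooling). The proxy log lines and the host allowlist are constructed; the two DLL names come from the report described above.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not real telemetry): timestamp, host, destination, URL path.
SAMPLE_PROXY_LOG = """\
2026-01-26T09:12:03Z WS-FIN-07 api.telegram.org /bot<redacted>/getUpdates
2026-01-26T09:12:10Z WS-FIN-07 api.telegram.org /bot<redacted>/sendDocument
2026-01-26T09:15:44Z WS-PR-02 api.telegram.org /bot<redacted>/getUpdates
2026-01-26T09:20:01Z WS-FIN-07 example.com /index.html
"""

# Hosts with a business reason to talk to Telegram (assumed; populate from your own inventory).
TELEGRAM_ALLOWLIST = {"WS-PR-02"}

# File names SafeBreach reported inside the Tornado v51 self-extracting archives.
TORNADO_SFX_FILES = {"authfwsnapin.dll", "reg7989.dll"}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Bot API paths look like /bot<token>/<method>; we only keep the method name.
BOT_API_RE = re.compile(r"^/bot[^/]+/(\w+)")


def telegram_bot_hosts(log_text):
    """Return {host: [bot methods]} for non-allowlisted hosts that call the Telegram Bot API."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the hunt
        _ts, host, dst, path = m.groups()
        if dst != "api.telegram.org" or host in TELEGRAM_ALLOWLIST:
            continue
        bm = BOT_API_RE.match(path)
        if bm:
            hits[host].append(bm.group(1))  # getUpdates = tasking, sendDocument = exfil
    return dict(hits)


def suspicious_sfx_archive(entries):
    """True when an archive listing contains both Tornado DLL names (case-insensitive)."""
    names = {e.rsplit("/", 1)[-1].lower() for e in entries}
    return TORNADO_SFX_FILES <= names
```

A host that polls `getUpdates` and then calls `sendDocument` with no allowlist entry is the pattern worth escalating; the archive check is meant to run over entry listings from your mail or endpoint sandbox.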