Iranian Infy APT Resurfaces After Five Years with Telegram-Based C2
SafeBreach uncovers new Prince of Persia campaign using updated Foudre and Tonnerre malware, now leveraging Telegram for command and control.
Researchers at SafeBreach have identified renewed activity from the Iranian threat actor known as Infy, also tracked as Prince of Persia. The group, one of the oldest APTs in existence with operations dating back to 2004, had been largely dormant since 2020. New campaigns observed between August and December 2025 show the actors deploying updated malware with enhanced evasion capabilities and a new Telegram-based command and control channel.
TL;DR
- What happened: Iranian APT Infy has resumed operations after five years of silence, deploying updated versions of Foudre and Tonnerre malware
- Who's affected: Government entities, dissidents, and critical infrastructure in Iran, Iraq, Turkey, India, Canada, and Europe
- Severity: High - State-sponsored espionage operation with advanced persistence capabilities
- Action required: Organizations in affected regions should review IOCs and monitor for the described TTPs
What is Infy (Prince of Persia)?
Infy ranks among the oldest known APT groups, with evidence of early activity traced to December 2004. That puts it in the same era as Turla and APT1. The group has historically targeted Iranian dissidents, government critics, and diplomatic entities, with operations aligned with Iranian state interests.
After Palo Alto's Unit 42 exposed and disrupted the group's infrastructure in 2016, Infy went quiet. The group resurfaced briefly around 2017-2020 before going dark again. This latest campaign marks their return with significantly updated tooling.
How Does the New Campaign Work?
The attack chain starts with Microsoft Excel files containing embedded executables. Earlier Infy campaigns relied on macro-based attacks, but the group has shifted tactics to embed executables directly within documents. When victims open these files, the malware installs Foudre, a downloader and victim profiling tool.
Foudre collects information about the infected system and determines whether the target is valuable enough to warrant further action. For high-value targets, it downloads Tonnerre, a second-stage implant designed for long-term data exfiltration.
SafeBreach identified Foudre version 34 and Tonnerre versions 12 through 18, as well as Tonnerre version 50, the most recent variant, detected in September 2025.
What's New with Tonnerre?
The most significant change appears in Tonnerre v50, which introduces Telegram as a command and control mechanism. For the first time since 2016, the malware redirects C2 communications through a Telegram group, using the Telegram API to send commands and receive exfiltrated data.
This shift away from FTP-based C2 makes the malware harder to detect. Telegram traffic blends with legitimate messaging app usage, and the platform's encryption makes content inspection difficult.
Researchers identified a specific Telegram user handle, @ehsan8999100, operating as an administrator alongside the bot. This user was active as recently as December 14, 2025. The Persian name and IP geolocation data pointing to Tehran and Mashhad reinforce the attribution to Iranian state interests.
What Makes This Malware Difficult to Detect?
Infy employs multiple layers of protection to evade security tools:
Domain Generation Algorithm (DGA): Foudre generates 100 candidate C2 domain names each week using a DGA. The malware contacts the domains sequentially and downloads signature files produced with the attacker's private key. Only domains whose signature files validate against the embedded public key become active C2 servers, which makes takedowns harder to execute.
RSA Signature Verification: The malware includes a public key and verifies C2 server authenticity before establishing connections. This prevents researchers from easily setting up sinkhole servers to monitor or disrupt the operation.
Self-Deletion Capability: Tonnerre can delete itself upon receiving specific commands, reducing forensic artifacts available to incident responders.
Evasion of AV Detection: SafeBreach reports that most antivirus engines fail to detect the embedded executables as of December 2025. The malware's compilation and packing techniques appear designed to evade static analysis.
Who Are the Targets?
The campaign has targeted victims across multiple regions:
- Iran (domestic surveillance of dissidents)
- Iraq
- Turkey
- India
- Canada
- Various European countries
Target profiles include government entities, telecommunications organizations, and individuals connected to dissident movements. The geographic spread and target selection align with Iran's historical intelligence priorities.
Why This Matters
Prince of Persia's return demonstrates that even long-dormant threat actors can resume operations with updated capabilities. The five-year gap gave the group time to develop new evasion techniques and modernize their C2 infrastructure.
The shift to Telegram-based C2 is particularly concerning. Threat actors increasingly abuse legitimate platforms for command and control, making network-based detection more difficult. Organizations can't simply block Telegram without disrupting legitimate business communications.
For organizations in the affected regions—particularly those with connections to Iranian politics, diplomatic relations, or dissident communities—this campaign warrants immediate attention.
Frequently Asked Questions
Is my organization likely to be targeted by Infy?
Infy primarily targets government entities, diplomatic missions, telecommunications companies, and individuals involved in Iranian dissident movements. If your organization operates in the Middle East, South Asia, or has connections to Iranian affairs, you face elevated risk.
What should I do first?
Review SafeBreach's published indicators of compromise and search for evidence of the Foudre or Tonnerre malware in your environment. Pay particular attention to unusual Excel files with embedded executables and Telegram API traffic from unexpected systems.
How can I detect Telegram-based C2 activity?
Monitor for Telegram API connections from systems that shouldn't be using the platform. Server infrastructure, specialized workstations, and systems in sensitive network segments making Telegram connections warrant investigation.
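As an added illustration of the check described above (example code written for this article, not SafeBreach's tooling or the report's own detection logic), the script below scans constructed proxy log lines for Telegram Bot API calls coming from network segments where no Telegram use is expected. The log format, the subnets and the hosts are all assumptions; the Bot API path shape (`/bot<token>/<method>`) is Telegram's documented URL layout.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log lines: "<timestamp> <client_ip> <verb> <url> <status>".
# The bot token is replaced by a placeholder; every host and subnet here is invented.
SAMPLE_PROXY_LOG = """\
2025-12-10T09:14:02Z 10.20.1.15 POST https://api.telegram.org/botPLACEHOLDER_TOKEN/sendMessage 200
2025-12-10T09:14:05Z 10.50.3.7 GET https://api.telegram.org/botPLACEHOLDER_TOKEN/getUpdates 200
2025-12-10T09:15:11Z 10.50.3.7 POST https://api.telegram.org/botPLACEHOLDER_TOKEN/sendDocument 200
2025-12-10T09:16:40Z 10.20.1.22 GET https://web.telegram.org/ 200
2025-12-10T09:17:03Z 10.60.0.9 GET https://api.telegram.org/botPLACEHOLDER_TOKEN/getUpdates 200
2025-12-10T09:18:27Z 10.50.3.7 GET https://www.example.org/ 200
"""

# Assumed segments (servers, sensitive workstations) where Telegram traffic is unexpected.
RESTRICTED_SEGMENTS = {
    "servers": ipaddress.ip_network("10.50.0.0/16"),
    "sensitive": ipaddress.ip_network("10.60.0.0/16"),
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
BOT_API_RE = re.compile(r"^/bot[^/]+/([A-Za-z]+)")  # Bot API path: /bot<token>/<method>


def segment_for(ip_text, segments=RESTRICTED_SEGMENTS):
    """Return the restricted segment name containing ip_text, or None if unrestricted."""
    ip = ipaddress.ip_address(ip_text)
    return next((name for name, net in segments.items() if ip in net), None)


def find_unexpected_telegram_api(log_text, segments=RESTRICTED_SEGMENTS):
    """Flag Telegram Bot API calls whose source sits in a restricted segment."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        ts, src, _verb, url, _status = m.groups()
        parts = urlsplit(url)
        if parts.hostname != "api.telegram.org":
            continue  # only the Bot API endpoint is of interest here
        segment = segment_for(src, segments)
        if segment is None:
            continue  # ordinary user workstations may legitimately use Telegram
        api = BOT_API_RE.match(parts.path)
        alerts.append({"ts": ts, "src": src, "segment": segment,
                       "api_method": api.group(1) if api else None})
    return alerts


def methods_by_host(alerts):
    """Group flagged Bot API methods per host; sendDocument on a server means an upload."""
    grouped = defaultdict(set)
    for a in alerts:
        grouped[a["src"]].add(a["api_method"])
    return {host: sorted(m) for host, m in grouped.items()}
```

Feeding real proxy or DNS logs into this needs only a different `LINE_RE`; the triage value is in the per-host method list, where polling (`getUpdates`) combined with uploads (`sendDocument`) from a server is worth an immediate look.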