
Iranian Infy APT Resurfaces with New Malware Activity Targeting Various Sectors

  • Dec 21, 2025

Key Findings


  • Iranian APT group Infy (aka Prince of Persia) has resurfaced with new malware campaigns after nearly 5 years of dormancy

  • The scale of Infy's current activity is significantly larger than previously assessed

  • The group has targeted victims across Iran, Iraq, Turkey, India, Canada, and parts of Europe

  • Infy's malware arsenal includes updated versions of the Foudre downloader and Tonnerre implant

  • Attack chains have evolved from documents carrying malicious macros to Office files with an embedded executable that the victim is lured into opening

  • Infy leverages a domain generation algorithm (DGA) together with RSA signature validation of the data served by the generated domains, so that a candidate domain registered or sinkholed by someone without the operators' private key is rejected by the implant and the C2 infrastructure survives takedowns

  • Tonnerre now includes a mechanism to communicate with a Telegram group for C2 purposes


Background


  • Infy is one of the oldest known advanced persistent threat (APT) groups, with evidence of activity dating back to December 2004

  • The group has historically used two main malware strains - the Foudre downloader and the Tonnerre second-stage implant

  • Infy has managed to remain relatively elusive compared to other prominent Iranian threat actors like Charming Kitten, MuddyWater, and OilRig


Malware Evolution


  • Foudre (now at version 34) and Tonnerre (versions 12 through 18, and version 50) have been updated with new capabilities

  • Attack chains have shifted from documents carrying malicious macros to Office files with an executable embedded as an object, a change that sidesteps macro-blocking policies but leaves the executable inside the document container

  • Infy leverages a DGA to derive candidate C2 domains and checks an RSA signature on what those domains serve before trusting them; only domains whose records were signed with the operators' private key are used, which blunts sinkholing and domain hijacking

  • Tonnerre now includes a mechanism to communicate with a Telegram group for additional C2 functionality
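
The shift from macros to embedded executables means the payload is sitting in the OOXML zip container, so a triage script can find it without executing anything. The following is an added example written for this page, not code from Infy or from the original post: it opens a docx/xlsx/pptx as a zip, flags a VBA project, and scans every non-XML part for a DOS stub whose e_lfanew field points at a `PE\0\0` signature, which catches an executable packaged inside an OLE object. The sample documents it builds are constructed in memory and the "PE" inside them is a minimal header, not a real program.

```python
import io
import struct
import zipfile

PE_MAGIC = b"PE\0\0"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary header


def find_pe_offsets(blob: bytes) -> list:
    """Offsets of every plausible PE image inside blob: an 'MZ' stub whose
    e_lfanew (uint32 at +0x3C) points at a 'PE\\0\\0' signature.
    Searching the whole part, not just its start, matters because an
    embedded object wraps the executable in an OLE container."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and blob[pe_off:pe_off + 4] == PE_MAGIC:
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def scan_office_zip(data: bytes) -> dict:
    """Inspect an OOXML container. Reports parts carrying a VBA project and
    parts carrying an embedded PE, wherever inside the part it sits."""
    findings = {"macros": [], "embedded_pe": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                findings["macros"].append(name)
            if lower.endswith((".xml", ".rels")):
                continue                      # text parts: nothing to carve
            offsets = find_pe_offsets(zf.read(name))
            if offsets:
                findings["embedded_pe"].append((name, offsets))
    return findings


def _fake_pe() -> bytes:
    """Constructed DOS stub + PE signature for the sample; not runnable code."""
    e_lfanew = 0x80
    stub = bytearray(b"MZ" + b"\0" * (0x3C - 2))     # pad up to e_lfanew field
    stub += struct.pack("<I", e_lfanew)
    stub += b"\0" * (e_lfanew - len(stub))           # pad up to the PE header
    return bytes(stub) + PE_MAGIC + b"\x4c\x01" + b"\0" * 32


def build_sample_docx(embed_pe: bool, with_macro: bool = False) -> bytes:
    """Constructed minimal docx-like zip (assumed layout, for the demo only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\0" * 64)
        if embed_pe:
            # OLE container header, padding, then the packaged executable
            zf.writestr("word/embeddings/oleObject1.bin",
                        OLE_MAGIC + b"\0" * 0x1F8 + _fake_pe())
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_office_zip(build_sample_docx(embed_pe=True)))
    print(scan_office_zip(build_sample_docx(embed_pe=False, with_macro=True)))
```

On a real sample, run `scan_office_zip(open(path, "rb").read())`; an entry under `embeddings/` that contains a PE is the indicator to pivot on, and the offset lets you carve the executable out for hashing and sandboxing.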

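The DGA-plus-signature pattern above is what makes sinkholing ineffective: a defender can predict and register the candidate domains, but cannot produce a record the implant will accept. The following added example (written for this page; it is not Foudre's algorithm, seed, key or record format, all of which are assumed here) shows both halves of that exchange. The operator signs `domain|ip` with an RSA private key and publishes it as if in a DNS record; the implant derives the day's candidates, looks each one up, and only takes the first one whose signature verifies. The RSA here is textbook with a 40-bit modulus so the arithmetic fits in a few lines; it demonstrates the logic and is not secure.

```python
import datetime
import hashlib

# Textbook RSA with a tiny modulus (assumed primes, illustration only).
# The verification logic is the point; real implants use 1024/2048-bit keys.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python >= 3.8)


def dga_domains(seed: bytes, day: datetime.date, count: int = 5) -> list:
    """Hypothetical DGA: operator and implant share `seed` and derive the
    same candidate list for a given day."""
    out = []
    for i in range(count):
        h = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).hexdigest()
        out.append(h[:12] + ".test")        # .test is reserved (RFC 2606)
    return out


def _digest(domain: str, ip: str) -> int:
    """Bind the signature to the domain AND the address it advertises, so a
    valid record cannot be replayed under a different domain or address."""
    h = hashlib.sha256(f"{domain}|{ip}".encode()).digest()
    return int.from_bytes(h, "big") % N     # reduce so the value is below N


def sign_record(domain: str, ip: str, d: int = D) -> int:
    """Operator side: needs the private exponent."""
    return pow(_digest(domain, ip), d, N)


def verify_record(domain: str, ip: str, sig: int, e: int = E) -> bool:
    """Implant side: only the public exponent is embedded in the binary."""
    return pow(sig, e, N) == _digest(domain, ip)


def select_c2(txt_records: dict, seed: bytes, day: datetime.date):
    """Walk the day's candidates and accept the first record that verifies.
    `txt_records` stands in for DNS lookups: domain -> (ip, signature)."""
    for domain in dga_domains(seed, day):
        rec = txt_records.get(domain)
        if rec is None:
            continue                        # nobody registered it yet
        ip, sig = rec
        if verify_record(domain, ip, sig):
            return domain, ip
        # registered by a party without the private key, e.g. a sinkhole: skip
    return None


def demo():
    """Constructed scenario: a sinkhole holds the first candidate, the
    operator the third. Returns the implant's choice and the candidate list."""
    seed = b"constructed-demo-seed"
    day = datetime.date(2025, 12, 21)
    cands = dga_domains(seed, day)
    records = {
        cands[0]: ("192.0.2.10", 12345),   # sinkhole: cannot sign, bogus value
        cands[2]: ("198.51.100.7", sign_record(cands[2], "198.51.100.7")),
    }
    return select_c2(records, seed, day), cands


if __name__ == "__main__":
    chosen, cands = demo()
    print("candidates:", cands)
    print("implant picked:", chosen)
```

The defensive takeaway follows directly from the code: predicting the domains (the `dga_domains` half) only gives you visibility into lookups, not control of the implant, so detection should key on the DNS query pattern and the TXT/record fetch rather than on owning the domain.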

Targeted Regions and Sectors


  • Infy has targeted victims across Iran, Iraq, Turkey, India, Canada, and parts of Europe

  • The group's activities likely have geopolitical motivations, targeting organizations and individuals of strategic relevance


Ongoing Vigilance Recommended


  • Organizations previously targeted by Infy, or those with geopolitical relevance, should closely monitor threat intelligence and strengthen defensive measures

  • The resurgence of Infy's activities highlights the need for continuous vigilance against evolving state-sponsored cyber threats


Sources


  • https://thehackernews.com/2025/12/iranian-infy-apt-resurfaces-with-new.html

  • https://www.reddit.com/r/SecOpsDaily/comments/1przcfv/iranian_infy_apt_resurfaces_with_new_malware/



© 2025 by Explain IT Again.
