Iranian Infy APT Resurfaces with New Malware Activity Targeting Various Sectors

  • Dec 21, 2025

Key Findings


  • Iranian APT group Infy (aka Prince of Persia) has resurfaced with new malware campaigns after nearly 5 years of dormancy

  • The scale of Infy's current activity is significantly larger than previously assessed

  • The group has targeted victims across Iran, Iraq, Turkey, India, Canada, and parts of Europe

  • Infy's malware arsenal includes updated versions of the Foudre downloader and Tonnerre implant

  • Attack chains have evolved from macro-laced documents to embedded executables

  • Infy leverages a domain generation algorithm (DGA) and RSA signature validation to enhance C2 infrastructure resilience

  • Tonnerre now includes a mechanism to communicate with a Telegram group for C2 purposes


Background


  • Infy is one of the oldest known advanced persistent threat (APT) groups, with evidence of activity dating back to December 2004

  • The group has historically used two main malware strains - the Foudre downloader and the Tonnerre second-stage implant

  • Infy has managed to remain relatively elusive compared to other prominent Iranian threat actors like Charming Kitten, MuddyWater, and OilRig


Malware Evolution


  • Foudre (now at version 34) and Tonnerre (versions 12-18, 50) have been updated with new capabilities

  • Attack chains have shifted from macro-laced documents to embedding executables within Office files

  • Infy leverages DGA and RSA signature validation to enhance the resilience of its C2 infrastructure

  • Tonnerre now includes a mechanism to communicate with a Telegram group for additional C2 functionality


Targeted Regions and Sectors


  • Infy has targeted victims across Iran, Iraq, Turkey, India, Canada, and parts of Europe

  • The group's activities likely have geopolitical motivations, targeting organizations and individuals of strategic relevance


Ongoing Vigilance Recommended


  • Organizations previously targeted by Infy, or those with geopolitical relevance, should closely monitor threat intelligence and strengthen defensive measures

  • The resurgence of Infy's activities highlights the need for continuous vigilance against evolving state-sponsored cyber threats


Sources


  • https://thehackernews.com/2025/12/iranian-infy-apt-resurfaces-with-new.html

  • https://www.reddit.com/r/SecOpsDaily/comments/1przcfv/iranian_infy_apt_resurfaces_with_new_malware/

© 2025 by Explain IT Again. Powered and secured by Wix