Unveiling the Shadow: Iran's Infy Hackers Resurface with a New Twist
The Iranian hacking group Infy, also known as Prince of Persia, has resurfaced with updated tooling and new infrastructure. The timing matters: the group went quiet during Iran's recent nationwide internet blackout and came back as soon as connectivity returned, which says something about where its operators sit and how they work.
The Cat-and-Mouse Game
SafeBreach, a cybersecurity firm that has been tracking Infy's activity, observed a complete halt in the group's operations on January 8, 2026, the day Iran's nationwide internet shutdown began. Tomer Bar, Vice President of Security Research at SafeBreach, commented, "This suggests that even government-affiliated cyber units were either unable or unwilling to continue their malicious activities during this period."
The silence did not last. On January 26, 2026, as Iran began to relax its internet restrictions, the crew resumed activity and stood up new command-and-control (C2) servers. An operation that stops when the domestic network goes dark and restarts when it comes back is consistent with operators who depend on Iranian connectivity, which fits the long-standing assessment that Infy is a state-sponsored Iranian group.
The Elusive Infy: A Brief History
Infy is one of several state-sponsored hacking groups operating out of Iran, but it stands out for its longevity and stealth. Active since 2004, Infy has largely stayed under the radar by conducting narrowly targeted intelligence-gathering attacks against individuals rather than broad campaigns, a model of how cyber espionage can be run with precision and discretion.
In December 2025, SafeBreach published a report detailing Infy's updated tradecraft. It described updated variants of the group's Foudre and Tonnerre malware, with Tonnerre using a Telegram bot for command and control. The latest iteration of this toolset, codenamed Tornado, has been the focus of Infy's recent activity.
Unraveling the Tornado: A Deep Dive
Continued monitoring of Infy's operations between December 2025 and February 2026 turned up several developments. The group has replaced the C2 infrastructure for all versions of Foudre and Tonnerre and introduced Tornado version 51, which uses both HTTP and Telegram for command and control. Tomer Bar explains, "It employs a unique approach, using a new DGA algorithm and blockchain data de-obfuscation to generate C2 domain names, providing greater flexibility without the need for frequent updates."
There's more. Infy appears to have exploited a 1-day security flaw in WinRAR (CVE-2025-8088 or CVE-2025-6218) to deliver the Tornado payload. Both are path-traversal flaws in WinRAR's archive extraction: a crafted member name makes the extractor write a file outside the directory the user selected, and both are fixed in WinRAR 7.13 or later. Because WinRAR does not update itself, unpatched installs remain common long after a fix ships, which is what makes a months-old flaw a worthwhile delivery vector. The specially crafted RAR archives, uploaded in mid-December 2025, suggest that Infy may have targeted two specific countries.
Once it runs, Tornado contacts its C2 server over HTTP, downloads the main backdoor and executes it to harvest system information. When the Telegram channel is in use, Tornado uses the Bot API to exfiltrate data and receive further commands. In the latest version a new user, "@Ehsan66442," has been added to the Telegram group, replacing the previous user, "@ehsan8999100."
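The archive members that trigger this class of flaw take only a few shapes: a leading `..` that climbs above the extraction root, an absolute or drive-qualified path, or, on NTFS, a `file:stream` name that hides a traversal inside an alternate data stream. The check below is an added example written for this page, not SafeBreach's tooling or anything recovered from Infy's archives; the sample listing is constructed, and the `report.pdf:..\..` entry illustrates the alternate-data-stream shape generically rather than reproducing any real sample. It is the kind of pre-extraction filter to put in your own unpacking code, and it doubles as a triage pass over a listing from `unrar l` of a suspicious archive.

```python
import ntpath

# Problem classes an archive member name can fall into before extraction.
TRAVERSAL = "traversal"              # ".." climbs above the extraction root
ABSOLUTE = "absolute"                # drive letter, leading separator, or UNC path
ADS = "alternate-data-stream"        # "file:stream" syntax on NTFS


def classify_member(name: str) -> list[str]:
    """Return the problems with an archive member name (empty list if clean).

    Names are interpreted as Windows paths with ntpath so the result is the
    same whatever host runs the check. Archive formats usually store '/' as
    the separator, so it is normalised to '\\' first.
    """
    problems = []
    win = name.replace("/", "\\")

    # "C:\x", "\x" and "\\server\share\x" all ignore the extraction directory.
    drive, rest = ntpath.splitdrive(win)
    if drive or rest.startswith("\\"):
        problems.append(ABSOLUTE)

    # A colon after the drive prefix names an NTFS alternate data stream.
    # Treat the stream name as a further path component so that traversal
    # hidden inside it ("report.pdf:..\..\x.exe") is still counted below.
    if ":" in rest:
        problems.append(ADS)
        rest = rest.replace(":", "\\")

    # Walk the components and track depth below the extraction root; the
    # first time ".." takes depth negative, the member escapes the root.
    depth = 0
    for part in rest.split("\\"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                problems.append(TRAVERSAL)
                break
        else:
            depth += 1
    return problems


def audit_listing(names: list[str]) -> dict[str, list[str]]:
    """Map each unsafe member name to its problems; clean names are omitted."""
    return {n: p for n in names if (p := classify_member(n))}


# Constructed listing (assumption, not taken from any real sample): the clean
# entries mimic a normal document archive, the rest show the unsafe shapes.
SAMPLE_LISTING = [
    "docs/readme.txt",
    "docs/images/../readme.txt",           # ".." that stays inside the root
    "../../Users/Public/start.exe",
    "/etc/passwd",
    "C:\\Windows\\Temp\\drop.dll",
    "report.pdf:..\\..\\..\\Startup\\x.exe",
]

if __name__ == "__main__":
    for name, problems in audit_listing(SAMPLE_LISTING).items():
        print(f"UNSAFE {name!r}: {', '.join(problems)}")
```

The depth counter, rather than a simple "contains `..`" test, is what lets `docs/images/../readme.txt` through while still refusing anything that ends up above the root; refusing every `..` would break many legitimate archives and train users to override the check.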
"The bot member still lacks permissions to read group chat messages," Bar notes. "We believe the new Telegram channel, 'Test,' with its three subscribers, is being used for command and control over compromised machines."
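Telegram Bot API traffic has a fixed URL shape, `https://api.telegram.org/bot<bot id>:<secret>/<method>`, so a backdoor that exfiltrates via `sendDocument` and polls `getUpdates` for tasking leaves a recognisable pattern in any proxy or TLS-inspection log. The detector below is an added example written for this page, not SafeBreach's detection logic and not derived from a Tornado sample. The log layout and the token are constructed, and the assumption that tasking arrives through `getUpdates` polling is mine; a bot wired to a webhook would not appear in egress logs at all. The secret half of the token is a live credential, so the detector deliberately keeps only the numeric bot id.

```python
import re
import shlex
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Every Bot API call looks like api.telegram.org/bot<bot_id>:<secret>/<method>.
BOT_API = re.compile(
    r"api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)

# Methods a backdoor uses to push data out or pull tasking in. Assumption:
# tasking is polled with getUpdates; webhook-driven bots are invisible here.
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendMessage"}
TASKING_METHODS = {"getUpdates"}


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    agent: str
    bot_id: str      # the secret part of the token is never stored
    method: str
    kind: str        # "exfil", "tasking" or "other"


def classify_method(method: str) -> str:
    if method in EXFIL_METHODS:
        return "exfil"
    if method in TASKING_METHODS:
        return "tasking"
    return "other"


def parse_line(line: str) -> Optional[Hit]:
    """Parse one proxy log line; return a Hit for Bot API traffic, else None.

    Assumed log layout (constructed for this example):
      <timestamp> <src-ip> "<user-agent>" <verb> <url> <status>
    """
    try:
        ts, src, agent, _verb, url, _status = shlex.split(line)
    except ValueError:          # wrong field count or unbalanced quotes
        return None
    m = BOT_API.search(url)
    if not m:
        return None
    method = m.group("method")
    return Hit(ts, src, agent, m.group("bot_id"), method, classify_method(method))


def scan(lines) -> list:
    return [h for h in (parse_line(l) for l in lines if l.strip()) if h]


def summarize(hits) -> dict:
    """Per source host, how many exfil/tasking/other Bot API calls were seen."""
    out = defaultdict(Counter)
    for h in hits:
        out[h.src][h.kind] += 1
    return {src: dict(c) for src, c in out.items()}


# Constructed proxy log, not real traffic; the token is a placeholder.
SAMPLE_LOG = """\
2026-01-27T10:14:58Z 10.0.4.17 "Mozilla/5.0 (Windows NT 10.0) Firefox/134.0" GET https://web.telegram.org/ 200
2026-01-27T10:15:02Z 10.0.4.17 "curl/8.4.0" POST https://api.telegram.org/bot123456789:EXAMPLE_not_a_real_token/sendDocument 200
2026-01-27T10:15:31Z 10.0.4.17 "curl/8.4.0" GET https://api.telegram.org/bot123456789:EXAMPLE_not_a_real_token/getUpdates 200
2026-01-27T10:16:01Z 10.0.4.17 "curl/8.4.0" GET https://api.telegram.org/bot123456789:EXAMPLE_not_a_real_token/getUpdates 200
2026-01-27T10:16:05Z 10.0.4.23 "Mozilla/5.0 (Windows NT 10.0) Chrome/131.0" GET https://example.com/ 200
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h.ts} {h.src} {h.agent!r} bot={h.bot_id} {h.method} [{h.kind}]")
    print(summarize(hits))
```

Ordinary use of the Telegram client goes to `web.telegram.org` or the MTProto servers, never to the `/bot<token>/` path, so any hit here is worth a look; the user agent and source host then separate a developer testing a bot from a workstation that has no business polling `getUpdates` every thirty seconds.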
Uncovering the Connections: Infy's Web of Influence
SafeBreach's analysis of the files exfiltrated by Foudre and Tonnerre led to a further discovery: a malicious ZIP file that drops ZZ Stealer, an infostealer that loads a custom variant of StormKitty. This attack chain overlaps strongly with a campaign that targeted the Python Package Index (PyPI) repository, suggesting a potential link between Infy and the hacking group Charming Kitten (aka Educated Manticore).
"ZZ Stealer appears to be a first-stage malware, collecting environmental data and screenshots before exfiltrating desktop files. Upon receiving the command '8==3' from the C2 server, it downloads and executes the second-stage malware, also named '8==3' by the threat actor," SafeBreach explains.
The Bigger Picture: State-Sponsored Cyber Warfare
Infy's resurgence and refreshed tradecraft show how state-sponsored espionage operations evolve: the group swapped out its entire C2 infrastructure, added a second command channel, and adopted a 1-day exploit for initial access, all within a few months. For defenders the concrete takeaways are the ones this case hands over: keep WinRAR at 7.13 or later, since it will not update itself; treat any non-browser process talking to the Telegram Bot API as suspect egress; and watch for newly registered C2 domains appearing right after a known actor's quiet period ends. Countering groups of this persistence also depends on sharing indicators across organizations and borders.
What are your thoughts on this evolving cyber landscape? Do you think Infy's activities will continue to escalate, and how can we better protect ourselves against such sophisticated threats? We'd love to hear your insights in the comments below!