Iran's Infy Hackers: Unveiling New Tactics and C2 Servers Post-Blackout (2026)

The Iranian cyber espionage group Infy has resurfaced with a new strategy, marking a significant development in the world of cybersecurity. What makes this group so elusive and dangerous?

After a period of silence during Iran's recent internet blackout, Infy, also known as Prince of Persia, has resumed operations with a twist. Security researchers at SafeBreach discovered that the group ceased maintaining its command-and-control (C2) servers on January 8, 2026, coinciding with the country's internet shutdown. This move suggests a potential connection between Infy and the Iranian government, as even government-affiliated cyber units were inactive during this time.

The timing is telling: Infy's activities resumed on January 26, just as the Iranian government lifted internet restrictions. The group deployed new C2 servers, showcasing its adaptability and determination. This development provides compelling evidence of Infy's state-sponsored nature, backed by the Iranian regime.

Infy is a veteran in the world of cyber espionage, operating since 2004, yet it has managed to maintain a low profile. It specializes in highly targeted attacks, focusing on individuals for intelligence gathering. The group is one of many state-sponsored hacking collectives originating from Iran, each with its own tactics and objectives.

In December 2025, SafeBreach revealed Infy's updated toolkit, including new versions of Foudre and Tonnerre malware. The latter employs a Telegram bot for command and control, with the latest version, Tornado (v50), offering enhanced capabilities. The group has since replaced the C2 infrastructure for these tools and introduced Tornado v51, which utilizes both HTTP and Telegram for communication.

Infy's ingenuity shows in its domain name generation. The group uses a new domain generation algorithm (DGA) combined with de-obfuscation of data stored on a blockchain to derive its C2 domain names, giving the infrastructure both flexibility and stealth. Additionally, the group has exploited a security flaw in WinRAR to extract the Tornado payload, demonstrating its adaptability in attack vectors.

The RAR file contains a self-extracting archive with two components: the Tornado v51 DLL and an installer. This installer checks for the presence of Avast antivirus and, if absent, creates a scheduled task for persistence, executing the Tornado DLL. Tornado then communicates with the C2 server to download and run the backdoor, harvesting system information.

The Telegram group used by Infy, named سرافراز (Sarafraz), includes a bot and a user. Interestingly, the bot lacks permission to read group messages, adding a layer of secrecy. The group's activities have led to the discovery of a malicious ZIP file containing ZZ Stealer, which deploys a custom StormKitty infostealer. Furthermore, there's a potential link between Infy and another Iranian group, Charming Kitten, based on their use of similar techniques.

ZZ Stealer, a first-stage malware, collects data and screenshots, exfiltrating desktop files. Upon receiving a specific command from the C2 server, it downloads and executes a second-stage malware, further compromising the target system.

This evolving threat landscape underscores the importance of staying vigilant and adapting security measures. Infy's ability to operate under the radar for so long and its use of Telegram and blockchain technology for C2 highlight the challenges faced by cybersecurity professionals. As the digital arms race continues, understanding and countering such sophisticated threat actors is crucial for safeguarding sensitive information and critical infrastructure.
