If you’ve ever thought a cyberespionage group disappears simply because it’s no longer making headlines, Infy, also known as Prince of Persia, is a clear warning: in cybersecurity, silence doesn’t mean inactivity. Quite the opposite.
After nearly five years without media attention, this long-running Iranian APT group is back with new campaigns, upgraded malware, and a more resilient infrastructure.
At TecnetOne, we see this resurgence not just as a technical update, but as a strategic lesson for any organization that assumes “old” threats no longer matter.
Infy is no ordinary actor. It is one of the oldest documented APTs, with evidence of activity dating back to 2004. While other Iranian groups like Charming Kitten, MuddyWater, or OilRig gained more media attention, Infy remained a silent threat.
Its strength has always been discretion. While others chase impact, Infy has specialized in prolonged, selective, and quiet operations focused on high-value targets.
From 2022 onward, Infy seemed to vanish. But new research from SafeBreach proves the group never stopped evolving. It simply went quiet while refining its tools, infrastructure, and evasion tactics.
Between 2023 and 2025, Infy launched new active campaigns targeting:
This broad geographic scope confirms that these aren’t isolated incidents—they represent sustained global cyberespionage.
Infy's operations still revolve around two known malware families, Foudre and Tonnerre.
The latest versions, Foudre v34 and Tonnerre v12 through v18 and v50, show major improvements in persistence, infrastructure validation, and remote control. Already stealthy, they are now even harder to detect.
One major evolution is Infy's initial access method. The group has dropped its old tactic of malicious Excel macros and now embeds an executable inside a file that looks legitimate to the recipient.
This shift sidesteps macros, which Office now blocks by default for documents downloaded from the internet, and raises the odds that the lure succeeds. Phishing remains the primary delivery method for Foudre.
The message is clear: this group adapts quickly to defensive advancements.
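As an added example, not tooling from the article or from SafeBreach's report, the following check flags a carrier file that has a PE executable appended to or embedded inside it, which is the kind of lure described above. The decoy document bytes and the PE stub are constructed here so the block runs offline; the stub is a structurally valid header only, not an executable, and the scanner is a triage heuristic, not a full PE parser.

```python
"""Find PE images hidden inside a carrier file (added illustration, not the article's tooling)."""
import struct

# Minimal structure from the PE format: 'MZ' at the start of the DOS header, the
# e_lfanew field at offset 0x3c, 'PE\0\0' at e_lfanew, then the 20-byte COFF header.
MZ = b"MZ"
PE_SIG = b"PE\0\0"
KNOWN_MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "arm", 0xAA64: "arm64"}


def find_embedded_pe(data: bytes):
    """Return (offset, machine) for every structurally valid PE header found in data."""
    hits = []
    pos = data.find(MZ)
    while pos != -1:
        # Need a full 64-byte DOS header to read e_lfanew at all.
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # Well-formed files put the PE header after the DOS header (>= 0x40);
            # the signature plus COFF header must fit inside the buffer (4 + 20 bytes).
            if e_lfanew >= 0x40 and pe + 24 <= len(data) and data[pe:pe + 4] == PE_SIG:
                machine = struct.unpack_from("<H", data, pe + 4)[0]
                if machine in KNOWN_MACHINES:
                    hits.append((pos, KNOWN_MACHINES[machine]))
        pos = data.find(MZ, pos + 1)
    return hits


def build_fake_pe(machine: int = 0x8664) -> bytes:
    """Constructed, non-executable PE stub: DOS header, e_lfanew, PE signature, COFF header."""
    dos = bytearray(0x40)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0x22)
    return bytes(dos) + PE_SIG + coff


# Constructed decoy: a PDF-looking prefix, a bare 'MZ' in text (must NOT trigger),
# some padding, and a PE stub appended at the end (must trigger).
CARRIER = (
    b"%PDF-1.4\n%constructed decoy document, not a real PDF\n"
    b"1 0 obj << /Note (MZ is just text here) >> endobj\n"
    + b"\x00" * 64
    + build_fake_pe()
    + b"\n%%EOF\n"
)


def scan_carrier():
    """Run the scanner over the constructed decoy."""
    return find_embedded_pe(CARRIER)


if __name__ == "__main__":
    for offset, arch in scan_carrier():
        print(f"embedded {arch} PE header at offset {offset}")
```

In a pipeline you would run this on mail attachments and on anything a document drops into the user's profile; a PE header inside a file whose extension says document is worth a quarantine regardless of what any macro scanner reports.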
One of Infy’s most significant upgrades is the use of a Domain Generation Algorithm (DGA). Instead of hard-coding command-and-control (C2) domains, the malware derives a fresh list of candidate domains from a built-in seed, so there is no single domain defenders can block or take down.
But it doesn’t stop there. Both Foudre and Tonnerre include cryptographic validation that ensures they only talk to domains genuinely controlled by the operators, using:
If validation fails, the malware does not communicate at all. That blunts sinkholing: a researcher who registers a predicted DGA domain gets no traffic from the implant, because the domain cannot pass the check.
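To make the mechanism concrete, here is an added, simplified model of how a date-seeded DGA combines with a signature check so that only operator-controlled domains are accepted. This is not Infy's actual algorithm and not code from SafeBreach's report; the seed, the date, the `.example` suffix, the toy RSA key and the DNS zone are all constructed for the illustration, and a real implant would use a full-size key with proper signature padding. The proof is modelled as a value the operator publishes in the domain's DNS TXT record, which is an assumption made for the demo.

```python
"""Toy DGA with signed-domain validation (added illustration; not Infy's code)."""
import hashlib
from datetime import date

# Toy RSA key built from two Mersenne primes so the block runs on the standard library
# alone. A real implant embeds a full-size public key; only the operator holds the
# private exponent, which is what makes the check resistant to sinkholing.
_P = (1 << 61) - 1
_Q = (1 << 89) - 1
MODULUS = _P * _Q                       # ~150-bit modulus, illustration only
PUBLIC_EXP = 65537                      # embedded in the implant
PRIVATE_EXP = pow(PUBLIC_EXP, -1, (_P - 1) * (_Q - 1))  # operator-only secret

DGA_SEED = b"constructed-seed"          # hypothetical; a real DGA uses a built-in constant
CANDIDATE_DAY = date(2025, 1, 15)       # constructed date for the demo


def generate_candidates(seed: bytes, day: date, count: int) -> list:
    """Deterministic DGA: the same seed and date give the same list on every victim."""
    candidates = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).hexdigest()
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])
        candidates.append(label + ".example")
    return candidates


def _domain_digest(domain: str) -> int:
    # A 128-bit digest keeps the signed value below the toy modulus.
    return int.from_bytes(hashlib.sha256(domain.lower().encode()).digest()[:16], "big")


def sign_domain(domain: str, private_exp: int = PRIVATE_EXP) -> str:
    """Operator side: the hex proof published in the domain's DNS TXT record."""
    return format(pow(_domain_digest(domain), private_exp, MODULUS), "x")


def verify_domain(domain: str, txt_value) -> bool:
    """Implant side: accept only if the TXT proof verifies under the embedded public key."""
    try:
        sig = int(txt_value, 16)
    except (TypeError, ValueError):
        return False
    if not 0 < sig < MODULUS:
        return False
    return pow(sig, PUBLIC_EXP, MODULUS) == _domain_digest(domain)


def select_c2(candidates, txt_lookup):
    """Walk the DGA list; the first domain with a valid proof wins, otherwise None."""
    for domain in candidates:
        txt = txt_lookup(domain)
        if txt is not None and verify_domain(domain, txt):
            return domain
    return None


def demo():
    """Constructed DNS zone: a sinkholed domain, a forged proof, and the real server."""
    cands = generate_candidates(DGA_SEED, CANDIDATE_DAY, 5)
    zone = {
        cands[0]: "deadbeef",                                # sinkhole: no valid proof
        cands[1]: sign_domain(cands[1], private_exp=12345),  # forged with the wrong key
        cands[2]: sign_domain(cands[2]),                     # operator's real server
    }
    return cands, select_c2(cands, zone.get)


if __name__ == "__main__":
    cands, chosen = demo()
    print("candidates:", cands)
    print("implant will talk to:", chosen)
```

The defender-side lesson is in `demo()`: predicting the DGA output lets you register the first candidate, but without the operator's private key the implant skips it and moves on. Visibility therefore has to come from monitoring or blocking the DNS lookups for the predicted names, not from owning the domains.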
SafeBreach's analysis revealed a structured C2 infrastructure, with server directories such as:
This setup shows a well-organized and long-term espionage infrastructure—not something slapped together for short-term gain.
The latest version of Tonnerre can also communicate via a private Telegram group named سرافراز (“proud” in Persian). Here, two entities interact:
But not every victim gets access to this channel. Only selected unique GUIDs are allowed to download the file containing the Telegram data, which indicates tight segmentation and access control and further limits what researchers can observe.
SafeBreach also identified older malware linked to Infy (from 2017–2020), including:
This confirms Infy operates with a reusable malware ecosystem—common in mature, state-backed threat actors.
Infy’s reappearance coincides with new revelations about groups like Charming Kitten and Moses Staff. Research shows that many Iranian APTs share infrastructure, tools, and even administrative models, functioning more like separate departments of a single cyber organization than like independent collectives.
In other words, Iranian cyberespionage is structured as a state-backed apparatus rather than a patchwork of lone operators.
Infy’s return teaches several critical lessons:
At TecnetOne, we emphasize this often: effective defense means looking back as well as forward. Ignoring legacy threats is a mistake.
Infy proves that in cybersecurity, no one retires. A group that seemed inactive is back with stronger malware, smarter infrastructure, and more refined techniques.
If your security strategy only addresses the latest headlines, you’re leaving yourself vulnerable to adversaries who’ve spent over a decade mastering the art of digital espionage.
Continuous monitoring, behavioral analysis, and historical threat awareness are no longer optional. They’re the only way to stay ahead of threats that never really left.