
Infy Hackers Resume Operations with New C2 Servers After Iran Web Blackout Ends

The elusive Iranian threat group known as Infy (aka Prince of Persia) has evolved its techniques as part of an effort to cover its tracks, even as it readied new command-and-control (C2) infrastructure to coincide with the end of the widespread internet blackout the regime imposed at the start of January 2026.

"The threat actor stopped maintaining its C2 servers on January 8 for the first time since we started monitoring their activities," Tomer Bar, VP of security research at SafeBreach, said in a report shared with The Hacker News.

"This was the same day a country-wide internet shutdown was imposed by Iranian authorities in response to recent protests, which likely suggests that even government-affiliated cyber units didn't have the ability or motivation to carry out malicious activities inside Iran."

The cybersecurity company said it observed renewed activity on January 26, 2026, as the hacking crew set up new C2 servers, one day before the Iranian government relaxed internet restrictions across the country. The timing is significant, not least because it adds concrete evidence that the adversary is state-sponsored and backed by Iran.

Infy is just one of many state-sponsored hacking groups operating out of Iran that conduct espionage, sabotage, and influence operations aligned with Tehran's strategic interests. But it is also one of the oldest and lesser-known groups, having managed to stay under the radar and operate quietly since 2004 through "laser-focused" attacks aimed at individuals for intelligence gathering.


In a report published in December 2025, SafeBreach disclosed new tradecraft associated with the threat actor, including the use of updated versions of Foudre and Tonnerre, with the latter using a Telegram bot, likely for issuing commands and collecting data. The latest version of Tonnerre (version 50) has been codenamed Twister.

Continued visibility into the threat actor's operations between December 19, 2025, and February 3, 2026, has revealed that the attackers have replaced the C2 infrastructure for all versions of Foudre and Tonnerre, and have introduced Twister version 51, which uses both HTTP and Telegram for C2.

"It uses two different methods to generate C2 domains: first, a new DGA algorithm and then fixed names using blockchain data de-obfuscation," Bar said. "This is a unique approach that we assume is being used to provide greater flexibility in registering C2 domains without the need to update the Twister version."

There are also indications that Infy has weaponized a 1-day security flaw in WinRAR (either CVE-2025-8088 or CVE-2025-6218) to extract the Twister payload on a compromised host. The change in attack vector is seen as a way to improve the success rate of its campaigns. The specially crafted RAR archives were uploaded to the VirusTotal platform from Germany and India in mid-December 2025, suggesting the two countries may have been targeted.


Present within the RAR file is a self-extracting archive (SFX) that contains two files –

  • AuthFWSnapin.dll, the main Twister version 51 DLL
  • reg7989.dll, an installer that first checks whether Avast antivirus software is absent, and if so, creates a scheduled task for persistence and executes the Twister DLL

Twister establishes communication with the C2 server over HTTP to download and execute the main backdoor and harvest system information. If Telegram is chosen as the C2 method, Twister uses the Bot API to exfiltrate system data and receive additional commands.
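The two behaviours just described, a scheduled task that launches a DLL and a non-messaging process talking to the Telegram Bot API, are both visible in ordinary endpoint telemetry. As an added example (not code from the article, SafeBreach, or the malware), the following Python hunts Sysmon-style JSON events for them. Only the two DLL names come from the article; the event field names follow Sysmon's schema (Image, CommandLine, DestinationHostname, QueryName), and the task names, paths, hostnames and the allow-list of Telegram clients are assumptions made for the demonstration.

```python
"""Hunt Sysmon-style JSON events for Twister-like persistence and C2 contact.

Added example; this is not SafeBreach's or Infy's code. The sample events
below are constructed (no real telemetry): field names mirror Sysmon's
schema, but every path, task name and host value is invented. Only the two
DLL names are taken from the article.
"""
import json
import re

# DLL names reported in the article; matching is case-insensitive.
NAMED_DLLS = {"authfwsnapin.dll", "reg7989.dll"}
TELEGRAM_API_HOST = "api.telegram.org"
# Processes expected to talk to the Telegram API (assumption; tune per estate).
TELEGRAM_EXPECTED_IMAGES = {"telegram.exe"}

DLL_RE = re.compile(r"[\w.-]+\.dll", re.IGNORECASE)


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_create(ev):
    """Sysmon EID 1: schtasks /create, or rundll32/regsvr32 execution,
    whose command line references one of the named DLLs."""
    image = basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    hits = sorted({d.lower() for d in DLL_RE.findall(cmd)} & NAMED_DLLS)
    if not hits:
        return None
    if image == "schtasks.exe" and "/create" in cmd.lower():
        rule = "schtasks-persistence-named-dll"
    elif image in ("rundll32.exe", "regsvr32.exe"):
        rule = "loader-executes-named-dll"
    else:
        return None
    return {"rule": rule, "dll": hits[0], "image": image}


def check_telegram_contact(ev):
    """Sysmon EID 3 (network connect) or EID 22 (DNS query): Telegram Bot API
    host contacted by a process that is not a known Telegram client."""
    host = (ev.get("DestinationHostname") or ev.get("QueryName") or "").lower()
    image = basename(ev.get("Image", ""))
    if host != TELEGRAM_API_HOST or image in TELEGRAM_EXPECTED_IMAGES:
        return None
    rule = ("telegram-api-dns-unexpected-process" if ev.get("EventID") == 22
            else "telegram-api-connect-unexpected-process")
    return {"rule": rule, "host": host, "image": image}


def hunt(json_lines):
    """Run the checks over an iterable of JSON-encoded Sysmon events."""
    findings = []
    for line in json_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed export lines rather than abort the hunt
        eid = ev.get("EventID")
        if eid == 1:
            f = check_process_create(ev)
        elif eid in (3, 22):
            f = check_telegram_contact(ev)
        else:
            f = None
        if f:
            f["Computer"] = ev.get("Computer")
            findings.append(f)
    return findings


# Constructed sample events (not real telemetry); task names and paths are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "AuthFW" /sc onlogon /tr "rundll32.exe C:\Users\Public\AuthFWSnapin.dll,Start"'},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "OneDrive Update" /tr "C:\Program Files\OneDrive\Update.exe"'},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\AuthFWSnapin.dll,Start"},
    {"EventID": 3, "Computer": "WS01", "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventID": 3, "Computer": "WS02", "Image": r"C:\Users\alice\AppData\Roaming\Telegram Desktop\Telegram.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventID": 22, "Computer": "WS01", "Image": r"C:\Windows\System32\rundll32.exe",
     "QueryName": "api.telegram.org"},
    {"EventID": 3, "Computer": "WS02", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "example.com", "DestinationPort": 443},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Against the constructed log the hunt returns four findings: the task creation and the rundll32 launch of AuthFWSnapin.dll on WS01, and that same rundll32 process both resolving and connecting to api.telegram.org. The Telegram Desktop client and the browser connection are ignored. Because the Bot API is plain HTTPS to a single well-known host, the process-to-destination pairing, not the destination alone, is what makes the Telegram check useful; extend TELEGRAM_EXPECTED_IMAGES with whatever legitimately uses the API in your environment.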

It's worth noting that version 50 of the malware used a Telegram group named سرافراز (literally transliterated "sarafraz," meaning proudly) that featured the Telegram bot "@ttestro1bot" and a user with the handle "@ehsan8999100." In the latest version, a different user called "@Ehsan66442" has been added in place of the latter.

"As before, the bot member of the Telegram group still doesn't have permissions to read the group's chat messages," Bar said. "On December 21, the original user @ehsan8999100 was added to a new Telegram channel named Test that had three subscribers. The purpose of this channel is still unknown, but we assume it's being used for command and control over the victims' machines."


SafeBreach said it managed to extract all messages within the private Telegram group, giving it access to all data exfiltrated by Foudre and Tonnerre since February 16, 2025, including 118 files and 14 shared links containing encoded commands sent to Tonnerre by the threat actor. An analysis of this data led to three important discoveries –

  • A malicious ZIP file that drops ZZ Stealer, which loads a custom variant of the StormKitty infostealer
  • A "very strong correlation" between the ZZ Stealer attack chain and a campaign targeting the Python Package Index (PyPI) repository with a package named "testfiwldsd21233s" that is designed to drop a previous iteration of ZZ Stealer and exfiltrate the data through the Telegram Bot API
  • A "weaker potential correlation" between Infy and Charming Kitten (aka Educated Manticore), owing to the shared use of ZIP and Windows Shortcut (LNK) files and a PowerShell loader technique

"ZZ Stealer appears to be a first-stage malware (like Foudre) that first collects environmental data, screenshots, and exfiltrates all desktop files," SafeBreach explained. "In addition, upon receiving the command '8==3' from the C2 server, it will download and execute the second-stage malware also named by the threat actor as '8==3.'"
