Infy APT Resurfaces with Updated Malware and Expanded Targeting
Summary
The Iranian APT group Infy (Prince of Persia) has resumed activity after years of silence, targeting victims in Iran, Iraq, Turkey, India, Canada, and Europe. The group has updated its malware tools Foudre and Tonnerre, employing new techniques such as domain generation algorithms (DGA) and Telegram for command-and-control (C2) communication. The campaign highlights the group's continued relevance and sophistication in cyber espionage. The latest findings reveal that Infy has been active since at least 2004, leveraging malware like Foudre and Tonnerre to profile and exfiltrate data from high-value machines. The group's recent activities include using updated versions of Foudre (version 34) and Tonnerre (versions 12-18, 50), with the latest Tonnerre version detected in September 2025. Infy stopped maintaining its C2 servers on January 8, 2026, coinciding with an internet blackout in Iran, and resumed activity on January 26, 2026, setting up new C2 servers the day before internet restrictions were relaxed. The group has introduced Tornado version 51, which uses both HTTP and Telegram for C2 communication, and has weaponized a 1-day security flaw in WinRAR to extract the Tornado payload on a compromised host. Additionally, Infy has used a malicious ZIP file to drop ZZ Stealer, which loads a custom variant of the StormKitty infostealer, and there is a strong correlation between the ZZ Stealer attack chain and a campaign targeting the Python Package Index (PyPI) repository.
Timeline
21.12.2025 06:22 · 2 articles
Infy APT Resurfaces with Updated Malware and Expanded Targeting
Infy (Prince of Persia) has resumed activity after nearly five years of silence, targeting victims in Iran, Iraq, Turkey, India, Canada, and Europe. The group has updated its malware tools Foudre and Tonnerre, employing new techniques such as domain generation algorithms (DGA) and Telegram for command-and-control (C2) communication. The campaign highlights the group's continued relevance and sophistication in cyber espionage. Infy stopped maintaining its C2 servers on January 8, 2026, coinciding with an internet blackout in Iran, and resumed activity on January 26, 2026, setting up new C2 servers the day before internet restrictions were relaxed. The group has introduced Tornado version 51, which uses both HTTP and Telegram for C2 communication, and has weaponized a 1-day security flaw in WinRAR to extract the Tornado payload on a compromised host. Additionally, Infy has used a malicious ZIP file to drop ZZ Stealer, which loads a custom variant of the StormKitty infostealer, and there is a strong correlation between the ZZ Stealer attack chain and a campaign targeting the Python Package Index (PyPI) repository.
Sources:
- Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence — thehackernews.com — 21.12.2025 06:22
- Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends — thehackernews.com — 05.02.2026 12:25
Information Snippets
Infy (Prince of Persia) has resumed activity after nearly five years of silence.
First reported: 21.12.2025 06:22 · 1 source, 2 articles. Sources:
- Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence — thehackernews.com — 21.12.2025 06:22
- Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends — thehackernews.com — 05.02.2026 12:25
The group is targeting victims in Iran, Iraq, Turkey, India, Canada, Europe, and other regions.
First reported: 21.12.2025 06:22 · 1 source, 2 articles. Sources:
- Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence — thehackernews.com — 21.12.2025 06:22
- Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends — thehackernews.com — 05.02.2026 12:25
Infy uses updated versions of Foudre (version 34) and Tonnerre (versions 12-18, 50).
First reported: 21.12.2025 06:22 · 1 source, 2 articles. Sources:
- Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence — thehackernews.com — 21.12.2025 06:22
- Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends — thehackernews.com — 05.02.2026 12:25
The latest version of Tonnerre was detected in September 2025.
First reported: 21.12.2025 06:22 · 1 source, 2 articles. Sources:
- Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence — thehackernews.com — 21.12.2025 06:22
- Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends — thehackernews.com — 05.02.2026 12:25
Infy employs a domain generation algorithm (DGA) to make its C2 infrastructure more resilient.
First reported: 21.12.2025 06:22 · 1 source, 2 articles. Sources:
- Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence — thehackernews.com — 21.12.2025 06:22
- Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends — thehackernews.com — 05.02.2026 12:25
Foudre and Tonnerre artifacts validate C2 domains using RSA signature files.
First reported: 21.12.2025 06:22 · 1 source, 2 articles. Sources:
- Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence — thehackernews.com — 21.12.2025 06:22
- Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends — thehackernews.com — 05.02.2026 12:25
The latest version of Tonnerre includes a mechanism to contact a Telegram group named 'سرافراز'.
First reported: 21.12.2025 06:22 · 1 source, 2 articles. Sources:
- Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence — thehackernews.com — 21.12.2025 06:22
- Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends — thehackernews.com — 05.02.2026 12:25
Infy has used various malware variants, including Amaq News Finder, MaxPinner, Deep Freeze, and Rugissement.
First reported: 21.12.2025 06:22 · 1 source, 2 articles. Sources:
- Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence — thehackernews.com — 21.12.2025 06:22
- Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends — thehackernews.com — 05.02.2026 12:25
Infy stopped maintaining its C2 servers on January 8, 2026, coinciding with an internet blackout in Iran.
First reported: 05.02.2026 12:25 · 1 source, 1 article. Sources:
- Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends — thehackernews.com — 05.02.2026 12:25
Infy resumed activity on January 26, 2026, setting up new C2 servers the day before internet restrictions were relaxed in Iran.
First reported: 05.02.2026 12:25 · 1 source, 1 article. Sources:
- Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends — thehackernews.com — 05.02.2026 12:25
Infy has introduced Tornado version 51, which uses both HTTP and Telegram for C2 communication.
First reported: 05.02.2026 12:25 · 1 source, 1 article. Sources:
- Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends — thehackernews.com — 05.02.2026 12:25
Infy has weaponized a 1-day security flaw in WinRAR (either CVE-2025-8088 or CVE-2025-6218) to extract the Tornado payload on a compromised host.
First reported: 05.02.2026 12:25 · 1 source, 1 article. Sources:
- Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends — thehackernews.com — 05.02.2026 12:25
Infy has used a malicious ZIP file to drop ZZ Stealer, which loads a custom variant of the StormKitty infostealer.
First reported: 05.02.2026 12:25 · 1 source, 1 article. Sources:
- Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends — thehackernews.com — 05.02.2026 12:25
There is a strong correlation between the ZZ Stealer attack chain and a campaign targeting the Python Package Index (PyPI) repository with a package named "testfiwldsd21233s".
First reported: 05.02.2026 12:25 · 1 source, 1 article. Sources:
- Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends — thehackernews.com — 05.02.2026 12:25
There is a weaker potential correlation between Infy and Charming Kitten (aka Educated Manticore) owing to the use of ZIP and Windows Shortcut (LNK) files, and a PowerShell loader technique.
First reported: 05.02.2026 12:25 · 1 source, 1 article. Sources:
- Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends — thehackernews.com — 05.02.2026 12:25
Similar Happenings
Lotus Blossom Hacking Group Exploits Notepad++ Hosting Breach to Deploy Chrysalis Backdoor
The China-linked Lotus Blossom hacking group exploited a hosting provider breach to deliver a previously undocumented backdoor, Chrysalis, to Notepad++ users. The attack, which occurred between June and December 2025, involved hijacking update traffic and exploiting insufficient update verification controls in older versions of the software. The group used a multi-layered shellcode loader and integrated undocumented system calls to enhance stealth and resilience. The breach was discovered and mitigated in December 2025, with Notepad++ migrating to a new hosting provider and rotating all credentials. The Chrysalis backdoor is a feature-rich implant capable of gathering system information, executing commands, and maintaining persistence. It communicates with a command-and-control (C2) server to receive additional instructions. The C2 server is currently offline, but the malware's capabilities suggest ongoing development and adaptation by the threat actor.
STAC6565 Targets Canadian Organizations with QWCrypt Ransomware
The threat activity cluster STAC6565, linked to Gold Blade (Earth Kapre, RedCurl, Red Wolf), has targeted Canadian organizations in 80% of its attacks between February 2024 and August 2025. The group, active since late 2018, initially focused on cyber espionage but has evolved to deploy QWCrypt ransomware. The campaign uses spear-phishing emails targeting HR personnel, leveraging legitimate job search platforms to deliver malicious documents. The group operates under a 'hack-for-hire' model, blending data theft with ransomware deployment. Sophos researchers noted that the group's operational tempo includes periods of inactivity followed by sudden spikes in attacks, indicating toolset refinement during downtime. The attacks involve sophisticated multi-stage malware delivery chains, including the use of RedLoader and custom tools like Terminator for disabling antivirus processes. Despite detection and mitigation efforts, three attacks resulted in successful QWCrypt deployment.
Chinese State-Sponsored Group Exploits Windows Zero-Day in Espionage Campaign Against European Diplomats
A China-linked hacking group, UNC6384 (Mustang Panda), is exploiting a Windows zero-day vulnerability (CVE-2025-9491) to target European diplomats in Hungary, Belgium, Italy, the Netherlands, and Serbian government agencies. The campaign involves spearphishing emails with malicious LNK files to deploy the PlugX RAT and gain persistence on compromised systems. The attacks have broadened in scope to include diplomatic entities from Italy and the Netherlands. The zero-day vulnerability allows for remote code execution on targeted Windows systems, enabling the group to monitor diplomatic communications and steal sensitive data. Microsoft has not yet released a patch for this vulnerability, which has been heavily exploited by multiple state-sponsored groups and cybercrime gangs since March 2025. Microsoft has silently mitigated the vulnerability by changing LNK files in the November updates to display all characters in the Target field, not just the first 260. ACROS Security has also released an unofficial patch to limit shortcut target strings to 260 characters and warn users about potential dangers.
MuddyWater Expands Campaign with MuddyViper Backdoor Targeting Israeli Entities
The MuddyWater threat actor, linked to Iran and also known as Static Kitten, Mercury, and Seedworm, has conducted a global phishing campaign targeting over 100 organizations, including government entities, embassies, diplomatic missions, foreign affairs ministries, consulates, international organizations, and telecommunications firms in the Middle East and North Africa (MENA) region. The campaign used compromised email accounts to send phishing emails with malicious Microsoft Word documents containing macros that dropped and launched the Phoenix backdoor, version 4. This backdoor provided remote control over infected systems. The campaign was active starting August 19, 2025, and used a command-and-control (C2) server registered under the domain screenai[.]online. The attackers employed three remote monitoring and management (RMM) tools and a custom browser credential stealer, Chromium_Stealer. The malware and tools were hosted on a temporary Python-based HTTP service linked to NameCheap's servers. The campaign highlights the ongoing use of trusted communication channels by state-backed threat actors to evade defenses and infiltrate high-value targets. The server and server-side command-and-control (C2) component were taken down on August 24, 2025, likely indicating a new stage of the attack. The MuddyWater threat actor has also targeted Israeli entities spanning academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors. The hacking group has delivered a previously undocumented backdoor called MuddyViper. The attacks also singled out one technology company based in Egypt. The attack chains involve spear-phishing and the exploitation of known vulnerabilities in VPN infrastructure to infiltrate networks and deploy legitimate remote management tools. The campaign uses a loader named Fooder that decrypts and executes the C/C++-based MuddyViper backdoor. 
The MuddyViper backdoor enables the attackers to collect system information, execute files and shell commands, transfer files, and exfiltrate Windows login credentials and browser data. Additionally, the MuddyWater threat actor has deployed a new backdoor called UDPGangster that uses the User Datagram Protocol (UDP) for command-and-control (C2) purposes. The attack chain involves using spear-phishing tactics to distribute booby-trapped Microsoft Word documents that trigger the execution of a malicious payload once macros are enabled. The phishing messages impersonate the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs and purport to invite recipients to an online seminar titled "Presidential Elections and Results." The VBA script in the dropper file is equipped to conceal any sign of malicious activity by displaying a Hebrew-language decoy image from Israeli telecommunications provider Bezeq about supposed disconnection periods in the first week of November 2025 across various cities in the country. UDPGangster establishes persistence through Windows Registry modifications and includes various anti-analysis checks to resist reverse engineering by security researchers. UDPGangster connects to an external server ("157.20.182[.]75") over UDP port 1269 to exfiltrate collected data, run commands using "cmd.exe," transmit files, update the C2 server, and drop and execute additional payloads. The MuddyWater threat actor has launched a new campaign targeting diplomatic, maritime, financial, and telecom entities in the Middle East with a Rust-based implant codenamed RustyWater. The campaign uses icon spoofing and malicious Word documents to deliver Rust-based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion.
The RustyWater implant gathers victim machine information, detects installed security software, sets up persistence by means of a Windows Registry key, and establishes contact with a command-and-control (C2) server (nomercys.it[.]com) to facilitate file operations and command execution. The RustyWater implant is also referred to as Archer RAT and RUSTRIC. The use of RUSTRIC was previously flagged by Seqrite Labs as part of attacks targeting IT, MSPs, human resources, and software development companies in Israel. Historically, MuddyWater has relied on PowerShell and VBS loaders for initial access and post-compromise operations, but the introduction of Rust-based implants represents a notable tooling evolution toward more structured, modular, and low-noise RAT capabilities.
Path Traversal Vulnerability in WinRAR Actively Exploited by Multiple Threat Actors
A path traversal vulnerability in WinRAR (CVE-2025-8088, CVSS 8.8) is being actively exploited in the wild. The flaw allows arbitrary code execution by crafting malicious archive files. The vulnerability affects Windows versions of WinRAR, RAR, UnRAR, portable UnRAR source code, and UnRAR.dll. The issue was discovered by researchers from ESET and addressed in WinRAR version 7.13, released on July 30, 2025. Multiple threat actors, including Paper Werewolf, RomCom, UNC4895, APT44, TEMP.Armageddon, Turla, and China-linked actors, have exploited this vulnerability to target various organizations. A new threat actor called Amaranth Dragon, linked to APT41 state-sponsored Chinese operations, has also exploited the CVE-2025-8088 vulnerability in espionage attacks on government and law enforcement agencies in Singapore, Thailand, Indonesia, Cambodia, Laos, and the Philippines. The attacks involve phishing emails with malicious archives that, when opened, exploit the vulnerability to write files outside the intended directory and achieve code execution. The payloads include a .NET loader that sends system information to an external server and receives additional malware. Financially motivated actors are also exploiting the flaw to distribute commodity remote access tools and information stealers. Google Threat Intelligence Group (GTIG) revealed that multiple threat actors, including nation-state adversaries and financially motivated groups, are exploiting the WinRAR vulnerability CVE-2025-8088. The exploit chain often involves concealing the malicious file within the alternate data streams (ADS) of a decoy file inside the archive, causing the payload to be extracted to a specific path (e.g., the Windows Startup folder) and automatically executing it once the user logs in to the machine after a restart.
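The exploit chain described above works because the extractor trusts the entry names stored in the archive: a name that climbs out of the destination with "..", carries an absolute path, or uses NTFS alternate data stream (ADS) syntax lands somewhere the user never chose, such as the Startup folder. The following is an added example, not code from ESET, GTIG or the WinRAR project, of the defensive pre-extraction check an unpacking tool or mail gateway should apply to every entry name before writing anything to disk. The entry names in SAMPLE_ENTRIES are constructed for the demonstration and are not indicators from any real archive.

```python
"""Pre-extraction path check for archive entry names (added example)."""
from __future__ import annotations

import posixpath
import re
from dataclasses import dataclass

# Drive-letter prefix (C:) or UNC/double-slash prefix; both mean an absolute target.
_DRIVE_OR_UNC = re.compile(r"^(?:[A-Za-z]:|[\\/]{2})")


@dataclass(frozen=True)
class Verdict:
    name: str      # the entry name exactly as stored in the archive
    safe: bool     # True only if extraction under the chosen root is harmless
    reason: str    # short human-readable explanation for logging


def check_entry(name: str) -> Verdict:
    """Decide whether one archive entry may be written under the extraction root."""
    # Windows extractors accept both separators, so normalise before reasoning.
    norm = name.replace("\\", "/")
    if not norm or norm.strip() == "":
        return Verdict(name, False, "empty entry name")
    if _DRIVE_OR_UNC.match(norm) or norm.startswith("/"):
        return Verdict(name, False, "absolute or UNC path")
    # Any colon in a relative name can only be an NTFS stream separator
    # (drive letters were already rejected above); that is the ADS trick.
    if ":" in norm:
        return Verdict(name, False, "NTFS alternate data stream syntax")
    # Collapse "." and ".." the way the filesystem will; if the result still
    # starts with ".." the entry escapes the destination directory.
    resolved = posixpath.normpath(norm)
    if resolved == ".." or resolved.startswith("../"):
        return Verdict(name, False, "escapes extraction directory")
    return Verdict(name, True, "ok")


def triage(names: list[str]) -> list[Verdict]:
    """Run check_entry over every name in an archive listing."""
    return [check_entry(n) for n in names]


def safe_to_extract(names: list[str]) -> bool:
    """Fail closed: refuse the whole archive if any single entry is unsafe."""
    return all(v.safe for v in triage(names))


# Constructed sample listing (not real indicators): two benign entries,
# one traversal into the user's Startup folder, one ADS-style name, one
# absolute path.
SAMPLE_ENTRIES = [
    "report.pdf",
    "docs/../notes.txt",
    "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.exe",
    "decoy.txt:payload.exe",
    "C:\\Users\\Public\\run.bat",
]

if __name__ == "__main__":
    for v in triage(SAMPLE_ENTRIES):
        print(f"{'OK  ' if v.safe else 'DENY'} {v.name!r}: {v.reason}")
    print("archive safe:", safe_to_extract(SAMPLE_ENTRIES))
```

The check rejects the whole archive on the first bad entry rather than skipping it, because a decoy document alongside a traversal entry is exactly the pattern the reports describe; a listing that fails this check is worth quarantining and logging, not cleaning up.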