Infy APT Resurfaces with Updated Malware and Expanded Targeting
Summary
The Iranian APT group Infy (also tracked as Prince of Persia) has resumed activity after years of silence, targeting victims in Iran, Iraq, Turkey, India, Canada, and Europe. The group, active since at least 2004, has updated its two malware tools, Foudre and Tonnerre, which profile victim machines and exfiltrate data from those judged high-value, and now relies on a domain generation algorithm (DGA) and on Telegram for command-and-control (C2) communication. The recent activity involves Foudre version 34 and Tonnerre versions 12-18 and 50, with the latest Tonnerre version detected in September 2025. The campaign shows that the group remains an active and capable cyber-espionage actor.
Timeline
- 21.12.2025 06:22 · 1 article
Infy APT Resurfaces with Updated Malware and Expanded Targeting
Infy (Prince of Persia) has resumed activity after nearly five years of silence, targeting victims in Iran, Iraq, Turkey, India, Canada, and Europe. The group has updated its malware tools Foudre and Tonnerre, employing new techniques such as domain generation algorithms (DGA) and Telegram for command-and-control (C2) communication. The campaign highlights the group's continued relevance and sophistication in cyber espionage.
Sources:
- Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence — thehackernews.com — 21.12.2025 06:22
Information Snippets
- Infy (Prince of Persia) has resumed activity after nearly five years of silence.
  First reported: 21.12.2025 06:22 (1 source, 1 article). Source: Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence — thehackernews.com — 21.12.2025 06:22
- The group is targeting victims in Iran, Iraq, Turkey, India, Canada, Europe, and other regions.
  First reported: 21.12.2025 06:22 (1 source, 1 article). Source: Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence — thehackernews.com — 21.12.2025 06:22
- Infy uses updated versions of Foudre (version 34) and Tonnerre (versions 12-18 and 50).
  First reported: 21.12.2025 06:22 (1 source, 1 article). Source: Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence — thehackernews.com — 21.12.2025 06:22
- The latest version of Tonnerre was detected in September 2025.
  First reported: 21.12.2025 06:22 (1 source, 1 article). Source: Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence — thehackernews.com — 21.12.2025 06:22
- Infy employs a domain generation algorithm (DGA) to make its C2 infrastructure more resilient to takedown.
  First reported: 21.12.2025 06:22 (1 source, 1 article). Source: Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence — thehackernews.com — 21.12.2025 06:22
- Foudre and Tonnerre validate candidate C2 domains using RSA signature files: a generated domain is only accepted as C2 if it hosts a signature that verifies under a key embedded in the malware, so registering a DGA domain without the operators' private key does not allow the channel to be hijacked.
  First reported: 21.12.2025 06:22 (1 source, 1 article). Source: Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence — thehackernews.com — 21.12.2025 06:22
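The validation step in this snippet is what separates Infy's DGA from a plain one, so it is worth seeing in code. The Python below is an added illustration, not Foudre or Tonnerre code: the DGA (SHA-256 over a seed and a counter), the textbook unpadded 1024-bit RSA, the seed value, and the `fetch_signature` stand-in for the HTTP download of the signature file are all assumptions made for the example. It models an operator who owns the third generated domain and a sinkhole that registered the first one with a forged signature file, and shows which domain a checking implant accepts versus one that takes the first domain that answers.

```python
"""Toy model of DGA plus signed-domain validation (added example, not Infy code)."""
import hashlib
import random

# ---- minimal RSA (textbook, no padding) so the property is visible without a library ----

_SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin with a small-prime pre-filter."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(cand):
            return cand


def make_keypair(bits: int = 1024):
    """Return (public, private) as ((n, e), (n, d)). Key size is an assumption."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))  # modular inverse needs Python 3.8+


def _digest_int(domain: str) -> int:
    return int.from_bytes(hashlib.sha256(domain.encode()).digest(), "big")


def sign_domain(domain: str, private) -> int:
    n, d = private
    return pow(_digest_int(domain), d, n)


def verify_domain(domain: str, signature: int, public) -> bool:
    n, e = public
    return pow(signature, e, n) == _digest_int(domain) % n


# ---- hypothetical DGA: a few deterministic candidates per seed (assumed, not the real one) ----

def dga(seed: str, count: int = 4, tld: str = "net"):
    return [hashlib.sha256(f"{seed}:{i}".encode()).hexdigest()[:12] + "." + tld
            for i in range(count)]


# ---- implant-side selection ----

def select_c2(candidates, fetch_signature, public):
    """Accept the first candidate whose hosted signature file verifies; fetch_signature returns int or None."""
    for domain in candidates:
        sig = fetch_signature(domain)
        if sig is not None and verify_domain(domain, sig, public):
            return domain
    return None


def simulate(seed: str = "2025-09-01"):
    """Operator owns candidate 3; a sinkhole registered candidate 1 with a forged file (constructed scenario)."""
    public, private = make_keypair()
    cands = dga(seed)
    operator, sinkhole = cands[2], cands[0]
    hosted = {                                               # what each live domain serves
        operator: sign_domain(operator, private),            # genuine signature
        sinkhole: random.getrandbits(1024) % public[0],      # forged: signer lacks the private key
    }
    naive_choice = next(d for d in cands if d in hosted)     # implant with no signature check
    return {"candidates": cands, "operator": operator, "sinkhole": sinkhole,
            "chosen": select_c2(cands, hosted.get, public), "naive_choice": naive_choice}


if __name__ == "__main__":
    print(simulate())
```

The consequence for defenders follows directly: holding some of the generated domains does not let you take over the channel, because the implant discards any domain whose signature file fails to verify, and the real operator only needs one accepted candidate. Detection therefore has to lean on the behaviour (a host resolving a sequence of fresh, DGA-shaped names and fetching a small file from each before settling on one) rather than on domain registration.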
- The latest version of Tonnerre includes a mechanism to contact a Telegram group named 'سرافراز' (Sarafraz) for C2 communication.
  First reported: 21.12.2025 06:22 (1 source, 1 article). Source: Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence — thehackernews.com — 21.12.2025 06:22
- Infy has used various malware variants over the years, including Amaq News Finder, MaxPinner, Deep Freeze, and Rugissement.
  First reported: 21.12.2025 06:22 (1 source, 1 article). Source: Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence — thehackernews.com — 21.12.2025 06:22