Infy Foudre and Tonnerre malware activity
Malware Activity
Summary
The Infy group is actively using Foudre and Tonnerre to deliver a second-stage implant that extracts data from high-value machines. The malware activity matters because it shows the actor is still operational in 2025 and is updating its tooling to sustain intrusion and exfiltration capabilities. The delivery chain relies on phishing emails and has evolved to make command-and-control more resilient.
Related Happenings
Vidar infostealer market rise and distribution expansion
Malware Activity
First: 28.04.2026 22:07
Last: 28.04.2026 22:07
Sources 1
About this happening:
**Vidar** remains a long-running **infostealer** threat, and **Aryaka** reported a fresh campaign in **recent weeks** that adds **new obfuscation techniques** and stronger **steal...
Silver Fox South Asia phishing campaign
Campaign
First: 24.03.2026 18:00
Last: 24.03.2026 18:00
Sources 1
About this happening:
The **Silver Fox** campaign now includes **BYOVD** abuse of a previously unknown **WatchDog Anti-malware** driver, **amsdk.sys (version 1.0.600)**, to disable security tools on co...
Keenadu Android backdoor embedded in firmware and app delivery paths
Malware Activity
First: 17.02.2026 16:05
Last: 17.02.2026 16:05
Sources 1
About this happening:
The **Keenadu** Android backdoor was found embedded in **firmware from multiple device brands**, putting infected devices and their installed apps at risk of full compromise. The...
Infy (aka Prince of Persia) renewed C2 campaign after Iran blackout
Campaign
First: 05.02.2026 12:25
Last: 05.02.2026 12:25
Sources 1
How related:
The latest findings from SafeBreach have uncovered a covert campaign that has targeted victims across Iran, Iraq, Turkey, India, and Canada, as well as Europe, using updated versions of Foudre (version 34) and Tonnerre (versions 12-18, 50).
About this happening:
**Infy (aka Prince of Persia)**, an **Iranian APT**, is still running a covert campaign across **Iran, Iraq, Turkey, India, Canada, and Europe** using updated **Foudre v34** and *...
UDPGangster backdoor deployed by MuddyWater
Malware Activity
First: 08.12.2025 08:46
Last: 08.12.2025 08:46
Sources 1
About this happening:
The **MuddyWater** group has deployed **UDPGangster**, a new backdoor that uses **UDP C2** to control compromised systems and expand post-compromise access. The malware can **exec...
Timeline
21.12.2025 06:22 · 2 articles
SafeBreach discloses active Infy malware campaign
Initial Disclosure: SafeBreach disclosed active Infy (aka Prince of Persia) activity tied to a covert campaign across Iran, Iraq, Turkey, India, Canada, and Europe. The campaign uses updated Foudre v34 and Tonnerre versions 12-18 and 50 to deliver a second-stage implant and extract data from high-value machines. It validates approved C2 domains with RSA signature files, has shifted delivery from macro-laced Microsoft Excel files to embedded executables, and coordinates control through Telegram-linked infrastructure backed by a DGA.
Sources:
- Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence — thehackernews.com — 21.12.2025 06:22