Infy (aka Prince of Persia) renewed C2 campaign after Iran blackout
Campaign
Summary
Infy (aka Prince of Persia), an Iranian APT, is still running a covert campaign across Iran, Iraq, Turkey, India, Canada, and Europe using updated Foudre v34 and Tonnerre versions 12-18 and 50. The group shifted from macro-laced Excel files to embedding executables in documents, while relying on DGA-backed C2 and Telegram-based control to keep its infrastructure resilient. SafeBreach also found RSA-based domain validation, C2 folders such as key, download, and tga.adr, and victim-specific access for some artifacts. The latest version of Tonnerre was detected in September 2025.
Related Happenings
Dust Specter Iraq Foreign Affairs AI impersonation campaign
Campaign
First: 03.03.2026 12:30
Last: 03.03.2026 12:30
Sources 1
About this happening:
**Dust Specter** targeted **Iraqi government officials** in a **January 2026** campaign that used **impersonation**, **AI tools**, and compromised infrastructure to deliver malici...
MuddyWater GhostFetch, HTTP_VIP, CHAR, and GhostBackDoor malware activity
Malware Activity
First: 23.02.2026 09:25
Last: 23.02.2026 09:25
Sources 1
About this happening:
MuddyWater's **new malware toolkit** now includes **GhostFetch**, **HTTP_VIP**, **CHAR**, and **GhostBackDoor**, extending **multi-stage delivery** and **remote-control capability...
MuddyWater Operation Olalampo campaign targeting MENA organizations and individuals
Campaign
First: 23.02.2026 09:25
Last: 23.02.2026 09:25
Sources 1
About this happening:
The **MuddyWater** campaign **Operation Olalampo** is actively targeting organizations and individuals across **MENA**, creating ongoing risk of remote compromise and follow-on in...
RedKitten campaign targeting Iranian dissidents with forged shock lures
Campaign
First: 30.01.2026 13:55
Last: 30.01.2026 13:55
Sources 1
About this happening:
The **RedKitten** campaign is spreading **SloppyMIO** malware in **Iran**, putting **NGOs** and people documenting protest-related human rights abuses at risk of surveillance and...
WinRAR path-traversal exploitation wave (CVE-2025-8088)
Exploitation Wave
First: 27.01.2026 21:38
Last: 27.01.2026 21:38
Sources 1
How related:
There are also signs that Infy has weaponized a 1-day security flaw in WinRAR (either CVE-2025-8088 or CVE-2025-6218) to extract the Tornado payload on a compromised host.
About this happening:
**CVE-2025-8088** in **WinRAR** remains part of an **ongoing exploitation wave**, with **multiple threat groups** using the flaw for **initial access** and payload delivery. The a...
Timeline
- 05.02.2026 12:25 · 1 article
  Infy operator adds @ehsan8999100 to Telegram channel Test
  Campaign Scope Update: The original user @ehsan8999100 was added to a new Telegram channel named Test that had three subscribers, while the Telegram bot member still lacked permission to read the group's chat messages; the channel was assessed as a possible command-and-control channel for victim machines.
  Sources:
  - Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends — thehackernews.com — 05.02.2026 12:25
- 05.02.2026 12:25 · 1 article
  Infy stops C2 maintenance during Iranian internet shutdown
  Campaign Scope Update: Infy stopped maintaining its C2 servers on January 8, the same day Iranian authorities imposed a country-wide internet shutdown in response to protests, suggesting the blackout constrained malicious activity inside Iran.
  Sources:
  - Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends — thehackernews.com — 05.02.2026 12:25
- 05.02.2026 12:25 · 2 articles
  Infy rebuilds C2 and deploys Tornado version 51
  Technical Analysis Update: SafeBreach observed renewed activity on January 26, 2026, when Infy set up new C2 servers, replaced C2 infrastructure for Foudre and Tonnerre, and introduced Tornado version 51 with both HTTP and Telegram for C2; the company also said the group likely weaponized a 1-day WinRAR flaw such as CVE-2025-8088 to extract the Tornado payload.
  Sources:
  - Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends — thehackernews.com — 05.02.2026 12:25
  - Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence — thehackernews.com — 21.12.2025 06:22