The Iranian threat actor known as Infy, also called Prince of Persia, has restarted its cyber operations after a brief pause that aligned closely with Iran’s nationwide internet blackout earlier this year. According to cybersecurity firm SafeBreach, the group unexpectedly stopped maintaining its command and control infrastructure on January 8, the same day Iranian authorities imposed widespread connectivity restrictions following protests across the country. SafeBreach vice president of security research Tomer Bar noted that this marked the first operational silence observed since researchers began tracking Infy’s activity, indicating that even cyber units believed to be connected to state interests were impacted by the shutdown.
Monitoring data showed Infy became active again on January 26, 2026, when it launched a fresh set of command and control servers just one day before internet access was partially restored in Iran. Researchers view the precise timing as strong evidence of state sponsorship. Infy is among several Iranian-linked hacking groups involved in long-term cyber espionage and intelligence collection aligned with national strategic goals. Unlike higher-profile operations, Infy has maintained a low public footprint since 2004, relying on carefully selected targets and quiet data theft campaigns designed to remain undetected for extended periods.
SafeBreach’s latest findings reveal that Infy has significantly modernized its technical infrastructure and malware capabilities. The group replaced all previously known command and control servers connected to its Foudre and Tonnerre malware families and rolled out a new backdoor variant known as Tornado version 51. This updated malware supports dual communication methods, allowing attackers to control infected systems through standard HTTP traffic as well as Telegram bots. Tornado also introduces a novel domain generation approach that combines a new algorithm with fixed domain names derived through blockchain data de-obfuscation, a tactic believed to provide operational flexibility and reduce the need for frequent malware updates when infrastructure changes.
Researchers also uncovered signs that Infy has exploited a recently disclosed one-day vulnerability in WinRAR, likely CVE-2025-8088 or CVE-2025-6218, to improve infection success rates. Malicious RAR files uploaded in December 2025 contained a self-extracting archive holding the Tornado payload and an installer component that checks for the presence of Avast antivirus software before creating a scheduled task to ensure persistence. Once executed, Tornado collects system details, deploys additional backdoors, and either transmits stolen data over web connections or leverages Telegram’s bot API to receive commands and exfiltrate information.
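The Telegram bot channel described above gives defenders a concrete network pattern to look for: a non-browser process calling the public Bot API on api.telegram.org, polling `getUpdates` for tasking and pushing data out with `sendDocument` or similar. The following detection logic is an added example, not code from the original article or from SafeBreach; the log format and the bot ids/tokens are constructed for illustration, while the Bot API method names are the real public ones.

```python
import re
from collections import defaultdict

# Constructed sample network log lines (not real telemetry); bot tokens are fake.
SAMPLE_LOGS = [
    "2026-01-27T10:00:01Z host=WS01 proc=updater.exe dst=api.telegram.org path=/bot111:FAKEtoken_A/getUpdates",
    "2026-01-27T10:00:31Z host=WS01 proc=updater.exe dst=api.telegram.org path=/bot111:FAKEtoken_A/sendDocument",
    "2026-01-27T10:01:05Z host=WS02 proc=chrome.exe dst=web.telegram.org path=/a/",
    "2026-01-27T10:02:11Z host=WS03 proc=powershell.exe dst=api.telegram.org path=/bot222:FAKEtoken_B/getUpdates",
    "2026-01-27T10:03:00Z host=WS01 proc=updater.exe dst=example.com path=/index.html",
]

LINE_RE = re.compile(r"host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) path=(?P<path>\S+)")
# Bot API URLs have the shape /bot<id>:<secret>/<method>; only the id is retained in findings.
BOT_RE = re.compile(r"^/bot(?P<bot_id>\d+):[A-Za-z0-9_-]+/(?P<method>[A-Za-z]+)")

TASKING = {"getUpdates"}                              # polling the bot for operator commands
EXFIL = {"sendDocument", "sendPhoto", "sendMessage"}  # pushing collected data out

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def classify(event):
    """Tag a Telegram Bot API call as tasking/exfil/other, or None if the event is unrelated."""
    if event["dst"] != "api.telegram.org":
        return None
    m = BOT_RE.match(event["path"])
    if not m:
        return None
    method = m.group("method")
    kind = "tasking" if method in TASKING else "exfil" if method in EXFIL else "other"
    return {"host": event["host"], "proc": event["proc"],
            "bot_id": m.group("bot_id"), "method": method, "kind": kind}

def find_bot_c2(lines):
    """All Bot API calls in the log, one finding per matching line."""
    events = (parse_line(l) for l in lines)
    return [f for f in (classify(e) for e in events if e) if f]

def suspicious_hosts(findings):
    """(host, proc, bot_id) tuples seen both polling and sending to the same bot:
    the bidirectional pattern a backdoor using Telegram as its channel produces."""
    kinds = defaultdict(set)
    for f in findings:
        kinds[(f["host"], f["proc"], f["bot_id"])].add(f["kind"])
    return sorted(k for k, v in kinds.items() if {"tasking", "exfil"} <= v)

if __name__ == "__main__":
    found = find_bot_c2(SAMPLE_LOGS)
    for f in found:
        print(f)
    print("bidirectional bot traffic:", suspicious_hosts(found))
```

A browser session to web.telegram.org is deliberately left unflagged; the signal is the Bot API path from a non-browser process, and the same bot id appearing in both directions raises the priority.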
Further investigation into Infy’s Telegram infrastructure allowed SafeBreach to access historical messages and stolen files shared within private groups used for command and control. This trove included more than a hundred exfiltrated files and multiple encoded command links dating back to early 2025. Among the discoveries was a malicious ZIP archive responsible for deploying ZZ Stealer, an information-stealing malware that captures screenshots, harvests files from victims’ desktops, and prepares systems for secondary payloads. Analysts also identified a strong connection between this attack chain and a previously observed malicious package uploaded to the Python Package Index repository, which was designed to distribute earlier versions of ZZ Stealer and leak stolen data through Telegram channels.
While some technical similarities were noted between Infy’s operations and those of another Iranian-linked group known as Charming Kitten, including the use of shortcut files and PowerShell-based loaders, SafeBreach described these links as tentative rather than definitive. Overall, the findings illustrate how Infy continues to refine its stealth, infrastructure resilience, and malware delivery methods. The rapid revival of its operations following Iran’s restored internet access highlights the coordinated and persistent nature of the group’s cyber espionage efforts, reinforcing concerns about the evolving sophistication of state-aligned threat actors operating from the region.