After a period of limited visibility, security researchers have identified renewed activity from one of the longest-operating state-aligned threat groups. Known as "Prince of Persia" or "Infy," this group has maintained a presence since approximately 2004. While recent years showed a decline in observed campaigns, new findings from SafeBreach indicate the group has remained operationally active, refining its tools to conduct surveillance on specific communities in Iran, Iraq, Turkey, India, Europe, and Canada.
The group's longevity, spanning nearly 20 years, places it alongside other established advanced persistent threats (APTs) such as Turla and APT1. According to SafeBreach researcher Tomer Bar, the group's ability to operate continuously is largely due to significant upgrades in operational security and the implementation of cryptographic controls within its communication infrastructure.
Evolving Toolsets: Foudre and Tonnerre
The group primarily relies on two custom tools: "Foudre" (Lightning) and "Tonnerre" (Thunder). These tools function in tandem to establish access and conduct data collection.
Foudre serves as the initial reconnaissance stage. Recent observations show the latest version is delivered as an executable embedded within Microsoft Excel files, a method designed to evade detection by standard antivirus engines. Foudre's primary function is triage; it collects basic system information to determine if an endpoint is of further interest. If the target matches specific criteria, the operators deploy the second-stage tool; otherwise, Foudre is commanded to remove itself from the system.
Tonnerre serves as the primary data collection tool. The latest iteration leverages the Telegram application programming interface (API) for command and control (C2). While the use of Telegram for C2 is not uncommon, this implementation is notable for its stealth. Rather than embedding the API key directly into the binary, a practice that often leads to attribution and blocking, Tonnerre retrieves the key dynamically from the C2 server only for validated targets. This approach minimizes the digital footprint left on the endpoint.
Cryptographic Defense of C2 Infrastructure
A distinct feature of the group's updated operations is the use of RSA signature verification to protect its C2 channels. Foudre utilizes a domain generation algorithm (DGA) to produce a list of potential command domains. However, unlike standard botnets that simply connect to a generated domain, Foudre validates the server's identity before exchanging data.
The tool attempts to download a signed file from the generated domain and verifies it using an embedded public key. If the file was not signed with the corresponding private key, which is held exclusively by the operators, verification with the embedded public key fails, and the tool treats the server as untrusted and proceeds to the next domain in the sequence.
This mechanism provides a reliable defense against sinkholing operations. Security researchers often disrupt botnets by registering DGA domains ahead of the threat actors to intercept traffic. In this case, even if a researcher controls the domain, they lack the private key necessary to sign the validation file. Consequently, the malware will not communicate with the sinkhole, preventing researchers from mapping the scale of the infection or redirecting the traffic.
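To make the sinkhole resistance concrete, the following Go model of the check described above is an added example, not SafeBreach's analysis code or the malware's own; the domain names, the validation payload and the map of what each domain serves are constructed for the demo, and the signature scheme (RSA PKCS#1 v1.5 over SHA-256) is an assumption.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// signedFile: the downloaded validation file, a payload plus an RSA PKCS#1 v1.5 signature over SHA-256(payload).
type signedFile struct{ Payload, Signature []byte }

// sign is the operator side: only the private-key holder can produce a
// signature that the client's embedded public key will accept.
func sign(priv *rsa.PrivateKey, payload []byte) (*signedFile, error) {
	d := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	if err != nil {
		return nil, err
	}
	return &signedFile{payload, sig}, nil
}

// selectC2 is the client side: walk the DGA candidates in order and return the first
// domain whose file verifies under pub, or "" if none does. served maps a domain to the file it answers with.
func selectC2(pub *rsa.PublicKey, candidates []string, served map[string]*signedFile) string {
	for _, domain := range candidates {
		f := served[domain]
		if f == nil {
			continue // unregistered, or registered but serving no file
		}
		d := sha256.Sum256(f.Payload)
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], f.Signature) == nil {
			return domain
		} // otherwise: not signed by the operators' key, treat as untrusted
	}
	return ""
}

// sinkholeScenario is a constructed run: a researcher pre-registered the first two candidates
// but, lacking the private key, serves nothing on one and the payload with a bogus signature on the other.
func sinkholeScenario(operator *rsa.PrivateKey) (string, error) {
	genuine, err := sign(operator, []byte("constructed validation file"))
	if err != nil {
		return "", err
	}
	bogus := &signedFile{genuine.Payload, make([]byte, len(genuine.Signature))}
	order := []string{"sinkhole-a.example", "sinkhole-b.example", "operator-c.example"}
	served := map[string]*signedFile{"sinkhole-b.example": bogus, "operator-c.example": genuine}
	return selectC2(&operator.PublicKey, order, served), nil
}
```

Running the scenario with a freshly generated operator key selects only operator-c.example; the two researcher-held domains are skipped exactly as the text describes, and a candidate list containing only sinkholes yields no C2 at all.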
Historical Resilience and Infrastructure Support
The sophistication of these current defenses appears to be a direct response to previous exposure. In 2016, Palo Alto Networks Unit 42 published a detailed analysis of the group and successfully sinkholed its servers, disrupting its operations.
Following that intervention, external observation suggests that the Telecommunication Company of Iran (TCI) assisted in restoring the group's control. Traffic destined for the sinkholes was blocked and redirected back to infrastructure controlled by the operators. This event likely drove the group to develop the cryptographically verified architecture observed today, ensuring their communications remain resistant to similar external disruption efforts.