Infy Hackers Resume Operations: New C2 Servers & Tactics Revealed After Iran Internet Blackout (2026)

The world of cyber espionage is abuzz with news of the notorious Iranian hacking group, Infy, resurfacing with a new strategy. But what's more intriguing is their timing and the potential implications.

After a period of silence, Infy, also known as Prince of Persia, resumed operations following the restoration of internet access in Iran. The group's activities were initially disrupted by the country's internet blackout, which began on January 8, 2026, as reported by Tomer Bar, VP of Security Research at SafeBreach.

But here's where it gets controversial: the timing of Infy's resurgence coincides with the end of the blackout, suggesting a calculated move. As the Iranian government lifted restrictions on January 27, Infy swiftly established new command-and-control (C2) servers, indicating a well-planned comeback.

This development is significant for several reasons. Firstly, it provides strong evidence of Infy's state-sponsored nature, aligning with Iran's strategic interests. Secondly, it showcases the group's adaptability, as they've evolved their tactics to conceal their operations. And thirdly, it highlights the potential for government-backed cyber units to operate within their own borders, a topic that raises ethical and legal questions.

Infy, one of the oldest and most discreet Iranian hacking groups, has been active since 2004, specializing in targeted attacks for intelligence gathering. Their recent activities involve updated versions of Foudre and Tonnerre malware, with the latter utilizing a Telegram bot for command and control. The latest version, Tonnerre 50, codenamed Tornado, employs a unique approach to domain name generation.

In a fascinating twist, Infy has also exploited a WinRAR security flaw (CVE-2025-8088 or CVE-2025-6218) to extract the Tornado payload. This change in attack vector is believed to increase campaign success rates, as evidenced by the specially crafted RAR archives uploaded to VirusTotal in December 2025, potentially targeting specific countries.

The RAR file contains a self-extracting archive with two components: AuthFWSnapin.dll, the core of Tornado 51, and reg7989.dll, an installer that verifies Avast antivirus software is absent before executing the Tornado DLL. Tornado communicates with the C2 server over HTTP or Telegram, depending on which method is configured, to download the backdoor and harvest system data.

Interestingly, the previous version of the malware used a Telegram group with a bot and a user, while the latest version replaced the user with a new one, '@Ehsan66442'. SafeBreach extracted messages from this private group, revealing a wealth of information. Among them was a malicious ZIP file that deploys ZZ Stealer, an infostealer, and the researchers found a strong correlation between ZZ Stealer and a campaign targeting the Python Package Index (PyPI) repository with a package designed to exfiltrate data via the Telegram bot API.

Furthermore, SafeBreach's analysis uncovered a potential link between Infy and another Iranian hacking group, Charming Kitten (aka Educated Manticore), based on similar techniques involving ZIP and Windows Shortcut files and a PowerShell loader.

The article concludes with a call to action, inviting readers to follow the publication on various platforms for more exclusive content. But it also leaves us with questions: How should the international community respond to state-sponsored hacking groups? What are the ethical boundaries of cyber warfare? And how can we protect against such sophisticated threats?

These are the discussions that matter, and your voice is essential in shaping the conversation. Share your thoughts in the comments below, and let's explore these complex issues together.

Author: Chrissy Homenick