The elusive Iranian threat group known as Infy (aka Prince of Persia) has evolved its techniques as part of efforts to cover its tracks, even as it readied new command-and-control (C2) infrastructure coinciding with the end of the widespread internet blackout the regime imposed at the beginning of January 2026.
“The threat actor stopped maintaining its C2 servers on January 8 for the first time since we began monitoring their activities,” Tomer Bar, vice president of security research at SafeBreach, said in a report shared with The Hacker News.
“This was the same day a country-wide internet shutdown was imposed by Iranian authorities in response to recent protests, which likely suggests that even government-affiliated cyber units did not have the ability or motivation to carry out malicious activities within Iran.”
The cybersecurity company said it observed renewed activity on January 26, 2026, as the hacking crew set up new C2 servers, a day before the Iranian government relaxed internet restrictions within the country. The development is significant, not least because it offers concrete evidence that the adversary is state-sponsored and backed by Iran.
Infy is just one of many state-sponsored hacking groups operating out of Iran that conduct espionage, sabotage, and influence operations aligned with Tehran’s strategic interests. But it is also one of the oldest and lesser-known groups, one that has managed to stay under the radar, attracting little attention and operating quietly since 2004 through “laser-focused” attacks aimed at individuals for intelligence gathering.
In a report published in December 2025, SafeBreach disclosed new tradecraft associated with the threat actor, including the use of updated versions of Foudre and Tonnerre, with the latter using a Telegram bot likely for issuing commands and collecting data. The latest version of Tonnerre (version 50) has been codenamed Twister.
Continued visibility into the threat actor’s operations between December 19, 2025, and February 3, 2026, has revealed that the attackers have taken the step of replacing the C2 infrastructure for all versions of Foudre and Tonnerre, as well as introducing Twister version 51, which uses both HTTP and Telegram for C2.
“It uses two different methods to generate C2 domain names: first, a new DGA algorithm and then fixed names using blockchain data de-obfuscation,” Bar said. “This is a unique approach that we assume is being used to provide greater flexibility in registering C2 domain names without the need to update the Tornado version.”
There are also indications that Infy has weaponized a 1-day security flaw in WinRAR (either CVE-2025-8088 or CVE-2025-6218) to extract the Twister payload on a compromised host. The change in attack vector is seen as a way to increase the success rate of its campaigns. The specially crafted RAR archives were uploaded to the VirusTotal platform from Germany and India in mid-December 2025, suggesting the two countries may have been targeted.
Present inside the RAR file is a self-extracting archive (SFX) that contains two files:
- AuthFWSnapin.dll, the main Twister version 51 DLL
- reg7989.dll, an installer that first checks that Avast antivirus software is not installed, and if so, creates a scheduled task for persistence and executes the Twister DLL
Twister establishes communication with the C2 server over HTTP to download and execute the main backdoor and harvest system information. If Telegram is chosen as the C2 method, Twister uses the bot API to exfiltrate system data and receive additional commands.
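Because the Telegram Bot API is plain HTTPS to a fixed host with a recognisable URL shape (`https://api.telegram.org/bot<id>:<token>/<method>`), its use as a C2 channel is visible in web-proxy or egress logs even when the message bodies are encrypted. The following is an added detection example, not code from the SafeBreach report or from the malware: it parses constructed proxy log lines, flags Bot API calls, classifies them as tasking (`getUpdates`) or exfiltration (`sendDocument` and similar), and aggregates per bot id without recording the token itself. The log format, the process name `rundll32.exe`, the bot id `123456789` and the token are all assumptions made up for the sample.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# URL shape of every Telegram Bot API call: /bot<numeric bot id>:<token>/<method>
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)

# Bot API methods grouped by the role they play in a bot-based C2 loop
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendMessage", "sendVideo", "sendAudio"}
TASKING_METHODS = {"getUpdates", "getFile"}

# Constructed sample proxy log lines (not real traffic). Assumed format:
#   timestamp client_ip process http_method url status bytes_out
SAMPLE_LOGS = [
    "2026-01-26T10:02:11Z 10.0.0.15 chrome.exe GET https://www.example.com/ 200 512",
    "2026-01-26T10:03:40Z 10.0.0.15 rundll32.exe GET "
    "https://api.telegram.org/bot123456789:AAFakeTokenPlaceholder0000/getUpdates?offset=0 200 210",
    "2026-01-26T10:03:52Z 10.0.0.15 rundll32.exe POST "
    "https://api.telegram.org/bot123456789:AAFakeTokenPlaceholder0000/sendDocument 200 48211",
    "malformed line that the parser must skip",
]


@dataclass
class Finding:
    timestamp: str
    client: str
    process: str
    bot_id: str        # numeric part only; the secret token is deliberately not stored
    api_method: str
    role: str          # "tasking", "exfil" or "other"
    bytes_out: int


def parse_line(line: str) -> Optional[Tuple[str, str, str, str, str, str, int]]:
    """Split one constructed-format log line; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 7 or not parts[6].isdigit():
        return None
    ts, client, proc, http_method, url, status, bytes_out = parts
    return ts, client, proc, http_method, url, status, int(bytes_out)


def classify(method: str) -> str:
    if method in EXFIL_METHODS:
        return "exfil"
    if method in TASKING_METHODS:
        return "tasking"
    return "other"


def detect_telegram_bot_c2(lines: List[str]) -> List[Finding]:
    """Return one Finding per log line that calls the Telegram Bot API."""
    findings: List[Finding] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, proc, _http_method, url, _status, bytes_out = parsed
        m = BOT_API_RE.search(url)
        if not m:
            continue
        method = m.group("method")
        findings.append(Finding(ts, client, proc, m.group("bot_id"), method, classify(method), bytes_out))
    return findings


def summarize_by_bot(findings: List[Finding]) -> Dict[str, dict]:
    """Aggregate per bot id: which processes talked to it, how often, and how much left the host."""
    summary: Dict[str, dict] = {}
    for f in findings:
        s = summary.setdefault(f.bot_id, {"processes": set(), "tasking": 0, "exfil": 0, "bytes_out": 0})
        s["processes"].add(f.process)
        if f.role in ("tasking", "exfil"):
            s[f.role] += 1
        s["bytes_out"] += f.bytes_out
    return summary


if __name__ == "__main__":
    hits = detect_telegram_bot_c2(SAMPLE_LOGS)
    for h in hits:
        print(f"{h.timestamp} {h.client} {h.process} bot={h.bot_id} {h.api_method} ({h.role}) out={h.bytes_out}B")
    for bot_id, s in summarize_by_bot(hits).items():
        print(f"bot {bot_id}: processes={sorted(s['processes'])} tasking={s['tasking']} exfil={s['exfil']} bytes_out={s['bytes_out']}")
```

The per-bot summary is the useful hunting pivot: a single bot id polled with `getUpdates` and then fed with `sendDocument` from a process that is not a chat client is the shape of the loop the article describes, and the bot id can be searched across the rest of the estate without ever handling the token.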

It is worth noting that version 50 of the malware used a Telegram group named سرافراز (literally translates to “sarafraz,” meaning proudly) that featured the Telegram bot “@ttestro1bot” and a user with the handle “@ehsan8999100.” In the latest version, a different user called “@Ehsan66442” has been added in place of the latter.
“As before, the bot member of the Telegram group still doesn’t have permissions to read the group’s chat messages,” Bar said. “On December 21, the original user @ehsan8999100 was added to a new Telegram channel named Test that had three subscribers. The goal of this channel is still unknown, but we assume it is being used for command and control over the victim’s machines.”
SafeBreach said it managed to extract all messages within the private Telegram group, enabling access to all exfiltrated Foudre and Tonnerre files since February 16, 2025, including 118 files and 14 shared links containing encoded commands sent to Tonnerre by the threat actor. An analysis of this data has led to two key discoveries:
- A malicious ZIP file that drops ZZ Stealer, which loads a custom variant of the StormKitty infostealer
- A “very strong correlation” between the ZZ Stealer attack chain and a campaign targeting the Python Package Index (PyPI) repository with a package named “testfiwldsd21233s” that is designed to drop an earlier iteration of ZZ Stealer and exfiltrate the data via the Telegram bot API
- A “weaker potential correlation” between Infy and Charming Kitten (aka Educated Manticore) owing to the use of ZIP and Windows Shortcut (LNK) files, and a PowerShell loader technique
“ZZ Stealer appears to be a first-stage malware (like Foudre) that first collects environmental data, screenshots, and exfiltrates all desktop files,” SafeBreach explained. “In addition, upon receiving the command ‘8==3’ from the C2 server, it will download and execute the second-stage malware also named by the threat actor as ‘8==3.'”