CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

The Future of Shopping? AI + Actual Humans.

AI has changed how consumers shop by speeding up research. But one thing hasn’t changed: shoppers still trust people more than AI.

Levanta’s new Affiliate 3.0 Consumer Report reveals a major shift in how shoppers blend AI tools with human influence. Consumers use AI to explore options, but when it comes time to buy, they still turn to creators, communities, and real experiences to validate their decisions.

The data shows:

  • Only 10% of shoppers buy through AI-recommended links

  • 87% discover products through creators, blogs, or communities they trust

  • Human sources like reviews and creators rank higher in trust than AI recommendations

The most effective brands are combining AI discovery with authentic human influence to drive measurable conversions.

Affiliate marketing isn’t being replaced by AI; it’s being amplified by it.

Infy APT Resurfaces After Years of Silence, Expands Covert Espionage Operations

Security researchers have confirmed renewed activity from Infy, an Iranian-linked advanced persistent threat (APT) group also known as Prince of Persia, marking a significant resurgence after several years of relative silence. New findings indicate that the group has not only remained active but has refined its tooling, infrastructure, and operational security.

The campaign demonstrates long-term persistence, stealth-focused command-and-control (C2) validation mechanisms, and expanded geographic targeting. These developments reinforce Infy’s role as a durable cyber-espionage actor rather than a dormant or disbanded group.

Context

Infy is among the longest-running APT groups on record, with documented activity dating back to at least 2004. Despite its longevity, it has historically drawn less attention than other Iran-aligned groups such as Charming Kitten, MuddyWater, or OilRig.

Earlier campaigns primarily relied on phishing-delivered malware designed for profiling and selective follow-on exploitation. SafeBreach’s latest research shows that these foundational tactics remain intact, but the group’s operational maturity has advanced considerably.

What Happened

SafeBreach identified an active and previously undisclosed campaign using updated versions of Infy’s malware toolset. Victims span Iran, Iraq, Turkey, India, Canada, and multiple European countries.

The activity includes refreshed variants of the Foudre downloader and the Tonnerre second-stage implant. The most recent Tonnerre samples were observed as late as September 2025, contradicting assumptions that the group had gone inactive after 2022.

Technical Breakdown

Infy’s infection chain begins with phishing emails that now embed executables inside Microsoft Excel documents, replacing earlier macro-based delivery.

Once executed, Foudre profiles the victim system and selectively deploys Tonnerre to high-value targets. The group uses a domain generation algorithm (DGA) to rotate C2 infrastructure and reduce takedown risk.

A notable defense-evasion feature is Infy’s domain authentication process. Malware verifies C2 legitimacy by downloading a daily RSA-signed file, decrypting it with an embedded public key, and validating it locally before communicating.

Recent Tonnerre versions also introduce Telegram-based C2 support, with configuration files selectively served only to specific victim identifiers, further limiting exposure.

Impact Analysis

The campaign is firmly aligned with cyber-espionage objectives rather than financial crime or disruption. Data exfiltration, long-term access, and stealthy persistence are clear priorities.

The selective deployment model suggests intelligence-driven targeting, where only systems of strategic interest receive advanced implants or interactive control.

Why It Matters

Infy’s resurgence highlights a broader trend among state-aligned threat actors: low-noise operations optimized for endurance rather than visibility.

The use of cryptographic validation, DGAs, and restricted secondary payload delivery demonstrates a high level of operational discipline designed to frustrate detection and infrastructure mapping.

Expert Commentary

“Despite the appearance of having gone dark, Prince of Persia has remained active, adaptive, and dangerous,” said Tomer Bar, VP of Security Research at SafeBreach.

“The group’s emphasis on C2 validation and selective victim handling shows a mature espionage operation that prioritizes resilience over scale.”

Key Takeaways

  • Infy has been active continuously, despite limited public reporting since 2022

  • Updated malware shows improved stealth and infrastructure validation

  • Targeting spans the Middle East, Europe, South Asia, and North America

  • Telegram-based C2 adds flexibility while limiting exposure

  • The campaign underscores the persistence of long-lived APT actors
