Ethical Hacking News
In a recent report, researchers have detailed the latest tactics and tooling of the Iranian threat group Infy, also known as Prince of Persia. The group has rebuilt its command-and-control (C2) infrastructure to use both HTTP and Telegram as communication channels, giving it greater flexibility in registering C2 domain names. The new infrastructure derives its C2 domain names from a dynamic domain generation algorithm combined with the de-obfuscation of data stored on a blockchain. The update reinforces Infy's reputation as a sophisticated state-sponsored threat actor and underlines the need for security teams to track its evolving tactics, techniques, and procedures.
Infy, a state-sponsored Iranian threat group, has conducted cyber espionage and sabotage operations since 2004. It has replaced its C2 infrastructure with an updated version called Tornado, which uses HTTP and Telegram as communication channels and generates C2 domain names with a dynamic domain generation algorithm followed by blockchain data de-obfuscation. The group is believed to have targeted specific countries, including Iran, using malicious RAR archives that exploit a 1-day security flaw in WinRAR. Its ZZ Stealer malware collects environment data and screenshots, exfiltrates desktop files, and downloads a second-stage payload named "8==3" when instructed by its C2 server. The group's continued evolution, and its ability to stay under the radar for so long, mark it as a sophisticated state-sponsored actor.
In a recent report released by SafeBreach, an Israeli cybersecurity firm, researchers have shed light on the tactics, techniques, and procedures (TTPs) employed by the elusive Iranian threat group known as Infy, also referred to as Prince of Persia. The group has been actively involved in cyber espionage and sabotage operations since 2004, making it one of the oldest state-sponsored hacking groups operating out of Iran.
The latest update from SafeBreach reveals that Infy has evolved its tactics by replacing its command-and-control (C2) infrastructure for all versions of Foudre and Tonnerre with an updated version called Tornado. This new C2 infrastructure utilizes both HTTP and Telegram as communication channels, providing the group with greater flexibility in registering C2 domain names without the need to update the Tornado version.
Tornado generates C2 domain names in two steps: a dynamic domain generation algorithm (DGA) produces the candidate names, and data published on a blockchain is then de-obfuscated to resolve the names actually in use. The switch is assessed as an attempt by Infy to raise the success rate of its campaigns. Separately, the campaign delivers Tornado through malicious RAR archives that exploit a 1-day WinRAR flaw, either CVE-2025-8088 or CVE-2025-6218, to extract the Tornado payload on the compromised host.
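To make the two-step scheme concrete, the following is an added illustration written for this page; it is not SafeBreach's analysis code and not Infy's implementation. It shows a toy DGA, an operator-side obfuscated record standing in for data published in a blockchain transaction, the implant-side resolution that combines the two, and a defender-side hunt over constructed DNS log lines. The seed, XOR key, TLD list, record format and log format are all invented assumptions; Tornado's real algorithm is not described on this page and is not reproduced here.

```python
"""
Hypothetical DGA plus out-of-band (blockchain-style) domain resolution.

Everything here is constructed for illustration: the seed, key, TLDs,
record format and log lines are NOT Infy/Tornado indicators.
"""
import base64
import hashlib
import re
from datetime import date, timedelta
from typing import List, Optional, Tuple

SEED = "example-seed"      # hypothetical DGA seed
XOR_KEY = b"k3y"           # hypothetical masking key
TLDS = ("com", "net", "org")


def dga_candidates(day: date, seed: str = SEED, count: int = 5) -> List[str]:
    """Deterministically derive `count` candidate domains for one day.
    Anyone who knows the algorithm and seed (implant, operator, or an
    analyst who reversed it) computes the same list."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).hexdigest()
        names.append(f"{digest[:12]}.{TLDS[i % len(TLDS)]}")
    return names


def obfuscate_record(text: str, key: bytes = XOR_KEY) -> str:
    """Operator side: XOR-mask a record and base64 it before publishing it
    as transaction data (constructed stand-in for an on-chain record)."""
    masked = bytes(b ^ key[i % len(key)] for i, b in enumerate(text.encode()))
    return base64.b64encode(masked).decode()


def deobfuscate_record(payload_b64: str, key: bytes = XOR_KEY) -> str:
    """Implant side: reverse the masking to recover the record."""
    raw = base64.b64decode(payload_b64)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(raw)).decode()


def resolve_c2(day: date, payload_b64: str) -> Optional[str]:
    """Pick the live C2 domain. The de-obfuscated record names the index of
    the candidate the operator actually registered, so the operator can move
    between candidates without shipping a new implant version."""
    record = deobfuscate_record(payload_b64)
    m = re.fullmatch(r"idx=(\d+)", record)
    if not m:
        return None  # malformed or tampered record: refuse rather than guess
    candidates = dga_candidates(day)
    idx = int(m.group(1))
    return candidates[idx] if idx < len(candidates) else None


def hunt_dns_log(lines: List[str], start: date, days: int) -> List[Tuple[str, str]]:
    """Defender side: flag queries for any candidate in a date window.
    Log format is constructed: '<ISO timestamp> <host> query: <domain>'."""
    watch = set()
    for d in range(days):
        watch.update(dga_candidates(start + timedelta(days=d)))
    hits = []
    for line in lines:
        m = re.match(r"\S+ (\S+) query: (\S+)$", line)
        if m and m.group(2).lower() in watch:
            hits.append((m.group(1), m.group(2).lower()))
    return hits


# Constructed sample data so the block runs offline.
DAY = date(2025, 12, 15)
ONCHAIN_RECORD = obfuscate_record("idx=2")   # operator "published" index 2
LIVE_C2 = resolve_c2(DAY, ONCHAIN_RECORD)
SAMPLE_LOG = [
    "2025-12-15T09:14:02Z ws-01 query: updates.example.org",
    f"2025-12-15T09:14:07Z ws-01 query: {LIVE_C2}",
    "2025-12-15T09:15:11Z ws-02 query: mail.example.org",
]

if __name__ == "__main__":
    print("candidates:", dga_candidates(DAY))
    print("live C2   :", LIVE_C2)
    print("hits      :", hunt_dns_log(SAMPLE_LOG, DAY, 3))
```

The defender-side point is that once the DGA is recovered, the full candidate list for a date window can be pre-computed and matched against DNS telemetry regardless of which candidate the on-chain record selects; the attacker's flexibility lies only in choosing which candidate to register, not in escaping the candidate set.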
The specially crafted RAR archives were uploaded to the VirusTotal platform in mid-December 2025, which suggests that Infy may have targeted specific countries, including Iran. The self-extracting (SFX) archive within these files carries a malicious ZIP that drops ZZ Stealer, a custom variant of the StormKitty infostealer. SafeBreach also reports a "very strong correlation" between the ZZ Stealer attack chain and a campaign against the Python Package Index (PyPI) repository that used a package named "testfiwldsd21233s".
ZZ Stealer is assessed to be a first-stage malware: it collects environment data and screenshots and exfiltrates all files on the desktop. When it receives a specific command from its C2 server, it downloads and executes a second-stage payload named "8==3". Researchers also note a "weaker potential correlation" between Infy and Charming Kitten (aka Educated Manticore), based on the shared use of ZIP and Windows Shortcut (LNK) files and a PowerShell loader technique.
SafeBreach concludes that Infy's evolution and adaptation are the marks of a sophisticated state-sponsored threat actor. Its ability to stay under the radar for so long reflects narrowly focused attacks on individuals for intelligence gathering. The fact that even government-affiliated cyber units did not have the ability or motivation to carry out malicious activity within Iran during the recent internet blackout suggests that Infy operates independently of those units, further solidifying its standing as a distinct state-sponsored threat actor.
This latest development highlights the evolving threat landscape and the need for cybersecurity professionals to stay vigilant and adapt to new tactics, techniques, and procedures employed by nation-state actors. As the cyber espionage landscape continues to evolve, it is essential to understand the motivations, tactics, and technologies used by groups like Infy to better protect against their operations.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Evolving-Threat-Landscape-Infys-Latest-Tactics-and-Technologies-ehn.shtml
Published: Thu Feb 5 06:06:58 2026 by llama3.2 3B Q4_K_M