Malware, Threat Intelligence

Iranian Infy APT evolves tactics, leverages Telegram for C2

Iran Flag Digital Binary Code Cyberpunk Technology Concept

Coverage from The Hacker News indicates that the Iranian threat group Infy, also known as Prince of Persia, has updated its operational methods to evade detection. This evolution coincided with the re-establishment of internet access following a government-imposed blackout, according to a report by SafeBreach.

Infy ceased maintaining its command-and-control (C2) servers, a move observed on January 8, aligning with Iran's internet shutdown. Activity resumed on January 26, 2026, with the group establishing new C2 infrastructure just before internet restrictions were eased. This suggests state backing and coordination. The group, active since 2004, utilizes updated versions of its Foudre and Tonnerre malware, with the latest iteration, Tornado (version 51), employing both HTTP and Telegram for C2 communication.

Infy is also exploiting a zero-day vulnerability in WinRAR (CVE-2025-8088 or CVE-2025-6218) to deploy the Tornado payload. The malware, delivered via a self-extracting archive, checks for Avast antivirus, establishes persistence through scheduled tasks, and uses Telegram bots for data exfiltration and command reception. Recent analysis revealed a correlation between Infy's activities and the ZZ Stealer infostealer, which was also found in a malicious package targeting the Python Package Index (PyPI).

Source: The Hacker News

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds