Activity levels of the state-sponsored Iranian threat group
Prince of Persia were much more significant than SafeBreach researchers originally anticipated.
First made public by
Palo Alto Networks in 2016 and then years later by
SafeBreach in 2021, a
December 2025 SafeBreach report identified multiple campaigns that used a large number of malware variants and command-and-control (C2) servers — likely to target critical infrastructure worldwide.
The 2025 report by SafeBreach found at least three active variants of the Foudre and Tonnerre malware typically deployed by Prince of Persia that use different domain generation algorithms (DGA) in parallel and communicating to an active C2 server. Here’s what they found:
- Tonnerre v50: Detected as recent as September 2025, uses an unknown DGA algorithm.
- Tonnerre v12-16, uses the group’s original CRC32-based DGA.
- Tonnerre v17, uses the original CRC32 as the first stage and then adds a second-stage DGA algorithm.
For the first time
since 2016, SafeBreach researchers found that the new Tonnerre v50 malware variant was redirected by the C2 server to a Telegram group, which includes a Telegram bot that likely uses the Telegram API to send commands and get the exfiltrated victim’s data. The researchers said it’s possible the attackers used the Telegram bot as a replacement for the FTP protocol used by former versions of Tonnerre.
A warning to security teams
Security experts said teams should take the threat posed by the new Prince of Persia variants seriously.
Trevor Dearing, director of critical Infrastructure at Illumio, said these decade-long operations reflect a calculated strategy by nation-state APTs to disrupt essential services such as energy, water, and transportation that are critical to societal stability and economic resilience.
"Recent breaches in water utilities and energy systems highlight the vulnerabilities of aging infrastructure and the growing sophistication of cyber adversaries,” said Dearing. “As these threats evolve, I expect risks to critical systems to escalate in next year.”
Agnidipta Sarkar, chief evangelist at ColorTokens, said organizations should treat Foudre/Tonnerre and “Prince of Persia” IOCs as high‑priority threat intelligence, feeding them into their SIEMs, EDRs, DNS firewalls, and email security with continuous updates from vendor and community feeds. Sarkar also advised teams to use microsegmentation as a way to pre-engineer how the next breach plays out before a crisis hits.
“The attacker is clearly evolving,” said Sarkar. “A breach is not a distant possibility, but an imminent certainty that will test both technology and leadership.”
Andi Ursry, threat intelligence analyst at Blackpoint Cyber, added that this new Prince of Persia campaign reminds us that these threat actors are very patient. Ursry said APT activity like this highlights how nation-state operators can fade out of public view for years and spend that time retooling and maintaining access.
“For defenders it highlights how we’re just not dealing with outbreaks or spikes in activity, but also facing adversaries running multi-year operations that blend in with normal traffic,” said Ursry. “This type of longevity takes persistence and discipline. Over a decade, this actor rotated malware families, refreshed infrastructure, adjusted tradecraft, and stayed operational all while maintaining access. That level of adaptability is what we expect from mature nation-state groups — which is steady improvement and the goal of playing the long game.”