After years of radio silence that led many to believe they had disbanded, one of Iran’s most persistent state-sponsored threat groups has resurfaced with a revamped arsenal. A new investigation by SafeBreach Labs reveals that the group known as “Prince of Persia” (or Infy) never actually went away—they just went deep underground.
Since 2022, the group has been quietly overhauling its operations, deploying new malware variants and adopting novel command-and-control (C2) mechanisms to target victims in Iran and Europe.
“Despite the appearance of having gone dark in 2022, Prince of Persia threat actors have done quite the opposite,” the report states.
The most significant evolution in the group’s tradecraft is the shift towards using Telegram for command and control, moving away from the FTP protocols they relied on for a decade. Researchers discovered that the new Tonnerre v50 malware is designed to communicate directly with a Telegram group named “sarafraz” (Persian for “proudly”).
Researchers identified a specific user—@ehsan8999100—who appears to be a human operator managing the infections.
“Telegram may be used as a replacement to the FTP protocol used by former versions of Tonnerre,” the researchers noted. The bot associated with the group, “ttestro1bot,” and the user “Ehsan” were active as recently as December 2025, confirming the operation is live and ongoing.
The group’s toolkit has expanded significantly. The investigation uncovered multiple new variants of their flagship malware families, Foudre (“lightning”) and Tonnerre (“thunder”).
- Foudre v34: A reconnaissance tool now delivered via undetectable malicious Excel files rather than the macro-laden documents of the past.
- Tonnerre v50: The latest heavy lifter, detected in September 2025, which employs unknown algorithms to generate command domains.
“Our research identified multiple campaigns that used a large number of malware variants and C2 servers,” SafeBreach reported.
To evade detection, the group implemented complex Domain Generation Algorithms (DGAs). Instead of using static servers that can be easily blocked, the malware generates pseudo-random domain names to call home. The new algorithms create domains of 10, 12, or 13 characters, utilizing specific patterns where certain letters mimic others to create a “fingerprint” that only the attackers’ servers recognize.
Researchers noted peculiar patterns, such as “The fourth letter always equals the eleventh letter” in specific variants, hinting at the mathematical logic underneath the chaos.
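A defender can turn the structural traits quoted above (label lengths of 10, 12 or 13 and, in some variants, the fourth letter equalling the eleventh) into a cheap triage filter over DNS query logs. The following is an added example, not code from the SafeBreach report; it assumes the stated lengths refer to the second-level label and that the positional rule applies only to labels long enough to have an eleventh letter. The sample log lines are constructed, and the filter is a heuristic for surfacing candidates, not the actual DGA.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample DNS query log (not real telemetry); three lines are
# shaped to match the reported fingerprint, two are ordinary traffic.
SAMPLE_DNS_LOG = """\
2025-09-14T10:01:02Z client=10.0.0.12 query=abcdefghijdl.example A
2025-09-14T10:01:05Z client=10.0.0.12 query=qwerpoiuqwer.com A
2025-09-14T10:01:09Z client=10.0.0.15 query=mail.google.com A
2025-09-14T10:02:11Z client=10.0.0.15 query=xkdrplmnqtrzw.net A
2025-09-14T10:02:20Z client=10.0.0.20 query=abcdefghij.org A
"""

QUERY_RE = re.compile(r"query=(?P<fqdn>[A-Za-z0-9.-]+)")
REPORTED_LENGTHS = {10, 12, 13}  # label lengths named in the report


def second_level_label(fqdn: str) -> str:
    """Return the label directly left of the TLD (assumed to be the DGA output)."""
    parts = fqdn.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_label(label: str) -> Optional[str]:
    """'strong' if length and the 4th==11th rule both hold, 'weak' if only
    the length matches (10-letter labels cannot carry the positional rule),
    None if the label does not fit the reported fingerprint at all."""
    if len(label) not in REPORTED_LENGTHS or not label.isalpha():
        return None
    if len(label) >= 11:
        # Report: "The fourth letter always equals the eleventh letter"
        return "strong" if label[3] == label[10] else None
    return "weak"


def scan_dns_log(text: str) -> List[Tuple[str, str]]:
    """Yield (fqdn, confidence) for every query whose label fits the fingerprint."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        fqdn = m.group("fqdn")
        level = classify_label(second_level_label(fqdn))
        if level:
            hits.append((fqdn, level))
    return hits


if __name__ == "__main__":
    for fqdn, level in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{level:6s} {fqdn}")
```

Treat "weak" hits as a pivot for further enrichment (NXDOMAIN rate, registration age) rather than an alert on their own, since plenty of benign ten-letter labels exist.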
The findings serve as a stark warning that silence does not equal safety in the world of state-sponsored espionage. The group has spent the last three years hardening their security and diversifying their infrastructure.
As the report concludes: “This threat group is still active, relevant, and dangerous”.