**Infy Returns: Iran-linked Hacking Group Shows Renewed Activity**

The cybersecurity world has been abuzz with news of a resurgence by the notorious Iranian hacking group, Infy, also known as Prince of Persia. After years of relative silence, researchers at SafeBreach have uncovered renewed activity from this highly skilled and sophisticated threat actor, sparking concerns about its potential impact on governments, organizations, and individuals worldwide.

Infy's past campaigns have been characterized by their long-running nature, targeting high-profile victims including Iranian dissidents, civil society members, journalists, and diplomats. Unlike other cyber espionage groups that often focus on financial gain, Infy has consistently pursued a more sinister agenda: gathering intelligence and compromising sensitive information.

First exposed in 2016, Prince of Persia demonstrated an impressive arsenal of tools and techniques, including website compromises, malware variants like Foudre and Tonnerre, and sophisticated traffic manipulation. The group's activities sparked widespread concern due to its apparent state-level ties and the ease with which it infiltrated even the most secure systems.

After a takedown by Palo Alto Networks in 2022, it seemed that Infy had gone dark, but SafeBreach researchers continued tracking the group using long-term indicators. Their sustained monitoring revealed a surprising truth: Prince of Persia never fully disappeared – it simply adapted its tools and infrastructure to operate more stealthily under the radar.

Recent research by SafeBreach has shown that the Iranian-linked Prince of Persia (Infy) group remains highly active and more capable than previously thought. Over the past three years, researchers have uncovered multiple campaigns using various malware variants and C2 servers. At least three Tonnerre variants have been identified, including a new v50 seen in September 2025 with a previously unknown DGA.

This latest development marks the first time since 2016 that Tonnerre has redirected victims to a Telegram group and bot, likely replacing older FTP-based data exfiltration. Analysts also found new and unknown malware families targeting Telegram, as well as evidence of continuous testing infrastructure. Despite defenses, victim data could still be retrieved from both old and new C2 servers.

SafeBreach researchers have shed light on Infy's operations by uncovering the group's ability to hide its activities through frequent changes to C2 servers, deleting malware from low-value victims, and upgrading tools in place. New findings reveal updated Foudre and Tonnerre variants, a redesigned C2 structure, and the use of Telegram bots for command and data exfiltration.

SafeBreach Labs has tracked the Iran-linked Prince of Persia group since 2019 and maintained visibility even after it appeared dormant in 2022. The findings reveal continued development of its Foudre and Tonnerre malware families, new infection vectors, and evolving C2 infrastructures.

Foudre v34 now spreads via malicious Excel files with embedded executables, evading antivirus detection and using a new two-stage DGA. Tonnerre v17 shares a similar DGA and shows careful timing tied to real-world events. The group operates complex C2 server structures to manage upgrades, validate domains, exfiltrate data, and separate real victims from attacker test systems.
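The report does not publish the DGA itself, but the defensive value of knowing that Foudre and Tonnerre locate their C2 servers through generated domains is that such lookups can be surfaced in DNS telemetry. The following is an added example, not code from SafeBreach or from the malware: a generic character-entropy and digit-ratio heuristic run over a few constructed DNS query log lines (the log format, the client address and every domain in it are made up for illustration). It flags domain labels that look machine-generated and counts how many such lookups each client made, which is the kind of burst a DGA produces while hunting for a live registration.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log: timestamp, client IP, queried name.
# These lines are invented for this example; none of the domains are indicators
# from the SafeBreach report.
SAMPLE_DNS_LOG = """\
2025-09-14T10:02:11Z 10.0.0.12 mail.example.com
2025-09-14T10:02:13Z 10.0.0.12 kq7xz2mvp9wt.net
2025-09-14T10:02:13Z 10.0.0.12 update.windows.com
2025-09-14T10:02:14Z 10.0.0.12 h3jq9lxw0zvb.net
2025-09-14T10:02:15Z 10.0.0.12 cdn.jsdelivr.net
2025-09-14T10:02:16Z 10.0.0.12 r8ytn4mzk1pq.net
"""

# Heuristic thresholds (assumptions chosen for this example, tune per environment).
ENTROPY_THRESHOLD = 3.2   # bits per character of the second-level label
MIN_LABEL_LEN = 8         # very short labels are not informative enough to judge
VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Per-character Shannon entropy of a string, in bits."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def second_level_label(domain: str) -> str:
    """Return the registrable label just left of the TLD, e.g. 'example' for mail.example.com."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_dga_like(domain: str) -> bool:
    """Flag labels that are long, high-entropy and either contain digits or are nearly vowel-free."""
    label = second_level_label(domain)
    if len(label) < MIN_LABEL_LEN or not re.fullmatch(r"[a-z0-9-]+", label):
        return False
    entropy = shannon_entropy(label)
    has_digit = any(ch.isdigit() for ch in label)
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return entropy >= ENTROPY_THRESHOLD and (has_digit or vowel_ratio < 0.2)


def parse_log(log_text: str):
    """Yield (timestamp, client, qname) tuples from the constructed log format."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            yield fields[0], fields[1], fields[2]


def detect_dga_candidates(log_text: str) -> list:
    """Return the sorted, de-duplicated list of queried names that look DGA-generated."""
    return sorted({qname for _, _, qname in parse_log(log_text) if is_dga_like(qname)})


def clients_with_bursts(log_text: str, min_hits: int = 3) -> dict:
    """Map each client to its count of DGA-like lookups, keeping only clients at or above min_hits."""
    hits = defaultdict(int)
    for _, client, qname in parse_log(log_text):
        if is_dga_like(qname):
            hits[client] += 1
    return {client: n for client, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for name in detect_dga_candidates(SAMPLE_DNS_LOG):
        print("DGA-like lookup:", name)
    for client, n in clients_with_bursts(SAMPLE_DNS_LOG).items():
        print(f"client {client} made {n} DGA-like lookups")
```

The entropy check alone is not enough: short brand names and CDN hostnames such as `jsdelivr` already score near three bits per character, which is why the rule also requires digits or a very low vowel ratio before flagging, and why the per-client burst count matters more than any single hit. In production the same logic would read from the resolver's query log or NXDOMAIN responses rather than an embedded string, and the thresholds would be baselined against the organization's own traffic.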

Researchers also uncovered techniques used to erase infections and migrate victims between C2 servers to cover tracks. Newer variants integrate Telegram for command-and-control, while older malware such as Amaq News Finder, MaxPinner, Deep Freeze, and Rugissement highlight a long-running, adaptable toolset.

The findings demonstrate a persistent, highly organized espionage operation with continuous innovation. "Despite the appearance of having gone dark in 2022, Prince of Persia threat actors have done quite the opposite," concludes the report. "Our ongoing research campaign into this prolific and elusive group has highlighted critical details about their activities, C2 servers, and identified malware variants in the last three years."