542/68 Tuesday, December 23, 2025

Cybersecurity researchers have observed renewed activity from a sophisticated advanced persistent threat (APT) group known as Infy, also referred to as “Prince of Persia.” The group has a long history of cyber-espionage operations, and its latest resurgence shows an expansion of targets across multiple regions worldwide. In this campaign, the attackers are using Foudre Downloader version 34 to deliver a second-stage information-stealing malware called Tonnerre onto victim systems. The latest version of this toolkit was identified in September 2025.
In its most recent operations, the group has shifted from macro-enabled documents to embedding executable files within Excel documents, a change intended to evade detection. A key feature of the campaign is a Domain Generation Algorithm (DGA) that makes the command-and-control (C2) infrastructure more resilient to takedown. The malware also enforces strict server authentication: it downloads an RSA signature and verifies it against a public key embedded in the binary, so that it only proceeds once it has confirmed it is talking to a genuine attacker-controlled server.
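A DGA lets the operators rotate C2 domains without shipping a fixed list, but the generated names tend to look unlike human-chosen ones. The following is an added defender-side example, not code from the article or from the Infy toolkit: it scores the registrable label of each queried name in a constructed DNS resolver log for length, character entropy and vowel ratio, and reports hosts that repeatedly look up DGA-like names, counting NXDOMAIN answers as a supporting signal. The log format, the thresholds and the hostnames are all assumptions made for the example.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (not from the article and not Infy infrastructure).
# Columns: timestamp, client IP, queried name, DNS response code.
SAMPLE_DNS_LOG = """\
2025-12-23T09:00:01Z 10.0.0.5 www.example.com NOERROR
2025-12-23T09:00:02Z 10.0.0.5 api.telegram.org NOERROR
2025-12-23T09:00:03Z 10.0.0.7 xk7qz9vb2mwp4hrt.com NXDOMAIN
2025-12-23T09:00:04Z 10.0.0.7 qp3zx8vlkw9mt2rn.net NXDOMAIN
2025-12-23T09:00:05Z 10.0.0.5 mail.google.com NOERROR
2025-12-23T09:00:06Z 10.0.0.7 ytrvmzqx2bw5kpl.com NOERROR
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<rcode>\S+)$")
VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Second-level label of a name, e.g. 'example' for 'www.example.com'.
    Assumption: single-label public suffixes only; a real deployment would
    consult the public suffix list instead."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def label_features(label: str) -> dict:
    """Cheap lexical features that separate generated labels from dictionary-like ones."""
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in label) / len(label) if label else 0.0
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowel_ratio,
        "digit_ratio": digit_ratio,
    }


def is_dga_like(label: str) -> bool:
    """Heuristic: long, high-entropy labels with very few vowels.
    The thresholds are illustrative assumptions, not tuned against any real DGA."""
    f = label_features(label)
    return f["length"] >= 10 and f["entropy"] >= 3.5 and f["vowel_ratio"] < 0.2


def scan_dns_log(text: str, min_hits: int = 2) -> dict:
    """Return {client: {"dga_like": [qnames], "nxdomain": n}} for every client
    that issued at least min_hits DGA-like lookups. NXDOMAIN answers are counted
    because a DGA client typically queries many names that were never registered."""
    per_client = defaultdict(lambda: {"dga_like": [], "nxdomain": 0})
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the scan
        client, qname, rcode = m["client"], m["qname"], m["rcode"]
        if is_dga_like(registrable_label(qname)):
            per_client[client]["dga_like"].append(qname)
            if rcode == "NXDOMAIN":
                per_client[client]["nxdomain"] += 1
    return {c: v for c, v in per_client.items() if len(v["dga_like"]) >= min_hits}


if __name__ == "__main__":
    for client, info in scan_dns_log(SAMPLE_DNS_LOG).items():
        print(client, info)
```

Run against the constructed log, only 10.0.0.7 is reported, with three DGA-like names and two NXDOMAIN answers; the ordinary names on 10.0.0.5 are too short or too vowel-rich to trigger. Lexical scoring of this kind is a triage signal, not proof: pair it with NXDOMAIN rate per host and with newly-registered-domain intelligence before acting on a hit.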
Researchers also found that the latest version of Tonnerre adds Telegram as a fallback C2 channel, using bots and private groups to receive commands and exfiltrate data. Related malware was identified as well, including MaxPinner, a component built specifically to intercept Telegram content. These findings confirm that the Infy group has not ceased operations; it continues to evolve its tooling to make it more capable and stealthier in support of long-term cyber-espionage campaigns.
Source: https://thehackernews.com/2025/12/iranian-infy-apt-resurfaces-with-new.html
