Prince of Persia: A Decade of Iranian Nation-State APT Campaign Activity Under the Microscope
Summary:
The Iranian state-sponsored threat actor known as Prince of Persia (or Infy) has significantly evolved its technical proficiency and operational security after roughly three years of relative silence in public reporting. With activity traced back to 2007, the group has targeted global critical infrastructure, Iranian dissidents, and activists. Recently published research by SafeBreach Labs reveals that the group has been far more active than previously estimated, deploying multiple malware variants and more advanced C2 infrastructure. Key technical findings include several new versions of the "Foudre" and "Tonnerre" malware families, notably Tonnerre v50, which was observed as recently as September 2025. This latest variant marks a shift from FTP-based exfiltration to a Telegram bot and private group (named "Sarafraz") for receiving exfiltrated victim data and issuing commands. Beyond its primary toolset, the group has expanded its arsenal with new MaxPinner variants for spying on Telegram content, Rugissement variants that likely served as previously unknown infection vectors between 2019 and 2021, and DeepFreeze. Analysis of the Telegram infrastructure also identified a potential operator using the handle @ehsan8999100, providing rare visibility into an active account that is likely one of the operators of this state-aligned operation. This account was active in the Telegram group as recently as December 13, 2025.
Security Officer Comments:
The pivot to Telegram as a C2 mechanism in Tonnerre v50 reflects a broader trend among APTs of leveraging legitimate cloud services and encrypted messaging APIs to bypass traditional network defenses and blend into normal traffic. The group's ability to remain undetected for three years after 2021 while apparently refining its DGA and tooling demonstrates the operational maturity expected of a nation-state operation. This maturity aligns with reports of a fluid and closely interconnected ecosystem of Iranian APT operations. Most notably, the observed support from the Telecommunication Company of Iran (TCI), which blocked and redirected traffic originating in Iran that was destined for Palo Alto Networks' sinkholes in order to shield the group's infrastructure and let it regain control of victims after the Palo Alto Networks takedown, reinforces the high-level state backing this adversary enjoys. For IT-ISAC members, this development highlights the value of monitoring for unauthorized Telegram API activity (in practice, connections to api.telegram.org from hosts with no business need for it) within enterprise environments and underscores the persistent threat Iranian APTs pose to US critical infrastructure.
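As an added illustration of the monitoring point above (example detection logic written for this page, not code from the SafeBreach report or from this advisory): the script below scans web-proxy log lines for the public Telegram Bot API URL shape, https://api.telegram.org/bot<token>/<method>, separates command polling (getUpdates) from outbound sends (sendDocument, sendMessage, sendPhoto), and reports any source host that is not on an allowlist. The log layout, host names, allowlist and bot tokens are all constructed for the example; the endpoint and method names are the real Bot API ones.

```python
"""Flag Telegram Bot API use in web-proxy logs, per source host.

Added example, not code from the SafeBreach report or this advisory. The log
layout, host names, allowlist and bot tokens are constructed; only the URL shape
https://api.telegram.org/bot<token>/<method> is the real Telegram Bot API form.
"""
import re
from collections import defaultdict

TELEGRAM_API_HOST = "api.telegram.org"
# Hosts with a documented business need for Telegram (constructed allowlist).
ALLOWED_HOSTS = {"mktg-ws07"}

# Bot API calls look like https://api.telegram.org/bot<bot_id>:<secret>/<method>.
# Findings keep only the bot id; the secret half of the token is dropped.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})"
    r"/(?P<method>\w+)")

# getUpdates is how a bot polls for operator commands; send* is how data leaves.
COMMAND_METHODS = {"getUpdates"}
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}

# Constructed proxy lines: "<ts> <src_host> <verb> <url> <status> <bytes_out>".
# The last one is a CONNECT-only record from a proxy without TLS inspection.
SAMPLE_LOG = """\
2025-09-14T08:01:02Z fin-pc12 GET https://www.example.com/ 200 512
2025-09-14T08:01:09Z fin-pc12 GET https://api.telegram.org/bot7234567890:AAFakeTokenValueForIllustration_0000000/getUpdates?offset=41 200 230
2025-09-14T08:01:40Z fin-pc12 POST https://api.telegram.org/bot7234567890:AAFakeTokenValueForIllustration_0000000/sendDocument 200 1843921
2025-09-14T08:02:11Z mktg-ws07 GET https://api.telegram.org/bot1111111111:BBFakeTokenValueForIllustration_1111111/getUpdates 200 210
2025-09-14T08:03:00Z hr-lt03 GET https://web.telegram.org/k/ 200 7801
2025-09-14T08:04:00Z ops-srv2 CONNECT api.telegram.org:443 200 0
"""


def parse_line(line):
    """Split one constructed proxy record into a dict."""
    ts, host, verb, url, status, bytes_out = line.split()
    return {"ts": ts, "host": host, "verb": verb, "url": url,
            "status": int(status), "bytes_out": int(bytes_out)}


def url_host(url):
    """Host part of a full URL or of a CONNECT 'host:port' target."""
    if "://" in url:
        url = url.split("://", 1)[1]
    return url.split("/", 1)[0].split(":", 1)[0].lower()


def detect_telegram_bot_c2(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Aggregate Bot API traffic per (source host, bot id); report hosts not on
    the allowlist. A CONNECT-only contact has no bot id or method (the proxy
    never saw the path) but is still surfaced, at low severity."""
    per_bot = defaultdict(lambda: {"command_polls": 0, "exfil_calls": 0,
                                   "bytes_out": 0, "methods": set()})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        m = BOT_API_RE.search(rec["url"])
        if m:
            key, method = (rec["host"], m["bot_id"]), m["method"]
        elif url_host(rec["url"]) == TELEGRAM_API_HOST:
            key, method = (rec["host"], "unknown"), "(tls-only)"
        else:
            continue
        stats = per_bot[key]
        stats["methods"].add(method)
        if method in COMMAND_METHODS:
            stats["command_polls"] += 1
        if method in EXFIL_METHODS:
            stats["exfil_calls"] += 1
            stats["bytes_out"] += rec["bytes_out"]

    findings = []
    for (host, bot_id), stats in sorted(per_bot.items()):
        if host in allowed_hosts:
            continue
        if stats["exfil_calls"]:
            severity = "high"
        elif stats["command_polls"]:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"host": host, "bot_id": bot_id, "severity": severity,
                         "command_polls": stats["command_polls"],
                         "exfil_calls": stats["exfil_calls"],
                         "bytes_out": stats["bytes_out"],
                         "methods": sorted(stats["methods"])})
    return findings


if __name__ == "__main__":
    for f in detect_telegram_bot_c2(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['host']} -> bot {f['bot_id']}: "
              f"{f['command_polls']} polls, {f['exfil_calls']} sends, "
              f"{f['bytes_out']} bytes out, methods={f['methods']}")
```

Two caveats for anyone adapting this. Without TLS inspection the proxy records only the CONNECT target, so the bot id and method are invisible and the host-level allowlist check is the floor, not the ceiling. And ordinary Telegram desktop clients do not talk to the Bot API endpoint, so a hit on api.telegram.org from a workstation points at bot-driven tooling rather than employee chat use.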
Suggested Corrections:
IOCs found in the appendix: https://www.safebreach.com/blog/prince-of-persia-a-decade-of-an-iranian-nation-state-apt-campaign-activity/
Organizations can make APT groups’ lives more difficult. Here’s how:
- Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
- Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
- Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
- Incident response and recovery: Regardless of preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
https://www.safebreach.com/blog/prince-of-persia-a-decade-of-an-iranian-nation-state-apt-campaign-activity/