Current Cyber Threats

Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends

Summary:
The Iranian-linked Advanced Persistent Threat (APT) group known as Infy (or Prince of Persia) has demonstrated remarkable resilience, transitioning from a period of relative obscurity to a sophisticated, multi-stage operational model. Recent research from SafeBreach Labs reveals that the group has significantly expanded its toolkit beyond its traditional "Foudre" (lightning) and "Tonnerre" (thunder) malware families. The introduction of ZZ Stealer, a custom variant of the StormKitty infostealer, marks a shift toward more modern, modular delivery methods. Furthermore, the group has successfully integrated legitimate services like Telegram for command-and-control (C2) and exfiltration, while employing advanced Domain Generation Algorithms (DGA) to ensure infrastructure persistence against industry takedown efforts.

This latest research also highlights a significant evolution in the group’s "production" line, where they have refined the way they handle exfiltrated data. The group no longer relies solely on static FTP servers; instead, they utilize a multi-tiered architecture that includes primary collectors, secondary storage servers, and automated scripts designed to organize stolen credentials and documents by victim priority. This systematic approach to data theft suggests a high level of operational maturity and a long-term interest in maintaining access to compromised environments. By automating the classification of stolen assets, Prince of Persia can more efficiently pivot from initial infection to high-value espionage or secondary exploitation.


Security Officer Comments:
The resurgence of Prince of Persia is a significant indicator of the "long game" played by nation-state actors. While historically focused on dissidents and diplomats, the group’s expansion into more diverse malware and global infrastructure suggests a maturing capability that can easily be pivoted toward critical infrastructure or supply chain targets. Of particular concern is the "ZZ Stealer" campaign’s correlation with malicious packages discovered on the Python Package Index (PyPI). This indicates that the group is moving toward software supply chain compromise as a primary infection vector, a tactic that poses a direct risk to any organization with internal development teams or one that relies on third-party software repositories. The use of Telegram for C2 is a dual threat: it allows malicious traffic to blend into legitimate encrypted communications, often bypassing traditional perimeter security controls that do not inspect or restrict social media API traffic.


Suggested Corrections:
To defend against the evolving tactics of the Prince of Persia group, organizations should implement a layered defense strategy focused on both technical controls and visibility:
  • DNS Filtering and Sinkholing: Implement advanced DNS protection to detect and block traffic associated with the group's specific DGA patterns and unusual top-level domains (TLDs).
  • API Traffic Monitoring: Closely monitor or restrict outbound traffic to the Telegram Bot API from sensitive server environments and developer workstations.
  • Software Supply Chain Security: Utilize Software Composition Analysis (SCA) tools to vet third-party Python packages and implement "lockfiles" to prevent the automatic pulling of unverified updates from PyPI.
  • Endpoint Behavioral Detection: Configure EDR tools to alert on the execution of self-extracting archives (SFX) that drop files into %AppData% or %Temp% folders, as well as the unauthorized use of taskkill to disable security software.
  • Credential Hardening: Enforce phishing-resistant Multi-Factor Authentication (MFA) across all external-facing services to mitigate the impact of the group’s infostealer capabilities.
  • Macro and Scripting Policies: Disable macros via Group Policy for documents received from external sources and restrict the execution of PowerShell or Windows Script Host (WSH) for non-administrative users.
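As an added illustration of the API-monitoring and endpoint-detection items above (example code, not from the advisory or from SafeBreach's research), the following Python checks constructed proxy-log lines for Telegram Bot API calls from hosts that are not allowlisted, and constructed process-creation events for taskkill aimed at a security agent or for binaries executing from %AppData%/%Temp%. All host names, process names, the log format and the allowlist are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy-log lines: "<source host> <method> <url>" (not real telemetry).
PROXY_LOG = [
    "dev-ws-07 POST https://api.telegram.org/bot123456:AAexampleTOKEN/sendDocument",
    "dev-ws-07 GET https://pypi.org/simple/requests/",
    "ops-jump-01 GET https://api.telegram.org/bot987:zzExample/getUpdates",
    "web-01 GET https://example.com/",
]
# Constructed process-creation events: (host, parent image, image, command line).
PROCESS_EVENTS = [
    ("dev-ws-07", r"C:\Users\a\Downloads\report.exe",
     r"C:\Windows\System32\taskkill.exe", "taskkill /F /IM edr_agent.exe"),
    ("dev-ws-07", r"C:\Users\a\Downloads\report.exe",
     r"C:\Users\a\AppData\Roaming\svc.exe", "svc.exe"),
    ("web-01", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\taskkill.exe", "taskkill /PID 4242"),
]

BOT_API_PATH = re.compile(r"^/bot[^/]+/", re.I)  # Bot API URLs carry the bot token as the first path segment
ALLOWED_TELEGRAM_HOSTS = {"ops-jump-01"}         # hypothetical allowlist of hosts permitted to reach Telegram
PROTECTED_PROCESSES = {"edr_agent.exe"}          # placeholder name for the security agent's process
STAGING_DIRS = re.compile(r"\\(AppData|Temp)\\", re.I)  # user-writable folders SFX droppers unpack into


def telegram_bot_api_hits(log_lines, allowed_hosts=ALLOWED_TELEGRAM_HOSTS):
    """Return (host, url) for Telegram Bot API calls made by hosts that are not allowlisted."""
    hits = []
    for line in log_lines:
        host, _method, url = line.split(" ", 2)
        parts = urlsplit(url)
        if (parts.hostname == "api.telegram.org" and BOT_API_PATH.match(parts.path)
                and host not in allowed_hosts):
            hits.append((host, url))
    return hits


def suspicious_process_events(events, protected=PROTECTED_PROCESSES):
    """Flag taskkill against a protected process and binaries executing from AppData/Temp."""
    alerts = []
    for host, _parent, image, cmdline in events:
        if image.rsplit("\\", 1)[-1].lower() == "taskkill.exe":
            target = re.search(r"/im\s+(\S+)", cmdline, re.I)  # /IM <image name> form only
            if target and target.group(1).lower() in protected:
                alerts.append((host, "taskkill_security_product", cmdline))
        if STAGING_DIRS.search(image):
            alerts.append((host, "exec_from_appdata_or_temp", image))
    return alerts
```

In a real deployment the Telegram check would run against proxy or egress-firewall logs and the process check against EDR or Sysmon process-creation events, with the allowlist and protected-process names taken from the environment.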
Link(s):
https://thehackernews.com/2026/02/infy-hackers-resume-operations-with-new.html