Mallory
10 malware families · Exploits CVEs in the wild

Prince of Persia

Also known as: Infy, prince_of_persia

Infy, also known as Prince of Persia and APT-C-07, is an Iranian state-sponsored threat group active since at least 2004/2007 and described as one of the oldest known Iranian APTs. Reporting links the group to the Iranian government and characterizes it as an espionage-focused actor.

The group has targeted Iranian dissidents, journalists, diplomats, governments, private-sector organizations, and regional government entities. Victims are primarily in Iran, with additional targeting or victim presence in Iraq, Turkey, India, Canada, and Europe, and previously in Sweden and the Netherlands.

Infy is associated with the malware families Foudre and Tonnerre, including multiple updated variants, as well as Tornado/Tonnerre v50 or v51 in later reporting. Foudre is described as a downloader/profiler used for reconnaissance and victim identification, while Tonnerre is used for surveillance and data exfiltration. Reporting also links Infy to older malware and tooling, including Amaq News Finder, MaxPinner, Deep Freeze, and Rugissement, and notes the discovery of additional spying tools targeting Telegram.

Tradecraft described in reporting includes: phishing delivery, including PowerPoint files and malicious Excel documents with embedded executables; use of embedded executables and self-extracting archives; frequent command-and-control (C2) rotation; deletion of malware from low-value victims; selective victim targeting; migration of victims between C2 servers; use of domain generation algorithms (DGAs) in multiple Foudre and Tonnerre variants; RSA-based C2 validation; Telegram-based C2 and data exfiltration; HTTP-based C2; scheduled-task persistence; and checks for Avast antivirus. One report states the actor used a 1-day WinRAR vulnerability, likely CVE-2025-8088 or CVE-2025-6218, to extract Tornado to the startup folder.

Adversary tools associated with Prince of Persia also searched compromised systems for file extensions related to cryptographic keys and certificates. Reporting describes a large-scale resurgence of Infy/Prince of Persia, with at least three active variants of Foudre and Tonnerre operating in parallel, using different DGAs and Telegram-backed C2. The group remained active after periods of lower visibility and continued operating during Iranian internet restrictions by re-establishing infrastructure shortly before connectivity was restored.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

MITRE ATT&CK

Tradecraft

5 distinct techniques observed across reporting, grouped by tactic.

5 of 15 tactics, 8 technique entries. ×N = number of intelligence reports citing this technique.

TA0002 Execution (2 techniques)
  T1053 Scheduled Task/Job
  T1204 User Execution

TA0003 Persistence (1 technique)
  T1053 Scheduled Task/Job

TA0004 Privilege Escalation (1 technique)
  T1053 Scheduled Task/Job

TA0006 Credential Access (1 technique)
  T1649 Steal or Forge Authentication Certificates

TA0011 Command and Control (2 techniques)
  T1071 Application Layer Protocol
  T1568 Dynamic Resolution
    T1568.002 Domain Generation Algorithms

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping (5)

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal (10)

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs (2)

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.