Tornado
Tornado is a malware family used by the Iranian threat actor Infy, also known as Prince of Persia. The provided reporting describes Tornado as the latest iteration of the actor’s Foudre/Tonnerre tooling, including references to Tornado as Tonnerre v50 and Tornado version 51. It supports dual command-and-control over HTTP and Telegram. SafeBreach reported that Tornado v51 is based on the Foudre family and uses two domain-generation approaches for C2 discovery: a new DGA algorithm and fixed names derived through blockchain-based deobfuscation of OP_RETURN data from blockchain.info raw address data for 1HLoD9E4SDFFPDiYfNYnkBLQ85Y51J3Zb1. Reported deobfuscated domains include dnsbroadcaster.lat and querylist.online.
The malware is reported to be delivered by exploiting a recent WinRAR vulnerability, described in the content as a 1-day or zero-day and identified as CVE-2025-8088 or CVE-2025-6218, using a self-extracting archive to place Tornado in the Startup folder. Additional persistence mechanisms mentioned include scheduled tasks. Tornado reportedly checks for the presence of Avast antivirus. The actor also used Telegram bots or a Telegram group for command reception and victim data exfiltration.
The reporting states that Infy rotated Telegram identities and replaced C2 servers and domains after public exposure, introduced new DGA domains, deleted communication logs, replaced victim IP addresses in exfiltration filenames with 0.0.0.0, and added a 256-byte base64-encoded array assessed as related to RSA verification. SafeBreach assessed the timing of the actor’s infrastructure shutdown and reactivation around Iran’s January 2026 internet blackout as strong evidence of Iranian regime sponsorship.
High-confidence infrastructure and IoC details directly mentioned in the content include C2 IPs 45.80.148.249, 45.80.148.195, 45.80.149.3, and 45.80.149.100; domains uiavuflyjqodj.conningstone.net, uiavuflyjqodj.hbmc.net, lklptttt.space, onnmuoru.privatedns.org, noonrpxv.privatedns.org, 26edd0a4.ddns.net, 92c5d3b3.ddns.net, dnsbroadcaster.lat, and querylist.online; and the blockchain address 1HLoD9E4SDFFPDiYfNYnkBLQ85Y51J3Zb1. The content also notes an observed correlation between Infy activity and ZZ Stealer, but does not establish Tornado itself as ZZ Stealer.
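A practical use of the indicators listed above is to sweep them against DNS and proxy logs. The script below is an added example, not code from Mallory or from SafeBreach's reporting; it embeds the C2 IPs and domains quoted on this page, and the key=value log format and the sample lines are constructed assumptions to be adapted to a real log source. It matches IPs exactly and matches domains either exactly or as a parent of an observed hostname, while deliberately not matching the shared dynamic-DNS parents (ddns.net, privatedns.org) on their own, since only the full hostnames are indicators.

```python
"""Sweep Tornado C2 indicators over DNS/proxy log lines.

Added example (not from the page or the vendor). The log layout below is an
assumption: timestamp followed by key=value fields. Adjust the regexes to your
own telemetry; the matching logic itself is format-independent.
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicators exactly as quoted in the page text (C2 IPs and domains).
TORNADO_IPS = {
    "45.80.148.249", "45.80.148.195", "45.80.149.3", "45.80.149.100",
}
TORNADO_DOMAINS = {
    "uiavuflyjqodj.conningstone.net", "uiavuflyjqodj.hbmc.net",
    "lklptttt.space", "onnmuoru.privatedns.org", "noonrpxv.privatedns.org",
    "26edd0a4.ddns.net", "92c5d3b3.ddns.net",
    "dnsbroadcaster.lat", "querylist.online",
}

# Hostnames: dotted labels ending in an alphabetic TLD, so IPv4 strings never match.
HOST_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Hit:
    line_no: int    # 1-based index of the log line
    kind: str       # "domain" or "ip"
    indicator: str  # the listed IoC that matched
    observed: str   # the value actually present in the log line


def match_host(host):
    """Return the listed domain that `host` equals or is a subdomain of, else None.

    'foo.ddns.net' is not a hit: the dynamic-DNS parent is shared by unrelated
    users, and only the full hostnames are indicators.
    """
    h = host.lower().rstrip(".")
    for d in TORNADO_DOMAINS:
        if h == d or h.endswith("." + d):
            return d
    return None


def match_ip(text):
    """Return the normalised IP if it is a listed C2 address, else None."""
    try:
        ip = str(ipaddress.ip_address(text))
    except ValueError:
        return None
    return ip if ip in TORNADO_IPS else None


def scan_line(line_no, line):
    """Collect domain hits, then IP hits, for one log line."""
    hits = []
    for host in HOST_RE.findall(line):
        d = match_host(host)
        if d:
            hits.append(Hit(line_no, "domain", d, host))
    for ip in IPV4_RE.findall(line):
        m = match_ip(ip)
        if m:
            hits.append(Hit(line_no, "ip", m, ip))
    return hits


def hunt(lines):
    """Scan every line and return all hits in line order."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend(scan_line(n, line))
    return hits


# Constructed sample telemetry (not real data). Lines 1-3 should hit, 4-6 should not.
SAMPLE_LOGS = [
    "2026-01-12T08:14:03Z dns client=10.0.4.21 query=uiavuflyjqodj.conningstone.net type=A",
    "2026-01-12T08:14:05Z proxy src=10.0.4.21 dst=45.80.148.249:443 host=update.example.com",
    "2026-01-12T08:15:10Z dns client=10.0.4.21 query=sub.querylist.online type=A",
    "2026-01-12T08:15:12Z dns client=10.0.4.22 query=www.example.com type=A",
    "2026-01-12T08:15:20Z proxy src=10.0.4.22 dst=45.80.148.250:443 host=cdn.example.net",
    "2026-01-12T08:16:01Z dns client=10.0.4.23 query=foo.ddns.net type=A",
]

if __name__ == "__main__":
    for h in hunt(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.kind} IoC {h.indicator} (observed {h.observed})")
```

Run it as-is to see three hits on the constructed lines; to use it on real telemetry, feed `hunt()` the lines from your resolver or proxy export. Because the actor rotated domains and C2 servers after exposure, treat the list as a point-in-time snapshot and refresh it from current reporting rather than relying on it alone.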
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
“The threat actor is using a 1-day WinRAR vulnerability (likely CVE-2025-8088 or CVE-2025-6218) to extract Tornado to the startup folder.”
“Infy is also exploiting a zero-day vulnerability in WinRAR (CVE-2025-8088 or CVE-2025-6218) to deploy the Tornado payload.”
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
“The threat actor is using a 1-day WinRAR vulnerability… to extract Tornado to the startup folder.”
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
2 techniques: “The malware, delivered via a self-extracting archive...”
Persistence
1 technique
Privilege Escalation
2 techniques: “The threat actor is using a 1-day WinRAR vulnerability… to extract Tornado to the startup folder.”
Recent activity
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Payload dropped to the Windows Startup folder via WinRAR 1-day exploitation in the described Prince of Persia campaign; specific functionality not described in the content.
Infy payload (noted as version 51) delivered via a WinRAR self-extracting archive; checks for Avast AV, establishes persistence via scheduled tasks, and uses HTTP and Telegram (bots) for C2, data exfiltration, and command reception.
Latest malware family attributed to Prince of Persia; uses dual C2 protocols (HTTP and Telegram), DGA plus blockchain-based domain deobfuscation for C2 discovery, and drops/executes a second-stage payload (described as similar to Tonnerre). Infection chain leverages a 1-day WinRAR vulnerability to place an executable in Startup and uses an installer component for persistence (scheduled task).