Iranian APT Targeting Networks and Critical Infrastructure Organizations

Iranian state-sponsored threat actors, previously thought to have gone dormant, have resurfaced with sophisticated new malware campaigns targeting critical infrastructure organizations globally.

A new research report released by SafeBreach Labs reveals that the “Prince of Persia” (also known as Infy) Advanced Persistent Threat (APT) group has broken a three-year silence with a dramatic overhaul of their operational security and tooling.

Active since the early 2000s, the group seemingly vanished in 2022 following public exposure.

However, new evidence confirms they spent this period retooling. As of September 2025, the group has been observed deploying new malware variants Tonnerre v50 and Foudre v34 in parallel campaigns.

The most significant shift in their tactics is the abandonment of traditional File Transfer Protocol (FTP) methods for Command and Control (C2) communication.

Instead, the group has pivoted to using Telegram, a legitimate encrypted messaging platform, to evade detection.

The Shift to Telegram C2

The new Tonnerre v50 malware redirects infected machines to a Telegram group named “سرافراز” (Sarafraz), which translates to “Proudly.”

SafeBreach Labs has followed the Prince of Persia group since 2019. After the group appeared to go dark in 2022, our research team continued to hunt for evidence based on a variety of anchors and patterns we had defined. 

Timeline of the malware development process.

The threat actors utilize a Telegram bot to issue commands and exfiltrate victim data via the Telegram API.

Researchers identified a specific user handle, @ehsan8999100, operating alongside the bot as an administrator.

This user, likely one of the Iranian hackers behind the operation, was observed to be active as recently as December 14, 2025.

The use of a Persian name and consistent IP geolocation data pointing to cities like Tehran and Mashhad reinforces the attribution to Iranian state interests.

Alongside the shift to Telegram, the group has updated its primary loader, Foudre v34. The infection vector has evolved from simple macro-laden documents to Microsoft Excel files containing embedded executables.

Foudre v34.

These files, such as “Notable Martyrs.zip,” are designed to bypass antivirus detection and drop the malware payload.

The group is also employing complex new Domain Generation Algorithms (DGAs) to maintain resilient C2 infrastructure.

  • Tonnerre v50 uses an unknown DGA generating 13-character domains ending in .privatedns.org.
  • Foudre v34 utilizes a two-step DGA process, generating 10- or 12-character domains on TLDs like .site and .ix.tc.

“Testing” vs. “Production” Infrastructure

The investigation uncovered a massive infrastructure network, distinguishing between “testing” servers used for development and “production” servers targeting real victims.

Security professionals are advised to monitor network traffic for the identified DGA patterns and unusual Telegram API requests, as the “Prince of Persia” group has proven it is not only active but more dangerous than before.
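One way to turn that advice into a concrete log check, as an added example that is not code from the SafeBreach report: it matches DNS query names against the domain shapes described above (a 13-character label directly under privatedns.org for Tonnerre v50; a 10- or 12-character label under .site or .ix.tc for Foudre v34) and flags queries to the Telegram Bot API host. The alphanumeric character set of the DGA labels, the log line format, and api.telegram.org as the bot endpoint are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter

# Assumed label alphabet: the report does not give the DGA charset, so [a-z0-9] is a guess.
# Tonnerre v50: 13-character label directly under privatedns.org
TONNERRE_RE = re.compile(r"^[a-z0-9]{13}\.privatedns\.org$")
# Foudre v34: 10- or 12-character label directly under .site or .ix.tc
FOUDRE_RE = re.compile(r"^(?:[a-z0-9]{10}|[a-z0-9]{12})\.(?:site|ix\.tc)$")
# Assumption: Telegram bot traffic goes to the documented Bot API host.
TELEGRAM_HOSTS = {"api.telegram.org"}

# Constructed sample resolver log: "<timestamp> <client_ip> <query_name>"
SAMPLE_LOG = [
    "2025-09-12T10:00:01Z 10.0.0.5 abcdefghijklm.privatedns.org",
    "2025-09-12T10:00:02Z 10.0.0.5 api.telegram.org",
    "2025-09-12T10:00:03Z 10.0.0.7 q1w2e3r4t5.site",
    "2025-09-12T10:00:04Z 10.0.0.7 q1w2e3r4t5y6.ix.tc",
    "2025-09-12T10:00:05Z 10.0.0.9 www.example.com",
    "2025-09-12T10:00:06Z 10.0.0.9 shortname.site",
    "2025-09-12T10:00:07Z 10.0.0.5 sub.abcdefghijklm.privatedns.org",
]

def classify(hostname):
    """Return a label for a query name matching one of the reported patterns, else None."""
    h = hostname.strip().lower().rstrip(".")
    if TONNERRE_RE.match(h):
        return "tonnerre-v50-dga"
    if FOUDRE_RE.match(h):
        return "foudre-v34-dga"
    if h in TELEGRAM_HOSTS:
        return "telegram-api"
    return None

def scan_dns_log(lines):
    """Yield (timestamp, client, qname, label) for every line that matches a pattern."""
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash
        ts, client, qname = parts[0], parts[1], parts[2]
        label = classify(qname)
        if label:
            alerts.append((ts, client, qname.lower().rstrip("."), label))
    return alerts

def clients_by_label(alerts):
    """Count hits per (client, label) so one host with several pattern types stands out."""
    return Counter((client, label) for _, client, _, label in alerts)

if __name__ == "__main__":
    for alert in scan_dns_log(SAMPLE_LOG):
        print(*alert)
```

Treat hits as leads to correlate with the published IoCs rather than as confirmed compromise: these zones also host legitimate names, and the label length alone is a structural heuristic.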

DGA algorithm.

The scale of activity is significantly larger than previously estimated, with the group running multiple campaigns simultaneously.

While the majority of identified victims remain Iranian dissidents, the group’s targeting of global networks and critical infrastructure demonstrates a broadened scope.

The ability to maintain “unprecedented visibility” into these operations has allowed researchers to map out the group’s C2 structure, providing defenders with critical Indicators of Compromise (IoCs) to block these emerging threats.
