
Iranian state-sponsored threat actors, commonly tracked as “Prince of Persia,” have resurfaced with a sophisticated cyberespionage campaign targeting global critical infrastructure and private networks.
Active since the early 2000s, this group recently deployed updated malware variants to infiltrate organizational systems and exfiltrate sensitive intelligence.
Their latest operations demonstrate a significant evolution in technical proficiency, utilizing novel evasion techniques and decentralized command-and-control (C2) infrastructures to bypass modern security defenses.
The attackers primarily initiate infections through malicious Microsoft Excel files containing embedded executables, marking a tactical shift from their previous reliance on macro-enabled documents.
These files, often disguised as benign administrative updates or regional news items, are engineered to evade standard antivirus detection engines.
Once a victim engages with the file, the malware drops a self-extracting archive that silently installs the Foudre backdoor, establishing an initial foothold within the compromised network.
SafeBreach analysts identified this renewed activity after a three-year dormant period, noting the group’s transition to more resilient operational security practices.
Their research highlighted the group’s use of distinct malware families, Foudre and Tonnerre, which now feature advanced capabilities for persistence and data theft.
The investigation also linked the operation to a specific persona, “Ehsan,” suggesting a centralized and human-operated management of the campaign’s infrastructure.
Technical Analysis of Infection and C2 Communication
The technical sophistication of this campaign is most evident in the deployment of Foudre v34 and Tonnerre v50.
Foudre v34 employs a complex multi-stage loading process where a loader DLL, identified as Conf8830.dll, executes a specific exported function named f8qb1355.
This function calls a disguised DLL file, d232, which masquerades as an MP4 video file to deceive both users and automated security tools.
Upon successful execution, the malware establishes persistence and initiates communication with C2 servers using a generated domain name.
The Domain Generation Algorithm (DGA) logic is particularly distinct, dividing the process into two phases. The first phase calculates a CRC32 checksum based on a date-formatted string, such as "LOS1{}{}{}".format(date.year, date.month, weeknumber).
The second phase transforms this output into a unique eight-character hostname. Furthermore, the Tonnerre v50 variant introduces a unique redirection mechanism involving Telegram.
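The two-phase DGA described above, modelled here as an added example for defenders (this is not SafeBreach's code or the malware's own): phase one is the CRC32 over the "LOS1{}{}{}"-formatted date string the article quotes; the ISO week-numbering convention, the phase-two letter mapping, the watchlist helper, the DNS log format and the domain suffixes are all assumptions, because the article does not publish the real second-phase transformation. An analyst who recovers the actual phase two from a sample can replace phase_two() and precompute the hostnames for the coming weeks as a DNS watchlist.

```python
import zlib
from datetime import date, timedelta

# Alphabet for the HYPOTHETICAL second phase; the real mapping is not described in the article.
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def dga_seed(d: date) -> str:
    """Phase-one input as quoted: "LOS1" + year + month + week number.
    ASSUMPTION: the article does not say which week numbering is used; ISO week is assumed."""
    week = d.isocalendar()[1]
    return "LOS1{}{}{}".format(d.year, d.month, week)


def phase_one(seed: str) -> int:
    """Phase one: CRC32 checksum of the seed string as an unsigned 32-bit integer."""
    return zlib.crc32(seed.encode("ascii")) & 0xFFFFFFFF


def phase_two(crc: int) -> str:
    """HYPOTHETICAL phase two: each of the eight nibbles of the CRC selects one letter,
    giving an eight-character hostname. Stand-in for the unpublished real transformation."""
    return "".join(ALPHABET[(crc >> (4 * i)) & 0xF] for i in range(8))


def dga_hostname(d: date) -> str:
    """Hostname the model yields for the week containing date d."""
    return phase_two(phase_one(dga_seed(d)))


def candidate_hostnames(start: date, weeks: int) -> list:
    """Hostnames for `weeks` consecutive ISO weeks from `start`, deduplicated,
    suitable for a DNS blocklist or a SIEM watchlist."""
    seen = []
    for i in range(weeks):
        h = dga_hostname(start + timedelta(weeks=i))
        if h not in seen:
            seen.append(h)
    return seen


def flag_dns_queries(log_lines, watchlist):
    """Return (client, qname) pairs for constructed DNS log lines of the form
    '<timestamp> <client-ip> <qname>' whose leftmost label is on the watchlist."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed or empty line; skip rather than crash
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname.split(".")[0] in watchlist:
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    # Constructed sample: watchlist for four weeks, plus two constructed DNS log lines.
    watch = candidate_hostnames(date(2024, 1, 15), 4)
    logs = [
        "2024-01-15T10:00:00Z 10.0.0.5 {}.example.net".format(watch[0]),  # constructed hit
        "2024-01-15T10:00:01Z 10.0.0.6 www.example.org",                  # constructed benign
    ]
    for client, qname in flag_dns_queries(logs, watch):
        print("possible DGA lookup from", client, "->", qname)
```

Because the seed changes only once per week, the watchlist stays small and can be regenerated ahead of time; the CRC32 check value for the string "123456789" (0xCBF43926) is a convenient sanity test for phase one.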
Instead of traditional FTP protocols, the malware communicates with a Telegram bot to receive commands.
The C2 communication relies on specific HTTP GET requests to validate victim machines. Foudre v34 sends a unique identifier to the server using the following structure:
https://
This granular control allows the attackers to selectively upgrade or remove infections, ensuring their operations remain undetected while maintaining long-term access to high-value targets.
