Infy Threat Group Resumes Operations, Deploys New Malware and C2 Infrastructure


What happened

The Iran-linked advanced persistent threat (APT) group known as Infy, also called Prince of Persia, restarted its malicious operations after a recent nationwide internet blackout in Iran, deploying new command-and-control (C2) servers and updated malware, according to SafeBreach research shared by The Hacker News.

Who is affected

Organizations exposed to state-sponsored threats, particularly in regions Infy has previously targeted, are at risk. The research points to updated backdoors (including Tornado v51, which uses both HTTP and Telegram for C2) and to exploitation of a 1-day WinRAR vulnerability to deliver payloads.

Why CISOs should care

Infy’s resurgence underscores that long-dormant APT groups can re-emerge rapidly with enhanced capabilities and evasive infrastructure. Their use of dual-method C2, custom domain generation, and exploitation of public software flaws increases the difficulty of detection and defense, especially for global enterprises with distributed assets.

3 Practical Actions

  1. Update and Patch Critical Software: Immediately deploy patches for known exploited vulnerabilities, including the WinRAR flaws Infy may be weaponizing.
  2. Harden C2 Detection: Add network traffic analysis and telemetry rules that flag unusual HTTP and Telegram API communications, since these can indicate stealthy backdoor activity.
  3. Threat Intelligence Monitoring: Subscribe to updated threat feeds and IOC lists for Infy, Foudre, Tonnerre, and Tornado variants to pre-emptively block emerging indicators and TTPs.
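The second action above calls for telemetry rules on Telegram API traffic. The following is an added illustration, not code from SafeBreach, The Hacker News or the malware analysis: it scans constructed proxy log lines for Telegram Bot API calls (URLs of the form `https://api.telegram.org/bot<token>/<method>`, the public shape of that API) and groups them per source host, so a workstation that suddenly polls `getUpdates` and posts `sendDocument` stands out from ordinary Telegram web use. The log format, the sample lines, the bot token and the `allowlist` of hosts that legitimately run bots are all assumptions; the bot secret is never copied into findings.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not from the article): "<timestamp> <src_ip> <method> <url> <user_agent>"
SAMPLE_PROXY_LOG = """\
2024-01-10T09:00:01Z 10.0.0.12 GET https://www.example.com/index.html Mozilla/5.0
2024-01-10T09:00:05Z 10.0.0.44 POST https://api.telegram.org/bot123456789:AAExampleTokenNotReal_0123456789/getUpdates Mozilla/4.0
2024-01-10T09:00:35Z 10.0.0.44 POST https://api.telegram.org/bot123456789:AAExampleTokenNotReal_0123456789/sendDocument Mozilla/4.0
2024-01-10T09:01:05Z 10.0.0.44 POST https://api.telegram.org/bot123456789:AAExampleTokenNotReal_0123456789/getUpdates Mozilla/4.0
2024-01-10T09:02:10Z 10.0.0.77 GET https://web.telegram.org/a/ Mozilla/5.0
"""

# Telegram Bot API requests look like https://api.telegram.org/bot<token>/<method>,
# where the token is "<numeric bot id>:<secret>". Only the bot id is retained in findings.
TELEGRAM_BOT_API = re.compile(r"^https?://api\.telegram\.org/bot(\d+):[A-Za-z0-9_-]+/(\w+)")


def parse_line(line: str):
    """Split one log line into its fields; returns None for malformed lines."""
    parts = line.strip().split(" ", 4)
    if len(parts) < 4:
        return None
    return {"ts": parts[0], "src": parts[1], "method": parts[2],
            "url": parts[3], "ua": parts[4] if len(parts) == 5 else ""}


def find_telegram_bot_c2(log_text: str, allowlist=frozenset()):
    """Group Telegram Bot API calls per source host.

    `allowlist` is an assumed, organization-specific set of hosts that are known
    to run legitimate Telegram bots; their traffic is skipped.
    """
    per_src = defaultdict(lambda: {"bot_ids": set(), "api_methods": set(), "count": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] in allowlist:
            continue
        match = TELEGRAM_BOT_API.match(rec["url"])
        if match is None:
            continue  # ordinary Telegram web/desktop browsing is not Bot API use
        entry = per_src[rec["src"]]
        entry["bot_ids"].add(match.group(1))
        entry["api_methods"].add(match.group(2))
        entry["count"] += 1
    return [
        {"src": src, "bot_ids": sorted(e["bot_ids"]),
         "api_methods": sorted(e["api_methods"]), "count": e["count"]}
        for src, e in sorted(per_src.items())
    ]


if __name__ == "__main__":
    for finding in find_telegram_bot_c2(SAMPLE_PROXY_LOG):
        print(f"{finding['src']}: {finding['count']} Bot API calls, "
              f"methods={finding['api_methods']}, bot_ids={finding['bot_ids']}")
```

In a real deployment the same grouping would run over the proxy or DNS telemetry already being collected, and the per-host counts and call intervals would feed a periodic-beaconing check; the allowlist keeps sanctioned bot integrations from generating alerts.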