Infy Threat Group Resumes Operations, Deploys New Malware and C2 Infrastructure

Related

Share

What happened

The Iran-linked advanced persistent threat (APT) group known as Infy, also called Prince of Persia, restarted its malicious operations after a recent nationwide internet blackout in Iran, deploying new command-and-control (C2) servers and updated malware, according to SafeBreach research shared by The Hacker News.

Who is affected

Organizations with exposure to state-sponsored threats, particularly in regions previously targeted by Infy, are at risk, with evidence of updated backdoors (including Tornado v51 leveraging HTTP and Telegram for C2) and exploitation of a 1-day WinRAR vulnerability to deliver payloads.

Why CISOs should care

Infy’s resurgence underscores that long-dormant APT groups can re-emerge rapidly with enhanced capabilities and evasive infrastructure. Their use of dual-method C2, custom domain generation, and exploitation of public software flaws increases the difficulty of detection and defense, especially for global enterprises with distributed assets.

3 Practical Actions

  1. Update and Patch Critical Software: Immediately deploy patches for known exploited vulnerabilities, including the WinRAR flaws Infy may be weaponizing.
  2. Harden C2 Detection: Integrate network traffic analysis and telemetry rules for unusual HTTP and Telegram API communications that could indicate stealthy backdoor activity. 
  3. Threat Intelligence Monitoring: Subscribe to updated threat feeds and IOC lists for Infy, Foudre, Tonnerre, and Tornado variants to pre-emptively block emerging indicators and TTPs.
1524023125746
+ posts