
First discovered in 2016 by Palo Alto Networks’ Unit 42, Prince of Persia has long been linked to Iran’s state interests and espionage missions targeting foreign governments, dissidents, and critical infrastructure.
SafeBreach’s latest analysis details new malware variants Foudre v34, Tonnerre v17, and Tonnerre v50 used in global cyberespionage operations.
New Malware Variants and C2 Infrastructure
According to SafeBreach, the group’s latest campaign employed multiple Domain Generation Algorithms (DGAs) to create dynamic communication channels between infected systems and remotely controlled servers.
At least three malware variants were identified, each with distinct DGAs running simultaneously.
Foudre v34, the latest version of the group’s long-used backdoor, spreads via malicious Microsoft Excel files containing embedded executables.
The Excel file drops a DLL loader named Conf8830.dll and deploys an SFX archive disguised as a media file. This version introduces a two-tiered DGA scheme with new character transformation logic, generating domain names composed mainly of letters j-z.
Tonnerre v17, another variant linked to Foudre, uses a similar DGA with unique prefixes. Once installed, it communicates with command-and-control (C2) servers by transmitting victim GUIDs, system data, and encrypted files through structured directories such as /blog, /f, and /s.

The most advanced sample, Tonnerre v50, represents a significant evolution in operational tactics. For the first time, communication with the threat actor’s backend server is redirected via a Telegram bot to a Telegram group, likely used to issue commands and exfiltrate victim data.
Researchers identified the bot “ttestro1bot” and a linked Persian user named “Ehsan,” believed to be part of the Iranian operator team.
New C2 servers hosted in Europe were assigned IP addresses including 45.80.148.195 and 45.80.148.124, active between August and December 2025, and used domain suffixes such as .site, .hbmc.net, .ix.tc, and .privatedns.org (only .site is a true top-level domain; the others are dynamic-DNS or hosting suffixes).
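A defender-side heuristic, added here as an illustration and not code from SafeBreach, the report, or the malware itself: it scans DNS query-log lines for leading labels dominated by the letters j-z (the trait the report attributes to Foudre v34's DGA output) and raises the severity when the queried name also ends in one of the suffixes listed above. The log format, the thresholds, and the sample queries are constructed assumptions; the real DGA is not reproduced.

```python
import re
from typing import NamedTuple

# Suffixes named in the report. Only .site is a true TLD; the others are
# dynamic-DNS / hosting suffixes, so they are matched as whole suffixes.
REPORTED_SUFFIXES = (".site", ".hbmc.net", ".ix.tc", ".privatedns.org")

# Letters j-z, the character set the report says dominates the generated names.
JZ = frozenset("jklmnopqrstuvwxyz")

# Constructed thresholds (assumption): tune against your own DNS baseline.
JZ_FRACTION_MIN = 0.80   # share of letters that must fall in j-z
LABEL_LEN_MIN = 8        # short labels such as "www" are all j-z but benign

# Matches the qname in a BIND-style query log line (assumed log format).
QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN ")


class Verdict(NamedTuple):
    domain: str
    label: str
    jz_fraction: float
    suffix_match: bool
    severity: str  # "none", "medium" (j-z label only) or "high" (label + suffix)


def leading_label(domain: str) -> str:
    """Return the left-most label after stripping a reported suffix, if any."""
    d = domain.lower().rstrip(".")
    for suf in REPORTED_SUFFIXES:
        if d.endswith(suf):
            d = d[: -len(suf)]
            break
    return d.split(".")[0]


def jz_fraction(label: str) -> float:
    """Fraction of alphabetic characters in the label that lie in j-z."""
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in JZ for c in letters) / len(letters)


def assess(domain: str) -> Verdict:
    """Score one queried name; the length floor avoids flagging 'www' and 'mail'."""
    label = leading_label(domain)
    frac = jz_fraction(label)
    suffix = any(domain.lower().rstrip(".").endswith(s) for s in REPORTED_SUFFIXES)
    jz_like = len(label) >= LABEL_LEN_MIN and frac >= JZ_FRACTION_MIN
    if jz_like and suffix:
        severity = "high"
    elif jz_like:
        severity = "medium"
    else:
        severity = "none"  # a reported suffix alone is not enough to flag
    return Verdict(domain, label, round(frac, 2), suffix, severity)


def scan_log(text: str) -> list:
    """Return the verdicts for every flagged qname in a query log, in log order."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        v = assess(m.group("qname"))
        if v.severity != "none":
            hits.append(v)
    return hits


# Constructed sample log (not real telemetry); the j-z names are made up.
SAMPLE_LOG = """\
06-Nov-2025 10:01:02.123 client 10.0.0.5#51234: query: www.example.com IN A +
06-Nov-2025 10:01:03.456 client 10.0.0.5#51235: query: qrstvwxyzmnop.site IN A +
06-Nov-2025 10:01:04.789 client 10.0.0.7#51236: query: abcdefgh.hbmc.net IN A +
06-Nov-2025 10:01:05.001 client 10.0.0.9#51237: query: pqrstuvwxyjk.privatedns.org IN A +
06-Nov-2025 10:01:06.002 client 10.0.0.9#51238: query: mail.corp.local IN A +
06-Nov-2025 10:01:07.003 client 10.0.0.9#51239: query: zyxwvutsrqponm.example.net IN A +
"""

if __name__ == "__main__":
    for v in scan_log(SAMPLE_LOG):
        print(f"{v.severity:6} jz={v.jz_fraction:.2f} suffix={v.suffix_match} {v.domain}")
```

The length floor matters: "www" and "mail" are made entirely or mostly of j-z letters, so a fraction check alone would flag ordinary hostnames. Conversely a reported suffix with a non-j-z label (abcdefgh.hbmc.net in the sample) is left unflagged, since those suffixes also carry legitimate traffic; a practitioner would treat the suffix as a severity booster and feed "medium" hits into a passive-DNS or newly-observed-domain check rather than blocking on them outright.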
Ongoing Threat and Attribution
The researchers noted multiple Iranian IP traces, Telegram identifiers, and infrastructure overlaps that strengthen the government-linked attribution.
Despite attempts to obscure operations and delete evidence, SafeBreach successfully retrieved exfiltrated files and reconstructed the C2 mechanisms.
SafeBreach warns that the Prince of Persia APT remains active and continues to evolve, now integrating encrypted delivery, complex DGAs, and social platforms such as Telegram for command-and-control, posing an ongoing risk to government and infrastructure networks worldwide.
The post Cyberattacks by Iranian Nation-State APTs Targeting Vital Infrastructure appeared first on Cyber Security News.
