A different approach to analyzing and simplifying threat intelligence

Threats Feed

We are excited to announce that the preliminary editions of Threats Feed and Actors Insights are now accessible to the public. Our efforts are focused on incorporating additional practical features and beneficial resources with the intention of nurturing an informed community. Stay connected for further updates.

  1. Prince of Persia APT Expands Long-Running Iranian Cyber Espionage Operations

    The Prince of Persia (Infy) Iranian state-linked threat actor has conducted sustained cyber espionage operations for over a decade, targeting victims primarily in Iran, with additional infections observed across Europe, Iraq, Turkey, India, and Canada. Recent research reveals a broader operational scale than previously understood, involving multiple parallel campaigns, frequent C2 rotation, and continuous malware development. The group leveraged phishing-based initial access using malicious Excel files to deploy updated variants of Foudre and Tonnerre, including Tonnerre v50, which introduced Telegram-based command-and-control. The malware ecosystem focuses on long-term surveillance, data exfiltration, and selective victim management, demonstrating high operational maturity.

  2. MuddyWater Deploys UDPGangster Backdoor in Regional Espionage Campaigns

    UDPGangster is a UDP-based backdoor used in recent MuddyWater cyber espionage campaigns targeting Turkey, Israel, and Azerbaijan. The attacks rely on phishing emails delivering malicious macro-enabled Word documents that decode and execute the payload. Once installed, the malware establishes persistence, performs extensive anti-analysis and sandbox evasion checks, and communicates with its C2 over non-standard UDP channels to execute commands, exfiltrate files, and deploy additional payloads. Related samples and shared infrastructure, including overlap with the Phoenix backdoor, confirm MuddyWater attribution across these regionally focused intrusions.

  3. MuddyWater Deploys New Toolset in Targeted Attacks on Israel and Egypt

    ESET researchers uncovered a new MuddyWater campaign targeting organizations in Israel and one in Egypt, primarily within the telecommunications, government, oil and energy, and manufacturing sectors. The Iran-aligned group deployed a suite of newly developed tools, including the Fooder reflective loader and MuddyViper, a C/C++ backdoor capable of credential theft, system reconnaissance, and file operations. Additional stealers such as CE-Notes, LP-Notes, and Blub, along with customized go-socks5 reverse tunnels, enhanced persistence and defense evasion. The campaign also revealed operational overlap with Lyceum, indicating MuddyWater’s role as an initial access broker. Activity ran from September 30, 2024 to March 18, 2025.

  4. Inside APT35: Leaked Files Reveal Structured IRGC Cyber-Espionage Machine

    Leaked internal documents reveal a highly structured APT35 (Charming Kitten) operation run as a quota-driven, bureaucratic intelligence unit within the IRGC IO. The materials detail coordinated, long-term cyber-espionage campaigns targeting Lebanon, Kuwait, Turkey, Saudi Arabia, South Korea, and domestic Iranian entities, with a strong focus on diplomatic, governmental, telecom, energy, and large commercial mail systems. Operators used ProxyShell, Ivanti exploits, credential replay, HERV phishing, and persistent mailbox monitoring to harvest GALs, credentials, and sensitive communications. The leak exposes end-to-end workflows: reconnaissance, exploitation, credential theft, HUMINT-focused collection, and centralized KPI reporting, confirming a mature, state-managed espionage apparatus.
