Prince of Persia APT Expands Long-Running Iranian Cyber Espionage Operations
- Actor Motivations: Espionage
- Attack Vectors: Backdoor, Downloader, Dropper, Malicious Macro, Malware, Trojan
- Attack Complexity: Medium
- Threat Risk: High Impact/Low Probability
Threat Overview
The Prince of Persia threat actor, also tracked as Infy and assessed to be linked to the Iranian state, has conducted sustained cyber espionage for over a decade. Victims are primarily in Iran, with additional infections observed across Europe, Iraq, Turkey, India, and Canada. Recent research shows a broader operational scale than previously understood: multiple parallel campaigns, frequent rotation of command-and-control (C2) infrastructure, and continuous malware development. Initial access relied on phishing with malicious Excel files that delivered updated variants of the Foudre and Tonnerre backdoors, including Tonnerre v50, which introduced Telegram-based C2. The tooling is built for long-term surveillance, data exfiltration, and selective victim management, indicating high operational maturity.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Government Agencies and Services | Verified |
| Sector | Political | Verified |
| Region | Canada | Verified |
| Region | Germany | Medium |
| Region | India | Verified |
| Region | Iran | Verified |
| Region | Iraq | Verified |
| Region | Turkey | Verified |
| Region | United States | Medium |
| Region | European Countries | Verified |
FAQs
Understanding the Prince of Persia APT Campaign
A long-running Iranian APT group known as "Prince of Persia" has run espionage campaigns using continuously updated malware such as Foudre and Tonnerre, targeting users in multiple countries with capabilities that now include Telegram-based command-and-control and data exfiltration.
Who is behind the campaign?
The group is linked to the Iranian government and has been active since at least 2007. Its operations are associated with state-sponsored surveillance and espionage goals.
What are the group's objectives?
The objectives are to gather intelligence, exfiltrate sensitive data, and monitor targets, particularly dissidents, diplomats, and critical infrastructure entities.
How did the attackers operate?
The attackers used malicious, macro-enabled Excel files to trick victims into running the malware, maintained control through C2 servers whose domains change over time, and pushed encrypted packages to upgrade the implant, issue commands, or remove it from selected victims.
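Because the initial access described above rides on Excel attachments, the first control a practitioner wants is a gateway check that decides by file content, not by extension, whether an Office attachment can carry VBA. The following is an added example, not code from the original page or from the research it summarizes: it inspects OOXML containers for a vbaProject.bin part and recognises the legacy OLE compound-file header, which is macro-capable and needs deeper parsing. The sample workbook is constructed in memory for the demonstration and is not a real document; the quarantine policy and the function names are assumptions.

```python
import io
import zipfile

# Compound File Binary (legacy .xls/.doc) header; assumed-known magic for OLE2 containers.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OOXML (.xlsx/.xlsm/.docm) files are ZIP archives and start with a local file header.
ZIP_MAGIC = b"PK\x03\x04"


def classify_office_attachment(data: bytes) -> str:
    """Classify an attachment by content: 'ooxml-macro', 'ooxml-clean', 'ole-legacy' or 'other'."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "other"
        # A vbaProject.bin part means VBA is embedded, whatever the file is called
        # (an .xlsx renamed from .xlsm still carries the part).
        if any(name.lower().endswith("vbaproject.bin") for name in names):
            return "ooxml-macro"
        if "[Content_Types].xml" in names:
            return "ooxml-clean"
        return "other"
    if data.startswith(OLE_MAGIC):
        # Binary Office formats can contain VBA streams; without a full OLE parser
        # (olevba-style) the safe gateway decision is to treat them as macro-capable.
        return "ole-legacy"
    return "other"


def should_quarantine(data: bytes) -> bool:
    """Assumed gateway policy: hold anything that can carry VBA for analyst review."""
    return classify_office_attachment(data) in {"ooxml-macro", "ole-legacy"}


def build_sample_workbook(with_macro: bool) -> bytes:
    """Construct a minimal in-memory OOXML workbook for the demonstration (not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00fake-vba-storage")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("macro workbook", build_sample_workbook(True)),
                        ("clean workbook", build_sample_workbook(False)),
                        ("legacy xls", OLE_MAGIC + b"\x00" * 64),
                        ("pdf", b"%PDF-1.7\n")]:
        print(f"{label:15s} -> {classify_office_attachment(blob):12s} quarantine={should_quarantine(blob)}")
```

The check deliberately ignores the filename: a renamed .xlsm still contains xl/vbaProject.bin, and a legacy .xls cannot be cleared without parsing its OLE streams, so both are held rather than passed on extension alone.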
Which malware families were involved?
Key malware families included Foudre (multiple versions), Tonnerre, MaxPinner (focused on Telegram spying), Amaq News Finder, Rugissement, and Deep Freeze variants.
Why did the group move to Telegram for C2?
Telegram traffic is TLS to legitimate Telegram infrastructure (the Bot API lives on api.telegram.org), so it blends with ordinary messaging traffic, is rarely blocked by egress filtering, and cannot be attributed to the actor by domain reputation alone; that makes it harder to monitor than actor-owned C2 domains. The group used a Telegram bot and a hidden group as a C2 channel in recent campaigns.
Who were the victims?
Most victims were in Iran, but others were located in Europe, Iraq, Turkey, India, and Canada. Targets included individuals and organizations deemed sensitive by the regime.
Is this a global threat?
It is a targeted threat, but with global reach. Many C2 servers appeared to be for testing, but operational servers had access to real victim data.
How can organizations defend themselves?
Block or quarantine macro-capable document formats at the mail gateway, monitor DNS and proxy logs for DGA-like domains and for Telegram Bot API traffic from processes that have no business using it, implement DGA detection, and keep forensic tooling ready so infections are identified and contained early.
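The two log-side recommendations above (DGA detection and watching Telegram connections) can be run as one pass over proxy telemetry. The block below is an added example, not code from the original page or from the researchers: it scores each requested domain on generic indicators of algorithmically generated names (character entropy, digit density, vowel scarcity) and flags requests to api.telegram.org that carry a Bot API path or come from a process outside an assumed allow-list. The DGA heuristic is generic and is not a reimplementation of Foudre's or any other family's algorithm; the log lines, the bot token in them, the allow-list and the thresholds are all constructed for the demonstration.

```python
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample proxy log (not real telemetry): timestamp endpoint process url.
# The Telegram bot token is fake and only follows the documented <numeric id>:<secret> shape.
SAMPLE_PROXY_LOG = """\
2024-05-01T09:12:03Z ws-17 excel.exe https://q7x2kz9w.com/update
2024-05-01T09:12:05Z ws-17 excel.exe https://api.telegram.org/bot123456789:AAHfiqksKZ8WmR2zJk3XqLkF_wN4mT1vPzQ/getUpdates?offset=0
2024-05-01T09:13:10Z ws-04 chrome.exe https://www.microsoft.com/en-us/download
2024-05-01T09:14:44Z ws-09 telegram.exe https://api.telegram.org/
2024-05-01T09:15:01Z ws-17 svchost.exe https://w3p9t6v1k8.net/check
"""

TELEGRAM_API_HOST = "api.telegram.org"
# Bot API requests look like /bot<id>:<secret>/<method>; the minimum secret length is an assumption.
BOT_PATH_RE = re.compile(r"^/bot\d+:[A-Za-z0-9_-]{30,}/")
# Assumed allow-list: processes expected to talk to Telegram on this estate.
ALLOWED_TELEGRAM_PROCESSES = {"telegram.exe"}


def shannon_entropy(text: str) -> float:
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def dga_score(host: str) -> int:
    """Score the second-level label on three generic DGA indicators (0..3). Heuristic only."""
    labels = host.lower().split(".")
    if len(labels) < 2:
        return 0
    sld = labels[-2]
    if len(sld) < 6:
        return 0
    score = 0
    if shannon_entropy(sld) >= 2.8:                              # near-random character mix
        score += 1
    if sum(ch.isdigit() for ch in sld) / len(sld) >= 0.25:       # digits mixed into the label
        score += 1
    if sum(ch in "aeiou" for ch in sld) / len(sld) < 0.2:        # unpronounceable
        score += 1
    return score


def analyze_proxy_log(log_text: str, dga_threshold: int = 2):
    """Return (process, host, reason) tuples for each request worth an analyst's attention."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed line; skip rather than guess
        _ts, _endpoint, process, url = fields
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if host == TELEGRAM_API_HOST:
            # Desktop/mobile Telegram clients do not use the Bot API, so a /bot<token>/ path
            # from a workstation is suspicious regardless of the process name.
            if BOT_PATH_RE.match(parsed.path):
                findings.append((process, host, "telegram-bot-api"))
            elif process not in ALLOWED_TELEGRAM_PROCESSES:
                findings.append((process, host, "telegram-from-unexpected-process"))
        elif dga_score(host) >= dga_threshold:
            findings.append((process, host, "dga-like-domain"))
    return findings


if __name__ == "__main__":
    for process, host, reason in analyze_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{reason:34s} {process:14s} {host}")
```

Note the limits: a hidden Telegram group used as a dead drop produces the same TLS session to Telegram infrastructure as a legitimate client, so process attribution and the Bot API path are the only host-side signals this pass can use; the DGA score will also miss registered dictionary-word domains, so it should feed a hunt queue rather than an automatic block.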