Executive Summary
In early 2026, the Iranian state-sponsored Advanced Persistent Threat (APT) group known as Infy, or 'Prince of Persia,' resumed operations following a period of inactivity during Iran's internet blackout in January. The group deployed updated versions of its malware tools, Foudre and Tonnerre, to target entities across Iran, Iraq, Turkey, India, Canada, and Europe. Notably, Infy stood up new command-and-control (C2) infrastructure that uses both HTTP and Telegram for communication, and exploited a 1-day vulnerability in WinRAR (CVE-2025-8088) to deliver its payloads. This resurgence underscores Infy's continued commitment to cyber espionage aligned with Tehran's strategic interests. (thehackernews.com)
The re-emergence of Infy highlights the persistent threat posed by state-sponsored cyber actors who continuously evolve their tactics to evade detection. Organizations, especially those in the targeted regions, must remain vigilant and enhance their cybersecurity measures to defend against such sophisticated threats.
Why This Matters Now
The resurgence of Infy shows a state-sponsored espionage actor that kept its tooling current through a period of inactivity and returned with fresh infrastructure. Two points are immediately actionable. First, WinRAR has no automatic update mechanism, so a 1-day exploit against it stays viable on every host whose copy has not been manually upgraded to 7.13 or later. Second, Telegram-based C2 rides on ordinary HTTPS to a widely used service, so egress controls that only allow or deny by destination domain will not catch it; they need to look at which endpoints talk to the Telegram API and how.
Attack Path Analysis
The attack begins with a spear-phishing email carrying a RAR archive built to trigger CVE-2025-8088, a path-traversal bug in WinRAR. When the recipient extracts the archive, a crafted entry is written outside the chosen extraction directory (public exploitation of this CVE abused alternate data streams to drop a file into the Windows Startup folder), so the Tornado payload executes at the next logon without any further user action beyond opening the archive. Because WinRAR does not update itself, a one-day exploit of this kind remains effective against every host still running a pre-7.13 build. Once running, Tornado establishes persistence by creating a scheduled task. Lateral movement beyond the first host is not detailed here; if the operators pursue it, it would rely on separately exploited vulnerabilities or misconfigurations, since the WinRAR bug is purely a client-side execution vector. For command and control, Tornado uses both plain HTTP and Telegram; the Telegram channel blends into legitimate HTTPS traffic to a popular service and cannot be blocked by destination alone without also blocking ordinary Telegram use. Commands are received and collected data is exfiltrated over the same channels. The impact is unauthorized access to and theft of sensitive data, with potential disruption of operations.
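The C2 description above (HTTP plus Telegram) is the kind of activity an egress proxy log can expose. The following is an added example, not code from the source reporting or from any Infy tooling: it runs simple detection rules over constructed proxy log lines and flags hosts that use the Telegram Bot API (which is what automated Telegram C2 implants normally speak, as opposed to the web or desktop client a person uses). The log format, the sample lines, the IP addresses and the bot token are all constructed for the example; real Bot API paths have the form `/bot<numeric id>:<35-character secret>/<method>`.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the source reporting). Assumed format:
# "<timestamp> <client_ip> <method> <url> <status> <user_agent...>"
SAMPLE_LOG = """\
2026-02-10T08:01:12Z 10.20.4.17 GET https://www.example.com/news 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/121.0
2026-02-10T08:01:40Z 10.20.4.17 POST https://api.telegram.org/bot1234567890:AAHxq9pQ2vB8sTkL0mNf3yZ7uWcD1eRgHjk/getUpdates 200 Mozilla/4.0 (compatible; MSIE 7.0)
2026-02-10T08:02:03Z 10.20.4.22 GET https://web.telegram.org/a/ 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/122.0
2026-02-10T08:02:15Z 10.20.4.17 POST https://api.telegram.org/bot1234567890:AAHxq9pQ2vB8sTkL0mNf3yZ7uWcD1eRgHjk/sendDocument 200 Mozilla/4.0 (compatible; MSIE 7.0)
2026-02-10T08:03:09Z 10.20.4.31 GET http://203.0.113.10/update.php?id=WIN-7F2A 200 -
"""

BOT_API_HOST = "api.telegram.org"
# Bot API paths: /bot<numeric id>:<35-char secret>/<method>. Interactive Telegram
# use (web.telegram.org, the desktop client) never hits this path shape.
BOT_API_RE = re.compile(r"^/bot(\d+:[A-Za-z0-9_-]{35})/([A-Za-z]+)")
# Old IE user agents and an empty agent are typical of hand-rolled HTTP stacks.
LEGACY_UA_RE = re.compile(r"MSIE [4-9]\.|^-$|^$")
RAW_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_line(line):
    """Split one log line into fields; return None for lines that do not fit."""
    parts = line.rstrip("\n").split(" ", 5)
    if len(parts) < 5:
        return None
    ts, client, method, url, status = parts[:5]
    ua = parts[5] if len(parts) == 6 else "-"
    u = urlsplit(url)
    return {"ts": ts, "client": client, "method": method, "scheme": u.scheme,
            "host": u.hostname or "", "path": u.path, "status": status, "ua": ua}


def classify(rec):
    """Apply the detection rules to one parsed record; return a list of findings."""
    findings = []
    if rec["host"] == BOT_API_HOST:
        m = BOT_API_RE.match(rec["path"])
        if m:
            token, api_method = m.groups()
            # Never log the full token: it is a live credential for the attacker's bot.
            findings.append({"rule": "telegram_bot_api", "severity": "high",
                             "api_method": api_method,
                             "detail": f"{api_method} with token {token[:6]}...{token[-4:]}"})
    if rec["scheme"] == "http" and RAW_IP_RE.match(rec["host"]):
        findings.append({"rule": "plain_http_to_raw_ip", "severity": "medium",
                         "detail": rec["host"]})
    if LEGACY_UA_RE.search(rec["ua"]):
        findings.append({"rule": "legacy_or_missing_user_agent", "severity": "low",
                         "detail": rec["ua"]})
    return findings


def analyze(log_text):
    """Run every rule over every line and tag each finding with client and time."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for f in classify(rec):
            out.append({**f, "client": rec["client"], "ts": rec["ts"], "host": rec["host"]})
    return out


def bot_api_clients(findings):
    """Clients that both poll for commands (getUpdates) and push data out
    (sendDocument/sendMessage/sendPhoto): a bidirectional C2 channel, not a
    one-off notification bot."""
    methods = defaultdict(set)
    for f in findings:
        if f["rule"] == "telegram_bot_api":
            methods[f["client"]].add(f["api_method"])
    return {c: sorted(m) for c, m in methods.items()
            if "getUpdates" in m and m & {"sendDocument", "sendMessage", "sendPhoto"}}


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['client']} [{f['severity']}] {f['rule']}: {f['detail']}")
    print("bidirectional Bot API clients:", bot_api_clients(found))
```

On the sample data the workstation 10.20.4.17 is the only one that both polls `getUpdates` and uploads with `sendDocument`, which is the pattern to page on; the browser session to web.telegram.org from 10.20.4.22 produces no finding, which is the point of keying on the Bot API host and path rather than on "telegram" anywhere in the URL.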
Kill Chain Progression
Initial Compromise
Description
The Infy APT group exploited a WinRAR vulnerability (CVE-2025-8088) to deliver a malicious RAR archive via spear-phishing emails, leading to the execution of the Tornado malware.
Related CVEs
CVE-2025-8088
CVSS 8.8. A path traversal in WinRAR's handling of alternate data streams (ADS) in crafted archives lets an attacker write a file outside the extraction directory, for example into the Windows Startup folder, giving arbitrary code execution at the next logon once the user extracts the archive. Fixed in WinRAR 7.13.
Affected Products:
RARLAB WinRAR – Windows builds before 7.13 (WinRAR, RAR, UnRAR and UnRAR.dll for Windows; Unix and Android builds are not affected)
Exploit Status:
exploited in the wild
CVE-2025-6218
CVSS 7.8. A directory traversal in WinRAR's handling of file paths inside crafted archives lets a remote attacker write files outside the intended extraction directory and thereby execute arbitrary code; the user must open the malicious archive. Fixed in WinRAR 7.12.
Affected Products:
RARLAB WinRAR – versions before 7.12 (7.11 and earlier)
Exploit Status:
exploited in the wild
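Both CVEs above are fixed by a version bump that WinRAR will not apply on its own, so the practical check is an inventory comparison. The following is an added example, not from the source reporting: it evaluates a constructed software inventory (hostname, DisplayName, DisplayVersion as one would export from the Windows Uninstall registry keys) against the two fixed versions. The hostnames and versions are constructed; the handling of "beta" builds as pre-release, and therefore as unpatched for the same version number, is an assumption made here for conservatism, not a vendor statement.

```python
import csv
import io
import re

# Versions in which each CVE is fixed, per the advisories cited on this page.
FIXED_IN = {"CVE-2025-8088": "7.13", "CVE-2025-6218": "7.12"}

# Constructed inventory export (assumed columns: host,display_name,version).
INVENTORY_CSV = """\
host,display_name,version
ws-fin-01,WinRAR 7.01 (64-bit),7.01
ws-fin-02,WinRAR 7.12 (64-bit),7.12
ws-hr-03,WinRAR 6.24 (32-bit),6.24
ws-dev-04,WinRAR 7.13 (64-bit),7.13
ws-dev-05,WinRAR 7.13 beta 1 (64-bit),7.13 beta 1
ws-ops-06,7-Zip 24.08 (x64),24.08
"""

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\s*beta\s*(\d+))?", re.I)


def parse_version(s):
    """Turn '7.13' or '7.13 beta 1' into a comparable tuple.
    Assumption: a beta precedes the final release of the same number, so it is
    ordered below it and treated as not yet carrying that release's fix."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, beta = int(m.group(1)), int(m.group(2)), m.group(3)
    return (major, minor, 1 if beta is None else 0)


def vulnerable_cves(version):
    """Return the CVEs (sorted) whose fix the given WinRAR version predates."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if v < parse_version(fixed))


def assess(inventory_csv):
    """Evaluate every WinRAR entry in the inventory; other products are skipped."""
    rows = []
    for rec in csv.DictReader(io.StringIO(inventory_csv)):
        if not rec["display_name"].lower().startswith("winrar"):
            continue
        rows.append({"host": rec["host"], "version": rec["version"],
                     "vulnerable_to": vulnerable_cves(rec["version"])})
    return rows


def hosts_needing_patch(rows):
    """Sorted hostnames that still need to be moved to 7.13 or later."""
    return sorted(r["host"] for r in rows if r["vulnerable_to"])


if __name__ == "__main__":
    report = assess(INVENTORY_CSV)
    for r in report:
        status = ", ".join(r["vulnerable_to"]) or "patched"
        print(f"{r['host']:10} WinRAR {r['version']:12} {status}")
    print("needs patch:", hosts_needing_patch(report))
```

The DisplayVersion values come from `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*` (and the WOW6432Node equivalent for 32-bit builds on 64-bit Windows); any endpoint-management export of that data will do. Note that a 7.12 host is clean for CVE-2025-6218 but still exposed to CVE-2025-8088, which is the one this campaign used.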
MITRE ATT&CK® Techniques
Phishing: Spearphishing Attachment
Exploitation for Client Execution
Scheduled Task/Job: Scheduled Task
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Application Layer Protocol: Web Protocols
Web Service: Bidirectional Communication
Data from Local System
Exfiltration Over C2 Channel
Hide Artifacts: Hidden Window
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security vulnerabilities are identified and addressed; all system components are protected from known vulnerabilities by installing applicable security patches
Control ID: 6.3 (6.3.3)
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Identity Management and Access Control
Control ID: Pillar 1: Identity
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Iranian state-sponsored Infy APT targets government entities with WinRAR exploits, Telegram C2 channels, and advanced evasion tactics for intelligence gathering operations.
Information Technology/IT
IT estates carry the bulk of the exposure: unmanaged WinRAR installs that never self-update leave weaponized 1-day vulnerabilities open, and flat networks let a single compromised workstation reach far more than it should, which is what zero trust segmentation is meant to contain.
Financial Services
Financial institutions face the same phishing-to-implant chain plus data exfiltration over HTTPS channels (including Telegram) that look like ordinary outbound web traffic, so egress filtering that inspects destination and behaviour, not just domain reputation, is needed alongside PCI DSS patching controls.
Telecommunications
Telecommunications operators, as critical infrastructure, are a natural espionage target; C2 hidden inside HTTPS to a popular messaging service and gaps in east-west traffic control between corporate and operational segments are the areas to harden first.
Sources
- Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends – https://thehackernews.com/2026/02/infy-hackers-resume-operations-with-new.html (verified)
- An Update on the Prince of Persia Threat Actor – https://www.safebreach.com/blog/prince-of-persia-part-ii/ (verified)
- CVE-2025-8088 Detail – https://nvd.nist.gov/vuln/detail/CVE-2025-8088 (verified)
- CVE-2025-6218 Detail – https://nvd.nist.gov/vuln/detail/CVE-2025-6218 (verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix Zero Trust CNSF may not prevent the initial execution of malware delivered via spear-phishing, it could limit the malware's ability to communicate with external command and control servers.
Control: Zero Trust Segmentation
Mitigation: Network segmentation does not stop local privilege escalation on the compromised host, but Aviatrix Zero Trust CNSF could confine what that host can reach once the attacker holds elevated privileges on it, by enforcing strict access controls between segments.
Control: East-West Traffic Security
Mitigation: Aviatrix Zero Trust CNSF could limit the malware's ability to move laterally by enforcing strict segmentation and monitoring east-west traffic, thereby reducing the attacker's ability to access additional systems.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Zero Trust CNSF could limit the malware's ability to establish command and control channels by monitoring and controlling outbound communications, thereby reducing the attacker's ability to issue commands and exfiltrate data.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Zero Trust CNSF could limit the exfiltration of sensitive data by enforcing strict egress policies and monitoring outbound traffic, thereby reducing the attacker's ability to transmit data externally.
Aviatrix Zero Trust CNSF could limit the overall impact of the attack by reducing the attacker's ability to access and exfiltrate sensitive data, thereby minimizing unauthorized access and operational disruptions.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement within the network, limiting the spread of malware.
- Deploy Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to suspicious activities promptly.
- Ensure all software, including WinRAR, is regularly updated to mitigate known vulnerabilities.
- Educate employees on recognizing and reporting phishing attempts to reduce the risk of initial compromise.