Executive Summary
In December 2025, the Iranian nation-state APT group known as Infy ("Prince of Persia") resurfaced after years of dormancy, launching a covert cyber espionage campaign using upgraded versions of its Foudre and Tonnerre malware. The attack targeted high-value individuals and organizations across Iran, Iraq, Turkey, India, Canada, and several European countries. Entry was achieved primarily via malicious Excel attachments in phishing campaigns, enabling long-term surveillance, data exfiltration, and direct access to encrypted communications such as Telegram chats. The attackers employed advanced tactics such as a Domain Generation Algorithm for resilient C2, RSA-based C2 validation, and selective victim targeting to remain undetected and persist in victim environments.
The Infy resurgence illuminates how persistent APT actors adapt tools and methods for stealth operations, leveraging social engineering and technical innovation. This case illustrates the increasing threat of highly-targeted, identity-driven espionage attacks that undermine both personal privacy and organizational security.
Why This Matters Now
This incident underscores the continued evolution and resilience of nation-state actors, who are leveraging adaptive malware, cloud-based C2, and targeted social engineering. As organizations accelerate zero trust initiatives and data privacy remains a global concern, persistent threats like Infy's campaign highlight urgent gaps in endpoint, lateral movement, and encrypted traffic monitoring.
Attack Path Analysis
The Infy APT group initiated its attack via spear-phishing emails containing malicious macro-laced Excel documents, delivering the Foudre downloader onto victim endpoints. After initial access, the malware established persistence and potentially leveraged application-level or local privilege escalation to maintain control. Using the implanted malware, the attackers conducted lateral movement by profiling infected systems for value, possibly exploring internal workloads or accesses. The malware then set up resilient command-and-control channels using a custom DGA, falling back to Telegram for instructions and the transfer of exfiltrated data. Sensitive files and communications were exfiltrated in encrypted form over HTTPS and Telegram, relying on authenticated GUIDs and indirect delivery to the C2. While overt impact was minimized for stealth, the campaign resulted in significant loss of sensitive data and long-term monitoring of victims.
Kill Chain Progression
Initial Compromise
Description
Attackers sent targeted phishing emails embedding malicious Excel documents, which, when opened by victims, executed the Foudre malware downloader.
Related CVEs
CVE-2017-0199
CVSS 7.8 – Microsoft Office Remote Code Execution Vulnerability
Affected Products: Microsoft Office – 2010 SP2, 2013 SP1, 2016
Exploit Status: exploited in the wild
CVE-2017-11882
CVSS 7.8 – Microsoft Office Memory Corruption Vulnerability
Affected Products: Microsoft Office – 2007 SP3, 2010 SP2, 2013 SP1, 2016
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Phishing: Spearphishing Attachment
User Execution: Malicious File
Command and Scripting Interpreter
Ingress Tool Transfer
Obfuscated Files or Information
Non-Application Layer Protocol
Application Layer Protocol: Web Protocols
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – Monitor and Log Access to System Components
Control ID: 10.2.5
CISA Zero Trust Maturity Model 2.0 – Phishing Resistance and Strong Authentication
Control ID: Identity Pillar
DORA (Digital Operational Resilience Act) – ICT Security and Data Breaches
Control ID: Art. 6(2)
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: Section 500.03
NIS2 Directive – Detection and Response Capabilities
Control ID: Article 21(2)(d)
GDPR – Security of Processing
Control ID: Article 32
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Iranian Infy APT's cyber espionage targeting dissidents and academics poses significant threats to government communications, requiring enhanced east-west traffic security and zero trust segmentation.
Higher Education/Academia
Academic institutions face targeted surveillance risks from Prince of Persia APT's long-term espionage campaigns, necessitating improved threat detection and encrypted traffic protection capabilities.
Telecommunications
Telecom infrastructure is vulnerable to the Iranian APT's Telegram-based command and control operations, requiring multicloud visibility, egress security enforcement, and inline intrusion prevention systems.
Information Technology/IT
The IT sector is at high risk from sophisticated malware variants using domain generation algorithms and RSA validation, demanding a cloud native security fabric and anomaly detection capabilities.
Sources
- Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence: https://thehackernews.com/2025/12/iranian-infy-apt-resurfaces-with-new.html
- Breaking Foudre Domain Generation Algorithm and Discovering Tonnerre Latest Active Version: https://www.safebreach.com/blog/breaking-foudre-domain-generation-algorithm-and-discovering-tonnerre-latest-active-version/
- Unmasking the Evolving Iranian Prince of Persia: https://www.safebreach.com/blog/prince-of-persia-a-decade-of-an-iranian-nation-state-apt-campaign-activity/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Comprehensive zero trust controls—such as segmentation, east-west monitoring, inline detection, and egress enforcement—could have disrupted Infy’s attack progression by restricting malware movement, promptly flagging anomalous C2 behaviors, and preventing covert exfiltration. CNSF-aligned protections would reduce attack surface, limit exploit scope, and increase detection and response speed across hybrid and cloud-native infrastructures.
Control: Threat Detection & Anomaly Response
Mitigation: Anomalous file downloads or macro execution triggers immediate alerts for incident response.
Control: Zero Trust Segmentation
Mitigation: Malware’s ability to escalate privileges is constrained by least-privilege policy and microsegmentation.
Control: East-West Traffic Security
Mitigation: Suspicious workload-to-workload and service-to-service communications are detected and blocked.
Control: Cloud Firewall (ACF)
Mitigation: Outbound connections to unauthorized domains or DGA-based C2 endpoints are blocked; suspicious Telegram C2 traffic is detected.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound data flows to unapproved destinations are blocked and monitored for anomalies.
Full-stack activity monitoring aids rapid detection of compromise and limits dwell time.
Impact at a Glance
Affected Business Functions
- Communications
- Research and Development
- Government Operations
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive communications, intellectual property, and government documents due to prolonged surveillance and data exfiltration activities.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation and least privilege policies to limit malware’s lateral reach and privileged actions.
- Enforce strict egress control and FQDN/URL filtering to disrupt command-and-control and exfiltration attempts, including unconventional APIs like Telegram.
- Deploy inline threat detection, anomaly response, and baselining to catch suspicious attachments, macros, and behavioral outliers early in the attack.
- Enhance east-west traffic visibility and microsegmentation, especially in multicloud and hybrid networks, to identify and block covert reconnaissance and movement.
- Centralize policy management and automate incident response workflows using Cloud Native Security Fabric for rapid containment of high-value threat actors.