Executive Summary
In December 2025, security researchers revealed that the Iranian advanced persistent threat (APT) group "Prince of Persia" (also known as "Infy"), long believed to be dormant, had in fact remained operational for years. Leveraging upgraded versions of its Foudre and Tonnerre malware families, the group conducted persistent cyber espionage against Iranian dissidents, as well as individuals in Iraq, Turkey, India, Europe, and Canada. The attackers used cryptographic techniques to protect command-and-control (C2) communication, including RSA signature verification of dynamically generated C2 domains and Telegram-based channels, giving them stealthy, resilient infrastructure that resists both traditional detection and takedown. The group's disciplined operational security, government backing, and resilient infrastructure set it apart from typical regional APTs.
This incident underscores increasing sophistication among state-backed APT groups and highlights modern approaches to persistence and evasion, particularly as threat actors adopt novel uses of cryptography and messaging platforms for infrastructure protection. It warns organizations worldwide to review their readiness against stealthy advanced campaigns that evade known countermeasures.
Why This Matters Now
This case demonstrates the evolving techniques APTs use to avoid detection and takedown, employing cryptographic domain validation and novel C2 channels. As threat actors refine these tactics and target high-risk groups globally, organizations must enhance east-west and encrypted traffic monitoring, advance segmentation policies, and prepare for C2 infrastructures that are resilient to traditional interventions.
Attack Path Analysis
The Prince of Persia APT initiated attacks by delivering a malicious Excel attachment carrying a custom loader (Foudre) to target users, establishing initial access. After the initial compromise, the attackers assessed each victim's suitability and deployed a secondary tool (Tonnerre) for deeper access and to ensure persistence. They likely pivoted across internal systems, exploiting evasion opportunities and segmentation gaps to extend their reach. Command and control was maintained stealthily over encrypted channels, the Telegram API, and obfuscated infrastructure (a domain generation algorithm, or DGA, whose domains are validated with RSA signatures). Sensitive data was exfiltrated over these same channels before the attackers covered their tracks and sustained long-term espionage while minimizing disruption.
Kill Chain Progression
Initial Compromise
Description
A malicious Excel file was delivered to targets by phishing; the embedded Foudre malware bypassed antivirus controls to establish the implant on the victim's system.
Related CVEs
CVE-2018-13379 (CVSS 9.8)
A path traversal vulnerability in the Fortinet FortiOS SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.
Affected Products: Fortinet FortiOS – 5.6.0 to 5.6.7, 6.0.0 to 6.0.4
Exploit Status: exploited in the wild
CVE-2021-34473 (CVSS 9.8)
A remote code execution vulnerability exists in Microsoft Exchange Server due to improper handling of objects in memory.
Affected Products: Microsoft Exchange Server – 2013 CU23, 2016 CU19 and CU20, 2019 CU8 and CU9
Exploit Status: exploited in the wild
CVE-2023-27350 (CVSS 9.8)
An improper access control vulnerability in PaperCut MF/NG allows an unauthenticated attacker to bypass authentication and execute arbitrary code with SYSTEM privileges.
Affected Products: PaperCut MF/NG – 21.2.0 to 21.2.8, 22.0.0 to 22.0.3
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Phishing: Spearphishing Attachment
User Execution: Malicious File
Command and Scripting Interpreter
Non-Application Layer Protocol
Fallback Channels
Exfiltration Over C2 Channel
Hidden Files and Directories
Obfuscated Files or Information
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Review Logs and Security Events
Control ID: 10.6.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 12
CISA ZTMM 2.0 – Continuous Monitoring and Analytics
Control ID: 2.10
NIS2 Directive – Incident Detection and Response
Control ID: Article 21(2)(e)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Iran's Prince of Persia APT targeting of dissidents creates severe risks for government systems, which require enhanced encrypted traffic monitoring and zero trust segmentation.
Civic/Social Organization
Iranian dissident surveillance campaigns expose civil organizations to advanced persistent threats, requiring robust egress security and anomaly detection to protect activists.
Telecommunications
The manipulation of the state-owned Telecommunication Company of Iran's infrastructure demonstrates the critical need for secure hybrid connectivity and multicloud visibility in telecom operations.
Computer/Network Security
Advanced RSA verification and cryptographic C2 techniques challenge cybersecurity firms, which require enhanced threat detection capabilities and inline IPS deployment strategies.
Sources
- Dormant Iran APT is Still Alive, Spying on Dissidents: https://www.darkreading.com/threat-intelligence/iran-apt-spying-dissidents (verified)
- Iranian APT ‘Prince of Persia’ is back with three new malware strains: https://www.scworld.com/news/iranian-apt-prince-of-persia-evolves-deploys-three-new-malware-strains (verified)
- Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence: https://thehackernews.com/2025/12/iranian-infy-apt-resurfaces-with-new.html (verified)
- Iranian APT Prince of Persia returns with new malware and C2 infrastructure: https://www.csoonline.com/article/4109985/iranian-apt-prince-of-persia-returns-with-new-malware-and-c2-infrastructure.html (verified)
- Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities: https://www.cyber.gov.au/about-us/advisories/iranian-government-sponsored-apt-cyber-actors-exploiting-microsoft-exchange-and-fortinet-vulnerabilities-furtherance-malicious-activities (verified)
- Papercut Vulnerability Exploited by Iranian APT Groups: https://www.ncsc.gov.bh/assets/images/Advisory_Papercut_Vulnerability_Exploited_by_Iranian_APT_Groups_e31e277d16.pdf (verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying cloud-native Zero Trust segmentation, egress policy enforcement, and encrypted traffic visibility would have limited attacker movement, blocked C2 communications, and exposed anomalous exfiltration attempts. Network microsegmentation and centralized anomaly detection could have disrupted the kill chain before attackers achieved persistence or data theft.
Control: Threat Detection & Anomaly Response
Mitigation: Detection of anomalous file execution and initial access behaviors.
Control: Zero Trust Segmentation
Mitigation: Limits malware’s ability to escalate and access sensitive resources.
Control: East-West Traffic Security
Mitigation: Prevents or alerts on unauthorized lateral movement between workloads.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks or detects unauthorized external connections to unapproved domains and C2 channels.
Control: Encrypted Traffic (HPE) & Egress Security
Mitigation: Detects and limits data exfiltration through encrypted traffic monitoring and egress controls.
Early anomaly visibility and policy auditability reduce dwell time and enable faster disruption.
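To make the egress and anomaly-detection controls above concrete, here is an added example (not code from the original brief, nor from any tool or source it cites) of a small egress-log triage script. It scans constructed proxy/DNS log lines for two behaviours the brief attributes to this campaign: DGA-like C2 domains (long, high-entropy, digit-heavy labels) and use of the Telegram API from hosts that have no approved reason to reach it. The log format, hostnames, allowlist and thresholds are all assumptions made for the example and should be tuned against your own baseline traffic.

```python
"""Egress-log triage for DGA-like domains and unexpected Telegram API use.

Added example; the log format, hosts, allowlist and thresholds below are
constructed assumptions, not values from the brief or its sources.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed log format: "<timestamp> <src_host> <dst_fqdn> <bytes_out>"
SAMPLE_LOG = """\
2025-12-02T09:14:01Z ws-finance-07 www.microsoft.com 1320
2025-12-02T09:14:05Z ws-finance-07 x7kq2m9vz4p1.top 512
2025-12-02T09:14:09Z ws-finance-07 api.telegram.org 20480
2025-12-02T09:15:00Z srv-chatops-01 api.telegram.org 2048
2025-12-02T09:15:30Z ws-hr-03 login.live.com 980
2025-12-02T09:16:10Z ws-hr-03 qb5zt8wr3k2m.space 640
"""

# Hosts with an approved business reason to talk to Telegram (constructed).
TELEGRAM_ALLOWED_HOSTS = {"srv-chatops-01"}

# Heuristic thresholds (assumptions; tune on your own baseline traffic).
ENTROPY_THRESHOLD = 3.4      # bits per character of the second-level label
DIGIT_RATIO_THRESHOLD = 0.25  # fraction of digits in the label
MIN_LABEL_LEN = 8             # ignore short labels to limit false positives

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


@dataclass(frozen=True)
class Finding:
    host: str
    domain: str
    reason: str


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(fqdn: str) -> str:
    """Second-level label of fqdn, e.g. 'x7kq2m9vz4p1' for 'x7kq2m9vz4p1.top'.
    Naive on purpose: multi-part public suffixes such as co.uk are not handled."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_dga(fqdn: str) -> bool:
    """Flag long, high-entropy, digit-heavy second-level labels as DGA-like."""
    label = registrable_label(fqdn)
    if len(label) < MIN_LABEL_LEN:
        return False
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return (shannon_entropy(label) >= ENTROPY_THRESHOLD
            and digit_ratio >= DIGIT_RATIO_THRESHOLD)


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious line; malformed lines are skipped."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, host, fqdn, _bytes_out = m.groups()
        if looks_dga(fqdn):
            findings.append(Finding(host, fqdn, "dga-like domain"))
        if fqdn.lower() == "api.telegram.org" and host not in TELEGRAM_ALLOWED_HOSTS:
            findings.append(Finding(host, fqdn, "telegram api from non-allowlisted host"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.host:16} {f.domain:24} {f.reason}")
```

On the constructed sample this yields three findings: two DGA-like domains (one per workstation) and one Telegram API connection from a host outside the allowlist, while the approved chat-ops server and the ordinary Microsoft domains pass. The entropy/digit heuristic is deliberately simple; in production it belongs alongside domain-age, reputation and first-seen checks, because legitimate CDN and cloud hostnames can also look random.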
Impact at a Glance
Affected Business Functions
- Communications
- Data Management
- IT Operations
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive communications, personal data, and intellectual property due to unauthorized access and data exfiltration by the Prince of Persia APT group.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust segmentation across all cloud and hybrid workloads to restrict lateral movement opportunities.
- Activate and tune egress filtering policies to detect and block unauthorized external connections and encrypted C2 channels.
- Deploy real-time threat detection and anomaly response tools to identify suspicious process and network behaviors.
- Implement microsegmentation for east-west traffic and workload isolation to contain privilege escalation.
- Enhance centralized visibility and automated policy enforcement to rapidly detect, respond, and remediate advanced threats.