Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends
The Iranian state-sponsored threat group Infy (aka Prince of Persia) resumed operations in late January 2026 after a nationwide internet blackout ended. They deployed new command-and-control (C2) infrastructure using advanced techniques such as a dual C2 domain generation algorithm leveraging blockchain data and Telegram bot APIs for stealthy communications. Infy weaponized a recently disclosed one-day WinRAR vulnerability to deliver their Tornado backdoor malware, which establishes persistence and exfiltrates sensitive system data. The group’s malware uses both HTTP and Telegram channels for C2, complicating detection and mitigation. Evidence suggests targeting in Germany and India, with potential espionage campaigns against software repositories like PyPI. Infy’s operations are highly targeted, focusing on intelligence gathering and espionage aligned with Iranian strategic interests. The threat actor’s evolving tradecraft and use of multiple malware stages, including ZZ Stealer and StormKitty variants, indicate a sophisticated and persistent adversary. European organizations should be vigilant, especially those with ties to Iran or operating critical infrastructure and software supply chains.
AI Analysis
Technical Summary
Infy, an Iranian state-sponsored cyber espionage group active since 2004, resumed its operations following the lifting of Iran’s internet blackout in January 2026. The group ceased maintaining its C2 servers during the blackout but quickly established new infrastructure coinciding with the restoration of internet access. Infy’s latest malware iteration, Tornado version 51, employs a novel dual-method domain generation algorithm (DGA) that uses blockchain data de-obfuscation alongside traditional DGA to generate C2 domains, enhancing flexibility and resilience without requiring malware updates. The malware communicates with C2 servers over HTTP and via Telegram bot APIs, enabling covert command issuance and data exfiltration. Infy has leveraged a zero-day or one-day WinRAR vulnerability (CVE-2025-8088 or CVE-2025-6218) to deploy a self-extracting archive containing the Tornado backdoor and persistence mechanisms that evade Avast antivirus. The malware installs scheduled tasks for persistence and collects extensive system information, screenshots, and desktop files. Infy’s campaigns have targeted Germany and India, as indicated by VirusTotal uploads, and have included supply chain attacks on the Python Package Index (PyPI) repository using malicious packages to distribute ZZ Stealer, a custom StormKitty infostealer variant. The group’s use of Telegram channels and bots for C2, combined with multi-stage malware deployment and advanced evasion techniques, underscores their operational sophistication. The correlation with other Iranian groups like Charming Kitten suggests shared tactics or overlapping objectives. Infy’s focus remains on espionage, sabotage, and influence aligned with Iranian geopolitical goals, making them a persistent threat to organizations with strategic or political significance.
Potential Impact
European organizations face significant risks from Infy’s operations, particularly those involved in critical infrastructure, government, defense, technology, and software supply chains. The use of a WinRAR zero-day to deploy malware increases the attack surface, especially since WinRAR is widely used in Europe. The dual C2 communication channels (HTTP and Telegram) complicate detection and response efforts, potentially allowing prolonged undetected access. The malware’s capability to exfiltrate sensitive data, including system information and files, threatens confidentiality and intellectual property. The targeting of software repositories like PyPI raises concerns about supply chain compromise, which could affect European developers and organizations relying on open-source software. The stealthy and persistent nature of Infy’s operations could lead to espionage, data theft, and disruption of services. Additionally, the geopolitical context and Iran’s strategic interests may increase targeting of European countries with diplomatic or economic ties to Iran or those hosting Iranian diaspora communities. The threat actor’s ability to adapt and evolve tactics suggests ongoing risk and the need for continuous vigilance.
Mitigation Recommendations
European organizations should implement targeted defenses beyond generic controls. First, promptly apply patches or mitigations for the identified WinRAR vulnerabilities (CVE-2025-8088 and CVE-2025-6218) and monitor for suspicious RAR archive activity, especially self-extracting archives. Employ network monitoring for anomalous HTTP traffic and Telegram API usage, including unusual bot communications or connections to newly registered domains potentially generated by DGAs. Restrict or monitor use of Telegram and similar messaging apps on corporate networks, and consider blocking unauthorized Telegram bot traffic. Enhance endpoint detection and response (EDR) capabilities to identify persistence mechanisms such as scheduled tasks and DLL side-loading. Conduct supply chain security reviews focusing on open-source dependencies, especially PyPI packages, to detect malicious or unauthorized uploads. Use threat intelligence feeds to track Infy-related indicators and update detection rules accordingly. Implement strict application whitelisting and sandboxing for archive extraction and execution. Train security teams to recognize signs of Infy’s multi-stage malware campaigns and conduct regular threat hunting exercises focused on Iranian APT tactics. Finally, collaborate with national cybersecurity agencies for intelligence sharing and incident response support.
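As an added example that is not from the article or the analysis above, the following Python sketches the network-side check these recommendations call for: it scans constructed proxy log lines for Telegram bot API calls (the `/bot<token>/` path, which ordinary Telegram client use never touches) and for DGA-looking second-level domains using an entropy and vowel-ratio heuristic. The log format, process names, thresholds and sample domains are assumptions for illustration.

```python
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample proxy log lines: "client process method url". Not real data.
SAMPLE_LOGS = [
    "10.0.0.12 chrome.exe GET https://www.python.org/downloads/",
    "10.0.0.12 svchost_update.exe POST https://api.telegram.org/bot123456789:AAExampleTokenPlaceholder/sendDocument",
    "10.0.0.17 outlook.exe GET https://outlook.office365.com/owa/",
    "10.0.0.12 svchost_update.exe GET http://xk3q9vz7lt2m.com/update.php",
    "10.0.0.21 chrome.exe GET https://web.telegram.org/k/",
]

# Bot API paths look like /bot<numeric id>:<secret>/<method>; web/desktop clients never use them.
TELEGRAM_BOT_RE = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/")

def shannon_entropy(s):
    """Bits of entropy per character of s (0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_dga(host, min_len=10, min_entropy=3.2, max_vowel_ratio=0.25):
    """Heuristic: a long, entropy-rich, vowel-poor second-level label (thresholds assumed)."""
    labels = host.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    if len(sld) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in sld) / len(sld)
    return shannon_entropy(sld) >= min_entropy and vowel_ratio < max_vowel_ratio

def analyze(lines):
    """Return (client, process, finding, host) tuples for suspicious requests."""
    findings = []
    for line in lines:
        client, process, _method, url = line.split(maxsplit=3)
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if host == "api.telegram.org" and TELEGRAM_BOT_RE.match(parsed.path):
            findings.append((client, process, "telegram-bot-api", host))
        elif looks_dga(host):
            findings.append((client, process, "dga-like-domain", host))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(finding)
```

Note that the browser session to web.telegram.org is deliberately not flagged: the signal is the bot API path from a non-browser process, which is what separates the C2 pattern described above from ordinary messaging use.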
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Belgium, Sweden, Poland
Technical Details
- Article Source: https://thehackernews.com/2026/02/infy-hackers-resume-operations-with-new.html (fetched 2026-02-06T08:51:08Z, 1452 words)
Threat ID: 6985ab7ef9fa50a62feebb48
Added to database: 2/6/2026, 8:51:10 AM
Last enriched: 2/6/2026, 8:52:23 AM
Last updated: 2/6/2026, 10:40:44 AM