
Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence

Medium
Malware
Published: Sun Dec 21 2025 (12/21/2025, 04:22:00 UTC)
Source: The Hacker News

Description

Threat hunters have discerned new activity associated with an Iranian threat actor known as Infy (aka Prince of Persia), nearly five years after the hacking group was observed targeting victims in Sweden, the Netherlands, and Turkey. "The scale of Prince of Persia's activity is more significant than we originally anticipated," Tomer Bar, vice president of security research at SafeBreach, said

AI-Powered Analysis

Last updated: 12/21/2025, 06:12:41 UTC

Technical Analysis

Infy, also known as Prince of Persia, is an Iranian advanced persistent threat (APT) actor with activity dating back to 2004. After a near five-year silence, Infy has re-emerged with updated malware campaigns involving two primary malware families: Foudre and Tonnerre. Foudre acts as a downloader and victim profiler, typically delivered via phishing emails containing Microsoft Excel files that now embed executables rather than relying solely on macros. Tonnerre is a second-stage implant designed to extract data from high-value targets.

The group’s command-and-control (C2) infrastructure is highly resilient, employing a domain generation algorithm (DGA) to evade takedown efforts and using RSA signature files to validate authentic C2 domains. This cryptographic validation ensures that malware only communicates with legitimate C2 servers controlled by the threat actor. The latest Tonnerre versions include mechanisms to communicate with a Telegram group, leveraging messaging platforms for covert command and control.

Infy’s campaigns have targeted countries across the Middle East, South Asia, North America, and Europe, with prior known victims in Sweden, the Netherlands, and Turkey. The group’s malware variants have evolved over time, including versions camouflaged as news finders or trojans spying on Telegram content. The threat actor’s operational security and use of layered malware components demonstrate a sophisticated espionage capability focused on credential theft, data exfiltration, and long-term persistence.

SafeBreach’s research highlights that Infy remains active and dangerous, with a broader scale of operations than previously understood. The group’s use of phishing with embedded executables, DGA-based C2, and Telegram integration complicates detection and mitigation efforts.

Potential Impact

For European organizations, especially those in Sweden and the Netherlands, the resurgence of Infy poses significant risks to confidentiality and integrity of sensitive data. The malware’s ability to profile victims and exfiltrate data from high-value machines threatens intellectual property, government secrets, and critical infrastructure information. The use of phishing emails with embedded executables increases the likelihood of initial compromise, particularly in organizations with insufficient email security or user awareness. The sophisticated C2 infrastructure with DGA and RSA validation complicates network detection and takedown efforts, potentially allowing prolonged undetected access. The integration of Telegram for command and control adds a layer of stealth and resilience, making incident response more challenging. The broad geographic targeting suggests potential spillover effects to European allies and partners, increasing the risk of espionage and data breaches. Disruption to availability is less emphasized but cannot be ruled out given the malware’s implant capabilities. Overall, the threat could lead to significant operational, reputational, and regulatory impacts for affected European entities.

Mitigation Recommendations

European organizations should implement multi-layered phishing defenses, including advanced email filtering that detects embedded executables and suspicious Excel files. User training should emphasize the risks of opening unexpected attachments, especially those with embedded executables rather than macros. Endpoint detection and response (EDR) solutions must be tuned to identify behaviors associated with Foudre and Tonnerre malware, such as unusual network connections to DGA-generated domains and attempts to download RSA signature files. Network monitoring should include detection of anomalous DNS queries indicative of DGA activity and traffic to Telegram-related endpoints. Incident response teams should develop playbooks for investigating potential Infy infections, including forensic analysis of Excel files and C2 communication patterns. Organizations should consider threat intelligence sharing with peers and national cybersecurity centers to track evolving Infy indicators. Restricting or monitoring use of Telegram and similar messaging apps on corporate networks may reduce C2 channel effectiveness. Regular patching and minimizing attack surface by disabling unnecessary macros and executable content in documents will further reduce risk. Finally, organizations should conduct red team exercises simulating Infy tactics to validate detection and response capabilities.
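The recommendation above to watch for anomalous DNS queries indicative of DGA activity names the control without showing what such a check looks like. The script below is an added example written for this page; it is not code from The Hacker News article, from SafeBreach's research, or from the Infy malware itself. It scores the registered label of each queried name on a handful of lexical traits that algorithmically generated names tend to share (high character entropy, few vowels, many digits, long consonant/digit runs, long labels) and then raises a per-host alert when one machine resolves several such names. The log format, the hostnames and every domain in the sample are constructed for the example and are not Infy indicators; the registered-label logic is a deliberate simplification (a production check should consult the Public Suffix List).

```python
"""Heuristic DGA triage over DNS query logs (added example, constructed data)."""
import math
import re
from collections import Counter

# Constructed sample log lines in a made-up key=value format. The domains are
# invented for this example and are NOT Infy/Foudre/Tonnerre indicators.
SAMPLE_DNS_LOG = """\
2025-12-21T06:01:02Z host=ws-017 qtype=A qname=www.example.com
2025-12-21T06:01:05Z host=ws-017 qtype=A qname=mail.example-corp.net
2025-12-21T06:01:09Z host=ws-017 qtype=A qname=x7k2q9vb4mzt81r.com
2025-12-21T06:01:11Z host=ws-017 qtype=A qname=qz8vw3nk5ly0p.net
2025-12-21T06:01:14Z host=ws-017 qtype=A qname=cdn.jsdelivr.net
2025-12-21T06:01:20Z host=ws-017 qtype=A qname=hv9t3ce0mxwq7bk.org
2025-12-21T06:02:30Z host=ws-042 qtype=A qname=www.example.com
2025-12-21T06:02:33Z host=ws-042 qtype=A qname=p4rz8tqk2wvn5xd.com
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+qtype=(?P<qtype>\S+)\s+qname=(?P<qname>\S+)$"
)


def parse_dns_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def registered_label(qname):
    """Second-level label, e.g. 'example' for www.example.com.

    Simplification (assumption of this example): a real implementation should
    use the Public Suffix List so names such as host.example.co.uk split correctly.
    """
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits of entropy per character over the string's own symbol distribution."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dga_score(label):
    """Count how many machine-generated traits the label shows (0..5)."""
    label = label.lower()
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in label) / len(label) if label else 0.0
    # Longest run of consonants and digits (anything that is not a vowel).
    longest_run = max((len(r) for r in re.findall(r"[^aeiou\W_]+", label)), default=0)

    score = 0
    score += shannon_entropy(label) > 3.5   # many distinct symbols, little repetition
    score += vowel_ratio < 0.2              # unpronounceable
    score += digit_ratio > 0.15             # digits mixed into the label
    score += longest_run >= 5               # no vowel to break the run
    score += len(label) >= 12               # long registered label
    return int(score)


def triage(text, score_threshold=3, host_threshold=3):
    """Return (flagged entries, hosts that resolved >= host_threshold flagged names)."""
    entries = parse_dns_log(text)
    flagged = [e for e in entries
               if dga_score(registered_label(e["qname"])) >= score_threshold]
    per_host = Counter(e["host"] for e in flagged)
    noisy_hosts = sorted(h for h, n in per_host.items() if n >= host_threshold)
    return flagged, noisy_hosts


if __name__ == "__main__":
    flagged, hosts = triage(SAMPLE_DNS_LOG)
    for e in flagged:
        print(f"{e['ts']} {e['host']} suspicious qname={e['qname']} "
              f"score={dga_score(registered_label(e['qname']))}")
    print("hosts with DGA-like query bursts:", hosts)
```

Lexical scoring alone produces false positives (CDN and cloud hostnames are often gibberish too), which is why the example alerts on the host only once several flagged names accumulate, and why in practice such output should be joined with NXDOMAIN rates, allow-lists for known CDN apexes and the threat-intelligence sharing the recommendations mention.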


Technical Details

Article Source: https://thehackernews.com/2025/12/iranian-infy-apt-resurfaces-with-new.html (fetched 2025-12-21T06:12:27.559Z, 1397 words)

Threat ID: 69478fcd598cfcf336c8656d

Added to database: 12/21/2025, 6:12:29 AM

Last enriched: 12/21/2025, 6:12:41 AM

Last updated: 12/21/2025, 9:34:53 AM

Views: 74
