Iranian APT Group Rebuilds C2 Infrastructure Post-Blackout

The elusive Iranian threat group known as Infy (aka Prince of Persia) has evolved its tactics as part of efforts to hide its tracks, even as it readied new command-and-control (C2) infrastructure coinciding with the end of the widespread internet blackout the regime imposed at the start of January 2026.

Key Findings

Security researchers at SafeBreach observed renewed activity on January 26, 2026, as the hacking crew set up new C2 servers, one day before the Iranian government relaxed internet restrictions within the country. This development is significant as it offers concrete evidence that the adversary is state-sponsored and backed by Iran.

Threat Actor Profile:
- Active since 2004
- Conducts espionage, sabotage, and influence operations
- Uses "laser-focused" attacks aimed at individuals for intelligence gathering

Advanced Malware Variants

The attackers have replaced the C2 infrastructure for all versions of Foudre and Tonnerre, introducing Tornado version 51 that uses both HTTP and Telegram for C2 communication.

New Attack Vector:
- Weaponized 1-day security flaws in WinRAR (CVE-2025-8088 or CVE-2025-6218)
- Self-extracting archives containing malicious DLL files
- Dual payload structure for persistence and execution
- Alternating between HTTP and Telegram-based command channels

Technical Details

Tornado establishes communication with C2 servers over HTTP to download and execute the main backdoor and harvest system information. If Telegram is chosen as the C2 method, Tornado uses the bot API to exfiltrate system data and receive commands.

New variants include:
- ZZ Stealer: Loads a custom variant of the StormKitty infostealer
- Tornado v51: Employs a domain generation algorithm (DGA) to produce C2 domains
- Blockchain de-obfuscation: Uses data read from a blockchain to recover (de-obfuscate) C2 domain names
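The two network behaviours described above (Telegram Bot API traffic for command retrieval and exfiltration, and DGA-generated C2 domains) both leave traces in egress proxy logs. The script below is an added example, not SafeBreach's or The Hacker News' code and not derived from Tornado itself: it triages a constructed set of proxy log lines, flags calls to `api.telegram.org/bot<token>/<method>` (redacting the bot token in the output), and scores hostnames with a rough entropy-and-vowel heuristic for DGA-like labels. The log format, hostnames and token are all constructed for the example; the entropy threshold is an assumption, and the second-level-label extraction is naive (it does not handle public suffixes such as `co.uk`).

```python
"""Egress proxy log triage for Telegram Bot API C2 and DGA-like domains.

Added example (not from the article or the malware). Log lines, hosts and
the bot token below are constructed sample data.
"""
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample lines in the form: "<timestamp> <client> <process> <method> <url>"
SAMPLE_LOG = """\
2026-01-26T10:01:02Z 10.0.0.12 chrome.exe GET https://www.example.com/index.html
2026-01-26T10:01:05Z 10.0.0.12 svchost.exe POST https://api.telegram.org/bot123456:AAExampleTokenValue/sendDocument
2026-01-26T10:01:09Z 10.0.0.12 svchost.exe GET https://api.telegram.org/bot123456:AAExampleTokenValue/getUpdates
2026-01-26T10:03:00Z 10.0.0.12 update.exe GET http://xk3q9vzp7lw2tq.com/c/
2026-01-26T10:03:30Z 10.0.0.12 chrome.exe GET https://mail.google.com/
"""

# Telegram Bot API paths look like /bot<id>:<token>/<method>. The token and the
# method are captured separately so the token can be redacted when reported.
BOT_API_RE = re.compile(r"^/bot(\d+:[A-Za-z0-9_-]+)/(\w+)")


def shannon_entropy(s: str) -> float:
    """Shannon entropy (bits per character) of a string."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(host: str) -> str:
    """Naive second-level label: 'xk3q9vzp7lw2tq.com' -> 'xk3q9vzp7lw2tq'.
    Does not understand multi-part public suffixes (assumption for the example)."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_dga(host: str, min_len: int = 10, min_entropy: float = 3.5) -> bool:
    """Rough DGA heuristic: long, high-entropy, vowel-poor label.
    Thresholds are assumptions; expect false positives on CDN/hash-style hosts."""
    label = registered_label(host)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio < 0.2


def parse_line(line: str) -> dict:
    """Split one constructed log line into its five fields."""
    ts, client, process, method, url = line.split(maxsplit=4)
    return {"ts": ts, "client": client, "process": process, "method": method, "url": url.strip()}


def triage(log_text: str) -> list:
    """Return one finding per suspicious line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        parsed = urlparse(rec["url"])
        host = parsed.hostname or ""
        base = {"ts": rec["ts"], "client": rec["client"], "process": rec["process"]}
        if host == "api.telegram.org":
            m = BOT_API_RE.match(parsed.path)
            if m:
                token, api_method = m.groups()
                # getUpdates polls for operator messages; send* methods push data out.
                direction = "receive" if api_method == "getUpdates" else "send"
                findings.append({**base, "rule": "telegram-bot-api", "api_method": api_method,
                                 "direction": direction, "token": token[:6] + "...[redacted]"})
        elif looks_dga(host):
            findings.append({**base, "rule": "dga-like-domain", "host": host})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

In practice the process field carries most of the signal: a service host or updater binary talking to the Bot API is far more interesting than a known chat client, and legitimate bot integrations do exist, so treat these findings as triage leads to be correlated with process ancestry and file activity rather than as verdicts.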

Related Infrastructure

SafeBreach managed to extract messages from a private Telegram group used for command and control, revealing 118 files and 14 shared links containing encoded commands sent to Tonnerre. An analysis identified:

- Malicious ZIP files dropping ZZ Stealer
- Strong correlation with PyPI package attack campaigns
- Weaker potential correlation with Charming Kitten group

TL;DR

- Iranian Infy APT resumed operations after internet blackout with new C2 infrastructure
- Replaced all Foudre/Tonnerre C2 and introduced Tornado v51 with dual HTTP/Telegram capabilities
- Weaponizing known (1-day) WinRAR flaws with sophisticated malware payloads for data exfiltration
- Demonstrates state-sponsored persistence and advanced tradecraft in espionage operations

Source: The Hacker News