Dormant Iran APT is Still Alive, Spying on Dissidents - Dark Reading
"Prince of Persia" has rewritten the rules of persistence with advanced operational security and cryptographic communication with its command-and-control server.
Nate Nelson,Contributing Writer
December 18, 2025
For the first time in more than three years, researchers have new information about Iran's oldest state-level threat group.
"Prince of Persia" — also known as "Infy" — isn't just the oldest known Iranian advanced persistent threat (APT). It's one of the oldest APTs in existence, rivalled only by groups like Turla and APT1. A decade ago, when it was first described in cybersecurity literature, researchers found evidence that its activity dated back to December 2004.
So why can't you remember the name? In the decade since, while its louder peers OilRig and MuddyWater have been running rampant, Prince of Persia has been conspicuously silent. In 2018, Dark Reading was already describing it as "out of circulation," the last major reporting on it occurred in 2021, and researchers haven't heard a peep from it since 2022.
Though it may have seemed like inactivity at the time, it turns out that Prince of Persia went nowhere at all. In a new report, SafeBreach has revealed not only that the group is still around, but that it's been active this whole time. It's been spying on Iranian citizens, mostly, plus individuals across Iraq, Turkey, India, Europe, and Canada, using upgraded versions of its long-known malware families.
"It is very unique to have fully operational cyberattack infrastructure working for nearly 20 years — it's probably the longest publicly known threat actor who has operated with the same arsenal," says Tomer Bar, the author of the report. "The threat actor has achieved this due to very strong persistence and by using advanced operational security techniques and cryptographic concepts for communication with a [command and control (C2)] server that I have never seen in my 20-plus years of experience."
Prince of Persia's Stealthy C2
Prince of Persia has always worked with two primary, custom tools: "Foudre," and "Tonnerre," French for lightning and thunder, respectively.
Foudre is a lightweight, first-stage tool that sends basic system information to the attackers' C2 infrastructure. Its new version is delivered as an executable inside a Microsoft Excel file, which at the time of the report was not flagged by any antivirus engine in VirusTotal (VT). The goal of Foudre looks like triage: identifying whether a victim is worth pursuing more deeply. In August 2022, for instance, the researchers saw that after infecting them with Foudre, Prince of Persia selected some of its victims for further espionage and, in the other cases, sent a command for Foudre to self-destruct. By contrast, Tonnerre is the heavier program used for more involved espionage.
If Foudre and Tonnerre are notable for anything, it's how diligently they protect their C2 channels.
For example, the new Tonnerre can also use the Telegram application programming interface (API) to send commands and retrieve victims' data from the comfort of a private Telegram group. On its own, using the private messaging app for C2 isn't so unique — plenty of threat actors do it, by embedding a Telegram API key in their backdoors' code. Prince of Persia stands out for how it doesn't embed any key inside Tonnerre, so there's no relic left behind for researchers to find and use against it. Instead, Bar found that "it pulls the key from the [Tonnerre] C2 only for specific victims, which is significantly more stealthy. It's not [utilized against] all victims in an effort to keep the malware activity and the Telegram group hidden."
Even more impressive, perhaps, is how Foudre protects its C2 infrastructure, using RSA signature verification. "The malware code includes a public key and generates 100 domain names of C2 servers each week using a domain generation algorithm (DGA). The malware connects to the first one and downloads a signature file, which is encrypted with a private key by the threat actor. It verifies using RSA verification that the public key is able to decrypt the signature file. If the verification is not successful, the malware won't trust the C2 and continues to the second one on the list," Bar explains.
It might sound boring, but it's remarkably practical. Let's say, for example, that a cybersecurity researcher somehow figured out how Foudre's DGA works — a feat Bar himself achieved, by recognizing some of its pseudo-random patterns. Even if a researcher like Bar knew what domains the malware was going to communicate with, if he tried to preemptively take control of those domains, "it won’t help, since the malware won't trust this C2 server, and no takedown or victim analysis can be made. This is only possible if you have the private key, which is saved only in Iran. In this way, no one is able to influence the campaign." As a bonus, he adds that exfiltrated files also demand the correct RSA private key, preventing him from analyzing the trove he's been sitting on.
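The verification loop Bar describes, modelled as an added example (this is not SafeBreach's or Foudre's code): toy textbook RSA keys built from small known primes, a constructed candidate list and canned responses stand in for the real keys, the DGA and the network. It shows why a researcher who has sinkholed the first candidate domain but holds only their own signing key is skipped, while the operator's signed manifest is accepted and a tampered one is rejected.

```python
import hashlib

# Toy RSA keys built from small known primes (constructed for illustration;
# real deployments use 2048-bit keys and padded signatures such as PSS).
OPERATOR_PRIMES = (2147483647, 2305843009213693951)   # 2^31-1, 2^61-1
RESEARCHER_PRIMES = (524287, 8191)                    # 2^19-1, 2^13-1
E = 65537

def make_keypair(p, q, e=E):
    """Textbook RSA: return (public=(n, e), private=(n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def _digest(data, n):
    # SHA-256 of the signature file's contents, reduced into Z_n
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data):
    n, d = private
    return pow(_digest(data, n), d, n)

def verify(public, data, sig):
    n, e = public
    return pow(sig, e, n) == _digest(data, n)

OPERATOR_PUB, OPERATOR_PRIV = make_keypair(*OPERATOR_PRIMES)
RESEARCHER_PUB, RESEARCHER_PRIV = make_keypair(*RESEARCHER_PRIMES)

# Constructed weekly candidate list (stand-in for the DGA output) and the
# response each domain would serve. The first domain has been sinkholed by a
# researcher who can only sign with their own key; the second is genuine;
# the third was never registered and serves no usable signature.
MANIFEST = b"c2-manifest: week 51"
CANDIDATES = ["aaaa1111.example", "bbbb2222.example", "cccc3333.example"]
RESPONSES = {
    "aaaa1111.example": (MANIFEST, sign(RESEARCHER_PRIV, MANIFEST)),  # sinkhole
    "bbbb2222.example": (MANIFEST, sign(OPERATOR_PRIV, MANIFEST)),    # genuine
    "cccc3333.example": (MANIFEST, 0),                                # no signature
}

def select_c2(public, candidates, fetch):
    """Walk the candidate list in order and accept the first domain whose
    signature file verifies under the embedded public key."""
    for domain in candidates:
        data, sig = fetch(domain)
        if verify(public, data, sig):
            return domain
    return None

def resolve_example():
    return select_c2(OPERATOR_PUB, CANDIDATES, RESPONSES.__getitem__)

if __name__ == "__main__":
    print("client accepts:", resolve_example())  # the genuine server, not the sinkhole
```

The defensive consequence is the one Bar draws: registering the predicted domains yields no control and no victim telemetry, so detection has to rest on the DGA pattern and host behaviour rather than on takeover.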
Bar marvels that the particular way Foudre uses RSA verification "is something that is common in [non-malicious] domains, but I have never seen it used by a malware — even in campaigns that were attributed to Western nation-state actors. I asked other experienced researchers, and they also said they have never seen it."
Iranian Government Support
Whether it's DGAs, Telegram, or cryptographic C2 verification, Prince of Persia's efforts to expand beyond traditional, potentially vulnerable command-and-control are best read in the context of its strange history.
Palo Alto Networks' Unit 42 was the first to spotlight Prince of Persia's existence, in 2016. Soon after, with intimate knowledge of its infrastructure, the cybersecurity firm doubled down by sinkholing its servers. The threat actor no longer had control over its victims, and the researchers gained unprecedented access to its inner workings.
In the end, the threat actor was bailed out by a remarkable and largely unprecedented deus ex machina. The state-owned Telecommunication Company of Iran stepped in to help, blocking traffic to Unit 42's sinkholes and redirecting the traffic yet again for the attackers' benefit.
"The threat actor learned its lesson well from the 2016 campaign takedown," Bar says. "And it came back with a very secure architecture revealed in 2017 that has been working without any takedown since then."