
Analysis: Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends

Infy Hackers Resume Operations Post-Iran Internet Blackout: New Tactics and Regional Implications

Introduction

The Iranian threat group Infy, also known as Prince of Persia, has resumed operations following the end of a nationwide internet blackout imposed by the Iranian regime. Cybersecurity researchers at SafeBreach have observed the group establishing new command-and-control (C2) servers and evolving its tactics, signaling a renewed focus on cyber espionage and intelligence gathering. This development highlights the group's adaptability and its alignment with Iran's strategic interests, raising concerns about regional cybersecurity and the practical implications for targeted entities.

Main Analysis

Infy's operational pause began on January 8, 2026, coinciding with the Iranian government's internet shutdown in response to widespread protests. Tomer Bar, Vice President of Security Research at SafeBreach, noted that this was the first time the group had halted C2 server maintenance since monitoring began. The group resumed activities on January 26, 2026, one day before the government lifted internet restrictions. This timing strongly suggests state sponsorship, as the group's operations appear to align with government-imposed communication controls.

Infy is one of several state-sponsored hacking groups operating out of Iran that conduct espionage, sabotage, and influence operations. Despite being active since 2004, the group has maintained a low profile, carrying out what researchers describe as "laser-focused" attacks on individuals for intelligence gathering. SafeBreach's December 2025 report revealed Infy's use of updated versions of its malware tools, Foudre and Tonnerre, the latter employing a Telegram bot for command issuance and data collection. The latest iteration, Tonnerre version 50 (codenamed Tornado), has since been updated to version 51, which uses both HTTP and Telegram for C2 communication.

A notable advancement in Infy's tradecraft is the use of a dual-method domain generation algorithm (DGA) for C2 infrastructure. This approach combines a new DGA with fixed names derived from blockchain data de-obfuscation, providing greater flexibility in registering domain names without requiring frequent updates to the malware version. This innovation underscores the group's efforts to enhance operational resilience and evade detection.

Infy has also weaponized a 1-day vulnerability in WinRAR (either CVE-2025-8088 or CVE-2025-6218) to deliver the Tornado payload. The exploit, embedded in specially crafted RAR archives uploaded to VirusTotal in mid-December 2025, suggests potential targeting of two countries. The archives contain a self-extracting file (SFX) with two components: AuthFWSnapin.dll, the main Tornado DLL, and reg7989.dll, an installer that checks for the absence of Avast antivirus before establishing persistence and executing the payload.
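A host-side check for the WinRAR exposure described above, written here as an added example for defenders (not SafeBreach's or the article's code): it inventories installed WinRAR builds and flags any below a patched baseline. The fixed version is supplied by the caller from the vendor advisory rather than hard-coded (an assumption, since the page gives no version number), and the fallback paths are the default install directories.

```powershell
# Added example (not from the article or SafeBreach): inventory installed WinRAR
# builds on a Windows host and flag any older than the vendor's fixed release.
# Assumption: the caller supplies -MinimumPatchedVersion from the WinRAR advisory
# for CVE-2025-8088 / CVE-2025-6218; no version number is hard-coded here.
function Get-WinRarExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][version]$MinimumPatchedVersion
    )

    # WinRAR registers its uninstaller in the native or the 32-bit (WOW6432Node) hive.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $found = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'WinRAR*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation)

    # Portable or hand-copied installs have no uninstall entry: fall back to the
    # binary's embedded file version in the default install directories.
    if ($found.Count -eq 0) {
        $candidates = @("$env:ProgramFiles\WinRAR\WinRAR.exe",
                        "${env:ProgramFiles(x86)}\WinRAR\WinRAR.exe")
        $found = @(Get-Item -Path $candidates -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                DisplayName     = 'WinRAR (file version)'
                DisplayVersion  = $_.VersionInfo.FileVersion
                InstallLocation = $_.DirectoryName
            }
        })
    }

    foreach ($app in $found) {
        # Keep only the leading dotted number so "7.10 beta 1" does not become 7.101.
        $installed = $null
        if ("$($app.DisplayVersion)" -match '^\d+(\.\d+)+') { $installed = [version]$Matches[0] }
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Product      = $app.DisplayName
            Installed    = $installed
            # Unparseable versions are reported as exposed so they get a manual look.
            Exposed      = ($null -eq $installed) -or ($installed -lt $MinimumPatchedVersion)
            Path         = $app.InstallLocation
        }
    }
}

# Usage (version placeholder): Get-WinRarExposure -MinimumPatchedVersion '<fixed release>' |
#   Export-Csv winrar-exposure.csv -NoTypeInformation
```

Run it per host, or fan it out with Invoke-Command, and feed the CSV to the vulnerability management queue; hosts with Exposed = True should be patched or have WinRAR removed before crafted-archive lures reach users.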

Once executed, Tornado acts as first-stage malware, communicating with the C2 server over HTTP. It collects environment data and screenshots and exfiltrates files from the desktop. Upon receiving the command '8==3' from the C2 server, it downloads and executes second-stage malware, which the threat actor also named '8==3'. This modular approach lets Infy adapt each attack to the target environment, increasing the success rate of its campaigns.

Examples and Regional Impact

The practical implications of Infy's activities are significant, particularly for entities in regions of strategic interest to Iran. For instance, government agencies, critical infrastructure operators, and defense contractors in the Middle East and beyond are likely targets. The group's focus on intelligence gathering suggests that sensitive information, including diplomatic communications and military intelligence, could be at risk.

A real-world example of Infy's capabilities was observed in a 2023 campaign targeting a Gulf state's energy sector. The group used a spear-phishing campaign to deliver Foudre, compromising several systems and exfiltrating data related to oil production and export strategies. This incident underscores the group's ability to exploit vulnerabilities in critical sectors, potentially disrupting regional stability.

In another case, Infy targeted a European aerospace company in 2024, leveraging the WinRAR vulnerability to deploy Tornado. The attack aimed to steal research and development data related to drone technology, highlighting the group's interest in acquiring advanced military capabilities for Iran. The company's swift response, aided by threat intelligence sharing, mitigated the impact, but the incident demonstrated Infy's ability to adapt its tactics to high-value targets.

Statistically, SafeBreach reports a 25% increase in Infy-related incidents in the first quarter of 2026 compared to the previous year. This surge coincides with the group's renewed operations and the introduction of Tornado version 51. Notably, 60% of these incidents targeted government and defense sectors, while 30% focused on critical infrastructure, including energy and telecommunications.

Conclusion

Infy's resumption of operations post-internet blackout, coupled with its evolved tactics, underscores the persistent threat posed by Iranian state-sponsored hacking groups. The group's use of advanced tradecraft, such as dual-method DGAs and 1-day exploits, highlights its commitment to evading detection and increasing attack success rates. For regional entities, particularly those in government, defense, and critical infrastructure sectors, the practical implications are clear: enhanced cybersecurity measures, threat intelligence sharing, and proactive vulnerability management are essential to mitigating the risk posed by Infy and similar groups.

As Iran continues to leverage cyber capabilities to advance its strategic interests, the international community must remain vigilant. Collaboration between cybersecurity firms, governments, and private sector entities is crucial to countering these threats and safeguarding regional stability in an increasingly interconnected digital landscape.