Dormant Iran APT is Still Alive, Spying on Dissidents
Summary
SafeBreach has published new research revealing that “Prince of Persia” (aka Infy), Iran’s oldest known APT, has remained active for nearly two decades and is still conducting espionage. Once thought largely inactive since 2018, the group has been targeting Iranian citizens and individuals across Iraq, Turkey, India, Europe and Canada using updated versions of its long-standing toolset.
The campaign relies on two custom tools: Foudre (a lightweight first-stage triage implant) and Tonnerre (a heavier espionage backdoor). Both have been upgraded with stealth techniques: Foudre is now delivered inside benign-looking Excel files and implements a domain generation algorithm (DGA) combined with RSA signature verification to harden command-and-control (C2) trust. Tonnerre can retrieve per-victim Telegram API keys from the C2 rather than embedding them, keeping private Telegram groups and exfiltration channels hidden.
Key Points
- Prince of Persia (Infy) is one of the longest-running APTs, with activity traceable back to 2004 and continuous operations through at least 2022.
- SafeBreach’s report (author: Tomer Bar) shows the group targets dissidents and individuals across several countries, not only inside Iran.
- Foudre is a stealthy first-stage implant delivered in Excel that performs triage and can self-destruct when victims are not valuable.
- Tonnerre handles deeper espionage and can use Telegram for C2; crucially, it pulls API keys from the C2 per victim to avoid leaving forensic artefacts.
- Foudre uses a weekly DGA plus RSA signature verification: malware only trusts C2 servers that can present a signature decryptable with the embedded public key — the private key remains with the operator in Iran, blocking takedowns or hostile sinkholing.
- The group adapted after a 2016 sinkhole by improving operational security and architecture; nation-state support (e.g., telecom-level blocking of sinkholes) aided its resilience.
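To make the C2-trust point concrete, here is an added illustration (not code from the report or from the malware) of why a sinkhole cannot satisfy a signature check bound to an embedded public key. It models the implant's verification as textbook RSA over a SHA-256 digest with constructed, deliberately tiny key material; the weekly DGA itself is not modelled because the page gives no details of it.

```python
import hashlib

E = 65537  # common RSA public exponent

def make_keypair(p, q):
    """Textbook RSA from two primes: returns ((n, e), (n, d)). Toy sizes, for illustration only."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)

def _digest_int(message, n):
    # Reduce the SHA-256 digest into Z_n so the toy modulus can sign it.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private_key):
    n, d = private_key
    return pow(_digest_int(message, n), d, n)

def verify(message, signature, public_key):
    """'Decrypting' the signature with the public key must reproduce the digest."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message, n)

# Constructed key material (assumption): the operator's pair and, separately, a sinkhole's own pair.
OPERATOR_PUB, OPERATOR_PRIV = make_keypair(1000000007, 998244353)
SINKHOLE_PUB, SINKHOLE_PRIV = make_keypair(1000000009, 999999937)

# The implant embeds only the operator's public half; the private half stays with the operator.
EMBEDDED_PUBLIC_KEY = OPERATOR_PUB

def implant_accepts(response, signature):
    """Model of the implant's trust check: a C2 reply is honoured only if it verifies under the embedded key."""
    return verify(response, signature, EMBEDDED_PUBLIC_KEY)

def scenario():
    """Three constructed C2 replies: genuine operator, sinkhole signing with its own key, tampered reply."""
    reply = b"c2-response: constructed sample payload"
    return {
        "operator": implant_accepts(reply, sign(reply, OPERATOR_PRIV)),
        "sinkhole_own_key": implant_accepts(reply, sign(reply, SINKHOLE_PRIV)),
        "tampered": implant_accepts(reply + b"x", sign(reply, OPERATOR_PRIV)),
    }

if __name__ == "__main__":
    for case, accepted in scenario().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the genuine reply is accepted, which is why seizing or sinkholing the DGA domains alone does not redirect the implant; defensive effort has to go into host-side detection of the Excel loader and the implant itself.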
Context and relevance
This work matters because it overturns the assumption that older, quieter APTs are dormant. Prince of Persia demonstrates that long-term persistence, strong operational security and clever cryptographic use can let an actor operate under the radar for years. For defenders and analysts, it shows detection gaps (undetected Excel loaders, per-victim C2 keys) and the limits of takedowns when operators control signing keys and enjoy infrastructure-level protection.
Author style
Punchy: this is not a run-of-the-mill malware update — it’s a reminder that some nation-state actors have invested in longevity and stealth that outsmarts traditional disruption tactics. Read the details if you care about attribution, C2 resilience or protecting dissident communities.
Why should I read this?
Look — if you work in threat intel, defence or handle at-risk users, this short summary saves you rummaging through the report. It flags practical, nasty tech: Excel-delivered implants, per-victim Telegram keys and RSA-signed C2s that make takedowns almost useless. It’s useful, brief and tells you what to hunt for.
Source
Source: https://www.darkreading.com/threat-intelligence/iran-apt-spying-dissidents
