
Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends

Published:

5 February 2026 at 10:25:00

Alert date:

5 February 2026 at 12:01:11

Source:

thehackernews.com


Ransomware & Malware, Data Breach & Exfiltration, Supply Chain & Dependencies

The Iranian threat group Infy (also known as Prince of Persia) has resumed operations with new command-and-control (C2) infrastructure now that Iran's internet blackout has ended. The group changed its tactics to hide its tracks and stopped maintaining its C2 servers on January 8; new C2 infrastructure was set up as the regime-imposed internet blackout ended at the start of the month.

Technical details

Iranian threat group Infy (aka Prince of Persia) has evolved its tactics and resumed operations with new C2 infrastructure. The group stopped maintaining its C2 servers on January 8, during Iran's internet blackout, and resumed activity on January 26, 2026. It introduced Tornado version 51, malware that uses both HTTP and Telegram for C2 communication and relies on a new domain generation algorithm (DGA) together with blockchain-data de-obfuscation to derive C2 domains. The attackers weaponized WinRAR vulnerabilities using specially crafted RAR archives containing AuthFWSnapin.dll (the Tornado DLL) and reg7989.dll (the installer). The malware establishes HTTP communication to download backdoors and uses the Telegram Bot API for data exfiltration. ZZ Stealer was also deployed as first-stage malware that collects environment data, screenshots, and desktop files.

Mitigation steps:

Monitor for specially crafted RAR archives and attempts to exploit WinRAR. Watch for Telegram bot communications and suspicious scheduled-task creation. Check for the presence of the AuthFWSnapin.dll and reg7989.dll files. Monitor PyPI packages for malicious uploads. Implement detection rules for the identified Telegram handles and bot communications. Update WinRAR to patch the exploited vulnerabilities.
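Triage logic for the indicators this advisory names, as an added example that is not part of the advisory or of any vendor tooling: it scans constructed proxy and Sysmon-style log lines for Telegram Bot API calls (flagging file-upload methods separately), loads of the two named DLLs, and scheduled-task creation. The log line format, hostnames and the bot token are assumed placeholder values, not indicators from the advisory.

```python
import re

# Filenames the advisory attributes to the Tornado delivery chain (DLL + installer).
INFY_DLLS = ("authfwsnapin.dll", "reg7989.dll")
# Telegram Bot API requests take the form https://api.telegram.org/bot<token>/<method>;
# the file-upload methods are the ones an exfiltration channel would use.
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot[^/\s]+/(\w+)", re.I)
UPLOAD_METHODS = {"senddocument", "sendphoto"}


def check_line(line):
    """Classify one log line; returns (rule, detail) or None if nothing matched."""
    lower = line.lower()
    m = TELEGRAM_BOT_RE.search(line)
    if m:
        method = m.group(1)
        rule = "telegram-bot-upload" if method.lower() in UPLOAD_METHODS else "telegram-bot-api"
        return (rule, method)
    for dll in INFY_DLLS:
        if dll in lower:
            return ("infy-dll-loaded", dll)
    # Persistence hint from the advisory: new scheduled tasks. This is a coarse
    # hunting rule, so review the task action instead of treating every hit as malicious.
    if "schtasks" in lower and "/create" in lower:
        task = re.search(r"/tn\s+(\S+)", line, re.I)
        return ("scheduled-task-created", task.group(1) if task else "?")
    return None


def scan(lines):
    """Run check_line over a log and return the findings in log order."""
    return [f for f in (check_line(l) for l in lines) if f]


# Constructed sample events (proxy + Sysmon-style records); the bot token,
# hostnames and paths are placeholders and not indicators from the advisory.
SAMPLE_LOG = [
    "2026-02-05T09:00:01 proxy ws01 GET https://www.example.com/index.html 200",
    "2026-02-05T09:02:14 proxy ws01 POST https://api.telegram.org/bot123456:PLACEHOLDER_TOKEN/sendDocument 200",
    "2026-02-05T09:02:15 proxy ws01 GET https://api.telegram.org/bot123456:PLACEHOLDER_TOKEN/getUpdates 200",
    "2026-02-05T09:03:00 sysmon ws01 ImageLoaded Image=C:\\Windows\\System32\\taskeng.exe ImageLoaded=C:\\Users\\u\\AppData\\Local\\AuthFWSnapin.dll",
    "2026-02-05T09:03:01 sysmon ws01 ImageLoaded Image=C:\\Windows\\System32\\rundll32.exe ImageLoaded=C:\\Users\\u\\AppData\\Local\\reg7989.dll",
    "2026-02-05T09:03:05 sysmon ws01 ProcessCreate CommandLine=\"schtasks /create /tn Updater /tr C:\\Users\\u\\AppData\\Local\\run.cmd /sc minute\"",
    "2026-02-05T09:04:00 sysmon ws01 ImageLoaded Image=C:\\Windows\\explorer.exe ImageLoaded=C:\\Windows\\System32\\shell32.dll",
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_LOG):
        print(f"{rule}: {detail}")
```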

Affected products:

WinRAR
Avast antivirus
Python Package Index (PyPI)
Windows systems

Related links:

Related CVEs:

Related threat actors:

IOCs:

AuthFWSnapin.dll, reg7989.dll, @ttestro1bot, @ehsan8999100, @Ehsan66442, testfiwldsd21233s, سرافراز, 8==3

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
