Iranian APT ‘Prince of Persia’ Resurfaces With New Tools and Targets
SafeBreach reports the resurgence of the Iranian APT group Prince of Persia (Infy). Discover how these state-sponsored hackers are now using Telegram bots and Thunder and Lightning malware to target victims globally across Europe, India, and Canada.
The elusive Iranian hacking group known as Prince of Persia (also called Infy) is far from retired. Despite appearing to go dark for nearly three years, newly published research from SafeBreach Labs shows the group is not only active but has significantly expanded its reach.
For your information, this group is an Advanced Persistent Threat (APT), a category of state-sponsored hackers that’s linked to the Iranian government and has been quietly targeting diplomats, activists, and critical systems since 2007.
SafeBreach, a breach simulation leader, discovered these hidden activities and shared its investigation with Hackread.com. Their team has tracked the group since 2019, noting they are now “operating at a broader scale, with more advanced tooling than previously understood.”
**From Operation Mermaid to Telegram**
First discovered in 2016, the group gained notoriety for Operation Mermaid, which targeted Danish diplomats. Historically, they have focused on political targets, such as the 2013 Iranian elections and media outlets like BBC Persia, rather than stealing money. After a major shutdown, the group evolved, introducing the Foudre and Tonnerre malware families to regain control of their operations.
A news article in which the hackers had embedded the Foudre v34 (Screenshot: SafeBreach)
One of the most surprising shifts is their move to use Telegram to control malicious software. Further probing revealed they have turned to a private Telegram group named “سرافراز” (meaning Proudly).
Investigating further, SafeBreach researchers identified a specific user profile behind this operation named @ehsan8999100, who was active as recently as December 13, 2025. This operator likely manages a Telegram bot (tga.adr) used to send commands and steal data.
**The Thunder and Lightning Attack**
The group continues to use its signature malware pair, Foudre (lightning) and Tonnerre (thunder), which work in stages. Foudre acts as a “scout,” infecting computers via fake Excel files, like one titled Notable Martyrs.zip, to identify the victim. Tonnerre, on the other hand, is a more powerful tool deployed once a high-value target is found. The latest version, Tonnerre v50, was detected in late 2025.
Researchers noted that the group runs multiple variants in parallel, using specialised code called a Domain Generation Algorithm (DGA) to constantly change their web addresses to avoid being blocked. Other variants, like Amaq News Finder, Deep Freeze, and MaxPinner v8, were also found spying on victims’ Telegram accounts.
An overview of the timeline of the malware development process since 2016 (Credit: SafeBreach Labs)
**Cracking the Attacker’s Code**
It is worth noting that despite the hackers’ efforts to hide, SafeBreach found a way to download the attackers’ own files. By identifying a ‘fixed time gap’ in the server’s file-naming convention, the team was able to access stolen data dating back to 2021.
While the group focuses on Iranian dissidents, victims were found globally in Europe, Iraq, Turkey, India, and Canada. As Tomer Bar, SafeBreach’s VP of Security Research, explained in the blog post, the findings prove that this group remains ‘active, relevant, and dangerous.’