One of the oldest advanced persistent threat (APT) actors in the world, Infy (also known as Prince of Persia), has been linked to new activity by threat hunters. Evidence of Infy's early activity dates back to December 2004.

The group's attacks have primarily made use of two malware strains: Foudre, a downloader and victim profiler that installs Tonnerre, a second-stage implant, to retrieve data from valuable computers. According to SafeBreach's analysis of the group's C2 infrastructure, the group consists of two members: a user with the handle "-ehsan8999100" and a Telegram bot ("ttestro1bot") that is probably used to issue commands and gather data. It has targeted people in Canada, Iran, Iraq, Turkey, India, and Europe.

Tonnerre can only be activated for a particular list of victim GUIDs, according to SafeBreach. It's unclear which specific file contains the "allowed machine GUIDs." The revelation coincides with DomainTools' ongoing investigation of Charming Kitten leaks, which has revealed a hacker collective that operates more like a government agency. According to the cybersecurity firm, the threat actor responsible for the Moses Staff persona has also been identified as APT 35, the same administrative system that powers Tehran's ongoing credential-phishing operations.

SafeBreach stated, "Prince of Persia threat actors have done quite the opposite, despite the appearance of having gone dark in 2022. Our continuous investigation into this widespread and elusive group has revealed important information about their operations, C2 servers, and malware variations in the previous three years."