Prince of Persia APT Analysis: Infy, Foudre, and Tonnerre Malware
January 14, 2026
Prince of Persia has operated as a persistent cyber-espionage threat since 2007, primarily focusing on surveillance targets ranging from Jundallah-linked news sites to Persian media outlets, including BBC Persian, during the 2013 Iranian presidential elections. Despite a major disruption in 2016 when Palo Alto Networks Unit 42 exposed their activities and neutralized the Infy malware infrastructure [1], the group demonstrated significant resilience by resurfacing with the Foudre malware family. They have since continued to evolve their arsenal, introducing the high-value implant Tonnerre and the Telegram-focused MaxPinner, while recent 2025 updates to Tonnerre utilizing Telegram for command and control highlight their ongoing adaptation and refusal to be deterred by defensive takedowns.
The group employs a sophisticated array of tactics, techniques, and procedures rooted in social engineering and stealthy persistence. They primarily gain initial access through spear-phishing campaigns utilizing malicious attachments with embedded macros or links, as well as drive-by compromises that exploit specific vulnerabilities. Once inside, they use Visual Basic scripting and native APIs to execute payloads, establish persistence by creating Windows services, and evade defense mechanisms through masquerading, self-extracting archives, and dynamic domain generation algorithms. Their operations further involve extensive discovery to harvest credentials via keyloggers and browser theft, alongside the collection of audio, screenshots, and sensitive files which are exfiltrated using web services like Telegram bots.
In this blog post, we will explore the major historical operations of the Prince of Persia, highlight their notable campaigns against political and civil society targets, and examine the group's tactics, techniques, and procedures to understand how they conduct persistent cyber-espionage. In the end, we will show how Picus Platform helps defend against this group.
What Are the Major Activities of the Prince of Persia Group?
- 2007 – Prince of Persia began its initial cyber-espionage operations, establishing a long-standing campaign primarily focused on surveillance rather than destruction or financial gain.
- 2010 – Prince of Persia compromised two news websites linked to Jundallah, exploiting ActiveX vulnerabilities to infect site visitors.
- 2013 – Activity intensified around the Iranian presidential elections with focused targeting of Persian media outlets, including BBC Persian, followed by attacks on civil society members.
- May–June 2016 – Palo Alto Networks Unit 42 exposed a decade-long espionage campaign by Prince of Persia utilizing the Infy malware, leading to a coordinated sinkhole operation that severed the group's access to its victims; although Prince of Persia attempted to regain control in early June by deploying a new malware update (Infy "M" version 8.0), the campaign was definitively neutralized by mid-June when researchers successfully null-routed the remaining command-and-control domains.
- August 2017 – The group resurfaced with a new malware family called "Foudre" (French for lightning), marking a renewed operational phase.
- 2018 – Prince of Persia introduced "Tonnerre" (French for thunder), a secondary implant designed to extract data from high-value systems that had been profiled by Foudre.
- March 2021 – The group developed version 8 of "MaxPinner," a malware family focused on spying on Telegram content.
- August 2022 – Prince of Persia was observed issuing commands to delete Foudre from some victim machines while migrating others to a new Command and Control (C2) server.
- September 2025 – The recent version of Tonnerre (version 50) was detected, featuring a mechanism to redirect communications through a Telegram group [2].
Which MITRE ATT&CK Techniques Are Used by Prince of Persia?
Tactic: Reconnaissance
T1589.002 Gather Victim Identity Information: Email Addresses
Prince of Persia targeted specific individuals and organizations, utilizing gathered email addresses to facilitate spear-phishing campaigns. For instance, the actor targeted an Israeli industrial organization using a compromised Israeli Gmail account [3].
T1598.002 Phishing for Information: Spearphishing Attachment
The threat actor sent emails containing malicious documents to specific victims to initiate the compromise. These emails were tailored to the targets, such as sending a document named "request.docx" to an Israeli organization [3].
Tactic: Initial Access
T1189 Drive-by Compromise
The threat actor compromised news websites to exploit visitors. Specifically, they compromised two websites related to Jundallah and exploited ActiveX vulnerabilities to attack visitors [4].
T1566.001 Phishing: Spearphishing Attachment
Prince of Persia frequently initiated attacks via spear-phishing emails containing malicious attachments. These attachments included Microsoft PowerPoint files (e.g., "thanks.pps", "syria.pps"), Word documents (e.g., "request.docx", "hello.docx"), and Excel files containing malicious macros. One campaign involved a ZIP file named شهدای شاخص .zip (Notable Martyrs.zip) containing an Excel file with an embedded executable [3].
T1566.002 Phishing: Spearphishing Link
In some campaigns, the emails socially engineered the recipient into clicking a link that appeared to be a video but actually started the initial access process.
Tactic: Execution
T1059.005 Command and Scripting Interpreter: Visual Basic
Malicious Excel documents contained macros to drop and execute payloads.
stpath = Replace(Environ("temp"), "Local\Temp", "Roaming")
This VBA macro serves as a stealthy "dropper" designed to extract a hidden malicious file from an Excel spreadsheet and plant it on the victim's computer. The script copies a malicious executable embedded directly in the spreadsheet to the system clipboard, pauses for three seconds to allow the data to buffer, and uses a Windows Shell command to programmatically paste the file into the targeted folder.
T1106 Native API
The Infy malware made direct calls to Windows APIs, such as GetFileAttributesA to check for antivirus directories, GetMessageA, TranslateMessage, and DispatchMessageA for keylogging, and CreateIoCompletionPort for file monitoring.
T1204.002 User Execution: Malicious File
In a Prince of Persia attack, the group relied on users opening malicious attachments. For instance, in some PowerPoint files, users were tricked into clicking a 'Run' button on a slide mimicking a paused movie to execute an embedded self-extracting executable (SFX).
Tactic: Persistence
T1543.003 Create or Modify System Process: Windows Service
The Infy malware installed itself as a service. It created and started services, sometimes using the /s parameter on Windows Vista and later versions. It also cleaned up previous services like "inverse Ser32", "grep", and "hcrtf" to delete any prior Infy installations.
Tactic: Defense Evasion
T1027 Obfuscated Files or Information
The group used Self-Extracting Archives (SFX) to conceal payloads. These archives were often password-protected and contained the malware components.
The group also used custom encoding for strings.
# String decryption logic found in the malware
T1036.005 Masquerading: Match Legitimate Resource Name or Location
The malware disguised its files using names of legitimate software or system files. Observed filenames included "Cyberlink" with a description of "CLMediaLibrary Dynamic Link Library", "Borland hcrtf", "Macromedia Swsoc", and "SnailDriver" [3] [5].
T1140 Deobfuscate/Decode Files or Information
The malware decoded strings and payloads at runtime. It verified C2 servers by downloading a signature file, decrypting it with an embedded public key, and comparing it to a local validation file [5].
T1070.010 Indicator Removal: Relocate Malware
In a Prince of Persia APT campaign, threat actors utilize a Self-Extracting Archive (SFX) file to initiate a cleanup routine that terminates the running Foudre process and immediately renames the underlying executable, thereby disabling its persistence mechanism to prevent the malware from reloading after an Operating System restart.
cmd /c ren <Old Foudre File Name> <New File Name>
T1218.011 System Binary Proxy Execution: Rundll32
The malware used rundll32.exe to execute its malicious DLLs.
rundll32.exe <DLL_FILENAME>,<FUNCTION_NAME>
T1497.001 Virtualization/Sandbox Evasion: System Checks
Tonnerre malware checked for the presence of "Deep Freeze" software (process dfserv.exe). If found, the malware would exit immediately to avoid analysis or interference [6].
Tactic: Credential Access
T1056.001 Input Capture: Keylogging
Prince of Persia initiated a keylogger that captured user keystrokes. This was often managed via a hidden window that processed GetMessageA and DispatchMessageA calls [3].
T1555.003 Credentials from Password Stores: Credentials from Web Browsers
The Infy malware stole browser passwords, forms, cookies, and history from major browsers, including Microsoft Edge, Internet Explorer, Google Chrome, Opera, and Firefox.
Tactic: Discovery
T1012 Query Registry
The Infy malware queried the registry to obtain the machine GUID.
hklm\SOFTWARE\Microsoft\Cryptography\machineguid
T1082 System Information Discovery
Prince of Persia collected environment data, including computer name, user name, and OS version (identified by 32/64 bit).
T1518.001 Software Discovery: Security Software Discovery
To determine if defensive measures are present on the host system, the Infy malware initiates a scan for security applications after execution. It cycles through a predefined list of paths associated with popular antivirus vendors and employs the Windows API function GetFileAttributesA. By validating if these paths exist and possess the FILE_ATTRIBUTE_DIRECTORY flag, the malware confirms the presence of AV software [3].
Tactic: Collection
T1005 Data from Local System
The malware collected files from specific directories, including user directories (Downloads, Pictures, Contacts) and the "Recent Items" folder. It also targeted extensions like .doc, .xls, .jpg, .jpe, .txt, .htm, .pgp, .pdf, .zip, and .rar [3].
T1074.001 Data Staged: Local Data Staging
Collected files were compressed into ZIP or RAR archives and stored in temporary folders before exfiltration [3].
Location: \Program Files\Yahoo!\Messenger\Profiles\yfsbg\yfsbg\3dksf.tmp
T1113 Screen Capture
Some malware developed by the group captured screenshots of the victim's desktop, saving them as .psf or .tmp files before uploading.
T1115 Clipboard Data
The Foudre malware captured clipboard data on a ten-second cycle.
T1123 Audio Capture
Prince of Persia recorded sound and compressed it using the lame.exe command line tool.
lame.exe -b 8mm <INPUT FILE> <OUTPUT FILE>
Tactic: Command and Control
T1102 Web Service
Recent Tonnerre variants utilized a Telegram bot to send commands and receive exfiltrated data. The malware communicated with a Telegram group named "سرافراز" (Sarafraz) [2].
T1568.002 Dynamic Resolution: Domain Generation Algorithms
Malware developed by Prince of Persia uses DGAs to evade detection and takedowns by dynamically generating C2 domains from time-based seeds (year, month, week) and unique prefixes, often employing RSA signatures to verify the server's authenticity before establishing a connection [2] [5].
# NRV1 Algorithm
Then shift characters based on their value and position (index):
Digits (0-9): NewChar = OldChar + 0x39 + Index
Letters (a-f): NewChar = OldChar + 0x8 + Index
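The shift step quoted above, implemented as an added example (not code from this post or from the Unit 42 and Check Point reports), together with the defender-side check it implies: because every output character at index i must fall inside a small window, a DNS log can be screened for labels of that shape. The page does not give the step that produces the shift's input, so an 8-character lowercase hex string is assumed as that input, and the log lines are constructed.

```python
# Added example: the NRV1 shift quoted above plus a defender-side shape check.
# The page omits the step that produces the shift's input, so an 8-character
# lowercase hex string is assumed here; the DNS log lines are constructed.

def nrv1_shift(hex_label: str) -> str:
    """Digits 0-9: OldChar + 0x39 + index; letters a-f: OldChar + 0x8 + index."""
    out = []
    for index, ch in enumerate(hex_label):
        if "0" <= ch <= "9":
            out.append(chr(ord(ch) + 0x39 + index))
        elif "a" <= ch <= "f":
            out.append(chr(ord(ch) + 0x8 + index))
        else:
            raise ValueError(f"not a lowercase hex character: {ch!r}")
    return "".join(out)


def looks_like_nrv1(label: str, length: int = 8) -> bool:
    """Detection shape check: at index i a digit lands in 'i'+i..'r'+i and a
    letter in 'i'+i..'n'+i, so every output character sits in ['i'+i, 'r'+i].
    '0' and 'a' collide, so the map is not invertible; a hit is a signal to
    correlate with other telemetry, not proof on its own."""
    if len(label) != length:
        return False
    return all(chr(0x69 + i) <= ch <= chr(0x72 + i) for i, ch in enumerate(label))


# Constructed DNS query log: "<timestamp> <client> <queried name>".
SAMPLE_DNS_LOG = [
    "2026-01-14T10:00:00Z 10.0.0.5 ijtqpppt.example.",
    "2026-01-14T10:00:01Z 10.0.0.5 www.example.com",
    "2026-01-14T10:00:02Z 10.0.0.7 abcdefgh.example",
    "2026-01-14T10:00:03Z 10.0.0.9 updates.example.net",
]


def flag_nrv1_queries(log_lines):
    """Return queried names whose leftmost label has the NRV1 shape."""
    hits = []
    for line in log_lines:
        qname = line.split()[-1].rstrip(".").lower()
        if looks_like_nrv1(qname.split(".")[0]):
            hits.append(qname)
    return hits
```

The shape window is narrow but not unique to this DGA (an ordinary eight-letter label can fall inside it), so treat a hit as a pivot for the RSA signature download and C2 beaconing described above rather than as a verdict.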
How Does Picus Simulate Prince of Persia Group Attacks?
We strongly suggest simulating Prince of Persia Group attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for the Prince of Persia Group:
Threat ID | Threat Name | Attack Module
78521 | Infy Threat Group Campaign Malware Download Threat | Network Infiltration
71588 | Infy Threat Group Campaign Malware Email Threat | E-mail Infiltration
63702 | Foudre Trojan Email Threat | E-mail Infiltration
78280 | Foudre Trojan Download Threat | Network Infiltration
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
What Are the Aliases of the Prince of Persia Group?
Prince of Persia is also known as: Infy, Foudre, Operation Mermaid, APT-C-07.
Key Takeaways
- Prince of Persia has operated as a persistent cyber-espionage threat since 2007, focusing on surveillance of political targets and Persian media outlets rather than financial gain or destruction.
- The group demonstrates significant resilience, resurfacing after a major 2016 infrastructure takedown with evolved malware families like Foudre, Tonnerre, and the Telegram-focused MaxPinner.
- Attackers primarily gain initial access through spear-phishing campaigns utilizing malicious attachments with embedded macros and drive-by compromises that exploit vulnerabilities on legitimate websites.
- Operational tactics include using Visual Basic scripting for execution, creating Windows services for persistence, and employing dynamic domain generation algorithms to evade detection.
- Recent 2025 updates to the Tonnerre implant highlight ongoing adaptation, featuring mechanisms to redirect command and control communications through Telegram groups.
- The group conducts extensive discovery and data collection, harvesting credentials via keyloggers and browser theft while exfiltrating audio, screenshots, and sensitive files.
- Picus Platform helps organizations defend against Prince of Persia by allowing users to simulate the attacks of the group and validate their security posture.
References
[1] T. Bar, L. Efraim, and S. Conant, “Prince of Persia – Game Over,” Unit 42. Accessed: Jan. 12, 2026. [Online]. Available: https://unit42.paloaltonetworks.com/unit42-prince-of-persia-game-over/
[2] The Hacker News, “Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence,” The Hacker News. Accessed: Jan. 12, 2026. [Online]. Available: https://thehackernews.com/2025/12/iranian-infy-apt-resurfaces-with-new.html
[3] T. Bar and S. Conant, “Prince of Persia: Infy Malware Active In Decade of Targeted Attacks,” Unit 42. Accessed: Jan. 12, 2026. [Online]. Available: https://unit42.paloaltonetworks.com/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/
[4] C. Guarnieri and C. Anderson, “Iran and the soft war for internet dominance.” Accessed: Jan. 12, 2026. [Online]. Available: https://blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf
[5] T. Bar and S. Conant, “Prince of Persia – Ride the Lightning: Infy returns as ‘Foudre,’” Unit 42. Accessed: Jan. 12, 2026. [Online]. Available: https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/
[6] “After Lightning Comes Thunder,” Check Point Research. Accessed: Jan. 12, 2026. [Online]. Available: https://research.checkpoint.com/2021/after-lightning-comes-thunder/
