Prince of Persia has operated as a persistent cyber-espionage group since 2007. Its surveillance targets have ranged from Jundallah-linked news sites to Persian-language media outlets, including BBC Persian during the 2013 Iranian presidential election. Despite a major disruption in 2016, when Palo Alto Networks Unit 42 exposed the group's activities and disrupted the Infy command-and-control infrastructure [1], the group proved resilient and resurfaced with the Foudre malware family. It has since continued to evolve its arsenal, introducing the higher-value implant Tonnerre and the Telegram-focused MaxPinner, and 2025 updates to Tonnerre that use Telegram for command and control show that defensive takedowns have not deterred it.
The group employs a sophisticated array of tactics, techniques, and procedures rooted in social engineering and stealthy persistence. Initial access comes mainly from spear-phishing e-mails carrying malicious attachments with embedded macros or links, and from drive-by compromises of websites its targets visit, such as compromised Jundallah-related news sites serving ActiveX exploits. Once inside, the group uses Visual Basic scripting and native Windows APIs to execute payloads, establishes persistence by creating Windows services, and evades defenses through masquerading, self-extracting archives, and domain generation algorithms for resilient command and control. Its operations also involve host discovery, credential theft via keyloggers and browser credential stores, and the collection of audio, screenshots, clipboard contents, and sensitive files, which are exfiltrated over web services such as Telegram bots.
In this blog post, we will explore the major historical operations of the Prince of Persia, highlight their notable campaigns against political and civil society targets, and examine the group's tactics, techniques, and procedures to understand how they conduct persistent cyber-espionage. In the end, we will show how Picus Platform helps defend against this group.
Prince of Persia gathered e-mail addresses for specific individuals and organizations to build its spear-phishing target lists. For instance, the actor targeted an Israeli industrial organization from a compromised Israeli Gmail account [3].
The threat actor sent emails containing malicious documents to specific victims to initiate the compromise. These emails were tailored to the targets, such as sending a document named "request.docx" to an Israeli organization [3].
The threat actor also compromised websites to exploit their visitors: two news sites related to Jundallah were compromised and used to serve ActiveX exploits against anyone who browsed to them [4].
Prince of Persia frequently initiated attacks via spear-phishing emails containing malicious attachments. These attachments included Microsoft PowerPoint files (e.g., "thanks.pps", "syria.pps"), Word documents (e.g., "request.docx", "hello.docx"), and Excel files containing malicious macros. One campaign involved a ZIP file named شهدای شاخص .zip (Notable Martyrs.zip) containing an Excel file with an embedded executable [3].
In some campaigns, the e-mails socially engineered the recipient into clicking a link that appeared to lead to a video but actually started the initial access chain.
Malicious Excel documents contained macros to drop and execute payloads. One such macro computed its drop directory as follows [3]:

```vb
' %TEMP% is normally C:\Users\<user>\AppData\Local\Temp, so this resolves to C:\Users\<user>\AppData\Roaming
stpath = Replace(Environ("temp"), "Local\Temp", "Roaming")
```

This VBA macro is a dropper that extracts an executable embedded in the spreadsheet and plants it on the victim's machine. It copies the embedded object to the clipboard, waits three seconds for the clipboard data to become available, and then uses a Windows Shell command to paste the file into the folder computed above. Note that the Replace call only works because the default %TEMP% value contains the substring "Local\Temp"; on a host with a non-default temp directory the string is left unchanged and the payload lands in %TEMP% instead.
The Infy malware called Windows APIs directly: GetFileAttributesA to check for antivirus installation directories, GetMessageA, TranslateMessage, and DispatchMessageA to run the window message loop behind its keylogger, and CreateIoCompletionPort for file monitoring.
Prince of Persia relied on users opening malicious attachments. In some PowerPoint files, for instance, a slide mimicking a paused movie tricked the user into clicking a 'Run' button, which executed an embedded self-extracting executable (SFX).
The Infy malware installed itself as a Windows service. It created and started the service, on Windows Vista and later sometimes passing the /s parameter. It also removed services installed by earlier versions of itself, with names such as "inverse Ser32", "grep", and "hcrtf", deleting any prior Infy installation.
The group used Self-Extracting Archives (SFX) to conceal payloads. These archives were often password-protected and contained the malware components.
The group also used custom encoding for strings.
The malware disguised its files using names of legitimate software or system files. Observed filenames included "Cyberlink" with a description of "CLMediaLibrary Dynamic Link Library", "Borland hcrtf", "Macromedia Swsoc", and "SnailDriver" [3] [5].
The malware decoded strings and payloads at runtime. It also authenticated C2 servers before using them: it downloaded a signature file from the candidate domain, verified it with an embedded RSA public key, and compared the result to a local validation file [5]. A DGA domain registered or sinkholed by a third party cannot produce a valid signature without the operators' private key, so it is rejected.
In a later campaign, the SFX installer ran a cleanup routine that terminated the running Foudre process and immediately renamed its executable, breaking the older implant's persistence so that it would not reload after an operating system restart:

```cmd
cmd /c ren <Old Foudre File Name> <New File Name>
```
The malware used rundll32.exe to execute exported functions of its malicious DLLs:

```cmd
rundll32.exe <DLL_FILENAME>,<FUNCTION_NAME>
```
Tonnerre malware checked for the presence of "Deep Freeze" software (process dfserv.exe). If found, the malware would exit immediately to avoid analysis or interference [6].
Prince of Persia ran a keylogger that captured user keystrokes, typically through a hidden window whose message loop processed GetMessageA and DispatchMessageA calls [3].
The Infy malware stole browser passwords, forms, cookies, and history from major browsers, including Microsoft Edge, Internet Explorer, Google Chrome, Opera, and Firefox.
The Infy malware queried the registry for the machine GUID, a stable per-host identifier:

```text
HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid
```
Prince of Persia collected environment data, including the computer name, user name, and OS version and architecture (32- or 64-bit).
To determine whether security software is present on the host, the Infy malware scans for antivirus products after execution: it iterates over a hard-coded list of installation paths associated with popular antivirus vendors and calls GetFileAttributesA on each one. If the path exists and the returned attributes include FILE_ATTRIBUTE_DIRECTORY, the malware treats that product as installed [3].
The malware collected files from specific directories, including user directories (Downloads, Pictures, Contacts) and the "Recent Items" folder. It also targeted extensions like .doc, .xls, .jpg, .jpe, .txt, .htm, .pgp, .pdf, .zip, and .rar [3].
Collected files were compressed into ZIP or RAR archives and staged in a temporary location before exfiltration, for example [3]:

```text
\Program Files\Yahoo!\Messenger\Profiles\yfsbg\yfsbg\3dksf.tmp
```
Some malware developed by the group captured screenshots of the victim's desktop, saving them as .psf or .tmp files before uploading.
The Foudre malware captured clipboard data on a ten-second cycle.
Prince of Persia recorded audio and compressed it with the lame.exe command-line MP3 encoder:

```cmd
lame.exe -b 8mm <INPUT FILE> <OUTPUT FILE>
```
Recent Tonnerre variants utilized a Telegram bot to send commands and receive exfiltrated data. The malware communicated with a Telegram group named "سرافراز" (Sarafraz) [2].
Malware developed by Prince of Persia uses domain generation algorithms (DGAs) to survive detection and takedowns: C2 domains are derived from time-based seeds (year, month, week) combined with unique prefixes, so fresh domains come into use automatically, and RSA signatures are checked to verify the server's authenticity before a connection is established [2] [5]. The NRV1 encoding step is described as follows:

```text
# NRV1 Algorithm
Then shift characters based on their value and position (index):
  Digits (0-9):  NewChar = OldChar + 0x39 + Index
  Letters (a-f): NewChar = OldChar + 0x8 + Index
```
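The character-shift step quoted above, implemented in Python as an added example; this is not code from the Picus post, from Unit 42 or Check Point, or from the malware itself. The a-f range in the rule implies the input is a lowercase hexadecimal string, so the example assumes the unquoted preceding step produces one, here an MD5 hex digest of a year/month/week seed. The seed layout, the 8-character slice, the two prefixes and the `.example` TLD are illustrative assumptions, chosen so that a defender can see how a time-seeded DGA yields a small, precomputable set of domains per week. The example also checks two properties that follow from the rule as printed: because the shift grows with the index, a label of more than nine characters can leave the a-z range, and because digits 0-5 and letters a-f land on the same letters, the step is a lossy encoding rather than a bijection.

```python
"""NRV1-style character shift and a time-seeded domain list built on it.

Added example for this post; not code from Picus, Unit 42, Check Point or the
malware. Only nrv1_shift() follows the rule quoted above. The seed layout,
MD5 digest, 8-character slice, prefixes and '.example' TLD are assumptions
made so the example runs end to end.
"""
import hashlib
from datetime import date


def nrv1_shift(hex_str: str) -> str:
    """Apply the quoted rule: digits shift by 0x39 + index, a-f by 0x8 + index.

    Both classes land on 'i' + value + index, so '0' and 'a', '1' and 'b', ...
    '5' and 'f' collide: the step is an obfuscating encoding, not a bijection.
    """
    out = []
    for i, c in enumerate(hex_str):
        if "0" <= c <= "9":
            out.append(chr(ord(c) + 0x39 + i))
        elif "a" <= c <= "f":
            out.append(chr(ord(c) + 0x8 + i))
        else:
            raise ValueError(f"not a lowercase hex character: {c!r}")
    return "".join(out)


def is_dns_label(label: str) -> bool:
    """True if the shifted label is a plain a-z DNS label.

    Because the shift grows with the index, a '9' at index 9 or later maps past
    'z' (0x7a), so a DGA using this step must operate on a short slice.
    """
    return 0 < len(label) <= 63 and all("a" <= c <= "z" for c in label)


def week_of_month(d: date) -> int:
    """1-based week of the month counted from the 1st (assumption; the post does not define 'week')."""
    return (d.day - 1) // 7 + 1


def candidate_domains(d: date, prefixes=("a", "b"), tld="example", length=8):
    """Return one candidate C2 domain per prefix for the week containing d.

    Assumed pipeline: seed = YYYYMM<week> -> MD5 hex digest -> first `length`
    hex chars -> nrv1_shift -> <prefix><label>.<tld>. Every date in the same
    week yields the same domains, which is what lets a defender precompute
    the set for a given week and block or sinkhole it.
    """
    seed = f"{d.year}{d.month:02d}{week_of_month(d)}"
    label = nrv1_shift(hashlib.md5(seed.encode()).hexdigest()[:length])
    if not is_dns_label(label):
        raise ValueError(f"slice length {length} produced a non-DNS label {label!r}")
    return [f"{p}{label}.{tld}" for p in prefixes]


if __name__ == "__main__":
    # Constructed date for illustration; prints the assumed-prefix domains for its week.
    for domain in candidate_domains(date(2025, 12, 1)):
        print(domain)
```

Run the block to list the domains for the current week's seed; in practice a defender would swap in the real seed construction and prefixes from a sample and feed the output to DNS blocklists or a sinkhole. Because the malware checks an RSA signature from the server, a sinkholed domain will stop beaconing rather than accept commands, which is still a useful detection signal.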
We also strongly suggest simulating Prince of Persia Group Attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for the Prince of Persia Group:
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 78521 | Infy Threat Group Campaign Malware Download Threat | Network Infiltration |
| 71588 | Infy Threat Group Campaign Malware Email Threat | E-mail Infiltration |
| 63702 | Foudre Trojan Email Threat | E-mail Infiltration |
| 78280 | Foudre Trojan Download Threat | Network Infiltration |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
Prince of Persia is also known as: Infy, Foudre, Operation Mermaid, APT-C-07.
References
[1] T. Bar, L. Efraim, and S. Conant, “Prince of Persia – Game Over,” Unit 42. Accessed: Jan. 12, 2026. [Online]. Available: https://unit42.paloaltonetworks.com/unit42-prince-of-persia-game-over/
[2] The Hacker News, “Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence,” The Hacker News. Accessed: Jan. 12, 2026. [Online]. Available: https://thehackernews.com/2025/12/iranian-infy-apt-resurfaces-with-new.html
[3] T. Bar and S. Conant, “Prince of Persia: Infy Malware Active In Decade of Targeted Attacks,” Unit 42. Accessed: Jan. 12, 2026. [Online]. Available: https://unit42.paloaltonetworks.com/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/
[4] C. Guarnieri and C. Anderson, “Iran and the soft war for internet dominance.” Accessed: Jan. 12, 2026. [Online]. Available: https://blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf
[5] T. Bar and S. Conant, “Prince of Persia – Ride the Lightning: Infy returns as ‘Foudre,’” Unit 42. Accessed: Jan. 12, 2026. [Online]. Available: https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/
[6] “After Lightning Comes Thunder,” Check Point Research. Accessed: Jan. 12, 2026. [Online]. Available: https://research.checkpoint.com/2021/after-lightning-comes-thunder/