Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends
Iran’s Shadow Cyber Army: Infy APT Evolves Stealth Tactics Amid Regime Internet Blackout
In a chilling demonstration of digital statecraft, Iran’s most elusive cyber espionage collective—known in intelligence circles as Infy (or the “Prince of Persia”)—has dramatically evolved its operational playbook, leveraging both cutting-edge malware and geopolitical upheaval to advance its intelligence-gathering campaigns.
The Great Disconnect: When Iran Went Dark
On January 8, 2026, something unprecedented occurred in the shadowy world of Iranian cyber operations. The Infy APT, active since 2004, suddenly ceased all command-and-control server activity—marking the first operational pause in nearly two decades of continuous surveillance operations.
This wasn’t a technical failure or internal reorganization. It coincided precisely with Iran’s nationwide internet shutdown, imposed by the regime in response to massive anti-government protests that swept the country in early January.
“The timing is unmistakable,” reveals Tomer Bar, Vice President of Security Research at SafeBreach. “Even government-affiliated cyber units apparently lacked the capability or authorization to maintain malicious infrastructure during the blackout. This strongly suggests Infy operates with direct state backing.”
Resurgence: New Infrastructure, New Threats
As Iranian authorities began relaxing internet restrictions on January 25, Infy demonstrated remarkable operational agility. Within 24 hours, the group had deployed entirely new command-and-control infrastructure—a feat requiring sophisticated planning and resources.
This rapid reconstitution speaks volumes about the group’s capabilities. Unlike conventional cybercriminals who might take weeks to rebuild infrastructure, Infy’s near-instantaneous recovery suggests state-level logistical support and pre-positioned resources.
The Tornado Awakens: Next-Generation Malware
At the heart of Infy’s renewed offensive lies Tornado, the latest iteration of their Tonnerre malware family. Version 51 represents a quantum leap in cyber espionage sophistication, employing dual command-and-control mechanisms that blend traditional HTTP communications with Telegram’s encrypted messaging platform.
The malware’s architecture is particularly ingenious. It generates command-and-control domain names through two distinct methods: a novel Domain Generation Algorithm (DGA) and blockchain-based de-obfuscation techniques. This hybrid approach provides operational flexibility while complicating defensive countermeasures.
Weaponizing Vulnerabilities: The WinRAR Exploit
Infy has weaponized a critical vulnerability in WinRAR—either CVE-2025-8088 or CVE-2025-6218—to deliver Tornado payloads. The exploit chain is surgically precise: specially crafted RAR archives, uploaded from Germany and India in mid-December 2025, contain self-extracting executables that deploy the malware while evading detection.
The infection sequence reveals military-grade operational security. Before installation, the malware checks for Avast antivirus presence, aborting if detected. Upon successful deployment, it establishes persistence through scheduled tasks and begins harvesting system information.
Telegram as Command Central
Perhaps most disturbingly, Infy has embedded Telegram deeply into its operational architecture. The malware communicates with private Telegram groups featuring cryptic handles like “@ttestro1bot” and users such as “@ehsan8999100” and “@Ehsan66442.”
These aren’t random handles. The group names include Persian phrases like سرافراز (sarafraz, meaning “proudly”), suggesting cultural affinity and operational comfort with Iranian linguistic contexts.
SafeBreach researchers managed to infiltrate these private channels, uncovering a treasure trove of operational data. Between February 16, 2025, and February 3, 2026, they accessed 118 files and 14 encoded command links transmitted to infected machines.
The Infostealer Connection: ZZ Stealer Emerges
The investigation revealed a sophisticated multi-stage attack chain. Infy appears to be deploying ZZ Stealer, a custom variant of the open-source StormKitty infostealer, as a first-stage payload.
ZZ Stealer exhibits classic espionage functionality: environmental data collection, screenshot capture, and desktop file exfiltration. Upon receiving the command “8==3” from command servers, it downloads and executes secondary payloads—suggesting a modular, adaptable attack framework.
Supply Chain Warfare: The PyPI Connection
The scope of Infy’s operations extends beyond traditional malware delivery. Researchers discovered a “very strong correlation” between ZZ Stealer campaigns and malicious packages uploaded to the Python Package Index (PyPI) repository.
One package, named “testfiwldsd21233s,” was specifically designed to drop ZZ Stealer variants and exfiltrate data through Telegram’s bot API. This represents a calculated assault on software supply chains—targeting developers and organizations through compromised development tools.
Potential Alliances: The Charming Kitten Connection
While Infy has historically operated independently, researchers identified “weaker potential correlations” with Charming Kitten (also known as Educated Manticore), another prominent Iranian APT group.
Shared characteristics include the use of ZIP and Windows Shortcut (LNK) files, along with PowerShell loader techniques. While not conclusive evidence of collaboration, these similarities suggest possible knowledge sharing or resource pooling within Iran’s cyber ecosystem.
The Human Cost: Who’s Being Targeted?
The geographical distribution of malicious RAR files—originating from Germany and India—provides crucial clues about Infy’s targeting priorities. These aren’t random attacks but carefully selected operations against specific geopolitical adversaries.
Germany’s inclusion suggests targeting of European diplomatic, industrial, or research institutions. India’s presence indicates focus on South Asian strategic interests, possibly related to regional competition or intelligence gathering on neighboring states.
State Sponsorship: The Smoking Gun
The operational patterns leave little doubt about Infy’s backing. The group’s ability to maintain continuous operations since 2004, its sophisticated infrastructure management, and its apparent coordination with Iranian state internet policies all point to direct government support.
This isn’t opportunistic cybercrime but strategic intelligence operations aligned with Tehran’s geopolitical objectives. Infy represents a persistent, patient, and well-resourced cyber capability that has operated largely undetected for over two decades.
The Evolution of Cyber Espionage
Infy’s evolution reflects broader trends in state-sponsored cyber operations. The group has moved from simple malware deployment to sophisticated, multi-vector campaigns incorporating supply chain attacks, social engineering, and advanced persistence mechanisms.
Their use of Telegram represents a tactical shift—leveraging civilian communication platforms for military-grade operations. This blending of commercial and military technologies creates new challenges for defenders and complicates attribution efforts.
Defensive Implications: The Road Ahead
For cybersecurity professionals, Infy’s evolution demands urgent attention. The group’s operational security, infrastructure resilience, and technical sophistication make it a formidable adversary.
Key defensive priorities include monitoring for WinRAR exploitation attempts, scrutinizing Telegram-based communications for anomalous patterns, and implementing rigorous supply chain security measures for development environments.
Organizations in Germany, India, and other geopolitical flashpoints should particularly prioritize defenses against Infy’s tactics, given the group’s demonstrated interest in these regions.
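The detection priorities above can be turned into a concrete correlation check. The following is an added example (not code from the SafeBreach report or from the malware) that scans constructed Sysmon-style telemetry for two behaviours the article describes: a scheduled-task registration whose ancestry leads back to an archive tool, and a process other than an expected client contacting the Telegram bot API. Event field names, process names and paths are assumptions chosen for the sample.

```python
import json

# Constructed Sysmon-style telemetry (not real captures): WinRAR spawns a dropped
# executable, which registers a scheduled task and then contacts the Telegram
# bot API; a browser reaching the same host is benign noise the check must ignore.
SAMPLE_LOG = r"""
{"type": "process", "pid": 100, "ppid": 1, "image": "C:\\Program Files\\WinRAR\\WinRAR.exe"}
{"type": "process", "pid": 200, "ppid": 100, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\report.exe"}
{"type": "process", "pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\schtasks.exe"}
{"type": "network", "pid": 200, "dest_host": "api.telegram.org", "dest_port": 443}
{"type": "process", "pid": 400, "ppid": 1, "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe"}
{"type": "network", "pid": 400, "dest_host": "api.telegram.org", "dest_port": 443}
"""

ARCHIVE_TOOLS = {"winrar.exe", "unrar.exe", "rar.exe"}
TASK_TOOLS = {"schtasks.exe"}
TELEGRAM_HOSTS = {"api.telegram.org"}
# Assumed allowlist of processes for which Telegram API traffic is expected.
EXPECTED_TELEGRAM_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "telegram.exe"}


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def has_archive_ancestor(pid, procs, max_depth=5):
    """Walk the parent chain (pid -> (image, ppid)); bounded to avoid cycles."""
    for _ in range(max_depth):
        if pid not in procs:
            return False
        image, pid = procs[pid]
        if image in ARCHIVE_TOOLS:
            return True
    return False


def find_alerts(log_text):
    """Return (rule, pid) tuples for events matching the two behaviours."""
    procs = {}   # pid -> (image basename, ppid), built as process events arrive
    alerts = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev["type"] == "process":
            image = basename(ev["image"])
            procs[ev["pid"]] = (image, ev["ppid"])
            if image in TASK_TOOLS and has_archive_ancestor(ev["ppid"], procs):
                alerts.append(("schtasks_under_archive_tool", ev["pid"]))
        elif ev["type"] == "network" and ev["dest_host"] in TELEGRAM_HOSTS:
            image = procs.get(ev["pid"], ("unknown", None))[0]
            if image not in EXPECTED_TELEGRAM_CLIENTS:
                alerts.append(("telegram_api_from_unexpected_process", ev["pid"]))
    return alerts
```

Run against real telemetry, the allowlist and the ancestry depth are the two knobs to tune; the Telegram rule in particular needs a site-specific allowlist to stay useful.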
Conclusion: The Silent War Continues
As Iran’s digital battlefield evolves, Infy stands as a testament to the enduring nature of state-sponsored cyber operations. Their ability to adapt, innovate, and persist through regime-imposed internet blackouts demonstrates a level of sophistication that transcends conventional cybercrime.
The “Prince of Persia” continues its silent march through cyberspace, gathering intelligence, influencing outcomes, and operating in the shadows where digital warfare meets geopolitical strategy. In this new era of cyber conflict, groups like Infy aren’t just hacking computers—they’re shaping the future of international relations, one compromised system at a time.
Tags: #InfyAPT #IranianHackers #CyberEspionage #PrinceOfPersia #TornadoMalware #TelegramBot #WinRARExploit #ZZStealer #PyPIAttack #StateSponsoredHacking #CyberWarfare #DigitalEspionage #AdvancedPersistentThreat #IranCyber #SafeBreachResearch