Iran's oldest known state-aligned hacking crew — tracked as "Prince of Persia" or "Infy" — never actually disappeared. After roughly three years of public silence, SafeBreach researcher Tomer Bar reports that the group has quietly continued spying on Iranian citizens and targets in Iraq, Turkey, India, Europe, and Canada, using upgraded versions of its long-running Foudre and Tonnerre malware. The standout finding is the group's unusually disciplined command-and-control design, including RSA signature verification and keyless Telegram-based control that make takedowns and analysis extremely difficult.

A 20-year-old APT hiding in plain sight

Prince of Persia is not just the oldest documented Iranian advanced persistent threat — it is one of the oldest APTs on record anywhere, in the same tier as Turla and APT1. When it was first written up in security literature about a decade ago, investigators traced its operations as far back as December 2004.

Its obscurity is what makes it notable. While noisier Iranian groups such as OilRig and MuddyWater dominated headlines, Prince of Persia went dark. Dark Reading described it as "out of circulation" back in 2018, the most recent significant public reporting came in 2021, and researchers had heard nothing from the group since 2022.

According to SafeBreach's new analysis, that apparent dormancy was an illusion. Bar says the group has been operating continuously, focusing largely on Iranian dissidents and citizens while also reaching individuals abroad. "It is very unique to have fully operational cyberattack infrastructure working for nearly 20 years — it's probably the longest publicly known threat actor who has operated with the same arsenal," Bar said, crediting the group's persistence, operational security, and cryptographic C2 techniques he says he had never encountered in more than two decades in the field.

Two tools: Foudre and Tonnerre

The group has long relied on two custom implants: Foudre and Tonnerre — French for "lightning" and "thunder."

Foudre is a lightweight first-stage payload that ships basic system information back to the attackers' infrastructure. In the new campaign it arrives as an executable embedded inside a Microsoft Excel file, and Bar notes the sample produced zero detections across antivirus engines on VirusTotal. Its role appears to be triage: deciding whether a victim is worth deeper attention. In one August 2022 example, after Foudre infections the operators singled out certain victims for continued espionage and pushed a self-destruct command to the rest.

Tonnerre is the heavier second-stage tool used for the more involved surveillance work.

How the C2 channels are protected

What distinguishes both implants is the care taken to shield their command-and-control communications.

The updated Tonnerre can use the Telegram API to issue commands and pull stolen data through a private Telegram group. Using Telegram for C2 is common — attackers typically hardcode a Telegram API key inside their backdoor. Prince of Persia's twist is that Tonnerre contains no embedded key, so there's no artifact for defenders to recover. Instead, Bar found that the malware "pulls the key from the [Tonnerre] C2 only for specific victims, which is significantly more stealthy. It's not [utilized against] all victims in an effort to keep the malware activity and the Telegram group hidden."

Foudre goes further, guarding its infrastructure with RSA signature verification layered on top of a domain generation algorithm (DGA). As Bar describes it: the malware embeds a public key and generates 100 candidate C2 domain names each week via the DGA. It contacts the first domain and downloads a signature file that the operator has signed with a private key. Foudre then uses RSA verification to confirm the public key validates that signature. If verification fails, the malware refuses to trust that server and moves on to the next domain in the list.

The practical effect is potent. Even a researcher who reverse-engineers the DGA — as Bar did by spotting patterns in its pseudo-random output — cannot hijack the campaign by pre-registering the predicted domains. "It won't help, since the malware won't trust this C2 server, and no takedown or victim analysis can be made. This is only possible if you have the private key, which is saved only in Iran. In this way, no one is able to influence the campaign," Bar said. He added that exfiltrated files are likewise locked to the correct RSA private key, which has prevented him from decoding the data he has collected.

Bar called this use of RSA verification highly unusual for malware: "something that is common in [non-malicious] domains, but I have never seen it used by a malware — even in campaigns that were attributed to Western nation-state actors." Other experienced researchers he consulted said the same.

Why the paranoia — a takedown that got reversed

The group's obsession with resilient C2 makes more sense against its history. Palo Alto Networks' Unit 42 first exposed Prince of Persia in 2016 and followed up by sinkholing its servers, cutting the operators off from their victims and exposing the inner workings of the operation.

Then came an unusual rescue: Iran's state-owned Telecommunication Company of Iran intervened, blocking traffic to Unit 42's sinkholes and redirecting it back to the attackers. "The threat actor learned its lesson well from the 2016 campaign takedown," Bar said. "And it came back with a very secure architecture revealed in 2017 that has been working without any takedown since then."

Technical background: DGAs and cryptographically authenticated C2

For readers less familiar with the techniques above, here is a general explanation of the two mechanisms — using generic illustrations rather than any specifics of this campaign.

A domain generation algorithm (DGA) is a routine, seeded by something both malware and operator know (often the current date), that deterministically produces a rotating list of candidate domain names. Defenders who don't know the seed can't easily predict or pre-block the domains; the attacker registers only the ones they intend to use. A trivial, illustrative example:


import hashlib, datetime

def generate_domains(seed_date, count=100, tld=".com"):
    domains = []
    for i in range(count):
        h = hashlib.md5(f"{seed_date}-{i}".encode()).hexdigest()
        domains.append(h[:16] + tld)
    return domains

# Weekly seed, e.g. ISO year-week
week = datetime.date.today().strftime("%Y-%W")
for d in generate_domains(week):
    print(d)

The RSA-signed C2 handshake solves a weakness in plain DGA schemes: if a researcher predicts the domains, they can register one and impersonate the server (a sinkhole). Requiring the server to present a payload signed by the operator's private key defeats that, because only the genuine operator holds the key. Conceptually, the client verifies a downloaded signature before trusting a server:


from cryptography.hazmat.primitives.asymmetric import padding
from cryptography.hazmat.primitives import hashes

# public_key is embedded in the malware; the private key stays with the operator
def server_is_trusted(public_key, message: bytes, signature: bytes) -> bool:
    try:
        public_key.verify(
            signature, message,
            padding.PKCS1v15(),
            hashes.SHA256(),
        )
        return True
    except Exception:
        return False

Because a sinkhole operator cannot produce a valid signature, the malware simply skips the impostor and tries the next generated domain — exactly the behavior SafeBreach documented in Foudre.

Detection and mitigation

The reporting available here does not publish a formal indicator list, but the described tradecraft points to several defensive angles that apply to this class of threat generally:

  • Treat Excel files that drop or contain embedded executables as high-risk, especially when the payload is undetected by antivirus — reputation and behavior, not signatures, are the better signal.
  • Monitor for algorithmically generated domain lookups (high-entropy, short-lived domains queried in bursts), a hallmark of DGA-based C2.
  • Watch for programmatic access to the Telegram Bot API (api.telegram.org) from endpoints and servers that have no business talking to it.
  • Because both C2 trust and exfiltrated data hinge on attacker-held private keys, focus on catching the intrusion early — initial access and first-stage beaconing — rather than expecting to decrypt captured traffic or files after the fact.

The takeaway from Bar's research is that Prince of Persia's two-decade survival is less about flashy zero-days than about patient, cryptographically hardened infrastructure engineered specifically to survive the kind of takedown that nearly ended it in 2016.