👤 WHITEHAWK
🗓️ 18 Dec 2025   🌍 Middle-East

Shadow Resurrection: Iran’s Oldest Cyber Spy Team Returns from the Dead

After years of apparent silence, the elusive “Prince of Persia” APT is back - more secretive, sophisticated, and persistent than ever, targeting dissidents worldwide.

For years, it was the ghost story of Iranian cyber-espionage: an advanced persistent threat (APT) so old its name had faded from memory, outshone by noisier contemporaries. But now, “Prince of Persia” - also known as “Infy” - is back in the headlines, and its return is a chilling lesson in patience, stealth, and the evolving art of digital repression.

The Silent Operator

While most cyber-espionage groups crave notoriety, Prince of Persia perfected the art of invisibility. First exposed over a decade ago, the group’s activity was traced back to 2004 - making it a contemporary of legendary actors like Turla and APT1. Yet by 2018 it was widely believed to be defunct, and its digital footprint vanished entirely after 2021. The truth? Prince of Persia simply got better at hiding.

According to new research from SafeBreach, the group has maintained a continuous campaign against Iranian dissidents and global targets in Iraq, Turkey, India, Europe, and Canada. Its toolkit, centered on the “Foudre” and “Tonnerre” malware families, has evolved to evade nearly all detection. These tools are now delivered in benign-looking files - such as Microsoft Excel documents - that slip past antivirus defenses with alarming ease.

Cryptography as a Cloak

What sets Prince of Persia apart isn’t just its longevity, but its technical ingenuity. Foudre, a lightweight reconnaissance tool, and Tonnerre, a robust espionage platform, both shield their communications with next-level cryptography. Foudre, for instance, generates hundreds of potential command-and-control (C2) domains each week, but will only trust servers that can prove possession of a secret private key - rendering traditional takedown tactics useless.

Tonnerre, meanwhile, leverages the Telegram messaging platform for covert C2, but with a twist: it retrieves access keys dynamically, leaving no clues for investigators to follow. Such operational security is rare even among Western state-sponsored actors, according to veteran researchers.

State Support and Survival

This resilience has been aided by more than just technical prowess. In 2016, when Palo Alto Networks’ Unit 42 tried to neutralize Prince of Persia’s infrastructure, Iran’s state-owned telecommunications company intervened - blocking the takedown and rerouting traffic back to the attackers. Since then, the group’s infrastructure has remained untouchable.

As Iran’s digital crackdown intensifies, Prince of Persia’s ghostly persistence is a stark warning: in the shadowy world of cyber-espionage, silence can be the ultimate weapon.

Conclusion

The re-emergence of Prince of Persia shatters any illusions that old threats simply fade away. Instead, they adapt, learn, and - backed by state resources - continue their silent work in the digital shadows, reminding us that in cybersecurity, what you don’t see can hurt you most.

WIKICROOK

  • APT (Advanced Persistent Threat): An Advanced Persistent Threat (APT) is a long-term, targeted cyberattack by skilled groups, often state-backed, aiming to steal data or disrupt operations.
  • Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
  • Malware: Malware is malicious software designed to infiltrate, damage, or steal data from computing devices without the user’s consent.
  • Domain Generation Algorithm (DGA): A DGA creates many domains for malware to contact C2 servers, helping attackers evade detection and takedown efforts.
  • RSA Signature Verification: RSA signature verification confirms digital message authenticity and integrity using public-key cryptography, ensuring secure and trusted communications.
Iran Cyber Espionage Prince of Persia Advanced Persistent Threat

WHITEHAWK
Cyber Intelligence Strategist