Lightning Returns: Inside the Shadowy Comeback of Iran’s ‘Prince of Persia’ Hackers
After years in the shadows, Iran’s notorious cyber-espionage group is back with advanced tools and a global hit list.
It was supposed to be over. For nearly three years, the infamous Iranian hacking collective known as ‘Prince of Persia’ (or ‘Infy’) seemed to have vanished from the digital battlefield, leaving behind only the echoes of their old campaigns against diplomats and dissidents. But new research reveals the silence was just a smokescreen. The group has reemerged, more sophisticated and ambitious than ever - proving that in the world of cyber espionage, old ghosts rarely stay buried.
From ‘Operation Mermaid’ to Telegram Takeover
First unmasked in 2016 for targeting Danish diplomats, Prince of Persia has always played the long game. Their operations have consistently zeroed in on political adversaries - journalists, activists, and officials - rather than financial gain. The group’s early exploits, including interference during Iran’s 2013 elections and attacks on BBC Persia, signaled a government-aligned mission.
After a crackdown forced them underground, the hackers retooled. They unleashed new malware families: Foudre, a stealthy reconnaissance tool masquerading as innocent files (like “Notable Martyrs.zip”), and Tonnerre, a powerful second-stage implant reserved for high-value targets. Together, these tools form a devastating one-two punch - first identifying victims, then unleashing full-spectrum espionage capabilities.
But the most startling revelation is the group’s embrace of Telegram for command-and-control. Investigators from SafeBreach Labs discovered the hackers operating through a private Telegram channel, managed by the alias @ehsan8999100 and a custom Telegram bot. This shift to encrypted social platforms not only helps them evade detection but also lets them coordinate attacks in real time.
Staying Hidden - and Getting Caught
Prince of Persia’s technical arsenal has grown. They now deploy multiple malware variants simultaneously, using techniques like Domain Generation Algorithms (DGA) to rotate their digital infrastructure and avoid being blacklisted. Other tools, such as Amaq News Finder and MaxPinner, focus on siphoning data from victims’ own Telegram accounts.
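The DGA rotation mentioned above leaves a recognisable trace on the defender's side: one infected host resolving a stream of random-looking names that no legitimate software would ever type. The following is an added example, not code from the article or from SafeBreach Labs, showing a lexical triage pass over DNS query logs. The log line format, the thresholds and the sample lines are all constructed for illustration; a production detector would add domain-age and NXDOMAIN-rate signals, which this sketch omits.

```python
"""Heuristic triage of DGA-like hostnames in DNS query logs.

Added example (not the article's or SafeBreach's code). The log format,
thresholds and sample lines are all constructed for illustration.
"""
import math
import re
from collections import Counter

# Constructed sample DNS log lines in a hypothetical "client=... query=..." format.
SAMPLE_DNS_LOG = """\
2024-03-01T10:00:01Z client=10.0.0.12 query=mail.example-corp.com type=A
2024-03-01T10:00:02Z client=10.0.0.12 query=xk7qz2v9bw3pl1nd.net type=A
2024-03-01T10:00:03Z client=10.0.0.15 query=cdn.static-assets.org type=A
2024-03-01T10:00:04Z client=10.0.0.12 query=qw8zj3vxh2klm5pt.com type=A
2024-03-01T10:00:05Z client=10.0.0.20 query=login.microsoft.com type=A
"""

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<name>[A-Za-z0-9.-]+)")
VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score near log2(len)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registrable_label(hostname: str) -> str:
    """Second-to-last label (naive: ignores multi-part suffixes such as co.uk)."""
    labels = hostname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def label_features(label: str) -> dict:
    """Lexical features DGA output tends to show: high entropy, few vowels,
    embedded digits and long consonant runs."""
    letters = [c for c in label if c.isalpha()]
    digits = sum(c.isdigit() for c in label)
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    longest_run = run = 0
    for c in label:
        if c.isalpha() and c not in VOWELS:
            run += 1
            longest_run = max(longest_run, run)
        else:
            run = 0
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "digit_ratio": digits / len(label) if label else 0.0,
        "vowel_ratio": vowel_ratio,
        "longest_consonant_run": longest_run,
    }


def is_dga_like(label: str, min_len: int = 10) -> bool:
    """Require at least two independent signals, so long hyphenated
    corporate names (e.g. 'example-corp') are not flagged on entropy alone."""
    f = label_features(label)
    if f["length"] < min_len:
        return False
    signals = (
        f["entropy"] >= 3.5,
        f["vowel_ratio"] <= 0.3,
        f["longest_consonant_run"] >= 4 or f["digit_ratio"] >= 0.2,
    )
    return sum(signals) >= 2


def flag_dga_queries(log_text: str) -> list:
    """Return one record per log line whose queried name looks algorithmically generated."""
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        label = registrable_label(m.group("name"))
        if is_dga_like(label):
            flagged.append({"client": m.group("client"), "query": m.group("name"), **label_features(label)})
    return flagged


def suspicious_clients(log_text: str, min_hits: int = 2) -> dict:
    """Clients resolving several DGA-like names: rotation across many
    random domains, not a single odd lookup, is the DGA signature."""
    hits = Counter(r["client"] for r in flag_dga_queries(log_text))
    return {client: n for client, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for rec in flag_dga_queries(SAMPLE_DNS_LOG):
        print(f"{rec['client']} -> {rec['query']} entropy={rec['entropy']:.2f} vowels={rec['vowel_ratio']:.2f}")
    print("clients to investigate:", suspicious_clients(SAMPLE_DNS_LOG))
```

On the constructed sample, the two 16-character labels hit the entropy, vowel and digit signals at once and both come from the same client, which is the host an analyst would pull for Foudre/Tonnerre indicators; the hyphenated corporate names score below the thresholds and are left alone. Lexical heuristics like these are a first filter only, and a blocklist-evading DGA built from dictionary words would need the domain-age and NXDOMAIN-rate checks this example leaves out.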
Despite their efforts to stay invisible, SafeBreach researchers found a chink in the armor - a predictable pattern in the group’s file naming. By exploiting this, analysts accessed troves of stolen data stretching back to 2021, exposing the group’s ongoing global reach.
The New Normal of Cyber Espionage
The Prince of Persia saga underscores a sobering reality: state-backed hackers adapt, regroup, and return with sharper claws. Their latest campaign is a warning to governments, activists, and anyone who dares dissent - cyber threats don’t retire; they reload. As the digital cold war intensifies, vigilance, not complacency, is the only defense.
WIKICROOK
- Advanced Persistent Threat (APT): An Advanced Persistent Threat (APT) is a prolonged, targeted cyberattack by skilled groups, often state-backed, aiming to steal data or disrupt operations.
- Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
- Malware: Malware is malicious software designed to infiltrate, damage, or steal data from computing devices without the user’s consent.
- Domain Generation Algorithm (DGA): A DGA creates many domains for malware to contact C2 servers, helping attackers evade detection and takedown efforts.
- Reconnaissance: Reconnaissance is the early stage of a cyberattack where attackers gather information about a target to identify weaknesses and plan their approach.