SOC Prime Bias: Critical

16 Jan 2026 16:13

Prince of Persia APT Analysis: Infy, Foudre, and Tonnerre Malware

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Prince of Persia (also tracked as APT-C-07) is a long-running Iran-aligned cyber-espionage actor assessed to be active since 2007. The group has cycled through multiple proprietary malware families—Infy, Foudre, Tonnerre, and MaxPinner—to surveil media organizations, political entities, and civil-society targets. Operations commonly blend spear-phishing with opportunistic drive-by infection paths and rely on bespoke command-and-control methods, including Telegram bot–based channels, to sustain access and move data off compromised systems.

Investigation

Unit 42 and other research teams traced the actor’s tooling progression from Infy infrastructure observed in 2016 to the return of Foudre activity in 2017 and a 2025 iteration of Tonnerre that uses Telegram for command-and-control. Technical reporting highlights delivery through Visual Basic macro droppers, persistence via Windows service installation, and the use of domain-generation logic to support resilient infrastructure. Analysts also documented native Windows API–level functionality used for credential access and surveillance behaviors such as keylogging, alongside execution patterns that indicate ongoing refinement of post-compromise tradecraft.

Mitigation

Apply strict controls for Office macros and enforce email attachment sanitization to reduce initial execution opportunities. Implement network controls to restrict or closely monitor Telegram traffic in environments where it is not required for business operations. On endpoints, alert on suspicious service creation, track rundll32 usage consistent with DLL execution chains, and block known malicious filenames and registry-based persistence patterns. Maintain updated detection content for dynamically changing domain patterns associated with DGA-like behavior and routinely validate controls against current telemetry.

Response

If indicators are detected, isolate the affected system, capture volatile artifacts, and hunt for the specific service names and registry entries used for persistence. Expand triage to scheduled task creation, anomalous DLL load activity, and any evidence of Telegram-based C2 communications. Remove malicious services and staged files using vetted remediation playbooks, then rotate potentially exposed credentials and monitor closely for re-entry attempts or re-infection across adjacent hosts.
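The endpoint checks named under Mitigation and Response (service creation from unusual locations, rundll32-driven DLL loads, and Telegram-bound DNS lookups) can be turned into a first-pass triage script. The PowerShell below is an added example, not SOC Prime detection content or anything from the referenced research; it assumes Sysmon is installed with image-load (Event ID 7) and DNS query (Event ID 22) logging enabled, that the System log still holds Service Control Manager 7045 events, and that the lookback window, the user-writable path regex and the Telegram host patterns are local assumptions to tune.

```powershell
# Added example, not part of the SOC Prime page: endpoint triage queries for the
# persistence and C2 behaviours described in the Mitigation and Response sections.
# Assumptions: Sysmon logs Event ID 7 (image load) and 22 (DNS query); the System
# log retains Event ID 7045 (service installed); the lookback window, path regex
# and Telegram host patterns below are placeholders to adjust per environment.
param([int]$LookbackHours = 24)

$since         = (Get-Date).AddHours(-$LookbackHours)
$userWritable  = '\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\'   # regex, assumption
$telegramHosts = '*.telegram.org', 't.me', '*.t.me'                         # wildcard list, assumption

# Flatten an event's EventData <Data Name="..."> elements into one object.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{ TimeCreated = $Event.TimeCreated }
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]$fields
}

# Query one log/event-id pair within the lookback window and parse each record.
function Get-ParsedEvents {
    param([string]$LogName, [int]$Id)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-EventData $_ }
}

# 1. Services installed (System 7045) whose binary lives in a user-writable directory:
#    a typical trait of malware-created persistence services.
Write-Host '== Service installations from user-writable paths =='
Get-ParsedEvents -LogName 'System' -Id 7045 |
    Where-Object { $_.ImagePath -match $userWritable } |
    Select-Object TimeCreated, ServiceName, ImagePath, StartType, AccountName |
    Format-Table -AutoSize

# 2. rundll32.exe loading an unsigned DLL from a user-writable directory (Sysmon 7),
#    the "rundll32 usage consistent with DLL execution chains" called out above.
Write-Host '== rundll32 loading unsigned DLLs from user-writable paths =='
Get-ParsedEvents -LogName 'Microsoft-Windows-Sysmon/Operational' -Id 7 |
    Where-Object { $_.Image -like '*\rundll32.exe' -and $_.Signed -eq 'false' -and
                   $_.ImageLoaded -match $userWritable } |
    Select-Object TimeCreated, Image, ImageLoaded, ProcessId |
    Format-Table -AutoSize

# 3. DNS lookups for Telegram infrastructure (Sysmon 22), with the process that asked.
#    On hosts where Telegram is not a business tool, any hit is worth a closer look.
Write-Host '== Telegram DNS queries =='
Get-ParsedEvents -LogName 'Microsoft-Windows-Sysmon/Operational' -Id 22 |
    Where-Object { $q = $_.QueryName; @($telegramHosts | Where-Object { $q -like $_ }).Count -gt 0 } |
    Select-Object TimeCreated, Image, QueryName, QueryResults |
    Format-Table -AutoSize
```

Run it elevated on the isolated host (Sysmon and System log reads need administrative rights). Each of the three lists is a lead, not a verdict: a legitimate installer can register a service from ProgramData, and a browser will resolve t.me when a user clicks a link, so pivot on the Image and ProcessId columns before acting.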

Attack Flow

    graph TB
        %% Class definitions
        classDef action fill:#99ccff
        classDef malware fill:#ffcc99
        classDef tool fill:#cccccc
        classDef operator fill:#ff9900

        %% Nodes for each step
        step1["<b>Action</b> – <b>T1566.001 Spearphishing Attachment</b><br/>Adversary sends targeted email with a malicious Office document containing macros."]
        class step1 action
        step2["<b>Action</b> – <b>T1059.005 Visual Basic</b><br/>Macro executes VBA code that extracts and runs the Infy/Foudre payload."]
        class step2 action
        malware_inf["<b>Malware</b> – <b>Name</b>: Infy/Foudre<br/><b>Description</b>: Payload delivered via Office macro."]
        class malware_inf malware
        step3["<b>Action</b> – <b>T1204.001 Malicious Link</b><br/>Victim clicks a link or opens the attachment, triggering macro execution."]
        class step3 action
        step4["<b>Action</b> – <b>T1574.010 Hijack Execution Flow Services File Permissions Weakness</b><br/>Malware creates a Windows service with modified permissions for persistence."]
        class step4 action
        step5["<b>Action</b> – <b>T1027 Obfuscated Files or Information</b><br/>Payload is packed in a password-protected self-extracting archive using custom string encoding."]
        class step5 action
        step6["<b>Action</b> – <b>T1036 Masquerading</b><br/>Malicious files are named to resemble legitimate software such as “Cyberlink” or “SnailDriver”."]
        class step6 action
        step7["<b>Action</b> – <b>T1056.001 Input Capture Keylogging</b><br/>Keylogging performed via Windows API hooks to capture user credentials."]
        class step7 action
        step8["<b>Action</b> – <b>T1555.003 Credentials from Password Stores Web Browsers</b><br/>Steals passwords, cookies and browsing history from Chrome, Edge, Firefox and other browsers."]
        class step8 action
        step9["<b>Action</b> – <b>T1012 Query Registry</b><br/>Reads HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid to obtain system identifier."]
        class step9 action
        step10["<b>Action</b> – <b>T1518 Software Discovery</b> and <b>T1518.001 Security Software Discovery</b><br/>Enumerates installed applications and checks for presence of antivirus product directories."]
        class step10 action
        step11["<b>Action</b> – <b>T1010 Application Window Discovery</b><br/>Enumerates open windows to detect security tools or analysis consoles."]
        class step11 action
        step12["<b>Action</b> – <b>T1005 Data from Local System</b><br/>Collects documents, images and archives from user folders."]
        class step12 action
        op_collect_methods(("AND"))
        class op_collect_methods operator
        step13["<b>Action</b> – <b>T1113 Screen Capture</b>, <b>T1123 Audio Capture</b>, <b>T1125 Video Capture</b>, <b>T1115 Clipboard Data</b><br/>Records screen, microphone, webcam and clipboard contents."]
        class step13 action
        step14["<b>Action</b> – <b>T1074.001 Local Data Staging</b><br/>Compresses collected files into ZIP or RAR archives in temporary locations."]
        class step14 action
        step15["<b>Action</b> – <b>T1102.002 Web Service Bidirectional Communication</b><br/>Uses a Telegram bot or group for command and control and exfiltration."]
        class step15 action
        tool_telegram["<b>Tool</b> – <b>Name</b>: Telegram Bot<br/><b>Description</b>: Enables bidirectional C2 communication over Telegram."]
        class tool_telegram tool
        step16["<b>Action</b> – <b>T1568.002 Dynamic Resolution Domain Generation Algorithms</b><br/>Generates C2 domains based on time-seeded values."]
        class step16 action
        step17["<b>Action</b> – <b>T1497 Virtualization Sandbox Evasion</b><br/>Detects analysis tools such as Deep Freeze and terminates execution if detected."]
        class step17 action
        step18["<b>Action</b> – <b>T1564 Hide Artifacts</b><br/>Terminates and renames malicious processes and files to evade detection."]
        class step18 action

        %% Connections showing the attack flow
        step1 -->|leads_to| step2
        step2 -->|executes| malware_inf
        malware_inf -->|triggers| step3
        step3 -->|leads_to| step4
        step4 -->|establishes| step5
        step5 -->|enables| step6
        step6 -->|enables| step7
        step7 -->|provides| step8
        step8 -->|provides| step9
        step9 -->|provides| step10
        step10 -->|provides| step11
        step11 -->|provides| step12
        step12 -->|feeds| op_collect_methods
        op_collect_methods -->|combines| step13
        step13 -->|feeds| step14
        step14 -->|prepares| step15
        step15 -->|uses| tool_telegram
        tool_telegram -->|supports| step16
        step16 -->|supports| step17
        step17 -->|supports| step18

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    The simulated adversary mimics Infy malware behavior by creating three dummy executables whose filenames correspond to the API calls the rule watches. Using Copy-Item, we duplicate notepad.exe (a benign, already‑present binary) to the temporary directory and rename it to match each API call. The attacker then executes each dummy binary, producing Sysmon process‑creation events with Image values ending in GetFileAttributesA.exe, GetMessageA.exe, and DispatchMessageA.exe. Because the rule’s condition is selection1 or selection2 on the Image field, each launch satisfies the rule and generates an alert.

  • Regression Test Script:

    # -------------------------------------------------
    # Simulation Script – Infy API Call Detection Test
    # -------------------------------------------------
    $tempDir = "$env:TEMP\InfySim"
    New-Item -ItemType Directory -Path $tempDir -Force | Out-Null
    
    # Helper: copy notepad.exe to a new name
    function Copy-And-Run {
        param (
            [string]$newName
        )
        $src = "$env:SystemRoot\System32\notepad.exe"
        $dst = Join-Path $tempDir $newName
        Copy-Item -Path $src -Destination $dst -Force
        Write-Host "Created $dst"
        Start-Process -FilePath $dst -WindowStyle Hidden
    }
    
    # Create and execute dummy binaries matching the API names
    Copy-And-Run -newName "GetFileAttributesA.exe"
    Copy-And-Run -newName "GetMessageA.exe"
    Copy-And-Run -newName "DispatchMessageA.exe"
    
    Write-Host "Simulation complete. Check SIEM for alerts."
  • Cleanup Commands:

    # -------------------------------------------------
    # Cleanup Script – Remove simulated binaries
    # -------------------------------------------------
    $tempDir = "$env:TEMP\InfySim"
    
    # Stop any remaining dummy processes
    Get-Process -Name "GetFileAttributesA","GetMessageA","DispatchMessageA" -ErrorAction SilentlyContinue |
        Stop-Process -Force
    
    # Remove the temporary directory and its contents
    Remove-Item -Path $tempDir -Recurse -Force -ErrorAction SilentlyContinue
    
    Write-Host "Cleanup complete."
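Between running the regression test and the cleanup above, it is worth confirming that the three launches really produced the Sysmon process-creation events the rule keys on, rather than trusting the "Simulation complete" message. The following PowerShell is an added example, not part of the SOC Prime page; it assumes Sysmon is installed and writing to Microsoft-Windows-Sysmon/Operational, and the lookback window is an assumption.

```powershell
# Added example, not part of the SOC Prime page: verify that the regression test
# left Sysmon Event ID 1 records whose Image ends with each simulated API name.
# Assumptions: Sysmon logs to Microsoft-Windows-Sysmon/Operational and the
# lookback window below is long enough to cover the test run.
param([int]$LookbackMinutes = 15)

$expected = 'GetFileAttributesA.exe', 'GetMessageA.exe', 'DispatchMessageA.exe'
$since    = (Get-Date).AddMinutes(-$LookbackMinutes)

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since
} -ErrorAction SilentlyContinue

# Pull the Image field out of each event's EventData.
$images = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'Image' }).'#text'
}

# Mirror the rule's logic: match on the Image suffix, one check per expected name.
$missing = foreach ($name in $expected) {
    if (-not ($images | Where-Object { $_ -like "*\$name" })) { $name }
}

if ($missing) {
    Write-Warning ("No Sysmon Event ID 1 seen for: {0}. Check the Sysmon ProcessCreate " +
                   "configuration before concluding the rule itself failed." -f ($missing -join ', '))
    exit 1
}
Write-Host "All $($expected.Count) expected Image values observed; rule telemetry confirmed."
exit 0
```

Because the dummies are renamed copies of notepad.exe, the OriginalFileName field in those same Event ID 1 records still reads NOTEPAD.EXE; this simulation therefore exercises only rules that key on Image, and a rule written against OriginalFileName would stay silent. Run the check before the cleanup script, since the cleanup kills the processes but does not affect the already-written events.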