Iran’s Oldest Hacking Group Never Left, It Just Got Sneakier


According to Dark Reading, researchers at SafeBreach have revealed that Iran’s oldest state-level threat group, known as “Prince of Persia” or “Infy,” is not dormant but has been actively spying for years. The group, whose activity dates back to December 2004, was last reported on in 2021 and went silent in 2022, leading many to believe it was out of circulation. The new report shows it has been targeting Iranian citizens and individuals in Iraq, Turkey, India, Europe, and Canada using upgraded versions of its known malware. Researcher Tomer Bar states the group’s infrastructure has been fully operational for nearly 20 years, making it one of the longest-known persistent threats. The group uses remarkably stealthy techniques, including a command-and-control (C2) method involving RSA signature verification that Bar says he’s never seen in over 20 years of experience.


Stealth is the name of the game

Here’s the thing about Prince of Persia: they learned from getting burned. Back in 2016, Palo Alto Networks’ Unit 42 basically took over their whole operation by sinkholing their servers. That should have been game over. But then, in a wild move, the state-owned Telecommunication Company of Iran stepped in, blocked traffic to those sinkholes, and handed control back to the hackers. That’s a level of state bailout you don’t see every day. So, what did they do with that second chance? They went deep, deep underground.

Their two main tools, “Foudre” (lightning) and “Tonnerre” (thunder), aren’t radically new. But the way they protect their communications is. Take Tonnerre’s use of the Telegram API. Lots of hackers use Telegram for C2, right? But they usually embed the API key right in the malware code. Prince of Persia doesn’t. It pulls the key from its C2 server only for specific, high-value victims. That means if researchers find the malware on some low-priority target, there’s no key to find and use to track the whole operation. It’s compartmentalized espionage, and it’s brilliant.

The uncrackable C2

But Foudre’s method is even more impressive, and frankly, a bit intimidating. It uses a Domain Generation Algorithm (DGA) to create 100 potential C2 server domains each week. That’s not super rare. The magic is in the RSA signature verification. The malware has a public key baked in. It tries to connect to a domain, downloads a signature file, and verifies that signature against the embedded public key. If the check fails—meaning the domain isn’t legitimately controlled by the attackers, because only their private key can produce a valid signature—it moves on to the next one on the list.

Think about what this means. Even if a genius researcher like Tomer Bar reverse-engineers the DGA and knows *exactly* which domains the malware will call out to next week, he can’t hijack them. The malware just won’t trust his fake server without that private key, which is sitting safely in Iran. Bar says this technique is common in legitimate web domains, but he’s never seen it in malware—not even from Western nation-states. That’s a serious level of operational security for a group everyone thought was retired.
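As an added illustration (not code from SafeBreach, the malware, or the researchers), here is a toy model of the signature-gated domain selection described above. It uses textbook RSA with tiny constructed primes and constructed placeholder domains, and shows why a sinkhole that lacks the operators’ private key is rejected even when the sinkhole owner holds a key pair of their own:

```python
"""Toy model of signature-gated C2 selection. Textbook RSA with tiny
constructed primes: NOT secure, for illustration of the check only."""
import hashlib
from typing import Dict, List, Optional

# Constructed toy key pair standing in for the operators' key.
# A real implant would embed only PUBLIC_KEY; D stays with the operators.
P, Q = 1000003, 1000033
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)
PUBLIC_KEY = (N, E)

# Constructed key pair for a hypothetical sinkhole: valid RSA, wrong key.
SP, SQ = 1000037, 1000039
S_N = SP * SQ
S_D = pow(E, -1, (SP - 1) * (SQ - 1))

# Constructed placeholder names standing in for one week's DGA output.
CANDIDATES = ["wk12-cand-a.example", "wk12-cand-b.example", "wk12-cand-c.example"]


def _digest(domain: str, n: int) -> int:
    """Hash the domain name and reduce it into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(domain.encode()).digest(), "big") % n


def sign_domain(domain: str, d: int, n: int) -> int:
    """Server side: the 'signature file' a host serves for its own name."""
    return pow(_digest(domain, n), d, n)


def verify_domain(domain: str, signature: int, pub=PUBLIC_KEY) -> bool:
    """Implant side: accept the host only if the signature verifies under
    the embedded public key, i.e. it was made with the matching private key."""
    n, e = pub
    return pow(signature, e, n) == _digest(domain, n)


def select_c2(candidates: List[str], served: Dict[str, Optional[int]]) -> Optional[str]:
    """Walk the weekly list; `served` maps domain -> signature file (None = absent)."""
    for domain in candidates:
        sig = served.get(domain)
        if sig is not None and verify_domain(domain, sig):
            return domain
    return None


def run_scenario() -> Optional[str]:
    """Two sinkholed candidates (no file / self-signed) and one operator host."""
    served = {
        CANDIDATES[0]: None,                                  # sinkhole, serves nothing
        CANDIDATES[1]: sign_domain(CANDIDATES[1], S_D, S_N),  # sinkhole, its own key
        CANDIDATES[2]: sign_domain(CANDIDATES[2], D, N),      # operator-controlled
    }
    return select_c2(CANDIDATES, served)
```

The defensive takeaway is the one the article draws: knowing next week’s domains lets you observe and block the polling, not impersonate the server, so detection has to key on the behaviour (a host walking a list of fresh domains and fetching a small file from each) rather than on takeover.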

What this means for cybersecurity

So why does this matter? It shows a maturation in state-sponsored threats that we need to pay attention to. While groups like MuddyWater are noisy and get caught constantly, Prince of Persia represents the quiet, persistent, and deeply technical arm of Iranian cyber-espionage. They’re not going for disruptive attacks that make headlines; they’re in the long-game business of intelligence gathering, likely on dissidents and activists.

Their longevity—nearly two decades—is a warning. It proves that with enough state support and clever engineering, a threat group can effectively become a permanent fixture in the digital landscape. Detection becomes a nightmare because their tools leave almost no trace for automated systems. Antivirus engines on VirusTotal don’t even flag their latest Excel-based dropper. This forces defenders to rely on behavioral analysis and network traffic scrutiny, which is far harder to scale. For organizations monitoring critical infrastructure or dealing with sensitive geopolitical issues, understanding that these old threats aren’t gone, they’re just evolved, is crucial. It’s a reminder that in cybersecurity, silence isn’t safety—it’s often just a smarter adversary at work.

The big picture

Look, the resurgence of Prince of Persia reshapes the Iranian APT landscape. It’s not a two-horse race between OilRig and MuddyWater anymore. We now have a confirmed third, highly sophisticated player that operates with a different philosophy: stealth over spectacle. This creates a “good cop, bad cop” dynamic for Iranian cyber operations, with the noisy groups drawing attention and resources while the quiet one continues its work unimpeded.

For potential targets, especially diaspora communities and activists, the advice remains frustratingly the same but critically important: assume you are a target. Be hyper-vigilant about phishing, especially documents arriving via email. And understand that the tools being used are professional-grade. The technical deep dive by SafeBreach, which you can see summarized in this video analysis, shows these aren’t script kiddies. This is a sustained, well-funded intelligence operation with the patience to wait years between major reporting cycles. Basically, they’re playing a different game, and we all need to adjust our defenses accordingly.
