
Infy Threat Group Resumes Cyber Espionage with Stealthy C2 Infrastructure Upgrade

Source: The Hacker News

Iran-linked APT group Infy reactivates operations post-internet blackout, deploying new command-and-control servers with enhanced evasion tactics.

Iranian APT Group Infy Resumes Operations with Refined Evasion Tactics

The Iranian advanced persistent threat (APT) group Infy (also tracked as Prince of Persia) has reactivated its cyber espionage operations following the conclusion of Iran’s nationwide internet blackout. The threat actor has deployed new command-and-control (C2) infrastructure while simultaneously refining its tactics to evade detection, according to security researchers.

Key Developments and Timeline

  • Cessation of Activity: Infy halted maintenance of its existing C2 servers on January 8, 2026, marking its first operational pause since tracking began.
  • Internet Blackout: The group’s inactivity coincided with Iran’s nationwide internet shutdown, imposed in early February 2026 amid domestic unrest.
  • Resumption of Operations: With internet services restored, Infy has reestablished its C2 infrastructure, incorporating new evasion techniques to obscure its activities.

Technical Analysis of Updated Tactics

Infy has historically targeted government entities, dissidents, and regional adversaries using spear-phishing campaigns and custom malware. While specific details of the new C2 infrastructure remain undisclosed, security analysts note the following likely enhancements:

  • Domain Generation Algorithms (DGAs): Potential use of DGAs to dynamically generate C2 domains, complicating takedown efforts.
  • Traffic Obfuscation: Possible implementation of encrypted tunneling (e.g., DNS-over-HTTPS or VPN-based communication) to mask malicious traffic.
  • Living-off-the-Land Binaries (LOLBins): Increased reliance on legitimate system tools to reduce forensic artifacts.
  • Fast-Flux Hosting: Rapid rotation of IP addresses associated with C2 domains to evade blacklisting.

Impact and Attribution

Infy’s operations align with Iranian state-sponsored cyber espionage objectives, focusing on intelligence collection and surveillance. The group’s resumption of activity underscores Tehran’s continued investment in cyber capabilities despite geopolitical disruptions.

  • Targets: Likely to include Middle Eastern governments, activists, and foreign diplomatic missions.
  • Motivation: Primarily strategic intelligence gathering, with secondary objectives potentially tied to influence operations.

Recommendations for Defenders

Security teams should prioritize the following mitigations to detect and disrupt Infy’s updated tactics:

  1. Network Monitoring

    • Deploy behavioral analytics to identify anomalous C2 communication patterns.
    • Monitor for unusual outbound traffic, particularly to newly registered domains or known malicious IP ranges.
  2. Endpoint Protection

    • Implement application whitelisting to block unauthorized execution of LOLBins.
    • Enable advanced threat detection (e.g., EDR/XDR solutions) to flag suspicious process injections or lateral movement.
  3. Threat Intelligence

    • Subscribe to APT-specific threat feeds to stay updated on Infy’s evolving infrastructure (e.g., C2 domains, malware hashes).
    • Correlate indicators of compromise (IOCs) with Iran-linked threat groups to contextualize alerts.
  4. User Awareness

    • Conduct targeted phishing simulations to train users on recognizing spear-phishing lures, a common Infy infection vector.
  5. Incident Response

    • Develop playbooks for Iranian APT activity, including containment strategies for Infy’s malware families (e.g., Foudre, Tonnerre).
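The tactics listed under Technical Analysis (DGA-generated domains and fast-flux IP rotation) together with the network-monitoring recommendation above can be turned into a first-pass detector over DNS logs. This is an added example, not code from the article or from any vendor; the log records, domain names and thresholds are constructed for illustration and should be tuned against real traffic before use.

```python
import math
from collections import defaultdict

# Constructed sample passive-DNS records: (seconds since start, queried domain, answer IP).
# Addresses are from RFC 5737 documentation ranges; the domains are invented.
SAMPLE_DNS_LOG = [
    (0,   "login.example-mail.test", "203.0.113.10"),
    (600, "login.example-mail.test", "203.0.113.10"),
    (0,   "cdn.example-news.test",   "192.0.2.8"),
    (300, "cdn.example-news.test",   "192.0.2.9"),
    (0,   "xk3p9qzt7vbn.test",       "198.51.100.5"),
    (120, "xk3p9qzt7vbn.test",       "198.51.100.77"),
    (240, "xk3p9qzt7vbn.test",       "198.51.100.140"),
    (360, "xk3p9qzt7vbn.test",       "198.51.100.201"),
    (480, "xk3p9qzt7vbn.test",       "198.51.100.33"),
]

VOWELS = set("aeiou")

def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    n = len(text)
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_like_dga(domain, min_entropy=3.2, max_vowel_ratio=0.2):
    """Heuristic: the registrable label is both high-entropy and vowel-poor."""
    parts = domain.rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]   # label left of the TLD
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio

def fast_flux_domains(records, window=3600, min_ips=4):
    """Domains whose answers rotate through >= min_ips distinct IPs inside one window."""
    seen = defaultdict(set)
    for ts, domain, ip in records:
        seen[(domain, ts // window)].add(ip)
    return sorted({d for (d, _), ips in seen.items() if len(ips) >= min_ips})

def analyze(records):
    """Return {domain: [reasons]} for every domain that trips at least one heuristic."""
    findings = defaultdict(list)
    for domain in sorted({r[1] for r in records}):
        if looks_like_dga(domain):
            findings[domain].append("dga-like name")
    for domain in fast_flux_domains(records):
        findings[domain].append("fast-flux rotation")
    return dict(findings)

if __name__ == "__main__":
    for domain, reasons in analyze(SAMPLE_DNS_LOG).items():
        print(f"{domain}: {', '.join(reasons)}")
```

Hits from either heuristic are leads for analyst review, not verdicts; legitimate CDNs also rotate addresses, so raise `min_ips` or add an allow-list where that produces noise.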

Conclusion

Infy’s return to operations highlights the resilience of state-sponsored threat actors and the challenges of tracking groups that adapt to geopolitical disruptions. Organizations in high-risk sectors—particularly government, defense, and human rights—should assume Infy remains an active threat and adjust defenses accordingly.

For further IOCs and technical analysis, refer to reports from CrowdStrike, Mandiant, or the original Hacker News disclosure.
