{
	"id": "83b55dc0-ee91-449d-aca0-800a2e593810",
	"created_at": "2026-04-06T00:14:36.868423Z",
	"updated_at": "2026-04-10T03:36:22.92661Z",
	"deleted_at": null,
	"sha1_hash": "491a495987682ebce1cfb98525b7e4f90eb7b358",
	"title": "Infy, Prince of Persia - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64664,
	"plain_text": "Infy, Prince of Persia - Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:18:58 UTC\r\nAPT group: Infy, Prince of Persia\r\nNames\r\nInfy (Palo Alto)\r\nPrince of Persia (Palo Alto)\r\nOperation Mermaid (Qihoo 360)\r\nAPT-C-07 (Qihoo 360)\r\nCountry: Iran\r\nSponsor: State-sponsored\r\nMotivation: Information theft and espionage\r\nFirst seen: 2007\r\nDescription\r\nSince early 2013, we have observed activity from a unique threat actor group, which we began to investigate based on increased activities against human rights activists in the beginning of 2015. In line with other research on the campaign, released prior to publication of this document, we have adopted the name “Infy”, which is based on labels used in the infrastructure and its two families of malware agents.\r\nThanks to information we have been able to collect during the course of our research, such as characteristics of the group’s malware and development cycle, our research strongly supports the claim that the Infy group is of Iranian origin and potentially connected to the Iranian state. Amongst a backdrop of other incidents, Infy became one of the most frequently observed agents for attempted malware attacks against Iranian civil society beginning in late 2014, growing in use up to the February 2016 parliamentary election in Iran. After the conclusion of the parliamentary election, the rate of attempted intrusions and new compromises through the Infy agent slowed, but did not end. The trends witnessed in reports from recipients are reinforced through telemetry provided by design failures in more recent versions of the Infy malware.\r\nObserved Sectors: Government and private sectors.\r\nCountries: Azerbaijan, Bahrain, Canada, China, Denmark, France, Germany, India, Iran, Iraq, Israel, Italy, Romania, Netherlands, Russia, Saudi Arabia, Sweden, Syria, Turkey, UK, USA.\r\nTools used: Infy, Tonnerre.\r\nOperations performed\r\nMay 2015\r\nIn May 2015, Palo Alto Networks WildFire detected two e-mails carrying malicious documents from a genuine and compromised Israeli Gmail account, sent to an Israeli industrial organization. One e-mail carried a Microsoft PowerPoint file named “thanks.pps”, the other a Microsoft Word document named “request.docx”.\r\nFeb 2017\r\nIn February 2017, we observed an evolution of the “Infy” malware that we’re calling “Foudre” (“lightning”, in French). The actors appear to have learned from our previous takedown and sinkholing of their Command and Control (C2) infrastructure – Foudre incorporates new anti-takeover techniques in an attempt to avoid their C2 domains being sinkholed as we did in 2016.\r\nCounter operations\r\nJun 2016\r\nPrince of Persia – Game Over\r\nInformation\r\nLast change to this card: 19 April 2021\r\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=bd37587a-e905-44dd-8844-0b2dcfb96c8e",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=bd37587a-e905-44dd-8844-0b2dcfb96c8e"
	],
	"report_names": [
		"showcard.cgi?u=bd37587a-e905-44dd-8844-0b2dcfb96c8e"
	],
	"threat_actors": [
		{
			"id": "f763fd1f-f697-40eb-a082-df6fd3d13cb1",
			"created_at": "2023-01-06T13:46:38.561288Z",
			"updated_at": "2026-04-10T02:00:03.024326Z",
			"deleted_at": null,
			"main_name": "Infy",
			"aliases": [
				"Operation Mermaid",
				"Prince of Persia",
				"Foudre"
			],
			"source_name": "MISPGALAXY:Infy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59c9f31b-e032-44b9-bf3b-4f2cb3d17e39",
			"created_at": "2022-10-25T16:07:23.734244Z",
			"updated_at": "2026-04-10T02:00:04.731031Z",
			"deleted_at": null,
			"main_name": "Infy",
			"aliases": [
				"APT-C-07",
				"Infy",
				"Operation Mermaid",
				"Prince of Persia"
			],
			"source_name": "ETDA:Infy",
			"tools": [
				"Foudre",
				"Infy",
				"Tonnerre"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434476,
	"ts_updated_at": 1775792182,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/491a495987682ebce1cfb98525b7e4f90eb7b358.pdf",
		"text": "https://archive.orkl.eu/491a495987682ebce1cfb98525b7e4f90eb7b358.txt",
		"img": "https://archive.orkl.eu/491a495987682ebce1cfb98525b7e4f90eb7b358.jpg"
	}
}