{
	"id": "a3131c12-4728-4d9f-8c4b-8aa366e0341f",
	"created_at": "2026-04-06T01:32:16.281036Z",
	"updated_at": "2026-04-10T03:36:22.919648Z",
	"deleted_at": null,
	"sha1_hash": "723839e151c5e52d5bca0e162ebba6b98b08919f",
	"title": "Prince of Persia: Infy Malware Active In Decade of Targeted Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 988175,
	"plain_text": "Prince of Persia: Infy Malware Active In Decade of Targeted\r\nAttacks\r\nBy Tomer Bar, Simon Conant\r\nPublished: 2016-05-02 · Archived: 2026-04-06 00:44:45 UTC\r\nAttack campaigns that have very limited scope often remain hidden for years. If only a few malware samples are\r\ndeployed, it’s less likely that security industry researchers will identify and connect them together.\r\nIn May 2015, Palo Alto Networks WildFire detected two e-mails carrying malicious documents from a genuine\r\nand compromised Israeli Gmail account, sent to an Israeli industrial organization. One e-mail carried a Microsoft\r\nPowerPoint file named “thanks.pps” (VirusTotal), the other a Microsoft Word document named “request.docx”.\r\nAround the same time, WildFire also captured an e-mail containing a Word document (“hello.docx”) with an\r\nidentical hash as the earlier Word document, this time sent to a U.S. Government recipient.\r\nBased on various attributes of these files and the functionality of the malware they install, we have identified and\r\ncollected over 40 variants of a previously unpublished malware family we call Infy, which has been involved in\r\nattacks stretching back to 2007. Attacks using this tool were still active as of April 2016.\r\nAttack Technique\r\nThe attacks we have identified carrying Infy begin with a spear-phishing e-mail carrying a Word or PowerPoint\r\ndocument. The attached document file contains a multi-layer Self-Extracting Executable Archive (SFX), and\r\ncontent attempting to social engineer the recipient into activating the executable. In this example, the PPS file,\r\nwhen clicked, opens in “PowerPoint Show” mode. 
The user sees a PowerPoint page (Figure 1) that mimics a\r\npaused movie, and is tricked into clicking “Run” (Figure 2), which allows the embedded SFX file to execute.\r\nhttps://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/\r\nPage 1 of 13\n\nFigure 1 PowerPoint page mimics a paused video\r\nFigure 2 User tricked into running embedded SFX EXE\r\nOne of the SFX layers is encrypted with the key “1qaz2wsx3edc”. The package (Figure 3) typically includes a\r\nfake readme.txt file as camouflage (for example, impersonating an Aptana Studio application), and in some\r\ncampaigns, image or video files (Figure 4). The executable typically has a filename pattern ins[*].exe where * are\r\nrandom digits of up to 4 characters. The main payload is a DLL file with a typical filename pattern mpro[*].dll\r\nwhere * are random digits of up to 3 characters (early versions used a .cpl extension).\r\nFigure 3 Embedded SFX contents\r\nFigure 4 Some campaigns include image or video files as camouflage\r\nThe executable installs the DLL, writes to the autorun registry key, and doesn’t activate until a reboot. After\r\nreboot, it first checks for antivirus and then connects to the C2. 
It starts collecting environment data, initiates a\r\nkeylogger, and steals browser passwords and content such as cookies, before exfiltrating the stolen data to the C2\r\nserver.\r\nThe initially-observed “thanks.pps” example tricks the user into running the embedded file named ins8376.exe\r\nwhich loads a payload DLL named mpro324.dll.\r\nInfrastructure\r\nIn our initial samples, we observed C2 servers updateserver3[.]com and us1s2[.]strangled[.]net.\r\nOther campaigns use a combination of Dynamic DNS providers, third-party site hosting services, and apparently\r\nfirst-party-registered domains as C2 servers.\r\nAnalysis of hosting and WHOIS data (Figure 5) led to a total of 12 related first-party-registered domains used for\r\nC2 servers:\r\nbestbox3[.]com\r\nmyblog2000[.]com\r\nsafehostonline[.]com\r\nupdateserver3[.]com\r\nshort-name[.]com\r\nbestupdateserver2[.]com\r\nbestwebstat[.]com\r\nupdatebox4[.]com\r\nbestupdateserver[.]com\r\nshort-url20[.]com\r\nupdateserver1[.]com\r\nbox4054[.]net\r\nAges of these domains suggest that some may have been used for malicious activity back as far as early 2010.\r\nWe found a report by the Danish Defense Intelligence Service’s Center for Cybersecurity, which had observed\r\nsimilar attacks against Danish Government targets, and documented a small portion of the same C2 infrastructure.\r\nFigure 5 Infrastructure and Actor information related to Infy Attacks\r\nWe initially found a file with an identical hash as the originally-observed PowerPoint file, but a different filename\r\n(“syria.pps”), uploaded to VirusTotal (Figure 6) also in May of 2015. 
A characteristic observed across these\r\ncampaigns is that the actor puts deliberate effort into the specific geographic targeting, with region-specific attack\r\ncontent.\r\nFigure 6 PowerPoint file uploaded to VirusTotal with a different file name\r\nWe were subsequently able to pivot and associate additional malware and campaigns based on infrastructure,\r\nhashes, strings, and payload links and similarities. The most conclusive evidence that all of these are linked is\r\nfound in a single key, used to encode strings within the malware across all examples. Only the offset varies: older\r\nversions encode just the C2 data, newer versions encode most strings, and some double-encode the C2 data with\r\ntwo different offsets. The following script can be used to decode these strings:\r\nimport string\r\nimport base64\r\n# Source alphabet: each encoded character is looked up here to obtain its index.\r\nFIRST_PHASE = \"OQTJEqtsK0AUB9YXMwr8idozF7VWRPpnhNCHI6Dlkaubyxf5423jvcZ1LSGmge\"\r\n# Target alphabet: the decoded character is read from here at a position-dependent offset.\r\nSECOND_PHASE = \"PqOwI1eUrYtT2yR3p4E5o6WiQu7ASlDkFj8GhHaJ9sKdLfMgNzBx0ZcXvCmVnb\"\r\ndef decrypt(input, offset=-10):\r\n    # Characters outside the alphabet (separators, digits) are copied through unchanged;\r\n    # the offset differs per sample family, so callers pass the offset that fits the sample.\r\n    result = \"\"\r\n    for i, c in enumerate(input):\r\n        i = i % 62 + 1\r\n        try:\r\n            index = FIRST_PHASE.index(c)\r\n        except ValueError:\r\n            result += c\r\n            continue\r\n        translated = SECOND_PHASE[(index - i + offset) % len(SECOND_PHASE)]\r\n        result += translated\r\n    return result\r\nBased on this specific encoding technique and key, we have identified related Infy samples from as early as mid\r\n2007 (Figure 7), although more frequent related activity is observed after 2011. 
Historic registration of the C2\r\ndomain associated with the oldest sample that we found, fastupdate[.]net, suggests that it may have been\r\nassociated with malicious activity as far back as December 2004.\r\nOver the years, we have noticed continued development and feature improvement in the code. For instance, support for\r\nthe new Microsoft Edge browser was recently introduced in “version 30”.\r\nFigure 7 Oldest related example found dates to 2007\r\nMost of the associated malware samples dating back over the last five years were eventually detected by antivirus\r\nprograms, but in most cases with a generic signature. Other examples are named with multiple unrelated signature\r\nclassifications, including Win32/Tuax.A (very old versions), W32/ADOKOOB, Win32/Cloptern.A \u0026 B (old\r\nversions), TR/Graftor.106254, TR/Spy.Arpnatis.A, and Win32/Skeeyah.A!bit.\r\nWe refer to the malware as “Infy” because the actor used this string in multiple locations, including filenames\r\n(“infy74f1.exe” - Infy version 7.4 F1), C2 strings (“subject=INFY M 7.8”), and C2 folder names.\r\nAttribution\r\nThe Gmail account sending the emails in the attack that we first observed (Figure 8) belongs to an Israeli victim.\r\nThat account was itself the victim of an e-mail-borne attack that compromised the user's system and e-mail account.\r\nFigure 8 First-observed attack, via email\r\nAmong WHOIS records for first-party domains used in the C2 infrastructure, we find three email accounts bearing\r\na strong similarity in naming pattern:\r\nThe WHOIS records with the first two email addresses (and other C2 domains) have apparently fake WHOIS\r\ncontent. The “aminjalali_58 (at) yahoo.com” email address is associated with 6 known C2 domains, dating back to\r\n2010. 
Unlike the fake WHOIS examples, this example has content more consistent with the email address:\r\namin jalali\r\nsafehostonline\r\nafriqa street number 68\r\ntehran\r\nTehran\r\n19699\r\nIR\r\n+98.935354252\r\naminjalali_58 (at) yahoo.com\r\nThe name “Amin Jalali” is not unique, though it does appear to have Iranian-specific origins. We find profiles and\r\nartifacts combining the name and “58”, which may (or may not) be the same individual, and all of which have\r\nIranian links.\r\nWhen we look at domains on neighboring IP addresses from known first-party C2s, we observe numerous Iranian\r\ndomains, suggesting possibly an Iranian hosting reseller – and in at least one case, a free Iranian web host (Figure\r\n9).\r\nFigure 9 Neighbor IP addresses with Iranian domains\r\nConclusion\r\nFollowing extensive analysis of this malware and of the C2 infrastructure shared between these samples, we have\r\nenough evidence to conclude a pattern of behavior. The activity has been observed over almost 10 years, with the malware\r\nbeing constantly improved and developed. The low volume of activity, deliberate campaign focus and content\r\ntailoring, and nature of targets hint at the goals of this actor.\r\nWe believe that we have uncovered a decade-long operation that has successfully stayed under the radar for most\r\nof its existence as targeted espionage originating from Iran. It is aimed at governments and businesses of multiple\r\nnations as well as its own citizens.\r\nPalo Alto Networks customers are protected from this threat in the following ways:\r\n1. WildFire accurately identifies all malware samples related to this operation as malicious.\r\n2. Domains used by this operation have been flagged as malicious in Threat Prevention.\r\n3. 
AutoFocus users can view malware related to this attack using the “Infy” tag.\r\nIOCs can be found in the appendices of this report.\r\nSpecial thanks to Michael Scott for assistance with Maltego in this investigation.\r\nAppendix 1 - Detailed Infy Malware Analysis\r\nAlthough Infy is fundamentally one malware family, we observe two distinct variants. The regular variant “Infy”\r\nis versioned by the malware author 1-30 (1999-15999 sub-versions). In addition, we observe a distinct variant\r\n“Infy M” developed in parallel with the regular variant since about 2013. Infy M appears to be a full-featured\r\nvariant, deployed against high-value targets. It includes more functionality: while the original variant has no\r\nremote control, “M” adds the ability for the C2 to issue commands to the malware via C2 PHP scripts; HTTP\r\nsupport; a hidden GUI control panel; and an FTP client.\r\nInfy\r\nDetailed analysis of a recent Infy sample (version 30, active from 24 February 2016):\r\nThe initial executable first checks for installed antivirus programs. It uses the Windows API function\r\n“GetFileAttributesA” on a list of several common AV installation directories, testing any positive return with\r\n“FILE_ATTRIBUTE_DIRECTORY”. Depending on which AV Infy finds, it will either abort, or install the malicious Infy\r\nDLL using a different technique. This concern with avoiding client-AV detection, skipping installation rather than\r\nrisk alerting, is somewhat noteworthy (as opposed to the relatively common sandbox-detection techniques). 
The\r\nEXE installs the DLL, writes to the autorun key, and does nothing else until restart.\r\nUpon restart, the EXE loader executes the main function exported by the malware DLL (previously we\r\nobserved functions named “start1/start2/start3”) with the parameter /rcv (this version uses a decryption offset of\r\n19). It installs itself in a “cyberlink” directory.\r\nIt will then search for files with “bak”, “csv”, or “cnt” extensions. If the parameter “/rcv” was used, it starts a\r\nkeylogger (the keylogger uses the window name “TRON2VDLLB” and a GetMessageA/TranslateMessage/DispatchMessageA\r\nmessage loop). It next registers hotkeys, and gets clipboard data. Get_browser_data steals\r\npasswords, forms, cookies, and history (from Microsoft Edge, Internet Explorer, Google Chrome, Opera, and Firefox).\r\nThe malware connects to the C2 every five minutes using HTTP, posting:\r\n\u003ccomputer name\u003e\r\n\u003cuser name\u003e\r\ndn = n1\r\nver = 30\r\nlfolder= f\r\ncpuid=\r\nmachineguid (from hklm\\SOFTWARE\\Microsoft\\Cryptography\\machineguid)\r\ntt= time\r\nAfter posting data about the infected system to the C2 server, the malware downloads an update file named\r\n“v30nXf1.tmp” to %temp%\\drvtem64.tmp. If the download is successful, the malware writes “OK,\r\nDownloaded [url file]” to its log file. It then connects again, with a similar posting format, but this time also adding\r\n“tt=” (time) and “cpuid=”. It installs the downloaded file with parameter \"-sp/ins -pBA5a88E\". A third connection\r\nadds “sfolder” and “subject”, and this time exfiltrates data in the “body=” parameter.\r\nEach variant of Infy uses specific “cover” camouflage, with file metadata that makes it appear as though it is\r\nlegitimate software. 
In this case, the file used the software name “Cyberlink,” a description of\r\n“CLMediaLibrary Dynamic Link Library”, and version 4.19.9.98.\r\nInfy M\r\nWe observed the Infy M variant with versions 6.1 through 7.8, adding features including screen capture, document\r\ncapture \u0026 upload, and microphone capture. Infy M supports the following C2 commands:\r\nASIDLE – idle\r\nASDIR – directory list of files\r\nASPUT – download file\r\nASGET – upload file\r\nASZIPGET – upload as zip\r\nASDELETE – delete file\r\nASRENAME – rename file\r\nASRUN – execute file\r\nASENDTASK – terminate process\r\nASZIP – zip file\r\nASSHELL – remote shell\r\nThe “M” variant uses mostly distinct C2 servers from the regular Infy samples (although very recently, we also\r\nobserved version 7.8 using C2 “youripinfo.com”, previously seen as C2 for the regular variant):\r\nbestupdateserver[.]com – Observed 2013-12-09\r\nwww.bestupdateserver[.]com – Observed 2013-04-26\r\nbestbox3[.]com – Observed 2015-08-25\r\nwww.bestupdateserver2[.]com – Observed 2015-05-22\r\nbestupdateserver2[.]com – Observed 2014-07-16\r\nAnalysis of an early version of “M”, 6.2\r\nVersions 6.x of the Infy M variant camouflage themselves with file and window names set to Borland hcrtf. They\r\nuse a single EXE, rather than a loader EXE and payload DLL as seen in the original variant. The malware initially\r\nperforms a check to see if the victim is already infected by checking for window names “Borland hcrtf 6.x” or\r\n“Macromedia Swsoc 7.x”.\r\nWe have identified five hidden GUI control forms in Infy M, one of which is not used. The first form includes\r\nthree possible parameters. Parameter “/ins” installs the Trojan. It first creates and starts the service, and on\r\nWindows versions prior to Vista it requires the “/s” parameter. After installing itself, the malware deletes any\r\nprevious Infy installations. 
It does this by terminating processes and deleting Infy files in %system32%,\r\n%appdata%, %appdata%\\hcrtf (for example, pre-6.1 files incsy32.exe, incs32.exe, ntvdn.exe, grep.exe, hcrtf.exe,\ngrep.dll). It then renames the ini file from grepc.ini to hcrtfc.ini. It completes clean-up by deleting the “inverse\nSer32”, “grep”, and “hcrtf” services. Finally, it downloads and executes the update file from the C2 at\n/infy/update.php.\nThe /c (copy) parameter sets up autostart for the malware by writing to registry key “run” (Windows Vista and\nabove) or “runservices” (versions prior to Windows Vista). The /s (service) parameter creates and starts the service\n(Windows Vista and later). At this point, the malware waits, and handles any commands issued over HTTP from\nthe C2 (for example, execute a remote shell upon receiving command “ASSHELL”).\nThe second form monitors for new or modified document files using “CreateIoCompletionPort” and\n“ReadDirectoryChangesW”. It targets document file types .doc, .xls, .jpg, .jpe, .txt, .htm, .pgp, .pdf, .zip, and .rar\nand ZIP compresses them (using the password “Z8(2000_2001uI”) into a file located at \\Program\nFiles\\Yahoo!\\Messenger\\Profiles\\yfsbg\\yfsbg\\3dksf.tmp.\nThe third form takes a screen capture and stores it in the “yfsbg” folder as 4dksf.tmp. It then uploads the screenshot\nand document-capture files using POST (instead of using GET as seen in the regular variants) to /infy/fms.php.\nThe fourth form is not used. The fifth form is used for microphone capture.\nThe 7.x versions install themselves as swsoc.exe (7.4 also seen using infy74f1.exe) at \\all users\\application data\\macromedia\\8080\\swsoc.exe. They also create a subfolder “fsbg”, where they\nstore the copies of documents opened by the user. 
These are stored with their CRC value as their filename, RAR\ncompressed with the same password “Z8(2000_2001uI”.\nWe observed a server reply containing a PHP error, which revealed some of their underlying file structure:\n**Warning**: Cannot modify header information - headers already sent by (output started at\n/home/bestupda/public_html/infy/fms.php:115) in **/home/bestupda/public_html/infy/fms.php** on line\n**116**  \nUpgrade requests are observed with this syntax (here, version 6.2 to the latest version):\nhttp://www.bestupdateserver.com/infy/update.php?cn=\u0026ver=6.2\u0026u=27/3/2016 20:37:23\nAppendix 2 – Observed Hashes\nA list of hashes for associated files observed in this operation can be found here.\nAppendix 3 – Observed Infy C2 Domains\nanalyse1[.]mooo[.]com\nbest[.]short-name[.]com\nbest2[.]short-name[.]com\nbest2[.]short-url20[.]com\nbest3[.]short-url20[.]com\nbest4[.]short-url20[.]com\r\nbest5[.]short-url20[.]com\r\nbest6[.]short-url20[.]com\r\nbest7[.]short-url20[.]com\r\nbestbox3[.]com\r\nbestupdateserver[.]com\r\nbestupdateserver2[.]com\r\nbestupser[.]awardspace[.]info\r\nbestwebstat[.]com\r\nbl2pe[.]bestwebstat[.]com\r\nbox4054[.]net\r\nc1[.]short-url20[.]com\r\ndbook[.]soon[.]it\r\ndsite[.]dyx[.]com\r\nextd[.]mine[.]bz\r\nfastecs[.]netfirms[.]com\r\nfastupdate[.]net\r\ngstat[.]strangled[.]net\r\nlost[.]updateserver1[.]com\r\nlu[.]ige[.]es\r\nmand[.]pwnz[.]org\r\nmyblog2000[.]com\r\nns2[.]myblog2000[.]com\r\nnus[.]soon[.]it\r\nsafehostonline[.]com\r\nsecup[.]soon[.]it\r\nshort-name[.]com\r\nshort-url20[.]com\r\nupdate[.]info[.]gf\r\nupdatebox4[.]com\r\nupdateserver1[.]com\r\nupdateserver3[.]com\r\nus1[.]short-name[.]com\r\nus12[.]short-url20[.]com\r\nus13[.]short-url20[.]com\r\nus15[.]short-url20[.]com\r\nus16[.]short-url20[.]com\r\nus1s2[.]strangled[.]net\r\nwep[.]archvisio[.]com\r\nwep[.]soon[.]it\r\nwpstat[.]mine[.]bz\r\nwpstat[.]strangled[.]net\r\nwww[.]fastupdate[.]net\r\nwww[.]updateserver1[.]com\r\nyouripinfo[.]com\r\nSource: https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/"
	],
	"report_names": [
		"prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks"
	],
	"threat_actors": [
		{
			"id": "f763fd1f-f697-40eb-a082-df6fd3d13cb1",
			"created_at": "2023-01-06T13:46:38.561288Z",
			"updated_at": "2026-04-10T02:00:03.024326Z",
			"deleted_at": null,
			"main_name": "Infy",
			"aliases": [
				"Operation Mermaid",
				"Prince of Persia",
				"Foudre"
			],
			"source_name": "MISPGALAXY:Infy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59c9f31b-e032-44b9-bf3b-4f2cb3d17e39",
			"created_at": "2022-10-25T16:07:23.734244Z",
			"updated_at": "2026-04-10T02:00:04.731031Z",
			"deleted_at": null,
			"main_name": "Infy",
			"aliases": [
				"APT-C-07",
				"Infy",
				"Operation Mermaid",
				"Prince of Persia"
			],
			"source_name": "ETDA:Infy",
			"tools": [
				"Foudre",
				"Infy",
				"Tonnerre"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439136,
	"ts_updated_at": 1775792182,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/723839e151c5e52d5bca0e162ebba6b98b08919f.pdf",
		"text": "https://archive.orkl.eu/723839e151c5e52d5bca0e162ebba6b98b08919f.txt",
		"img": "https://archive.orkl.eu/723839e151c5e52d5bca0e162ebba6b98b08919f.jpg"
	}
}