{
	"id": "10873bab-45bc-4938-b3f3-6cf7da36aa3b",
	"created_at": "2026-04-06T00:21:24.547206Z",
	"updated_at": "2026-04-10T03:36:22.90987Z",
	"deleted_at": null,
	"sha1_hash": "d3da19f6754adbd5db53617ebb96081c185f6939",
	"title": "Prince of Persia: The Sands of Foudre",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2094456,
	"plain_text": "Prince of Persia: The Sands of Foudre\r\nBy Jay Rosenberg\r\nPublished: 2018-08-17 · Archived: 2026-04-05 18:19:37 UTC\r\nIntroduction\r\nIn the past couple of years, Palo Alto Networks reported on the “Prince of Persia” malware campaign, which is believed to be of Iranian origin and to have been ongoing for more than 10 years. The original research, published in 2016, called the malware Infy, and their second report, published in 2017, named the upgraded malware Foudre. The name “Foudre” comes from a string in the binary used to check whether the computer is already infected. At the time of their blog post, Palo Alto Networks stated that the versions of Foudre they had observed were versions 1 and 2. We have found new evidence that the Prince of Persia campaign is still active: a new version of the Foudre malware, version 8.\r\nIn this blog post, we are only going to focus on the new, unique, interesting features of the new version of Foudre and its related campaign.\r\n(Internal version name of Foudre v8)\r\nNo to The Forced Hijab\r\nSimilarly to the samples noted in previous reports, this new malware also comes packaged in a WinRAR SFX archive including multiple malicious binaries and a media file. The media file in this case is a video in the MP4 format showing a woman in Iran walking around and, at the end, pulling off her hijab. 
In the video, there is text written in Farsi with a hashtag, #نه_به_حجاب_اجباری, literally translating to “no to the forced hijab.” This hashtag refers to protesters in Iran who are protesting the mandatory wearing of the hijab by women, and the video is meant to distract the victim while the Foudre malware is installed in the background.\r\nhttps://www.intezer.com/prince-of-persia-the-sands-of-foudre/\r\nPage 1 of 8\n\n(Screenshot from the video bundled in the malware)\r\nFoudre is a remote access tool and has the ability to remotely execute commands, steal information about the infected target (such as keystrokes, process information, etc.), and auto-update itself. Most of the code and functionality from the previous versions of Foudre and Infy was reused and can be read about in the reports linked above, so we are only going to focus on the new, unique, interesting features and the linkage of code reuse from previous versions.\r\nCode Reuse\r\nAfter uploading the WinRAR SFX to Intezer Analyze™, the files inside were statically extracted, revealing 3 binaries, a lockbox3 signature, and the video mentioned above.\r\n(https://analyze.intezer.com/#/analyses/115debab-ca0a-423a-983a-c40c7d751109)\r\nUsing our new Show Code feature, we can see code overlapping with Foudre and Infy.\r\n(Code overlap with Foudre)\r\n(Code overlap with Infy)\r\nNew Features/Changes\r\nFirst of all, the main binary of the upgraded Foudre malware is mostly undetected on VirusTotal, with only 3/67 detections.\r\n(VirusTotal)\r\nIn the latest version of Foudre, there are 2 modules. One of the modules (i7234.dll) has the export “D1” and the other module (d388) exports “D2” as a function. 
We are going to refer to the different binaries based on their exports, D1 and D2. The third binary never gets launched and is still under investigation. We will release more details about it at a later date. The WinRAR SFX and D1 module only get executed once. The following features/changes are spread across the WinRAR SFX, D1, and D2:\r\nWinRAR SFX Dropper\r\n1. The WinRAR SFX uses an icon of the girl with the hijab from the video\r\n2. Extracts the files\r\n3. Launches D1 (i7234.dll) with rundll32 and executes export D1\r\nD1\r\n1. D1 opens the mp4 file\r\n2. Checks for a window named “TNRRDPKE2”; if it exists, the malware is already running\r\n3. Copies D2 and the key to %APPDATA% with the filenames a.n and p.k and creates a shortcut in the folder named “an.lnk” pointing to C:\\WINDOWS\\system32\\rundll32.exe a.n D2 838238125\r\n4. Deletes these files from the TEMP folder\r\n5. Stores the name of D2 (a.n) in HKEY_CURRENT_USER\\Software\\temp in a key called “ran2”\r\n6. Checks HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for SnailDriver\r\n7. Creates an autorun entry for an.lnk\r\n8. Checks for %PROGRAMFILES%\\Kaspersky Lab\r\n9. 
Launches D2 with rundll32: “C:\\WINDOWS\\system32\\rundll32.exe a.n D2 838238125”\r\nD2 has mostly the same features as reported in the older versions of Foudre, but this table shows the main changes:\r\nFoudre | Version 2 | Version 8\r\nBrowser Stealer Support | Microsoft Edge, Internet Explorer, Mozilla Firefox and Google Chrome | Opera, Microsoft Edge, Internet Explorer, Mozilla Firefox and Google Chrome\r\nDomain Generation Algorithm | Yes | Yes, different (see below)\r\nVirusTotal Detections | 41/66 | 3/67\r\nString Encryption | Yes | No\r\nAlready Running Detection String | TNRRDPKE | TNRRDPKE2\r\nDomain Generation Algorithm (DGA)\r\nThe DGA used by version 8 of Foudre has only changed slightly from the previous versions.\r\nIn the previous versions, the C2 domain was calculated by the following algorithm (credit to Esmid Idrizovic):\r\nToHex(CRC32(“NRV1” + year + month + week_number)) + (“.space”|“.net”|“.top”)\r\nThere are two minor differences now when calculating the C2. NRV1 was replaced with NRTV1, and .dynu.net was added as a suffix to the domain, making the algorithm now:\r\nToHex(CRC32(“NRTV1” + year + month + week_number)) + (“.space”|“.net”|“.top”|“.dynu.net”)\r\nA few of the calculated domains were added to the bottom of the report in the IoCs section. The domains up to the week of September 9, 2018 (week 35) have been registered in Panama and resolve to the same IP address 185[.]61[.]154[.]26. The oldest registered domain using this algorithm that we could find was for the week of November 5, 2017.\r\nConclusion\r\nDue to the content of the video and the information from the reports on previous versions of Foudre, we believe the targets are mostly Iranian citizens. 
We have registered some of the future generated domains to prevent the attack, and will update the post with information regarding the infected victims.\r\nIoCs\r\nFiles:\r\nC\u0026Cs:\r\nSource: https://www.intezer.com/prince-of-persia-the-sands-of-foudre/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.intezer.com/prince-of-persia-the-sands-of-foudre/"
	],
	"report_names": [
		"prince-of-persia-the-sands-of-foudre"
	],
	"threat_actors": [
		{
			"id": "f763fd1f-f697-40eb-a082-df6fd3d13cb1",
			"created_at": "2023-01-06T13:46:38.561288Z",
			"updated_at": "2026-04-10T02:00:03.024326Z",
			"deleted_at": null,
			"main_name": "Infy",
			"aliases": [
				"Operation Mermaid",
				"Prince of Persia",
				"Foudre"
			],
			"source_name": "MISPGALAXY:Infy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59c9f31b-e032-44b9-bf3b-4f2cb3d17e39",
			"created_at": "2022-10-25T16:07:23.734244Z",
			"updated_at": "2026-04-10T02:00:04.731031Z",
			"deleted_at": null,
			"main_name": "Infy",
			"aliases": [
				"APT-C-07",
				"Infy",
				"Operation Mermaid",
				"Prince of Persia"
			],
			"source_name": "ETDA:Infy",
			"tools": [
				"Foudre",
				"Infy",
				"Tonnerre"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434884,
	"ts_updated_at": 1775792182,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d3da19f6754adbd5db53617ebb96081c185f6939.pdf",
		"text": "https://archive.orkl.eu/d3da19f6754adbd5db53617ebb96081c185f6939.txt",
		"img": "https://archive.orkl.eu/d3da19f6754adbd5db53617ebb96081c185f6939.jpg"
	}
}