{
	"id": "b661a480-ac4b-4f9e-8886-5ee3810fa830",
	"created_at": "2026-04-06T02:13:11.630512Z",
	"updated_at": "2026-04-10T03:36:22.883021Z",
	"deleted_at": null,
	"sha1_hash": "fccbbc599f423cee3ff6e1db49597924ad96e8c1",
	"title": "Prince of Persia – Game Over",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 571073,
	"plain_text": "Prince of Persia – Game Over\r\nBy Tomer Bar, Lior Efraim, Simon Conant\r\nPublished: 2016-06-28 · Archived: 2026-04-06 01:51:21 UTC\r\nSummary\r\nUnit 42 published a blog at the beginning of May titled \"Prince of Persia,\" in which we described the discovery of\r\na decade-long campaign using a formerly unknown malware family, Infy, that targeted government and industry\r\ninterests worldwide.\r\nSubsequent to the publishing of this article, through cooperation with the parties responsible for the C2 domains,\r\nUnit 42 researchers successfully gained control of multiple C2 domains. This disabled the attacker’s access to\r\ntheir victims in this campaign, provided further insight into the targets currently victimized in this operation, and\r\nenabled the notification of affected parties.\r\nPost Publication\r\nIn the week following the publication of the original blog, we observed no unusual changes to the C2\r\ninfrastructure. Existing domains did move to new IP addresses, as we had previously seen periodically. Some new\r\ninstall domains were added, adhering to naming conventions of current domains (see appendix for new IOCs).\r\nThe attackers developed a new version (31), and we observed this deployed against a single Canadian target.\r\nThe file descriptions remained essentially the same (“CLMediaLibrary Dynamic Link Library V3”). Most\r\nimportantly, there was no change to the encoding key (now using offset 20, and offset 11 for second pass against\r\nURL encoding) that we had observed being used for the entire decade-long campaign, and documented in our\r\nprevious blog. From this we conclude that the attackers were unaware of our initial report.\r\nSinkhole\r\nThrough cooperation with the parties responsible for the C2 domains, we took control of all but one of them,\r\ntransferring the A records to a server we controlled. 
This prevented the attackers from making any further changes to the domain configurations, issuing commands to victims, or capturing any further data for\r\nthe majority of victims. An analysis of connections after the transfer suggests that the attackers may have used a third-party service to try to understand why they had suddenly lost almost all of their traffic. Figure 1 shows that tool, a\r\ngeographic representation of victim-C2 traffic, with all but one victim at that time now communicating with our sinkhole\r\nserver.\r\nhttps://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/\r\nPage 1 of 14\n\nFigure 1 Graphical representation of victim traffic to C2\r\nWe have since transferred sinkhole control to Shadowserver, whom we thank for subsequent victim notification &\r\nremediation (https://www.shadowserver.org/wiki/pmwiki.php/Involve/GetReportsOnYourNetwork).\r\nVictims\r\nWe were able to analyze victim C2 traffic to understand who the victims of the Infy campaign were. We identified 456\r\nmalware agents installed on 326 victim systems, in 35 countries. Figure 2 shows a geographical breakdown of\r\nvictim locations. We noted in our original blog the large amount of targeting of Iranian citizens in this campaign;\r\nwe observed almost one-third of all victims to be Iranian. Also of note was the low overall volume of victims,\r\ncompared to, for example, crimeware campaigns.\r\nFigure 2 Geographic location of victims. Please note that New Zealand has been omitted from this map only\r\nbecause we observed no victim activity there.\r\nVersions\r\nIn our original blog, we noted two distinct primary variants of the Infy malware.\r\n
In addition to the original “Infy”\r\nvariant, we also see the newer, more sophisticated, interactive, and fuller-featured “Infy M” variant deployed\r\nagainst apparently higher-value targets. Overall, 93% of all victims were infected with Infy, and 60% with Infy\r\n“M” (Figure 3). Combined with the low total number of victims, this suggests a great deal of care given to each\r\nindividual campaign target. The large number of victims with both variants may relate to their complementary\r\nfeature sets, or represent an “upgrade” path on victims from the original variant infection, later adding the “M”\r\nvariant as targets appeared more compelling to the attackers.\r\nFigure 3 Breakdown of Infy vs. Infy \"M\" infections\r\nFor the Infy “M” variant, we note that the majority of targets are using the latest version (7.8), and that none are\r\nusing the older 6.x versions at all (Figure 4). This suggests that these higher-value targets are paid much more\r\nattention, being kept up-to-date with the latest version.\r\nIn contrast, for the more basic original Infy variant, we note a full spectrum of versions installed (Figure 5), with\r\nmany victims on older versions – including the original, decade-old V1 – suggesting much less concern is paid to\r\nthese individual targets (note that we did observe a small number of the older 6.x versions, but these do not\r\nannounce their version when connecting).\r\nFigure 4 Infy \"M\" Victim versions\r\nFigure 5 Infy \"Original\" Victim versions\r\nGame Over\r\nShortly after the takedown, alongside the new Infy version (31), we also observed the registration of multiple\r\ndomains using a previously-seen pattern, resolving to known campaign IP addresses.\r\n
Almost every domain in the\r\npattern range box4035[.]net – box4090[.]net (138.201.0.134) was registered. These were not observed in any sample C2 lists,\r\nhowever. Bestwebstat[.]com was sinkholed by another operator.\r\nSome victims infected with Infy versions 15-24 still used the C2 server us1s2[.]strangled[.]net, which remained in\r\nthe hands of the attacker. In early June the attackers used this C2 to issue instructions to download the new Infy “M”\r\nversion 8.0 from us1s2[.]strangled[.]net/bdc.tmp. This was the first time we had observed an Infy variant being\r\ndirectly updated to Infy “M”. This version used the camouflage name “Macromedia v4”, changed from the “v3” seen in Infy v31.\r\nThey also removed the voice recording capability in this version.\r\nuvps1[.]cotbm[.]com was used for data exfiltration; it was previously at 138.201.47.150 and, after our original\r\nblog was published, moved to 144.76.250.205. It was also hosting malware updates at /themes/u.php.\r\nThey also added a curious C2 entry “hxxp://box” (note: defanged for publishing). It is unclear how this would\r\nresolve; possibly a compromised device on the victim intranet, or the attackers may have modified the HOSTS file on the\r\nvictim computer.\r\nAfter the take-down, the attackers began to add server IP addresses as well as domain names to their malware C2\r\nlist. They also slightly modified their ZIP password from “Z8(2000_2001ul” to “Z8(2000_2001uIEr3”. Their new\r\nmalware version added antivirus checks for Kaspersky Labs, Avast, and Trend Micro.\r\n
The malware data capture\r\nnow searches for file extensions:\r\n.doc, .docx, .xls, .xlsx, .xlr, .pps, .ppt, .pptx, .mdb, .accdb, .db, .dbf, .sql, .jpg, .jpeg, .psd, .tif, .mp4, .3gp, .txt, .rtf,\r\n.odt, .htm, .html, .pdf, .wps, .contact, .csv, .nbu, .vcf, .pst, .zip, .rar, .7z, .zipx, .pgp, .tc, .vhd, .p12, .crt, .pem, .key, .pfx,\r\n.asc, .cer, .p7b, .sst, .doc, .docx, .xls, .xlsx, .xlr, .pps, .ppt, .pptx.\r\nand folder locations:\r\n:\\$recycle.bin, :\\documents and settings, :\\msocache, :\\program files, :\\program files (x86), :\\programdata,\r\n:\\recovery, :\\system volume information, :\\users, :\\windows, :\\boot, :\\inetpub, :\\i386.\r\nThe malware continued to use the identical decryption key seen over the entire history of this campaign.\r\nMid-June, through cooperation with the parties responsible for the C2 domains and law enforcement, we were\r\nable to get the remaining C2 domains null-routed and the directly-IP-addressed server disabled. This is the end of\r\na decade-long campaign, though we naturally expect to see this actor back in some other guise before long.\r\nThanks to the Malware research team – Yaron Samuel, Artiom Radune, Mashav Sapir, Netanel Rimer – for\r\nassistance in the takedown.\r\nAppendix 1 – Exfiltration Algorithm\r\nTo encrypt the exfiltration data, the malware uses a different algorithm from the one used to encrypt its strings. The\r\nexfiltrated data includes:\r\n1. Keylogger data + language.\r\n2. Malware logs – installation time, DLL path and name, log path, number of downloads, number of\r\nsuccessful/failed connections.\r\n3. Information about the victim computer: time zone, list of drives and types, running processes, disk info.\r\nFirst the malware adds 1 to all bytes, then an encryption key is initialized based on the victim computer name (the\r\noffset into the key is the sum of the computer name's character values modulo the key length).\r\n
Then the key is used to encrypt\r\nthe data (see the decrypt function). The encrypted data is then base64 encoded.\r\nExfiltration data decryption Python code (Python 2):\r\n# Python 2 script: print statements, str.decode('hex') and str.decode('base64') are Python 2 only.\r\nimport os,sys\r\nimport string\r\nimport base64\r\nimport fileinput\r\n# Two 62-character alphabets: FIRST_PHASE is rotated by the computer-name sum to form the key,\r\n# SECOND_PHASE is the alphabet the decrypted characters are looked up in.\r\nFIRST_PHASE = \"OQTJEqtsK0AUB9YXMwr8idozF7VWRPpnhNCHI6Dlkaubyxf5423jvcZ1LSGmge\"\r\nSECOND_PHASE = \"PqOwI1eUrYtT2yR3p4E5o6WiQu7ASlDkFj8GhHaJ9sKdLfMgNzBx0ZcXvCmVnb\"\r\nFULL_KEY = \"\"\r\n# The names below are used by the script but were not defined in the published listing;\r\n# placeholders are added here so that it runs.\r\nPDML_PATH = \"PATH_TO_PDML_EXPORTS\"  # placeholder: directory of PDML packet-capture exports to scan\r\nFILE_OUTPUT_NAME = \"PATH_TO_DECRYPTED_OUTPUT\"  # placeholder: directory for decrypted per-victim files\r\nFILE_ENC_OUTPUT_NAME = \"PATH_TO_ENCRYPTED_OUTPUT\"  # placeholder: directory for base64-decoded raw data\r\nUNIQUE_DATA = []  # decrypted payload prefixes already written, used to skip duplicates\r\nUNIQUE_COMP = []  # victim computer names seen so far\r\ndef sub_1_for_hex(str_input):\r\n    # Undo the malware's \"add 1 to every byte\" pre-encryption step.\r\n    str_output = \"\"\r\n    for letter in str_input:\r\n        try:\r\n            str_output += chr(ord(letter)-1)\r\n        except:\r\n            print \"sub_1_for_hex func problem\"\r\n            continue\r\n    return str_output\r\ndef sum_comp_name(comp_name):\r\n    # Sum of the character values of the victim computer name.\r\n    sum = 0\r\n    for letter in comp_name:\r\n        sum+= ord(letter)\r\n    return sum\r\ndef init_key(comp):\r\n    # Rotate FIRST_PHASE by (sum % 62) - 1 and repeat it to build the per-victim key.\r\n    comp_name_sum = sum_comp_name(comp)\r\n    carry = divmod(comp_name_sum, 62)\r\n    index = carry[1] -1\r\n    end_key = FIRST_PHASE[:index]\r\n    key = FIRST_PHASE[index:]\r\n    key = key + end_key\r\n    key = key + key\r\n    return key\r\ndef decrypt(num_list,offset):\r\n    # num_list holds two-character hex strings; each byte is located in FULL_KEY and\r\n    # translated through SECOND_PHASE using its position and the given offset.\r\n    global FULL_KEY\r\n    input = \"\"\r\n    for num_str in num_list:\r\n        try:\r\n            input += num_str.decode('hex')\r\n        except:\r\n            input += ')'\r\n    result = \"\"\r\n    for i, c in enumerate(input):\r\n        i = i % 62 +1\r\n        try:\r\n            index = FULL_KEY.index(c)-1\r\n        except ValueError:\r\n            result += c\r\n            continue\r\n        translated = SECOND_PHASE[(index - i +offset) % len(SECOND_PHASE)]\r\n        result += translated\r\n    return result\r\ndef found_infy_enc_data(line):\r\n    # Locate the form field that carries an Infy report in a PDML line.\r\n    found_infy_str = \"show=\\\"---------- Administration Reporting Service \"\r\n    found_infy_index = line.find(found_infy_str)\r\n    if not found_infy_index==-1:\r\n        return True,found_infy_index\r\n    else:\r\n        return False,found_infy_index\r\ndef extract_comp_name(line):\r\n    # The computer name sits between the \"\\xd\\xa-----\" marker and the next \"-----\".\r\n    comp = r\"\\xd\\xa-----\"\r\n    comp_index = line.find(comp)\r\n    comp_name = line[comp_index+len(comp):]\r\n    comp_name = comp_name[:comp_name.find(\"-----\")]\r\n    print \"(((=)))\" + comp_name\r\n    return comp_name\r\ndef extract_enc_data(line):\r\n    # The base64 payload sits between the \"\\xd\\xa_____\" marker and the closing \"_____\\\" value=\".\r\n    header = r\"\\xd\\xa_____\"\r\n    start_index = line.find(header)+len(header)\r\n    line = line[start_index:]\r\n    endindex = line.index(\"_____\\\" value=\")\r\n    line = line[:endindex]\r\n    return line\r\ndef write_enc_infy_data_to_file(dec_line,comp_name,filename):\r\n    # Append to one output file per victim computer name.\r\n    file1 = open(filename + \"\\\\\" + comp_name + \".txt\",'ab')\r\n    file1.writelines(dec_line)\r\n    file1.close()\r\ndef enc_wrapper(enc,comp_name):\r\n    # Hex-encode the decoded payload, replace or strip a few byte patterns before decryption,\r\n    # then decrypt with offset 0; if no known marker appears, try the other offsets too.\r\n    global FULL_KEY\r\n    print FULL_KEY\r\n    FULL_KEY = init_key(comp_name)\r\n    enc_final = \"\"\r\n    for letter in enc:\r\n        if len(hex(ord(letter))[2:])==1:\r\n            enc_final += \"0\" + hex(ord(letter))[2:]\r\n        elif len(hex(ord(letter))[2:])==2:\r\n            enc_final += hex(ord(letter))[2:]\r\n        else:\r\n            print \"not good hex length\"\r\n            sys.exit()\r\n    enc = enc_final.upper()\r\n    enc = enc.replace(\"2E\",\"21\")\r\n    enc = enc.replace(\"C5DC5A\",\"\")\r\n    enc = enc.replace(\"D03D00\",\"\")\r\n    enc = enc.replace(\"0B0E\",\"2121\")\r\n    enc = enc.replace(\"01\",\"21\")\r\n    enc_len = len(enc)\r\n    enc_rev = \"\"\r\n    num_list = []\r\n    enc_print =\"\"\r\n    # Walk the hex string from the end, collecting byte pairs in reverse order.\r\n    for i in range(0,enc_len/2):\r\n        enc_rev = enc[-2:]\r\n        if not enc_rev==\"0B\" and not enc_rev==\"0E\" and not enc_rev==\"00\" and not enc_rev==\"D0\":\r\n            enc_print +=enc_rev\r\n            num_list.append(enc_rev)\r\n        enc= enc[:-2]\r\n    #the first part is always ok\r\n    dec_str = decrypt(num_list,0)\r\n    final = sub_1_for_hex(dec_str)\r\n    index = final.find(\"OK: Sent\")\r\n    if index==-1:\r\n        print comp_name + \" - did not find OK: Sent !!!!\\n\\n\\n\\n\"\r\n        #exit()\r\n    decrypt_data = comp_name + \" ++==++ \" +  str(i) + \": \" + final + \"\\n\"\r\n    final_start = final[0:500]\r\n    if final_start in UNIQUE_DATA:\r\n        print comp_name + \" already have this data\"\r\n        return\r\n    UNIQUE_DATA.append(final_start)\r\n    index = final.find(\"Installed Date:\")\r\n    if index==-1:\r\n        for i in range(1,61):\r\n            dec_str = decrypt(num_list,i)\r\n            final = sub_1_for_hex(dec_str)\r\n            ##print all 62 options\r\n            index2 = final.find(\"PROGRAM START:\")\r\n            index3 = final.find(\"Installed Date:\")\r\n            if not index2 ==-1 or not index3 ==-1:\r\n                decrypt_data += str(i) + \": \" + final + \"\\n\"\r\n    write_enc_infy_data_to_file(decrypt_data,comp_name,FILE_OUTPUT_NAME)\r\ndef read_enc_data_files():\r\n    # Walk the PDML export directory, pull each Infy report out, base64-decode it and decrypt it.\r\n    for root,dir,files in os.walk(PDML_PATH):\r\n        for file in files:\r\n            filename = root+ \"\\\\\" + file\r\n            if os.path.isfile(filename):\r\n                print filename\r\n                for line in fileinput.input([filename]):\r\n                    line = line.strip()\r\n                    is_found,found_infy_index= found_infy_enc_data(line)\r\n                    if not is_found:\r\n                        continue\r\n                    line = line[found_infy_index:]\r\n                    #get computer name (for use in init_key() later)\r\n                    comp_name = extract_comp_name(line)\r\n                    UNIQUE_COMP.append(comp_name)\r\n                    #get the infy encrypted data\r\n                    line = extract_enc_data(line)\r\n                    #base64 decode enc_data\r\n                    dec_line = line.decode('base64')\r\n                    #append enc_data to file\r\n                    write_enc_infy_data_to_file(dec_line,comp_name,FILE_ENC_OUTPUT_NAME)\r\n                    enc_wrapper(dec_line,comp_name)\r\ntry:\r\n    read_enc_data_files()\r\nexcept:\r\n    print \"exception!!!!\"\r\nAppendix 2 – IoCs\r\nInfy version 31: f07e85143e057ee565c25db2a9f36491102d4e526ffb02c83e580712ec00eb27\r\nInfy “M” version 8.0: 583349B7A2385A1E8DE682A43351798CA113CBBB80686193ECF9A61E6942786A\r\nSource: https://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/"
	],
	"report_names": [
		"unit42-prince-of-persia-game-over"
	],
	"threat_actors": [
		{
			"id": "f763fd1f-f697-40eb-a082-df6fd3d13cb1",
			"created_at": "2023-01-06T13:46:38.561288Z",
			"updated_at": "2026-04-10T02:00:03.024326Z",
			"deleted_at": null,
			"main_name": "Infy",
			"aliases": [
				"Operation Mermaid",
				"Prince of Persia",
				"Foudre"
			],
			"source_name": "MISPGALAXY:Infy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "59c9f31b-e032-44b9-bf3b-4f2cb3d17e39",
			"created_at": "2022-10-25T16:07:23.734244Z",
			"updated_at": "2026-04-10T02:00:04.731031Z",
			"deleted_at": null,
			"main_name": "Infy",
			"aliases": [
				"APT-C-07",
				"Infy",
				"Operation Mermaid",
				"Prince of Persia"
			],
			"source_name": "ETDA:Infy",
			"tools": [
				"Foudre",
				"Infy",
				"Tonnerre"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441591,
	"ts_updated_at": 1775792182,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fccbbc599f423cee3ff6e1db49597924ad96e8c1.pdf",
		"text": "https://archive.orkl.eu/fccbbc599f423cee3ff6e1db49597924ad96e8c1.txt",
		"img": "https://archive.orkl.eu/fccbbc599f423cee3ff6e1db49597924ad96e8c1.jpg"
	}
}