
Prince of Persia APT Campaigns Across Iran, Europe, and Beyond

Red | Attack Report

Prince of Persia, also known as Infy, Operation Mermaid, and APT-C-07, is among the longest-running Iranian advanced persistent threat groups, with cyber-espionage operations traced back to 2007. Multiple assessments attribute the Prince of Persia APT group with high confidence to Iranian state sponsorship, acting in alignment with Iranian government interests and targeting critical infrastructure, telecommunications, government entities, private sector organizations, and media outlets.

The Prince of Persia threat actor’s early activity targeted victims in Iran and parts of Europe, establishing a foundation for long-term cyber-espionage campaigns. After several quiet years, Prince of Persia resurfaced in 2017 with a new malware family called Foudre, marking a renewed and more refined operational phase in the APT group’s capabilities.

Prince of Persia campaigns rely on a two-stage malware architecture: initial access is typically achieved through phishing emails that deliver Foudre, a downloader and system profiler, which then deploys Tonnerre, a secondary implant designed to extract sensitive data from selected high-value systems. Multiple active variants of both Foudre and Tonnerre operate simultaneously, each using distinct domain generation algorithms to maintain resilient command-and-control infrastructure across several servers. Recent iterations of Prince of Persia malware show further evolution, with Tonnerre version 50 redirecting communications through a Telegram group controlled by a bot operator known as “Ehsan,” likely leveraging the Telegram API to issue commands and receive exfiltrated data.

Prince of Persia has a history of politically motivated operations dating back to 2010, when the group compromised news websites linked to Jundallah, exploiting ActiveX vulnerabilities to infect site visitors, with activity intensifying around the 2013 Iranian presidential elections and targeting Persian media outlets including BBC Persian.

In the most recent Prince of Persia campaigns, the APT group has conducted covert cyber-espionage operations across Iran, Iraq, Turkey, India, Canada, and multiple European countries including Albania, Austria, Belgium, France, Germany, Italy, Netherlands, Poland, Spain, Sweden, Switzerland, and the United Kingdom, using updated versions of Foudre and Tonnerre malware, with the latest Tonnerre variant detected in September 2025.

Actor Details

Prince of Persia Iranian APT Group Cyber-Espionage Operations

Prince of Persia, also known as Infy, is among the longest-running Iranian advanced persistent threat groups, with cyber-espionage operations traced back to 2007. Multiple security assessments attribute the Prince of Persia APT group with high confidence to Iranian state sponsorship, acting in alignment with Iranian government strategic interests across multiple geopolitical theaters.

The Prince of Persia group’s early activity targeted victims in Iran and parts of Europe, establishing a foundation for long-term cyber-espionage campaigns against dissidents, media organizations, and government entities. After several quiet years with minimal observable activity, Prince of Persia resurfaced in 2017 with a new malware family called Foudre, marking a renewed and more refined operational phase demonstrating significant improvements in the APT group’s technical capabilities and operational security.

Prince of Persia campaigns rely on a sophisticated two-stage malware architecture. Initial access is typically achieved through targeted phishing emails that deliver Foudre, a downloader and system profiler designed to establish initial footholds on victim systems. Foudre malware then selectively deploys Tonnerre, a secondary implant specifically designed to extract sensitive data from selected high-value systems that have been profiled and deemed worthy of deeper exploitation.

Multiple active variants of both Foudre and Tonnerre tools operate simultaneously in Prince of Persia campaigns, with each variant using distinct domain generation algorithms to maintain a resilient command-and-control infrastructure distributed across several servers. This redundancy and diversity in C2 infrastructure makes disruption of Prince of Persia operations significantly more challenging for defenders and demonstrates sophisticated operational planning.

Recent iterations of Prince of Persia malware show continued evolution in the APT group’s tactics. Tonnerre version 50 redirects communications through a Telegram group controlled by a bot operator assessed to be a key Prince of Persia actor known by the handle “Ehsan,” likely leveraging the Telegram API to issue commands and receive exfiltrated data while blending malicious traffic with legitimate platform usage to reduce detection.

Routing C2 through Telegram is consistent with a broader Prince of Persia preference for trusted communication services, whose traffic network security tools are less likely to block outright. Prince of Persia has a documented history of politically motivated operations spanning nearly two decades. As early as 2010, the APT group compromised news websites linked to Jundallah, exploiting ActiveX vulnerabilities to infect site visitors with malware. Prince of Persia activity intensified around the 2013 Iranian presidential elections, with focused targeting of Persian media outlets including BBC Persian, followed by sustained attacks on Iranian civil society members and activists.

In its most recent Prince of Persia campaigns, the APT group has conducted covert cyber-espionage operations across Iran, Iraq, Turkey, India, Canada, and several European countries spanning the continent. These attacks used updated versions of Foudre and Tonnerre malware, with the latest Tonnerre variant detected in September 2025. Prince of Persia delivery techniques have also evolved, replacing traditional macro-based Excel documents with files embedding executables to install Foudre, reinforcing the APT group’s continued adaptation and operational persistence in the face of improved security defenses.

Recommendations

Defending Against Prince of Persia APT Campaigns

Harden Email and Document-Based Entry Points: Prince of Persia primarily gains initial access through phishing emails and weaponized Office documents delivering Foudre malware. Enforce strict email filtering policies, block embedded executables in email attachments, restrict document macro execution, and implement attachment sandboxing solutions. These controls directly reduce the success of Foudre-based delivery and initial compromise attempts by the Prince of Persia APT group.
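The attachment controls above can be expressed as a gateway check. The following is an added example written for this advisory, not Hive Pro tooling or anything recovered from Foudre lures: it refuses direct executables by extension, catches a PE image that has been renamed to a harmless extension, and opens Office Open XML containers to look for a VBA project or an embedded object that carries a PE image (the "files embedding executables" delivery described later). The extension lists, the block/sandbox/allow policy and the sample documents are all constructed assumptions.

```python
"""Mail-gateway style attachment check for executables hidden in Office
documents. Added example (not Hive Pro's code); sample files are constructed
in memory and are not real lures."""
import io
import struct
import zipfile

# Assumed gateway policy: direct executables are refused outright.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".js", ".jse", ".vbs", ".hta", ".msi"}
OOXML_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}


def find_pe_images(blob: bytes) -> list[int]:
    """Return offsets of PE images inside blob: an 'MZ' header whose e_lfanew
    field (at header offset 0x3C) points at a 'PE\\0\\0' signature."""
    hits, start = [], 0
    while True:
        off = blob.find(b"MZ", start)
        if off < 0 or off + 0x40 > len(blob):
            break
        e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
        pe_off = off + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and blob[pe_off:pe_off + 4] == b"PE\x00\x00":
            hits.append(off)
        start = off + 2
    return hits


def inspect_ooxml(data: bytes) -> dict:
    """Open an OOXML (zip) container and report VBA projects and embedded
    objects; embedded objects are scanned for a PE image."""
    report = {"macros": [], "embeddings": [], "embedded_pe": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        report["error"] = "not an OOXML container"
        return report
    with zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):        # word/, xl/, ppt/ variants
                report["macros"].append(name)
            if "/embeddings/" in lower:                 # OLE objects live here
                report["embeddings"].append(name)
                if find_pe_images(zf.read(name)):
                    report["embedded_pe"].append(name)
    return report


def attachment_verdict(filename: str, data: bytes) -> tuple[str, str]:
    """Return ("block" | "sandbox" | "allow", reason) for one attachment."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"direct executable attachment ({ext})"
    # A renamed executable still starts with an MZ/PE header.
    if data[:2] == b"MZ" and find_pe_images(data[:0x1000]) and ext not in OOXML_EXTENSIONS:
        return "block", "attachment is a PE image regardless of extension"
    if ext in OOXML_EXTENSIONS:
        r = inspect_ooxml(data)
        if r["embedded_pe"]:
            return "block", f"embedded executable in {r['embedded_pe'][0]}"
        if r["macros"]:
            return "sandbox", f"VBA project present ({r['macros'][0]})"
        if r["embeddings"]:
            return "sandbox", "embedded OLE object present"
    return "allow", "no executable content detected"


# --- constructed samples for demonstration -------------------------------
def _fake_pe() -> bytes:
    """Stand-in for an executable: MZ header, e_lfanew = 0x40, PE signature."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 32


def build_sample_docx(embed_pe: bool, with_macro: bool = False) -> bytes:
    """Minimal constructed OOXML container, optionally with a macro project
    and an OLE embedding that wraps the fake PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed macro stub")
        if embed_pe:
            ole_prefix = b"\xd0\xcf\x11\xe0" + b"\x00" * 64   # pretend CFB header
            zf.writestr("word/embeddings/oleObject1.bin", ole_prefix + _fake_pe())
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docx", build_sample_docx(True)),
                       ("report.docm", build_sample_docx(False, with_macro=True)),
                       ("notes.docx", build_sample_docx(False)),
                       ("statement.pdf", _fake_pe())]:
        print(name, attachment_verdict(name, blob))
```

The PE check reads the `e_lfanew` pointer rather than just searching for the string "MZ", so ordinary text containing those two letters does not trigger it; real gateways would additionally parse the OLE container inside the embedding rather than scanning it raw, but the raw scan is enough to stop an attachment that drops a plain executable.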

Implement Network Segmentation and Robust Access Controls: Isolate critical infrastructure and sensitive data repositories from general user networks using comprehensive network segmentation strategies. Enforce strict access control lists (ACLs) to regulate traffic flow between network segments, minimizing the potential for lateral movement following Prince of Persia Foudre malware infections and limiting the scope of Tonnerre data exfiltration operations.

Detect and Disrupt Command-and-Control Infrastructure: Monitor network traffic for domain generation algorithm-based DNS activity, anomalous outbound traffic patterns, and suspicious use of messaging platforms such as Telegram that Prince of Persia leverages for C2. Focus detection efforts on identifying abnormal DNS query patterns, unexpected Telegram API usage, and unauthorized external connections to disrupt Prince of Persia command-and-control communication and limit both persistence mechanisms and data exfiltration capabilities.
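As an added illustration of the detection focus described above (this is example code written for the advisory, not Hive Pro detection content and not the group's actual DGA), the following runs two checks over constructed DNS and flow log lines: per-host bursts of NXDOMAIN answers and algorithmically-looking second-level labels, which is how DGA lookups typically present before a live C2 domain is found, and TLS connections to the Telegram Bot API from hosts that are not on an approved list. The log format, thresholds, host addresses and the approved-source list are all assumptions.

```python
"""DGA-style DNS and unexpected Telegram API use, scored from log lines.
Added example, not Hive Pro tooling; sample lines are constructed."""
import math
import re
from collections import defaultdict

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line: str) -> dict:
    """Parse 'timestamp key=value key=value' lines into a dict (timestamp as 'ts')."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_generated(fqdn: str) -> bool:
    """Generic DGA heuristic (assumed thresholds, not the group's algorithm):
    a long second-level label that is high-entropy, nearly vowel-free, or
    mixes several digit runs into the letters."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    if len(sld) < 10:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in sld) / len(sld)
    digit_runs = len(re.findall(r"\d+", sld))
    return shannon_entropy(sld) > 3.3 or vowel_ratio < 0.2 or digit_runs >= 2


def dns_alerts(lines, nx_threshold: int = 3, dga_threshold: int = 2) -> dict:
    """Group DNS events by source host and return the hosts that show an
    NXDOMAIN burst or several generated-looking names in the window."""
    per_host = defaultdict(lambda: {"nxdomain": 0, "generated": []})
    for line in lines:
        ev = parse_kv(line)
        stats = per_host[ev["src"]]
        if ev.get("rcode") == "NXDOMAIN":
            stats["nxdomain"] += 1
        if looks_generated(ev["qname"]):
            stats["generated"].append(ev["qname"])
    return {host: s for host, s in per_host.items()
            if s["nxdomain"] >= nx_threshold or len(s["generated"]) >= dga_threshold}


def telegram_alerts(lines, approved_sources) -> list:
    """Return sources reaching the Telegram API (by TLS SNI) that are not
    on the approved list, e.g. a sanctioned communications bot host."""
    hits = set()
    for line in lines:
        ev = parse_kv(line)
        if ev.get("sni", "").endswith("telegram.org") and ev["src"] not in approved_sources:
            hits.add(ev["src"])
    return sorted(hits)


# Constructed sample logs: 10.0.4.21 behaves like a DGA-driven implant,
# 10.0.4.22 is a normal workstation, 10.0.9.8 is the assumed approved bot host.
DNS_LOG = [
    "2025-09-12T08:01:13Z src=10.0.4.21 qname=xk3q9tz7bwq2.net rcode=NXDOMAIN",
    "2025-09-12T08:01:14Z src=10.0.4.21 qname=qwzrtplmnbvx.com rcode=NXDOMAIN",
    "2025-09-12T08:01:15Z src=10.0.4.21 qname=hjd8fa7sk2ldf.org rcode=NXDOMAIN",
    "2025-09-12T08:01:16Z src=10.0.4.21 qname=pl4mn7xq9wzr.info rcode=NOERROR",
    "2025-09-12T08:01:20Z src=10.0.4.22 qname=cdn.example.net rcode=NOERROR",
    "2025-09-12T08:01:21Z src=10.0.4.22 qname=intranet.example.com rcode=NOERROR",
    "2025-09-12T08:01:22Z src=10.0.4.22 qname=typo.exmaple.com rcode=NXDOMAIN",
]
FLOW_LOG = [
    "2025-09-12T08:02:44Z src=10.0.4.21 dst=203.0.113.5 sni=api.telegram.org proto=tls",
    "2025-09-12T08:02:50Z src=10.0.9.8 dst=203.0.113.5 sni=api.telegram.org proto=tls",
    "2025-09-12T08:02:51Z src=10.0.4.22 dst=203.0.113.9 sni=cdn.example.net proto=tls",
]
APPROVED_TELEGRAM_SOURCES = {"10.0.9.8"}

if __name__ == "__main__":
    print("DGA/NXDOMAIN suspects:", dns_alerts(DNS_LOG))
    print("Unapproved Telegram API use:", telegram_alerts(FLOW_LOG, APPROVED_TELEGRAM_SOURCES))
```

The two signals are deliberately kept separate: a host that both resolves generated-looking names and then opens a session to the Telegram API is a stronger lead than either alone, and correlating them by source address is the natural next step in a SIEM rule.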

MITRE ATT&CK TTPs

Prince of Persia APT Tactics, Techniques, and Procedures

Resource Development:

  • T1583: Acquire Infrastructure – Prince of Persia establishing C2 infrastructure
  • T1583.001: Domains – Registering domains for command-and-control
  • T1587: Develop Capabilities – Creating Foudre and Tonnerre malware
  • T1587.001: Malware – Developing custom espionage tools
  • T1588: Obtain Capabilities – Acquiring exploitation tools and infrastructure

Reconnaissance:

  • T1598: Phishing for Information – Gathering intelligence on targets before campaigns

Initial Access:

  • T1566: Phishing – Primary Prince of Persia initial access method

Execution:

  • T1204: User Execution – Victims executing Prince of Persia malicious attachments
  • T1204.002: Malicious File – Opening weaponized documents containing Foudre
  • T1059: Command and Scripting Interpreter – Executing malicious scripts
  • T1059.005: Visual Basic – Using VBA macros in malicious documents

Persistence:

  • T1547: Boot or Logon Autostart Execution – Maintaining Foudre/Tonnerre persistence
  • T1547.001: Registry Run Keys / Startup Folder – Persistence via registry
  • T1543: Create or Modify System Process – Creating persistence mechanisms
  • T1543.003: Windows Service – Installing malware as Windows services

Defense Evasion:

  • T1027: Obfuscated Files or Information – Obfuscating Prince of Persia malware
  • T1027.002: Software Packing – Packing Foudre and Tonnerre
  • T1140: Deobfuscate/Decode Files or Information – Decoding encrypted payloads
  • T1036: Masquerading – Disguising malicious files
  • T1036.005: Match Legitimate Resource Name or Location – Using legitimate-looking names
  • T1574: Hijack Execution Flow – Subverting normal execution
  • T1574.001: DLL – DLL hijacking techniques

Credential Access:

  • T1555: Credentials from Password Stores – Tonnerre harvesting stored credentials
  • T1555.003: Credentials from Web Browsers – Extracting browser credentials
  • T1056: Input Capture – Capturing keystrokes and user input

Discovery:

  • T1082: System Information Discovery – Foudre profiling victim systems
  • T1057: Process Discovery – Identifying running processes and security tools
  • T1518: Software Discovery – Discovering installed software
  • T1518.001: Security Software Discovery – Identifying security products

Collection:

  • T1005: Data from Local System – Tonnerre collecting sensitive files
  • T1560: Archive Collected Data – Compressing data for exfiltration

Command and Control:

  • T1071: Application Layer Protocol – Using standard protocols for C2
  • T1568: Dynamic Resolution – Domain generation algorithms
  • T1568.002: Domain Generation Algorithms – DGA-based C2
  • T1102: Web Service – Abusing Telegram for command-and-control
  • T1573: Encrypted Channel – Encrypted Prince of Persia communications
  • T1105: Ingress Tool Transfer – Downloading additional tools

Exfiltration:

  • T1041: Exfiltration Over C2 Channel – Exfiltrating data through C2
  • T1048: Exfiltration Over Alternative Protocol – Using Telegram for data theft

Impact:

  • T1485: Data Destruction – Potential destructive capabilities

