thehackernews.com 2/5/2026, 11:50:21 AM

Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends

The Iranian threat group known as Infy (aka Prince of Persia) has evolved its tactics and is setting up new command-and-control (C2) infrastructure as the Iran internet blackout ends. According to SafeBreach, the threat actor stopped maintaining its C2 servers on 8 January for the first time since monitoring began, the same day a country-wide internet shutdown was imposed by Iranian authorities.

Renewed activity was observed on 26 January 2026, when the group established new C2 servers, one day before the government relaxed restrictions. The development is described as concrete evidence that the adversary is state-sponsored and backed by Iran. SafeBreach's findings also note updates to Infy's tradecraft, including newer versions of Foudre and Tonnerre, and the introduction of Tornado version 51, which can use HTTP and Telegram for C2.

The report highlights techniques such as a new domain generation algorithm (DGA) for C2 domains and references to the potential exploitation of a WinRAR flaw to deploy Tornado payloads.

Article by CyberSIXT