Infy is an Iran-aligned espionage actor that quietly maintained and expanded operations over nearly two decades, resurfacing with refreshed malware, resilient infrastructure, and broader geographic reach through late 2025. The group favors disciplined, low-noise campaigns built on targeted document-based lures, staged victim profiling, and frequent infrastructure rotation to secure long-term access to government, diplomatic, civil society, and critical-infrastructure-adjacent targets aligned with Iranian intelligence priorities.

CYBER INSIGHTS | JAN 07, 2026

Overview

Infy, also tracked as “Prince of Persia,” is a long-running Iran-aligned espionage threat actor that has targeted government entities, critical infrastructure-adjacent organizations, and individuals of intelligence interest for nearly two decades. Public reporting first brought wider attention to the group in the mid-2010s; however, newer research indicates the actor continued operating during periods when it appeared quiet, suggesting deliberate operational security and disciplined campaign management. The actor’s activity is notable for its persistence, selective targeting, and willingness to iterate on tooling and infrastructure to sustain access over time. Recent observations confirm continued operations through at least December 2025, reinforcing that this is not a historical threat but a current one with active tradecraft evolution. The group’s campaigns have demonstrated a broad geographic reach spanning Iran and multiple countries in Europe, as well as parts of the Middle East, South Asia, and North America. The key takeaway is continuity: the actor did not disappear but adapted and maintained momentum while reducing external visibility. Recent campaign observations signal renewed confidence and an expanded operational scale compared to what was previously understood.

Key Findings:

  • Infy’s operational footprint over the last several years appears materially larger than earlier reporting suggested, including multiple overlapping campaigns rather than isolated activity bursts.
  • The actor maintains a structured, multi-component malware ecosystem that supports victim profiling, selective follow-on activity against higher-value targets, and long-term collection priorities aligned with intelligence gathering.
  • Infrastructure observations indicate frequent rotation and parallelization, consistent with an actor that plans for disruption and prioritizes survivability of operations across time and geography.
  • The group has incorporated modern, low-friction communication channels into its operations, indicating an intent to improve reliability and responsiveness while blending into common enterprise traffic patterns.
  • Immediate Actions: Prioritize internal scoping for potential exposure by identifying business units, roles, and geographies that align with the actor’s historic targeting patterns and ensure incident response pathways are ready for rapid triage if related activity is discovered.

1.0 Threat Overview

Infy, publicly tracked as Prince of Persia, was first widely documented in the mid-2010s, though retrospective analysis later established activity dating back to at least 2004–2007. Early campaigns demonstrated a clear emphasis on espionage objectives, with targets primarily consisting of Iranian dissidents, media organizations, government entities, and diplomatic personnel. Unlike financially motivated actors, Infy showed little interest in monetization, instead focusing on long-term access, surveillance, and intelligence collection. This targeting profile, combined with infrastructure and operational characteristics, strongly aligned the group with Iranian state interests from its earliest observed operations.

In 2016, public exposure and subsequent infrastructure disruption significantly impacted Infy’s active campaigns, temporarily reducing visibility into its operations. However, follow-on research in subsequent years showed the group resurfaced with reworked malware families and improved operational discipline, suggesting an ability to absorb setbacks and adapt rather than abandon activity. The period between 2017 and 2021 was marked by steady technical iteration, expanded tooling, and experimentation with multiple infection vectors, reinforcing the assessment of a well-resourced and strategically guided actor. After 2022, Infy appeared to go quiet from a public reporting perspective, leading to assumptions that the group had either deprioritized operations or dissolved. Recent longitudinal research contradicts this view, showing that the actor continued operating under reduced visibility while refining infrastructure and tooling. By 2024–2025, observable activity again increased, revealing a threat actor that had used the intervening years to mature its tradecraft and prepare for sustained future operations rather than disengaging entirely.


2.0 Threat Actor Breakdown

Infy, widely known as the “Prince of Persia,” is one of the longest-running Iranian-aligned cyber espionage operations observed to date. The actor’s operational history spans nearly two decades, during which it has consistently aligned with Iranian intelligence priorities, preferred targeted access over scale, and demonstrated a disciplined approach to campaign management. Unlike opportunistic or financially motivated groups, Infy’s activity reflects strategic patience, with tooling and infrastructure built to support surveillance, profiling, and selective exploitation of high-interest targets.

The group’s campaigns clearly emphasize continuity. Even after periods of public exposure and infrastructure disruption, Infy has repeatedly re-emerged with refined tradecraft rather than abandoning operations. This pattern suggests centralized direction, institutional knowledge retention, and resourcing sufficient to sustain long-term development cycles. Observed behaviors, including careful victim vetting, active removal of low-value infections, and parallel testing infrastructure, further indicate an actor that prioritizes operational security and intelligence value.

Recent activity through late 2025 reinforces assessments that Infy remains an active and evolving threat. New campaign waves, updated malware families, and expanded communication mechanisms point to renewed confidence and operational scale. The group’s ability to operate quietly for extended periods while continuing to modernize its capabilities places it among the more persistent and strategically relevant Iranian cyber espionage actors currently tracked.

Iran-Aligned Threat Actor Profile

  • Emergence Date (Timeline): Activity assessed as early as 2004–2007, with continuous development observed across multiple operational phases.
  • Attribution (Assessment): Strongly assessed as Iran-aligned, based on targeting patterns, infrastructure, language artifacts, and long-term strategic alignment.
  • Associated Malware (Malware Families): Infy (early variants), Foudre (multiple versions), Tonnerre (multiple versions), MaxPinner, Deep Freeze, Amaq News Finder, Rugissement.
  • Targets (Target Profile): Government entities, diplomatic organizations, civil society, media, political dissidents, and select foreign government and industry targets.
  • Common Tactics (Tactical Approach): Targeted social engineering, staged malware deployment, selective victim escalation, infrastructure rotation, operational cleanup of low-value access.
  • Recent Activities (Current Operations): Confirmed operational activity through December 2025, including refreshed malware families, redesigned infrastructure, and expanded campaign scope.

3.0 Tradecraft Overview and Targeting Strategy

Operational Philosophy: Infy follows a disciplined, intelligence-driven operational model focused on discretion and long-term access rather than speed or volume. The actor uses a staged intrusion approach, first establishing limited footholds to assess victim relevance before committing additional resources. Only systems deemed strategically valuable receive follow-on tooling, indicating consistent human oversight and selective escalation. This model reduces operational noise, limits exposure, and enables sustained espionage campaigns over extended periods.

Iran-Aligned Threat Actor Operational Methodology

Initial Access and Delivery Approach
  • Relies primarily on social engineering rather than technical exploitation.
  • Uses document-based lures tailored to the target's language, region, and professional role.
  • Embeds malicious content within legitimate-looking files to increase execution success and reduce suspicion.
  • Assumes user interaction within routine workflows rather than exploitation of rare vulnerabilities.

Infrastructure and Campaign Management
  • Employs frequent infrastructure rotation and parallel command-and-control usage to preserve continuity.
  • Demonstrates advanced planning for resilience through domain naming and hosting decisions.
  • Separates development, testing, and operational infrastructure to contain exposure.
  • Actively removes low-value or obsolete infections to minimize forensic artifacts and defensive visibility.

Stealth and Longevity
  • Prioritizes quiet collection and persistence over aggressive or disruptive actions.
  • Introduces tooling changes incrementally to preserve compatibility with historical infrastructure.
  • Optimizes for long dwell time and reduced scrutiny rather than rapid objective completion.

Targeting Profile
  • Focuses on environments providing access to sensitive communications, policy discussions, and strategic insight.
  • Targets primarily Microsoft Windows environments, with Microsoft Office as a common entry point.
  • Victims frequently include government entities, civil society, media, and critical infrastructure-adjacent organizations.
  • High-trust and high-visibility roles are prioritized due to their access and influence.
  • Geographic targeting aligns strongly with Iranian domestic interests, with consistent spillover into Europe, the Middle East, South Asia, and North America.

Conditions for Success
  • Infy's operations depend on exploiting trust, routine behavior, and time rather than technical weakness.
  • Campaigns assume credible content delivery, trusted communication channels, and standard enterprise configurations that favor stability.
  • Environments tolerant of low-and-slow activity provide the actor sufficient dwell time to evaluate intelligence value and selectively escalate.
  • Systems lacking strategic relevance are deprioritized or removed entirely, reinforcing an operational philosophy centered on precision, patience, and sustained intelligence collection.

4.0 Historical Exploit Timeline

Iran-Aligned Threat Actor Operational Timeline

  • 2004–2007: Earliest assessed activity attributed to Infy, using bespoke malware and targeted delivery against select victims. Operational significance: establishes long-term presence and early investment in custom tooling.
  • 2010–2013: Expansion of campaigns against civil society, media, and politically relevant targets. Operational significance: confirms intelligence-driven targeting and regional focus.
  • 2015–2016: Public exposure and infrastructure disruption by security researchers. Operational significance: forces adaptation; reveals state-aligned resilience rather than disengagement.
  • 2017–2018: Introduction of newer malware families and staged infection workflows. Operational significance: marks a shift toward more structured, modular operations.
  • 2019–2021: Continued tooling refinement, experimentation with multiple variants and loaders. Operational significance: demonstrates active development and testing cadence.
  • 2022: Apparent reduction in public visibility following prior disclosures. Operational significance: indicates a deliberate move toward lower-noise operations.
  • 2023–2024: Ongoing but under-the-radar activity with infrastructure rotation and testing. Operational significance: shows continuity despite limited external reporting.
  • 2025 (Sep–Dec): Confirmed resurgence with refreshed malware, redesigned infrastructure, and expanded campaigns. Operational significance: signals renewed operational confidence and increased scale.

5.0 Risk and Impact

Infy poses a sustained intelligence risk to organizations and individuals aligned with governmental, diplomatic, and politically sensitive functions. The actor’s focus on long-term access and selective targeting increases the likelihood of prolonged, undetected compromise rather than immediate, disruptive outcomes. Successful operations enable the quiet collection of sensitive communications, strategic intent, and contextual insight that can inform broader state objectives over time. The cumulative impact is not limited to individual victims but extends to institutional trust, policy confidentiality, and the strategic advantage gained through persistent visibility into decision-making environments. Over time, this access can influence negotiation positions, policy formulation, and strategic planning without overt signals of compromise.


6.0 Recommendations for Mitigation

  • Targeted Document-Based Initial Access: Watch for spearphishing campaigns using contextually relevant Microsoft Office documents, particularly Excel files, that rely on user interaction rather than exploits to gain an initial foothold.
  • Staged Victim Profiling Behavior: Look for early-stage activity that gathers system, user, and environment details without immediate follow-on actions, indicating assessment of a system’s intelligence value.
  • Execution-to-Communication Correlation: Correlate user-initiated document execution with delayed external communications occurring days or weeks later to surface selective escalation and human-driven targeting.
  • DGA Pattern Analytics: Detect recurring, structured domain access patterns across hosts and time, even when individual DNS events appear isolated or low risk.
  • Operational Cleanup Indicators: Identify deliberate malware removal, access withdrawal, or process termination on low-value systems, which often signals an espionage actor attempting to minimize exposure rather than an unsuccessful intrusion.
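The execution-to-communication correlation and DGA pattern analytics above can be prototyped over endpoint telemetry. The following is an added illustration, not code from the report or from any vendor: it assumes a constructed event tuple format (timestamp, host, kind, detail), and the sample hostnames and domains are invented placeholders rather than Infy indicators. It flags domains first contacted a week or more after an Office execution on the same host, and domain-name shapes that recur across several hosts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (timestamp, host, kind, detail).
# kind is "exec" (user-launched Office document) or "dns" (outbound name lookup).
EVENTS = [
    ("2025-10-01T09:12:00", "ws-17", "exec", "EXCEL.EXE budget_q4.xlsm"),
    ("2025-10-01T09:12:30", "ws-17", "dns", "sharepoint.example.internal"),
    ("2025-10-19T14:03:00", "ws-17", "dns", "kq7x2mv9.example"),
    ("2025-10-03T08:40:00", "ws-22", "exec", "EXCEL.EXE invoice.xlsm"),
    ("2025-10-03T08:41:00", "ws-22", "dns", "update.vendor.example"),
    ("2025-10-24T08:55:00", "ws-22", "dns", "p3n8rw4t.example"),
    ("2025-10-24T08:56:00", "ws-22", "dns", "zb5c9ql1.example"),
    ("2025-10-05T10:00:00", "ws-30", "dns", "mail.example.internal"),
]

def delayed_beacons(events, min_delay=timedelta(days=7)):
    """(host, domain, days) for each never-before-seen domain contacted at
    least min_delay after the most recent Office execution on that host."""
    events = sorted(events, key=lambda e: e[0])
    execs, seen, hits = defaultdict(list), set(), []
    for ts, host, kind, detail in events:
        t = datetime.fromisoformat(ts)
        if kind == "exec":
            execs[host].append(t)
            continue
        if kind != "dns" or detail in seen:
            continue  # only the first sighting of a domain anywhere counts
        seen.add(detail)
        prior = [e for e in execs[host] if e <= t]
        if prior and t - max(prior) >= min_delay:
            hits.append((host, detail, (t - max(prior)).days))
    return hits

def shape(domain):
    """Structural fingerprint: label lengths plus whether the leftmost label
    mixes letters and digits (a generic trait of algorithmically built names)."""
    labels = domain.split(".")
    mixed = any(c.isdigit() for c in labels[0]) and any(c.isalpha() for c in labels[0])
    return (tuple(len(l) for l in labels), mixed)

def recurring_shapes(events, min_hosts=2, min_domains=2):
    """Domain shapes queried on >= min_hosts hosts using >= min_domains distinct names."""
    by_shape = defaultdict(lambda: {"hosts": set(), "domains": set()})
    for _, host, kind, detail in events:
        if kind == "dns":
            by_shape[shape(detail)]["hosts"].add(host)
            by_shape[shape(detail)]["domains"].add(detail)
    return {k: {"hosts": sorted(v["hosts"]), "domains": sorted(v["domains"])}
            for k, v in by_shape.items()
            if len(v["hosts"]) >= min_hosts and len(v["domains"]) >= min_domains}

if __name__ == "__main__":
    for hit in delayed_beacons(EVENTS):
        print("delayed first contact:", hit)
    for key, val in recurring_shapes(EVENTS).items():
        print("recurring domain shape:", key, val)
```

Real deployments would feed these functions from EDR process events and DNS logs and tune the delay and host thresholds to the environment's baseline.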

7.0 Hunter Insights

Infy is poised to remain a persistent Iranian espionage fixture over the next several years, with recent reporting indicating not a revival but a maturation of a nearly two-decade campaign that now operates at a greater scale and geographic reach than previously understood. Continuous tooling upgrades, Telegram-enabled command-and-control, and aggressive infrastructure rotation suggest that future operations will emphasize quiet, long-dwell access to government, diplomatic, civil society, and critical-infrastructure-adjacent networks, with selective targeting and deliberate cleanup of low-value hosts, keeping detection opportunities narrow.

Looking forward, Infy will likely deepen its focus on document-driven spearphishing, staged victim profiling, and DGA-backed domain infrastructure to evade static controls, while expanding beyond dissident communities into higher-value government and policy environments in Europe, the Middle East, South Asia, and North America. Organizations fitting this profile should expect more low-noise campaigns in which the primary indicators are subtle: carefully crafted lures in local languages, delayed C2 after user execution, and periodic malware withdrawals that mask long-term intelligence collection. High-fidelity spearphish detection, execution-to-network correlation, and DGA analytics are therefore critical to disrupting future Infy activity.
