TRENDING TOPICS DEC 22, 2025

Prince of Persia Maintains Persistent Iranian APT Operations Through Continuous Malware Evolution

Recent research confirms that the Iranian-aligned Prince of Persia threat actor never truly went dormant after 2022, but instead transitioned into a lower-visibility operational posture while continuing to evolve its tooling, infrastructure, and command-and-control tradecraft. SafeBreach’s longitudinal tracking shows the group maintaining parallel malware families, including multiple active variants of Foudre and Tonnerre, with overlapping but distinct DGA schemes and C2 architectures designed to complicate detection and attribution. The introduction of Tonnerre v50, the expansion to non-CRC32-based domain generation, and the reuse of long-lived infrastructure indicate deliberate investment in resiliency rather than opportunistic targeting. These developments reinforce Prince of Persia’s role as a sustained intelligence collection operation rather than a campaign-driven actor, with a clear emphasis on stealth, testing environments, and selective victim engagement. From an operational perspective, the group demonstrates a mature understanding of counterintelligence pressures, rapidly cycling C2 servers, pruning low-value infections, and separating attacker test systems from real victims to reduce exposure. The adoption of Telegram as a command-and-exfiltration channel marks a notable shift away from traditional protocols and suggests an effort to blend malicious traffic into widely used, trusted platforms. Victimology continues to align with historical Iranian strategic interests, including domestic targets, regional neighbors, and select international entities, underscoring long-term intelligence objectives rather than short-term disruption. These findings position Prince of Persia as an active and adaptable nation-state threat whose tooling diversity, infrastructure discipline, and persistence mechanisms warrant continued monitoring by defenders focused on Middle Eastern APT activity.

Android SMS Stealers Shift to Dropper-Led, Multi-Stage Campaigns

Group-IB research identifies a significant evolution in Android malware operations targeting users in Uzbekistan, marked by a transition from direct trojanized APK delivery to stealthy, multi-stage dropper-based infection chains. Threat actors now distribute applications that appear benign at install time and deploy encrypted SMS-stealing payloads locally, often without requiring network connectivity. These droppers minimize permission requests, rotate package names aggressively, and embed payloads in encrypted asset files that are unpacked only after runtime checks succeed. Combined with emulator detection, geolocation validation, and anti-debugging logic, this approach materially degrades the effectiveness of traditional static and sandbox-based defenses. The campaign ecosystem has matured operationally, with Telegram serving as the primary distribution and propagation channel, including the abuse of stolen Telegram sessions to automate lateral spread. The discovery of Wonderland marks a step change in regional capability, introducing bidirectional C2 over WebSockets that enables real-time command execution, arbitrary USSD requests, SMS sending, and suppression of security notifications. Supporting infrastructure has become more resilient through distributed domain ownership and rapidly rotating network resources, limiting the impact of individual takedowns. These developments indicate a highly adaptive threat environment focused on persistence, automation, and financial fraud at scale, requiring defenders to prioritize early dropper detection, behavioral analytics, and coordinated intelligence-driven responses rather than relying solely on signature-based controls.

Scripted Sparrow Scales Automated Business Email Compromise Across Global Targets

Scripted Sparrow is a high-volume Business Email Compromise collective operating as a loose network of fraud actors distributed across multiple continents. The group specializes in invoice fraud campaigns that impersonate executive coaching and leadership consulting firms, targeting accounts payable personnel with carefully constructed spoofed email reply chains. Activity analysis indicates extensive automation, with templated messaging, scripted follow-ups, and large-scale domain and webmail usage enabling the group to send millions of targeted messages monthly. Operational data suggests that Scripted Sparrow blends registered domains, free webmail services, and compromised mailboxes to diversify its delivery infrastructure and evade detection. The group has demonstrated steady tactical refinement since mid-2024, evolving from generic lures to highly customized messages that reference specific executives and include staged approval narratives. Scripted Sparrow also exercises deliberate exposure control, frequently withholding payment details until a victim responds so that mule accounts are not burned prematurely. Infrastructure analysis reveals disciplined registrar selection, consistent document-generation tooling, Telegram-based coordination, and active use of geolocation spoofing and remote-access environments for operational security. Given the scale, automation, and continued adaptation observed, Scripted Sparrow represents a persistent financial fraud risk that requires strict payment verification workflows, independent out-of-band validation, and heightened scrutiny of external invoice communications regardless of apparent internal approval context.

💡 Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.