👤 WHITEHAWK
🗓️ 19 Dec 2025   🌍 Middle-East

Telegram, Backdoors, and the Shadow War: How Iranian Hackers Are Hijacking Global Infrastructure

A notorious Iranian cyber-espionage group has returned with stealthier malware and new tricks, putting critical systems worldwide at risk.

In the murky world of cyber-espionage, old adversaries rarely fade away - they adapt, regroup, and strike with renewed force. This is exactly what researchers have uncovered in the latest wave of attacks attributed to the Iranian “Prince of Persia” advanced persistent threat (APT) group. After a quiet three-year hiatus, this shadowy collective has reemerged in 2025, wielding more sophisticated tools and targeting vital infrastructure across the globe.

The Comeback: APTs Never Sleep

First identified in 2016, the “Prince of Persia” group - also known as “Infy” - has long been linked to Iranian state interests, specializing in espionage against governments, dissidents, and essential infrastructure. SafeBreach Labs’ recent investigation reveals the group is back, operating under deeper cover and with upgraded digital weaponry.

Malware Evolution: Foudre and Tonnerre

The attackers’ toolkit now includes three major malware strains, two of which are described here. Foudre v34, the latest iteration of the group’s long-running backdoor, arrives inside booby-trapped Microsoft Excel files. Once a file is opened, it drops a DLL loader, Conf8830.dll, together with a disguised archive, and the backdoor establishes itself on the victim’s machine.

The malware uses Domain Generation Algorithms (DGAs), which produce a steady stream of new domain names for command-and-control (C2) traffic, so that blocking any single domain buys defenders little. Each variant runs its own DGA, generating domains with distinct character patterns and prefixes, essentially giving the attackers a rotating set of digital safehouses. The flip side for defenders is that a DGA is deterministic: once the algorithm and its seed have been reverse-engineered, the domains it will produce can be precomputed and blocked or sinkholed ahead of time, and any host that resolves them in bulk stands out in DNS logs.
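The two sides of that coin, as an added example that is not part of the article and does not reproduce the real Foudre or Tonnerre algorithm (which SafeBreach has not published here): a toy, date-seeded DGA with a per-variant prefix, alphabet and length stands in for the malware, and the defender side precomputes the day’s domains for a blocklist and falls back to a lexical heuristic for domains no known algorithm explains. Variant names, prefixes, TLDs and the test domains are all invented for the example.

```python
import hashlib
import math
from collections import Counter
from datetime import date

# Constructed, illustrative DGA. This is NOT the actual Foudre/Tonnerre algorithm;
# it only models the properties the article describes: each variant has its own
# prefix, alphabet and label length, and the seed rotates (here, daily).
VARIANTS = {
    "foudre-like":   {"prefix": "fd", "alphabet": "abcdefghijklmnopqrstuvwxyz",           "length": 10, "tld": ".top"},
    "tonnerre-like": {"prefix": "tn", "alphabet": "abcdefghijklmnopqrstuvwxyz0123456789", "length": 12, "tld": ".xyz"},
}


def generate_domains(variant, day, count):
    """Domains `variant` would try on `day` (date or ISO string); deterministic so both sides agree."""
    cfg = VARIANTS[variant]
    day_str = day if isinstance(day, str) else day.isoformat()
    out = []
    for i in range(count):
        digest = hashlib.sha256(f"{variant}|{day_str}|{i}".encode()).digest()
        body = "".join(cfg["alphabet"][b % len(cfg["alphabet"])] for b in digest[:cfg["length"]])
        out.append(f'{cfg["prefix"]}{body}{cfg["tld"]}')
    return out


def daily_blocklist(day, count=20):
    """Defender side: once the algorithm is reversed, precompute every variant's domains for the day."""
    return {d for v in VARIANTS for d in generate_domains(v, day, count)}


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_generated(domain, min_len=8, min_entropy=3.0, max_vowel_ratio=0.3):
    """Lexical fallback for unknown DGAs: a long, high-entropy, vowel-poor second-level label."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def triage(queried_domains, day):
    """Split observed DNS queries into known-DGA hits and heuristic suspects."""
    blocklist = daily_blocklist(day)
    hits = [d for d in queried_domains if d in blocklist]
    suspects = [d for d in queried_domains if d not in blocklist and looks_generated(d)]
    return hits, suspects


if __name__ == "__main__":
    today = date(2025, 12, 19)
    # Constructed query list: three "infected host" lookups plus benign and unknown-DGA-looking names.
    observed = generate_domains("foudre-like", today, 3) + ["www.google.com", "xq7z9k2mwp4v.xyz"]
    print(triage(observed, today))
```

The precomputed blocklist is the reliable control and the heuristic is only a triage aid: thresholds like these will flag some CDN and tracking hostnames, so in practice they are paired with NXDOMAIN volume per client rather than used alone.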

Telegram: The New Cyber Command Center

The most notable shift in tactics appears in Tonnerre v50. For the first time, the group is using Telegram bots, specifically “ttestro1bot”, to relay stolen data and receive commands. The Telegram Bot API is reached over ordinary HTTPS to api.telegram.org, so the C2 channel rides on a service many organisations allow, uses infrastructure the attackers do not have to register or host themselves, and is hard to separate from legitimate use without TLS inspection or a close look at which hosts talk to it and how often.
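What that looks like from the defender’s side, as an added example that is not part of the article or of SafeBreach’s research: a scan over proxy logs for Telegram Bot API calls. The URL shape `https://api.telegram.org/bot<id>:<secret>/<method>` and the method names getUpdates, sendDocument, sendMessage and sendPhoto are the real Bot API; the log line format, the client addresses and the bot token below are constructed for the example, and the token is deliberately fake.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Bot API calls are ordinary HTTPS requests of the form
#   https://api.telegram.org/bot<bot_id>:<secret>/<method>
# A TLS-inspecting proxy therefore sees the method (getUpdates = polling for
# commands, sendDocument/sendMessage = uploading data) and the bot token.
TELEGRAM_API_HOST = "api.telegram.org"
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)")
COMMAND_POLL = {"getUpdates"}                        # real Bot API method names
EXFIL = {"sendDocument", "sendMessage", "sendPhoto"}

# Constructed log format for this example: "<ts> <client_ip> <verb> <url_or_host:port> <status>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<verb>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")


def redact_token(bot_id, secret):
    """Never write the full token to an alert: it is a live credential for the attacker's bot."""
    return f"{bot_id}:{secret[:3]}***"


def classify_request(verb, target):
    """Return a finding dict for Telegram Bot API traffic, or None for anything else."""
    if verb == "CONNECT":                            # no TLS inspection: only the host is visible
        host = target.rsplit(":", 1)[0]
        return {"kind": "telegram_api_connect", "method": None, "bot": None} if host == TELEGRAM_API_HOST else None
    parts = urlsplit(target)
    if parts.hostname != TELEGRAM_API_HOST:
        return None
    m = BOT_PATH.match(parts.path)
    if not m:
        return {"kind": "telegram_api_other", "method": None, "bot": None}
    method = m.group("method")
    kind = "c2_poll" if method in COMMAND_POLL else "exfil" if method in EXFIL else "bot_api_call"
    return {"kind": kind, "method": method, "bot": redact_token(m.group("bot_id"), m.group("secret"))}


def scan_proxy_log(lines):
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue                                 # malformed line: skip, never crash the detector
        finding = classify_request(m.group("verb"), m.group("target"))
        if finding:
            finding.update(ts=m.group("ts"), src=m.group("src"))
            findings.append(finding)
    return findings


def summarize(findings):
    """Per client: poll/exfil counts and the (redacted) bots seen. Repeated polls from one host are the beacon."""
    summary = defaultdict(lambda: {"c2_poll": 0, "exfil": 0, "other": 0, "bots": set()})
    for f in findings:
        s = summary[f["src"]]
        s[f["kind"] if f["kind"] in ("c2_poll", "exfil") else "other"] += 1
        if f["bot"]:
            s["bots"].add(f["bot"])
    return dict(summary)


# Constructed sample log (fake token, RFC 1918 addresses); not real captured traffic.
SAMPLE_LOG = [
    "2025-12-19T09:00:00Z 10.0.0.5 GET https://www.example.com/index.html 200",
    "2025-12-19T09:00:05Z 10.0.0.5 GET https://api.telegram.org/bot123456789:AAHfakefakefakefakefakefakefakefake00/getUpdates?offset=41 200",
    "2025-12-19T09:00:35Z 10.0.0.5 GET https://api.telegram.org/bot123456789:AAHfakefakefakefakefakefakefakefake00/getUpdates?offset=42 200",
    "2025-12-19T09:01:10Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAHfakefakefakefakefakefakefakefake00/sendDocument 200",
    "2025-12-19T09:02:00Z 10.0.0.7 CONNECT api.telegram.org:443 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for src, s in summarize(scan_proxy_log(SAMPLE_LOG)).items():
        print(src, s)
```

Without TLS inspection the proxy only records the CONNECT to api.telegram.org, which is why the scan keeps that weaker signal as its own finding; the per-client summary is what turns it into something actionable, since a workstation that polls getUpdates on a fixed cadence and occasionally calls sendDocument looks nothing like a person using the Telegram app.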

Researchers tracked the group’s infrastructure to European servers, with evidence linking back to Iranian operators, including a Persian-speaking user named “Ehsan.” Despite the operators’ attempts to wipe their tracks, investigators managed to recover stolen files and map out the sprawling C2 ecosystem.

What’s at Stake?

The renewed activity of Prince of Persia is a stark reminder: the cyber battlefield is ever-evolving. By combining malicious Office documents, DGA-driven C2 and a mainstream messaging platform’s bot API, these state-sponsored actors are sharpening their tools - and raising the stakes for governments and industries worldwide.

Reflections

As the boundaries between traditional espionage and cyberwarfare blur, vigilance is essential. The latest Prince of Persia campaign underscores a chilling reality: the next critical infrastructure breach may already be lurking behind an innocuous spreadsheet or a harmless-looking chat app.

WIKICROOK

  • APT (Advanced Persistent Threat): An Advanced Persistent Threat (APT) is a long-term, targeted cyberattack by skilled groups, often state-backed, aiming to steal data or disrupt operations.
  • Backdoor: A backdoor is a hidden way to access a computer or server, bypassing normal security checks, often used by attackers to gain secret control.
  • Domain Generation Algorithm (DGA): A DGA creates many domains for malware to contact C2 servers, helping attackers evade detection and takedown efforts.
  • Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
  • DLL Loader: A DLL Loader loads Dynamic Link Libraries into memory, a process often exploited by malware to execute harmful code or evade security measures.

WHITEHAWK
Cyber Intelligence Strategist