Iranian nation-state APT actors, known ominously as “Prince of Persia,” have re-emerged, launching a sophisticated cyberespionage campaign against global critical infrastructure and private networks. This group, active since the early 2000s, is now employing updated malware variants to infiltrate systems and pilfer sensitive intelligence. Their latest operations demonstrate a significant leap in technical proficiency, utilizing novel evasion tactics and decentralized command-and-control (C2) infrastructures to circumvent modern security measures.
The initial infection vector for this campaign primarily involves malicious Microsoft Excel files containing embedded executables, a strategic shift from their previous use of macro-enabled documents. These files are often disguised as legitimate administrative updates or regional news items to bypass standard antivirus detection engines. Once a victim interacts with the malicious file, the malware deploys a self-extracting archive that silently installs the Foudre backdoor, thereby gaining an initial foothold within the targeted network.
Technical Analysis of Infection and C2 Communication
SafeBreach analysts recently identified this renewed activity following a three-year period of dormancy by the “Prince of Persia” APT group. Their research highlights the group’s transition to more resilient operational security practices. The investigation revealed the deployment of distinct malware families, Foudre and Tonnerre, which have been updated with advanced capabilities for establishing persistence and exfiltrating data. The findings also suggest a human-operated management of the campaign’s infrastructure, linked to a specific persona identified as “Ehsan.”
The current Iranian nation-state APT campaign showcases remarkable technical sophistication, most notably in the deployment of Foudre v34 and Tonnerre v50. Foudre v34 utilizes a complex multi-stage loading process. A loader DLL, identified as Conf8830.dll, executes a specific exported function named f8qb1355. This function subsequently calls a disguised DLL file, d232, which is made to appear as an MP4 video file, aiming to deceive both end-users and automated security tools.
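A defender's check for the file-masquerading step described above, added here as an example and not taken from the SafeBreach research or from the malware itself: a file that carries a media extension but begins with a Windows PE image (the "MZ" DOS stub and the "PE\0\0" signature at the offset stored in e_lfanew) is a mismatch worth alerting on. The file name d232.mp4, the header bytes and the scan format below are constructed for the example.

```python
import os
import struct

def looks_like_pe(data: bytes) -> bool:
    """True when data starts with a Windows PE image: an 'MZ' DOS stub and the
    'PE\\0\\0' signature at the offset given by e_lfanew (bytes 0x3c..0x3f)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

# Extensions a PE image has no business carrying (list chosen for the example).
MEDIA_EXTENSIONS = {".mp4", ".mp3", ".avi", ".mkv", ".jpg", ".png"}

def extension_masquerade(filename: str, data: bytes) -> bool:
    """True when a file claiming a media extension actually carries a PE header."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in MEDIA_EXTENSIONS and looks_like_pe(data)

def constructed_pe_stub() -> bytes:
    # Constructed minimal header: 'MZ', e_lfanew pointing at 0x40, then 'PE\0\0'.
    buf = bytearray(0x44)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)

def constructed_mp4_header() -> bytes:
    # Constructed ISO base media header: 4-byte box size then the 'ftyp' box type.
    return b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 0x40

def scan(files):
    """files: iterable of (name, bytes); returns the names that masquerade as media."""
    return [name for name, data in files if extension_masquerade(name, data)]

if __name__ == "__main__":
    samples = [("d232.mp4", constructed_pe_stub()),   # PE bytes behind a video name
               ("clip.mp4", constructed_mp4_header())]  # genuine-looking MP4 header
    print(scan(samples))
```

The check reads only the first 0x44 bytes, so it is cheap enough to run over every file dropped by a self-extracting archive; the extension list is deliberately narrow so that legitimate DLLs with their own extension do not trigger it.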
Upon successful execution, the malware establishes persistence within the compromised system and initiates communication with C2 servers using a dynamically generated domain name. The Domain Generation Algorithm (DGA) employed in this process is particularly distinctive, operating in two phases. The first phase calculates a CRC32 checksum over a date-formatted string, built for example by the Python expression "LOS1{}{}{}".format(date.year, date.month, weeknumber). The second phase then transforms that checksum into a unique eight-character hostname.
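Because the seed depends only on the year, month and week number, a defender can precompute every hostname the algorithm will produce for the coming weeks and watch DNS logs for them. The script below does that; it is an added example, not code from the article or from the malware. It assumes the ISO week number (the article does not say which week numbering is used), and its second phase is a hypothetical stand-in that maps the 32-bit checksum onto eight base-26 letters, since the article only states that an eight-character hostname results. The log format and the sample query lines are constructed.

```python
import zlib
from datetime import date, timedelta

def seed_string(d: date) -> str:
    """Phase one input as the article describes it: "LOS1" + year + month + week.
    ISO week numbering is an assumption made for this example."""
    return "LOS1{}{}{}".format(d.year, d.month, d.isocalendar()[1])

def crc32_phase(seed: str) -> int:
    """Phase one: CRC32 of the seed string as an unsigned 32-bit value."""
    return zlib.crc32(seed.encode("ascii")) & 0xFFFFFFFF

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def hostname_phase(checksum: int) -> str:
    """Phase two (hypothetical): emit eight base-26 letters from the checksum.
    The real transformation is not described in the article."""
    label = []
    for _ in range(8):
        label.append(ALPHABET[checksum % 26])
        checksum //= 26
    return "".join(label)

def candidate_labels(start: date, weeks_ahead: int) -> set:
    """Distinct hostnames for the weeks from start through start + weeks_ahead."""
    labels = set()
    for week in range(weeks_ahead + 1):
        d = start + timedelta(weeks=week)
        labels.add(hostname_phase(crc32_phase(seed_string(d))))
    return labels

def flag_dga_queries(log_lines, candidates: set):
    """Match DNS query logs (constructed format '<timestamp> <client-ip> <qname>')
    against precomputed labels; returns (client-ip, qname) pairs that hit."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        qname = parts[2].rstrip(".").lower()
        if qname.split(".")[0] in candidates:
            hits.append((parts[1], qname))
    return hits

if __name__ == "__main__":
    today = date(2025, 1, 15)            # constructed reference date
    labels = candidate_labels(today, 4)  # this week plus the next four
    sample = sorted(labels)[0]
    logs = [  # constructed DNS log lines
        "2025-01-15T10:00:00Z 10.0.0.5 www.example.com.",
        "2025-01-15T10:00:01Z 10.0.0.5 " + sample + ".example.",
    ]
    for client, qname in flag_dga_queries(logs, labels):
        print("possible DGA lookup from", client, "->", qname)
```

Once the real second-phase transformation is known, only hostname_phase needs replacing; the precomputation and log matching stay the same, and the candidate set is small enough (one label per week) to feed straight into a DNS sinkhole or a SIEM watchlist.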
Furthermore, the Tonnerre v50 variant introduces an innovative redirection mechanism that leverages Telegram. Instead of relying on traditional FTP protocols for communication, this version of the malware communicates with a Telegram bot to receive commands. This approach offers an additional layer of obfuscation and resilience, making it more challenging for security analysts to track and intercept.
The C2 communication for Foudre v34 specifically relies on distinct HTTP GET requests to validate victim machines. The malware sends a unique identifier to the server in the following structured format: https://. This granular control over communication allows the threat actors to selectively upgrade or remove specific infections. Such precise management is critical for maintaining undetected operations and ensuring sustained access to high-value targets within critical infrastructure organizations and private networks.
The renewed activity of the “Prince of Persia” APT underscores the persistent and evolving threat posed by nation-state sponsored actors. Organizations operating in critical infrastructure sectors should remain vigilant and ensure their security measures are up-to-date to detect and mitigate such advanced cyber threats. Ongoing monitoring and threat intelligence sharing will be crucial in anticipating and countering future campaigns by this sophisticated Iranian nation-state APT.