ATLA WIRE

Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence

24.12.2025
The Iranian advanced persistent threat (APT) group Infy has broken its years-long silence with fresh malware campaigns, deploying updated versions of its Foudre and Tonnerre malware families.

Infy's Back — And They've Been Busy

After ghosting the cyber scene for years, the Iranian APT crew Infy just dropped back in with a whole new bag of tricks. They're rolling out updated versions of their signature malware — Foudre and Tonnerre — and they're not playing around.
This isn't some low-effort comeback. Infy's infrastructure is now global, resilient, and built to last. They're using phishing emails as their delivery method of choice, targeting specific orgs with surgical precision.

The Malware Arsenal: Foudre & Tonnerre 2.0

Foudre (French for 'lightning') is their info-stealer — it's been upgraded to snatch credentials, browser data, and system intel. Tonnerre ('thunder') is the backdoor, now with enhanced C2 communication and evasion capabilities.
Both tools use strong encryption and are designed to fly under the radar. They're not just rehashing old code — this is a legit refresh with new capabilities.

Global Infrastructure & Phishing Game

Infy's command-and-control (C2) servers are now scattered worldwide, making takedowns way harder. They're using compromised legitimate sites and bulletproof hosting to stay online.
The phishing emails are crafted to look legit, often impersonating known entities or using current events as lures. Once you click, the malware deploys silently.

Why This Matters

Infy's return signals that state-backed Iranian threat actors are still in the game, evolving their tools and tactics. This isn't amateur hour — it's professional-grade cyber espionage with clear strategic goals.
Organizations in sectors like government, defense, and critical infrastructure need to be on high alert. These campaigns are targeted, not spray-and-pray.
  • Infy APT group is back after years of inactivity
  • Deploying updated Foudre and Tonnerre malware families
  • Using phishing emails for initial access
  • Global, resilient C2 infrastructure
  • Strong encryption and evasion techniques
  • Targeted campaigns against specific organizations
  • State-backed Iranian cyber espionage operation