Iranian State-Linked Threat Activity and Related Supply-Chain/Developer Targeting Research
Multiple reports detail Iranian-linked espionage activity and tooling updates. SafeBreach described follow-on findings on the Iranian state-sponsored actor “Prince of Persia,” including at least three active variants of Foudre and Tonnerre malware, newly identified C2 infrastructure, and a Telegram-based data exfiltration channel; after publication, the actor rapidly rotated C2 servers and Telegram accounts, attempted to obscure victim-tracking artifacts, and appeared to attempt a retaliatory action against researchers that resembled prior attacks against open-source Python libraries.
Separately, Plone (a Python-based CMS) reported that it prevented a supply-chain compromise: an attacker used a stolen developer GitHub personal access token to force-push whitespace-obfuscated malicious JavaScript into multiple repositories. The changes were detected before any official release, and GitHub assessed that the payload was intended to compromise other developers (persistence via shell startup scripts, remote code execution, and theft of credentials, API keys, browser profiles and crypto-wallet files). Additional Iranian activity was reported in an espionage campaign attributed to APT42 (IRGC-linked) using TAMECAT, a modular, largely in-memory PowerShell backdoor delivered after prolonged social engineering (e.g., WhatsApp rapport-building), with modules for browser data theft, screenshots and file discovery. Separate research on the Lazarus “Contagious Interview” campaign (fake job interviews and AnyDesk RAT backdoors) is unrelated to the Iranian-focused activity described here.
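As an added example (not Plone's code, not GitHub's detection logic, and not taken from any of the reports summarized here), the following scanner flags the kind of whitespace-obfuscated JavaScript described in the Plone incident. It assumes one common form of the trick: an ordinary-looking statement, then a long run of whitespace, then the real payload far to the right of what a diff viewer shows. The thresholds, the sample file and the sample diff are constructed for this example.

```python
"""Flag whitespace-padded hidden code in JavaScript sources or diffs.

Added example, not code from Plone, GitHub or the reports above. Assumption:
the obfuscation hides a payload after a long run of whitespace on an
otherwise ordinary-looking line, so the payload is off-screen in a diff view.
Thresholds and sample inputs below are constructed for the example.
"""
import re
from dataclasses import dataclass

MIN_PAD = 200    # whitespace characters in a row before we call it padding (assumption)
MAX_LINE = 500   # longer than any reasonable hand-written JS line (assumption)

# A non-space, then >= MIN_PAD spaces/tabs/NBSP/ideographic spaces, then more code.
PAD_RE = re.compile(r"\S[ \t\u00a0\u3000]{%d,}\S" % MIN_PAD)
# eval()/Function() fed directly from a decoder: the classic staged-payload shape.
ENCODED_EXEC_RE = re.compile(
    r"\b(?:eval|Function)\s*\(\s*(?:atob|unescape|decodeURIComponent|String\.fromCharCode)\s*\("
)


@dataclass
class Finding:
    line_no: int   # file line for scan_js, diff line for scan_diff
    rule: str
    snippet: str


def _check_line(line_no: int, line: str) -> list[Finding]:
    out: list[Finding] = []
    m = PAD_RE.search(line)
    if m:
        # m.end() - 1 is the first character of whatever follows the padding.
        out.append(Finding(line_no, "padded-hidden-code", line[m.end() - 1:][:60]))
    if len(line) > MAX_LINE:
        out.append(Finding(line_no, "overlong-line", f"{len(line)} chars"))
    m = ENCODED_EXEC_RE.search(line)
    if m:
        out.append(Finding(line_no, "encoded-exec", line[m.start():m.start() + 60]))
    return out


def scan_js(source: str) -> list[Finding]:
    """Scan a whole file."""
    findings: list[Finding] = []
    for n, line in enumerate(source.splitlines(), 1):
        findings.extend(_check_line(n, line))
    return findings


def scan_diff(diff_text: str) -> list[Finding]:
    """Scan only the lines a unified diff adds, for use on `git diff` output in CI."""
    findings: list[Finding] = []
    for n, line in enumerate(diff_text.splitlines(), 1):
        if line.startswith("+") and not line.startswith("+++"):
            findings.extend(_check_line(n, line[1:]))
    return findings


# Constructed sample: the base64 decodes to console.log(1), so nothing harmful.
PAYLOAD = "eval(atob('Y29uc29sZS5sb2coMSk='));"
SAMPLE_JS = "\n".join([
    "function init() {",
    "  return document.querySelector('#app');",
    "}",
    "var _0 = 1;" + " " * 600 + PAYLOAD,   # reads as a harmless one-liner in a narrow diff view
    "export default init;",
])
SAMPLE_DIFF = "\n".join([
    "--- a/static/app.js",
    "+++ b/static/app.js",
    "@@ -1,3 +1,4 @@",
    " function init() {",
    "+var _0 = 1;" + " " * 600 + PAYLOAD,
    "   return document.querySelector('#app');",
    " }",
])

if __name__ == "__main__":
    for f in scan_js(SAMPLE_JS):
        print(f"app.js:{f.line_no} [{f.rule}] {f.snippet}")
    for f in scan_diff(SAMPLE_DIFF):
        print(f"diff line {f.line_no} [{f.rule}] {f.snippet}")
```

Run `scan_diff` over `git diff` output in CI or a pre-receive hook. It complements rather than replaces the repository hardening Plone applied: branch protection that rejects force pushes (the `allow_force_pushes` setting in GitHub's branch-protection API) prevents history from being rewritten with a stolen token in the first place.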
Timeline
Feb 4, 2026
SafeBreach discloses updated Prince of Persia tooling and IoCs
On 2026-02-04, SafeBreach published updated research describing newer Tornado/Tonnerre variants with HTTP and Telegram-based C2, new DGA and blockchain-based domain deobfuscation methods, suspected WinRAR 1-day exploitation, and links to ZZ Stealer and StormKitty activity. The report also released infrastructure details, Telegram artifacts, malware hashes, and other indicators of compromise.
Feb 4, 2026
Research links TAMECAT espionage campaign to APT42
Reporting published on 2026-02-04 attributed a targeted cyber-espionage campaign against senior defense and government officials to Iran-aligned APT42. The campaign used the modular fileless PowerShell backdoor TAMECAT, delivered through long-term social engineering and malicious links, with technical details on its loader, modules, and C2 methods disclosed.
Feb 4, 2026
Plone detects and blocks supply-chain compromise attempt
Before any official release was made, Plone discovered that a threat actor had force-pushed obfuscated malicious JavaScript into five repositories using a compromised developer GitHub personal access token. Plone removed the code and hardened repository protections, including disabling risky Git operations such as force pushes.
Jan 27, 2026
Iran internet blackout ends and Infy resumes operations
On 2026-01-27, the nationwide blackout ended and the actor resumed activity using refreshed infrastructure. SafeBreach linked the operational pause and restart to the Iranian regime's network restrictions.
Jan 25, 2026
Infy prepares new C2 infrastructure before blackout ends
On 2026-01-25 and 2026-01-26, SafeBreach observed the group preparing and standing up new C2 servers. The timing correctly anticipated the end of the internet blackout and was cited as evidence supporting state sponsorship.
Jan 8, 2026
Iran internet shutdown disrupts Infy operations
Starting on 2026-01-08, the group's activity paused as Iran's nationwide internet shutdown began. SafeBreach said the actor stopped maintaining its command-and-control infrastructure during the blackout.
Dec 19, 2025
Prince of Persia rotates Telegram identities and C2 infrastructure
Beginning on 2025-12-19, SafeBreach observed the actor replacing Telegram identities, rotating C2 servers and domains, and operating multiple active variants of its Foudre and Tonnerre malware. The changes appeared to be a response to public exposure and were accompanied by new evasion measures.
Dec 1, 2025
SafeBreach publishes initial Prince of Persia research
In December 2025, SafeBreach published Part I of its research on the Iranian threat actor known as Prince of Persia/Infy. The publication was followed by rapid changes in the actor's infrastructure and tradecraft.
Related Stories

Iranian Threat Activity: RedKitten NGO Targeting and APT42 TAMECAT Credential Theft
Reporting describes two separate **Iran-linked espionage** efforts. HarfangLab detailed a campaign dubbed **RedKitten** targeting human-rights NGOs and individuals documenting abuses, using a lure delivered as a Farsi-named `7z` archive containing macro-enabled Excel (`.xlsm`) files. When victims enable the malicious VBA, it drops a C# implant (`AppVStreamingUX_Multi_User.dll`) via **AppDomainManager injection**; the operation uses **GitHub** and **Google Drive** for configuration/payload retrieval and **Telegram** for command-and-control, and researchers noted code characteristics consistent with **LLM-assisted** development. Separately, Pulsedive research (as summarized) attributed a PowerShell backdoor called **TAMECAT** to **APT42**, describing social-engineering via impersonated WhatsApp contacts and links abusing the `search-ms` URI handler, followed by VBScript-based staging and delivery mechanisms including WebDAV-hosted LNKs disguised as PDFs. TAMECAT was reported to steal credentials from **Microsoft Edge** and **Chrome**, establish persistence (e.g., logon scripts and registry run keys), and use multiple C2 channels (including **Telegram**, Discord, Firebase, and Cloudflare Workers). Other items in the set cover unrelated events: a supply-chain compromise of *eScan* antivirus update infrastructure distributing a backdoor, and Fortinet’s reporting on **Interlock** ransomware activity affecting primarily UK/US organizations (not Iran-linked).
1 month ago
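As an added example (not code from Pulsedive, F5 Labs or any vendor named on this page), the following detections cover the TAMECAT delivery chain and persistence summarized in the story above and in the timeline entry: `search-ms:` links that point Explorer at a remote share, `.lnk` files named like documents or opened from a WebDAV path, and Run-key or logon-script persistence written by a script host. The `crumb=location:` parameter and the `\\host@SSL\DavWWWRoot` path form are assumptions about how such lures are typically built, not details from the reports; all events are constructed for the example.

```python
"""Detections for a search-ms / WebDAV LNK delivery chain and script-host persistence.

Added example, not code from Pulsedive, F5 Labs or any vendor. Three checks
run over constructed events: (1) search-ms: links, whose crumb=location:
parameter (assumed lure form) points Explorer at a remote share; (2) .lnk
files named like documents or opened from a WebDAV path (\\host@SSL\DavWWWRoot,
also an assumption); (3) Run-key or UserInitMprLogonScript persistence
written by a script host.
"""
import re
from urllib.parse import unquote

SEARCH_MS_RE = re.compile(r"\bsearch-ms:", re.I)
CRUMB_RE = re.compile(r"crumb=location:([^&\s]+)", re.I)
# WebDAV mini-redirector paths look like \\host@SSL\DavWWWRoot\... (assumption).
WEBDAV_PATH_RE = re.compile(r"\\\\[^\\]+@SSL|\bDavWWWRoot\b", re.I)
DISGUISED_LNK_RE = re.compile(r"\.(?:pdf|docx?|xlsx?)\.lnk$", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
LOGON_SCRIPT_RE = re.compile(r"\\Environment\\UserInitMprLogonScript$", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}


def check_url(ev: dict):
    """Flag any search-ms: link and decode where its crumb sends Explorer."""
    value = ev["value"]
    if not SEARCH_MS_RE.search(value):
        return None
    m = CRUMB_RE.search(value)
    target = unquote(m.group(1)) if m else "(no crumb)"
    return ("search-ms-link", f"user={ev.get('user', '?')} location={target}")


def check_file(ev: dict):
    """Flag LNKs with a document-style double extension or served from WebDAV."""
    path = ev["path"]
    name = path.rsplit("\\", 1)[-1]
    remote = bool(WEBDAV_PATH_RE.search(path))
    disguised = bool(DISGUISED_LNK_RE.search(name))
    if disguised or (remote and name.lower().endswith(".lnk")):
        return ("disguised-or-remote-lnk", f"path={path} remote={remote} disguised={disguised}")
    return None


def check_registry(ev: dict):
    """Flag logon-script persistence by anyone, Run-key persistence by script hosts."""
    key = ev["key"]
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    if LOGON_SCRIPT_RE.search(key):
        return ("logon-script-persistence", f"image={image} key={key} value={ev['value']}")
    if RUN_KEY_RE.search(key) and image in SCRIPT_HOSTS:
        return ("run-key-from-script-host", f"image={image} key={key} value={ev['value']}")
    return None


def detect(events: list) -> list:
    handlers = {"url": check_url, "file": check_file, "registry": check_registry}
    hits = []
    for ev in events:
        handler = handlers.get(ev["type"])
        result = handler(ev) if handler else None
        if result:
            hits.append(result)
    return hits


# Constructed events (proxy/URL log, file-access log, registry-write log); none are real.
SAMPLE_EVENTS = [
    {"type": "url", "user": "j.doe", "value": "https://example.org/report.pdf"},
    {"type": "url", "user": "j.doe",
     "value": "search-ms:query=Meeting%20agenda&crumb=location:%5C%5Cfiles.example.net@SSL"
              "%5CDavWWWRoot%5Cshare&displayname=Downloads"},
    {"type": "file", "image": "C:\\Windows\\explorer.exe",
     "path": "\\\\files.example.net@SSL\\DavWWWRoot\\share\\Agenda.pdf.lnk"},
    {"type": "file", "image": "C:\\Program Files\\Acrobat\\Acrobat.exe",
     "path": "C:\\Users\\j.doe\\Downloads\\Agenda.pdf"},
    {"type": "registry", "image": "C:\\Windows\\System32\\wscript.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "value": "wscript.exe C:\\Users\\j.doe\\AppData\\Roaming\\u.vbs"},
    {"type": "registry", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "key": "HKCU\\Environment\\UserInitMprLogonScript",
     "value": "C:\\Users\\j.doe\\AppData\\Roaming\\l.bat"},
    {"type": "registry", "image": "C:\\Program Files\\Vendor\\setup.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Vendor",
     "value": "C:\\Program Files\\Vendor\\agent.exe"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The Run-key rule is deliberately narrow (script hosts only) so that ordinary installers do not alert; the logon-script rule fires for any writer because that value is almost never set legitimately on a workstation. Pair these with blocking the `search-ms:` handler at the mail and web gateway where the business case allows.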
Iran-Linked Cyber Activity Escalates Amid Middle East Conflict
Iran-nexus cyber activity intensified alongside regional military escalation, with multiple reporting streams describing both opportunistic and targeted operations. Check Point Research observed a coordinated campaign to compromise internet-connected **IP cameras** across Israel, the UAE, Qatar, Bahrain, Kuwait, Lebanon, and Cyprus, with spikes in exploitation attempts aligning to geopolitical events; activity was traced to infrastructure linked to Iran-nexus actors using commercial VPN exit nodes (e.g., *Mullvad*, *ProtonVPN*, *Surfshark*, *NordVPN*) and VPS infrastructure to mask origin, and the most targeted vendors were **Hikvision** and **Dahua**. Separately, Symantec reported **Seedworm** (*MuddyWater/Temp Zagros/Static Kitten*) activity on multiple U.S. and Canadian organizations beginning in February 2026, including a U.S. bank, airport, non-profit, and the Israeli operations of a U.S. software supplier to defense/aerospace; Symantec identified a previously unknown backdoor dubbed **Dindoor** (leveraging the *Deno* runtime) and a Python backdoor **Fakeset**, with malware signed using certificates issued to “**Amy Cherne**” (and in some cases “**Donald Gay**”), and noted attempted data exfiltration using **Rclone** to a *Wasabi* cloud storage bucket. Additional coverage indicates broader pro-Iranian cyber activity but is less specific to the above intrusions. ASEC’s weekly “Ransom & Dark Web Issues” roundup flags **pro-Iranian/pro-Islamist hacktivist** attacks against Middle Eastern and pro-Western targets, but provides limited technical detail in the excerpt. 
A podcast episode describing “Iran’s 12 days of cyber war” and global OT targeting (including *Unitronics* PLCs) is largely commentary and retrospective framing rather than a discrete, verifiable incident report, and two other items in the set (a Russia-linked **APT28** phishing/malware campaign in Ukraine and a China-nexus **UAT-9244** telecom intrusion set in South America) describe unrelated threat activity outside the Iran-focused escalation.
1 month ago
Multiple APT and malware campaigns abusing phishing, cloud services, and signed binaries
Reporting across multiple research teams described a surge of distinct, ongoing intrusion campaigns rather than a single unified incident. **Check Point** reported on **Silver Dragon**, a Chinese-aligned activity cluster assessed as operating under the broader **APT41** umbrella, targeting organizations in **Southeast Asia and Europe** (notably government) via exploitation of public-facing servers and phishing, then deploying **Cobalt Strike**, **DNS tunneling**, and a new Google Drive–based backdoor (**GearDoor**) alongside custom tools (**SSHcmd** and **SliverScreen**) for remote access and screen capture. **Microsoft** detailed separate February 2026 phishing campaigns by an unknown actor that used meeting/invoice-style lures and **EV code-signed** malware (certificate issued to **TrustConnect Software PTY LTD**) masquerading as common workplace apps (e.g., `msteams.exe`, `adobereader.exe`, `zoomworkspace.clientsetup.exe`) to install legitimate **RMM** tooling (**ScreenConnect**, **Tactical RMM**, **Mesh Agent**) for persistent access and lateral movement. Other reporting highlighted additional, unrelated campaigns and tradecraft: **ClearSky** described a Russian-aligned operation targeting **Ukraine** using a phishing-delivered ZIP/HTA chain that drops a .NET loader (**BadPaw**) and backdoor (**MeowMeow**) with **.NET Reactor** obfuscation, parameter-gated execution, and sandbox/tooling checks (with low-confidence linkage to **APT28**). **Cofense**-reported activity (via SC Media) showed phishing that weaponizes **Windows File Explorer + WebDAV** using URL/LNK shortcuts to pull payloads (notably **AsyncRAT**, **XWorm**, **DcRAT**) and infrastructure including **Cloudflare Tunnel** domains hosting WebDAV servers. 
**Cisco Talos**-reported **Dohdoor** activity (UAT-10027) targeted US **education and healthcare**, using PowerShell→batch→DLL sideloading via legitimate executables (e.g., `Fondue.exe`, `mblctr.exe`, `ScreenClippingHost.exe`) and **DNS-over-HTTPS** to Cloudflare for C2 discovery and tunneling. Separately, **Zscaler** reported **ScarCruft**’s *Ruby Jumper* campaign using **Zoho WorkDrive** for C2 and removable media components to reach air-gapped systems, while another Zscaler report analyzed **Dust Specter** targeting Iraqi government officials with password-protected RAR delivery and modular implants. **Qianxin XLab** assessed sanctioned infrastructure provider **Funnull** resurfacing to support scam/criminal supply chains and potential **MacCMS**-related supply-chain activity, and **F5 Labs** summarized **APT42**’s **TAMECAT** PowerShell backdoor focused on Edge/Chrome credential theft with C2 over Telegram/Discord/HTTPS and specific file/hash indicators. (A separate Help Net Security item on a Microsoft Defender onboarding tool is product/administrative news and not part of the threat-campaign reporting.)
1 month ago