Overview
Infy is a state-sponsored advanced persistent threat (APT) group assessed to be of Iranian origin, with activity patterns and targeting that strongly suggest alignment with Iranian state interests. The group has been active since at least 2015, with its operations becoming publicly identifiable by 2016. Infy is also tracked under several alternative designations, including Prince of Persia, APT-C-07, and Operation Mermaid.

Since its emergence, Infy has demonstrated a clear focus on cyber espionage, particularly against human rights activists, dissident communities, and government-related entities. While its activity levels have fluctuated, the group has shown persistence, continued tooling development, and a sustained interest in Iranian civil society targets even after periods of reduced operational tempo.
Historical Context and Activity Timeline
Infy’s earliest known campaigns date back to 2015, when the group began targeting Iranian human rights activists using early iterations of its custom malware.

Activity intensified significantly in early 2016, coinciding with Iran’s February 2016 parliamentary elections. During this period, Infy conducted a concentrated set of operations aimed at surveillance, information theft, and monitoring of individuals perceived as politically sensitive or oppositional to the regime.
Following the 2016 elections, Infy’s observable activity declined but did not cease. Telemetry data and continued detection of infrastructure and malware variants indicate that the group maintained ongoing, low-volume attack attempts against Iranian civil society and related targets.
Geographic Origin and Targeting Scope

Infy is assessed to operate from Iran, within the broader Middle East and Africa (MEA) region.

However, its targeting scope is global. Confirmed or reported victim countries include:
- Azerbaijan
- Bahrain
- Canada
- China
- Denmark
- France
- Germany
- India
- Iran
- Iraq
- Israel
- Italy
- Netherlands
- Romania
- Russia
- Saudi Arabia
- Sweden
- Syria
- Turkey
- The United Kingdom
- The United States
The diversity of targeted countries suggests that Infy’s operations extend beyond pure domestic surveillance and include intelligence collection against foreign governments, international organizations, and diaspora communities.
Targeted Sectors
Infy’s operations primarily focus on:
- Government entities
- Law enforcement agencies (LEA)
- Civil society organizations
- Human rights activists and advocacy groups
This targeting profile reinforces the assessment that Infy’s mission centers on political surveillance and intelligence collection, rather than financial crime or disruptive cyber operations.
Malware Arsenal and Tooling Overview
Infy’s operations rely on a limited but purpose-built malware ecosystem, consisting of two primary malware families.

Despite the relatively small number of tools, the group has demonstrated iterative development, modular design, and increasing technical sophistication over time.
Malware Families Used by Infy
Infy (Reconnaissance Agent)
The Infy malware family is primarily used for initial reconnaissance and system profiling. Early versions exhibited design flaws that allowed researchers to track infections through telemetry data, contributing to the group’s exposure. Despite these shortcomings, the malware enabled the collection of host information and served as a foundation for subsequent tooling evolution.
Tonnerre (Backdoor and Surveillance Tool)
Tonnerre represents Infy’s more advanced and multifunctional malware family. It is a Delphi-based backdoor composed of five distinct forms, each responsible for a specific operational capability:
- Installation and upgrade mechanisms, enabling persistence and malware lifecycle management.
- File collection modules, targeting predefined directories for data harvesting.
- FTP-based communication, allowing command retrieval and data exfiltration.
- Removable media harvesting, enabling the collection of files from external storage devices.
- Audio recording functionality, using the lame command-line tool to capture sound for surveillance purposes.
Evolution of Tooling and Tradecraft
Over time, Infy’s tooling evolved from basic document-delivered implants into multi-stage malware frameworks incorporating:
- Custom loaders
- Domain Generation Algorithms (DGAs)
- Layered command-and-control (C2) architectures
- Adaptive data exfiltration mechanisms
This progression reflects a deliberate effort to enhance operational resilience, evade detection, and maintain persistent access to high-value targets.
More recent activity has prominently featured the Foudre malware family, particularly its later variants. Foudre is typically delivered via malicious Microsoft Excel documents containing embedded self-extracting executables. These lures are specifically designed to bypass traditional macro-based detection mechanisms and rely on user execution rather than automatic macro triggers.
Infection Chain and Command-and-Control Architecture
Once executed, Foudre initiates communication with attacker-controlled infrastructure using structured HTTP GET requests. These requests transmit detailed host metadata, including:
- Unique system identifiers
- Usernames
- Hostnames
- Internal malware versioning values
This information allows operators to inventory infected systems, assess victim relevance, and determine appropriate follow-on actions.
Foudre’s command-and-control infrastructure is notably organized. Distinct server-side directories are used for:
- Host validation
- Command retrieval
- Data exfiltration
In multiple observed cases, directory naming conventions suggest victim segmentation, including language-specific paths. This implies that infected systems are categorized based on geographic or linguistic attributes, indicating active human operator oversight rather than indiscriminate automation. Such a structure strongly supports the assessment that Infy’s campaigns are intelligence-driven, with selective targeting and tasking.
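One way a defender can hunt for the request pattern described above in proxy logs, as an added example that is not Cyble's code or Foudre's own protocol: the log lines, the server name and the query-parameter names (`id`, `user`, `host`, `v`) are constructed assumptions, since the profile does not give the real ones. The logic flags a client/server pair whose GET requests hit several distinct server-side directories and carry multiple host-identifying parameters.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (not real Infy traffic): client, method, URL.
SAMPLE_PROXY_LOG = """\
10.0.0.12 GET http://c2-example.invalid/check/in.php?id=A1B2C3&user=jdoe&host=WS-07&v=2
10.0.0.12 GET http://c2-example.invalid/cmd/get.php?id=A1B2C3&v=2
10.0.0.12 GET http://c2-example.invalid/up/put.php?id=A1B2C3&part=1
10.0.0.31 GET http://cdn.example.invalid/static/app.js?v=5
10.0.0.31 GET http://cdn.example.invalid/static/app.css?v=5
"""

# Query parameters treated as host metadata. These names are assumed for the
# example; the profile does not state the parameter names the malware uses.
HOST_METADATA_KEYS = {"id", "user", "host", "v"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def parse_line(line):
    """Split one log line into (client, method, server, top_dir, query_keys)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, method, url = m.groups()
    parts = urlsplit(url)
    path = parts.path.strip("/")
    top_dir = path.split("/")[0] if path else ""
    keys = set(parse_qs(parts.query).keys())
    return client, method, parts.hostname, top_dir, keys

def find_structured_beacons(log_text, min_dirs=2, min_meta_keys=3):
    """Return {(client, server): sorted top-level dirs} for pairs whose GETs
    touch several distinct directories and at least one request carries
    min_meta_keys or more host-identifying parameters."""
    dirs = defaultdict(set)
    meta_hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1] != "GET":
            continue
        client, _, server, top_dir, keys = rec
        dirs[(client, server)].add(top_dir)
        if len(keys & HOST_METADATA_KEYS) >= min_meta_keys:
            meta_hits[(client, server)] += 1
    return {pair: sorted(d) for pair, d in dirs.items()
            if len(d) >= min_dirs and meta_hits[pair] > 0}
```

Tune `min_dirs` and `HOST_METADATA_KEYS` to the organisation's own traffic; legitimate web apps also fan out over several paths, so treat a hit as a lead for analyst review rather than a verdict.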
Secondary Payload Deployment and Persistence
After establishing initial access via Foudre, Infy frequently deploys Tonnerre as a secondary payload to expand functionality and persistence. While Tonnerre shares architectural similarities with Foudre, it introduces its own domain generation logic and command-handling routines.
The use of DGAs allows the malware to dynamically generate large numbers of candidate domains for command-and-control communication. This capability complicates network-based blocking, enables rapid infrastructure rotation, and reduces reliance on static indicators. The generated domains are often short-lived and distributed across multiple hosting environments, further degrading the effectiveness of signature-based defenses.
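Because the generated domains are short-lived, blocking them by name is a losing game; a more durable defence is to spot the lookup pattern itself. The following is an added example, not code from Cyble or from the malware, using constructed DNS resolver log lines (the domains are invented, not Infy indicators): it scores each queried registrable label for length, character entropy and vowel ratio, and flags clients that accumulate several NXDOMAIN responses for such labels, which is what a host walking a DGA candidate list typically produces.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines (not real Infy domains): client, qname, rcode.
SAMPLE_DNS_LOG = """\
10.0.0.12 xq7zk3mfp9.net NXDOMAIN
10.0.0.12 hd2vq8ln0t.com NXDOMAIN
10.0.0.12 p3yw9kcrzm.org NXDOMAIN
10.0.0.12 t8bqx2vnlk.net NOERROR
10.0.0.12 www.example.invalid NOERROR
10.0.0.31 mail.example.invalid NOERROR
10.0.0.31 updates.example.invalid NXDOMAIN
"""

def shannon_entropy(s):
    """Bits of entropy per character over the string's own character distribution."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_label(qname):
    # Crude second-level label extraction; a public-suffix list is more precise.
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(label, min_len=8, min_entropy=3.0, max_vowel_ratio=0.35):
    """Heuristic: long label, high character entropy, few vowels (unlike words)."""
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio < max_vowel_ratio

def find_dga_clients(log_text, min_hits=3):
    """Return {client: [qnames]} for clients with min_hits or more NXDOMAIN
    answers to generated-looking names."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        client, qname, rcode = fields
        if rcode == "NXDOMAIN" and looks_generated(registrable_label(qname)):
            hits[client].append(qname)
    return {c: q for c, q in hits.items() if len(q) >= min_hits}
```

In production, window the counts by time and whitelist known CDN and telemetry domains, which also produce random-looking labels but resolve successfully.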
Command-and-Control Channels
Infy’s malware has leveraged multiple communication mechanisms over time, including web-based protocols and modern platforms such as Telegram for command-and-control. The use of widely adopted services enables the group to blend malicious traffic into normal network activity, reducing the likelihood of detection through conventional filtering.
Exfiltration is commonly conducted over existing C2 channels, with stolen data encoded into standard command-and-control communications rather than using separate data transfer mechanisms.
Infy’s Observed Tradecraft
Infy’s operations rely on a combination of stealthy and adaptive techniques. The group exploits built-in system functions to execute processes and carry out tasks while also using malicious documents or executables delivered through phishing to gain access.
They gather detailed information about systems and configurations to plan follow-on actions and exfiltrate sensitive data through established communication channels. To avoid detection, Infy blends its communications with normal web traffic and frequently changes the domains it uses to control compromised systems, making its operations difficult to block or disrupt.
Conclusion
Infy is a state-aligned espionage actor focused on political surveillance, using a small but precise malware toolkit, structured infrastructure, and evolving tradecraft to sustain deliberate campaigns against Iranian civil society and sensitive organizations. Cyble’s AI-powered monitoring highlights Infy as a persistent, technically advanced cyber threat, and organizations can strengthen their cyber resilience by leveraging Cyble’s real-time threat intelligence and dark web visibility.

Recommendation and Mitigation Strategies
- Enhance Phishing Defenses: Implement advanced email filtering, user awareness training, and simulated phishing exercises to reduce the risk of initial malware delivery.
- Monitor for Unusual System Behavior: Use endpoint detection tools to flag abnormal process execution, unauthorized data access, and unexpected network communications.
- Segment Critical Systems: Isolate sensitive assets and civil society-related systems from general networks to limit lateral movement in case of compromise.
- Track External Dependencies: Maintain visibility into third-party services, cloud platforms, and communication channels that could be exploited for command-and-control or data exfiltration.
- Deploy Threat Intelligence: Integrate real-time monitoring of malware campaigns, emerging threat actors, and dark web activity, leveraging AI-powered platforms like Cyble for proactive detection.
- Maintain Backup and Recovery Plans: Regularly test offline and secure backups, and document restoration sequencing to ensure business continuity in prolonged incidents.
- Enforce Multi-Factor Authentication and Identity Controls: Protect access to critical systems and cloud accounts to prevent attackers from leveraging stolen credentials.
MITRE ATT&CK Techniques Associated with Infy

- Native API Execution (T1106): Infy abuses built-in operating system interfaces to execute processes, interact with low-level system services, and carry out actions while blending into normal system activity and avoiding detection.
- Malicious File Execution (T1204.002): The group relies on social engineering to trick victims into opening malicious documents or executables, often delivered via phishing emails or placed where users are likely to interact with them.
- System Information Discovery (T1082): Infy collects detailed information about operating systems, hardware, and configurations to assess victim environments and tailor follow-on actions.
- Exfiltration Over Command-and-Control Channel (T1041): Stolen data is transmitted through existing command-and-control communications, allowing exfiltration to occur without establishing separate data transfer channels.
- Web-Based Command and Control (T1071.001): The group uses common web protocols to blend malicious communications with legitimate network traffic and evade network-based detection.
- Domain Generation Algorithms (T1568.002): Infy dynamically generates command-and-control domains to rotate infrastructure, evade blocking, and maintain resilient access to compromised systems.
Disclaimer: This profile is based on OSINT, Cyble research, and external sources. Cyble is not responsible for the accuracy of the data or any misuse of the information presented.