
Iranian APT Group Prince of Persia Resurfaces with New Malware and Telegram Bots
The Iranian state-sponsored APT group known as Prince of Persia (or Infy) has resurfaced, according to a report by cybersecurity firm SafeBreach. This group has been observed employing new tactics, including the use of Telegram bots and custom malware named Thunder and Lightning to target victims in Europe, India, and Canada. While the report does not specify exact dates of the campaign's resurgence or provide details on concrete impacts such as data exfiltration or operational disruption, the evolution in tools and methods signifies a notable shift in the group's operational capabilities.
Technically, the use of Telegram bots for command and control (C2) is a growing trend among APT groups. Telegram's widespread use and encrypted transport make it an attractive platform for threat actors seeking to blend in with legitimate traffic and evade detection. The deployment of custom malware such as Thunder and Lightning suggests that Prince of Persia is enhancing its toolset, potentially to improve persistence, evasion, or data collection capabilities. However, the specific functionality of these malware families is not detailed in the report.
The geographical spread of targets, spanning Europe, India, and Canada, indicates a broad strategic interest, likely aligned with Iran's geopolitical objectives. For cybersecurity professionals, this development underscores the importance of monitoring for anomalous activity on platforms like Telegram and employing behavioral analysis to detect custom malware that may evade traditional signature-based defenses.
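One concrete form of the monitoring recommended above is a proxy-log heuristic for the Telegram Bot API polling pattern (a host repeatedly calling getUpdates and then posting results). This is an added example, not material from the SafeBreach report; the log line format, the sample lines and the bot token are constructed placeholders.

```python
import re
from collections import defaultdict

# Telegram Bot API requests look like https://api.telegram.org/bot<token>/<method>,
# where the token is "<bot id>:<secret>". Ordinary Telegram clients do not use this path,
# so Bot API traffic from an endpoint that is not a known bot host is worth a look.
BOT_API_RE = re.compile(r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")

# Methods that together fit a polling C2 pattern: fetch tasking, post output or files.
RESULT_METHODS = {"sendMessage", "sendDocument"}

# Constructed sample proxy log lines (hypothetical format): "<src-ip> <user-agent> <url>".
# The bot token below is a placeholder, not a real credential.
SAMPLE_LOG = """\
10.0.0.5 Mozilla/5.0 https://web.telegram.org/a/
10.0.0.7 - https://api.telegram.org/bot123456789:AAFakeTokenPlaceholder/getUpdates?offset=1
10.0.0.7 - https://api.telegram.org/bot123456789:AAFakeTokenPlaceholder/getUpdates?offset=2
10.0.0.7 - https://api.telegram.org/bot123456789:AAFakeTokenPlaceholder/sendDocument
10.0.0.9 Mozilla/5.0 https://example.com/
"""


def parse_line(line):
    """Split one constructed log line into (src_ip, user_agent, url)."""
    src, ua, url = line.split(" ", 2)
    return src, ua, url


def find_bot_api_hosts(log_text, min_hits=2):
    """Return {src_ip: {"bot_id", "methods", "hits"}} for hosts calling the Bot API.
    Only the numeric bot id is kept; the secret half of the token is never stored or
    logged. Hosts below min_hits are dropped to suppress one-off noise."""
    hits = defaultdict(lambda: {"bot_id": None, "methods": set(), "hits": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, _ua, url = parse_line(line)
        m = BOT_API_RE.search(url)
        if not m:
            continue
        bot_id, _secret, method = m.groups()
        rec = hits[src]
        rec["bot_id"] = bot_id
        rec["methods"].add(method)
        rec["hits"] += 1
    return {src: rec for src, rec in hits.items() if rec["hits"] >= min_hits}


def c2_like(rec):
    """Heuristic: the host polls for tasking (getUpdates) and also sends something back."""
    return "getUpdates" in rec["methods"] and bool(rec["methods"] & RESULT_METHODS)
```

Tune min_hits and the method sets to your environment; legitimate internal bots should be allow-listed by source host and bot id rather than by suppressing the rule.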
The re-emergence of Prince of Persia with updated tools highlights the continuous evolution of state-sponsored threat groups. Organizations, particularly those in government, critical infrastructure, and strategic sectors, should prioritize threat intelligence sharing and adaptive defense strategies to mitigate risks associated with such advanced threats.