Prince of Persia ran a covert Iranian spy campaign for over a decade

For nearly two decades, an Iran-backed hacking group, once thought to have faded away, has quietly evolved, research reveals.
The Iran-backed hacking group, known as Prince of Persia, has quietly operated since 2007, targeting governments, critical infrastructure, and dissidents of the Iranian regime.
According to new research by cybersecurity firm SafeBreach Labs, the threat actor has been using increasingly sophisticated malware to attack victims globally.
The findings, published in December 2025, bring new evidence showing that the group had not vanished, as was widely assumed.
Instead, the evidence suggests it stayed active and dramatically expanded its toolkit and operational reach during several years without public detection.
Presence for more than a decade
Researchers trace Prince of Persia back to at least 2007, with evidence showing early operations that targeted Iranian networks and European institutions.
The group first came to worldwide attention when Palo Alto Networks’ threat intelligence team, Unit 42, uncovered its activity in the mid-2010s. Around that time, the group was involved in “Operation Mermaid,” a campaign targeting Danish diplomats.
After the report was released, Unit 42 carried out a takedown operation that gave researchers deeper insight into who was being targeted. The evidence collected reinforced the group’s ties to Iran.
Most of the victims were located inside Iran or were Iranian dissidents abroad, and there were no signs of financial motives behind the activity. The operation ultimately cut Prince of Persia off from nearly all of its victims, effectively disrupting the campaign.
Prior to the latest SafeBreach analysis, Prince of Persia appeared to have vanished from the public eye after 2022, with no new activity publicly documented. However, rather than going dormant, the group quietly refined its methods, SafeBreach says.
“The scale of Prince of Persia’s activity is more significant than we originally anticipated. Our research identified multiple campaigns that used a large number of malware variants and C2 servers,” wrote Tomer Bar, VP of security research at SafeBreach.
New malware variants detected
The research uncovered and analyzed multiple variants of the Foudre and Tonnerre malware families. The findings include new versions with more advanced domain generation algorithms (DGAs). A DGA derives the C2 domain names to contact from an algorithm and a seed shared with the operator rather than from a fixed, hard-coded list, so blocking or seizing any single domain does not sever control; the newer versions rely on this to evade detection and stay resilient against takedown efforts.
One variant, Tonnerre v50, was actively communicating with command-and-control (C2) servers as recently as September 2025.
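Because a DGA client rotates through algorithmically generated hostnames, the practical defensive handle is usually the DNS log rather than a domain blocklist. The following Python is an added example written for this page; it is not SafeBreach's research code and the `toy_dga` generator is a generic, hypothetical date-seeded DGA, not the Foudre/Tonnerre algorithm. The log lines and hostnames are constructed. It scores each queried registrable label on character entropy, consonant runs and digit density, the three cheap heuristics that separate machine-generated labels from dictionary-like ones.

```python
"""Flag DGA-like hostnames in DNS query logs (added example; constructed data)."""
import hashlib
import math
import re
from collections import Counter

CONSONANTS = set("bcdfghjklmnpqrstvwxz")
QUERY_RE = re.compile(r"query=([A-Za-z0-9.-]+)")

# Constructed, hypothetical log format: timestamp, client, queried name, record type.
SAMPLE_LOG = [
    "2025-09-14T10:22:31Z client=10.0.0.5 query=login.microsoft.com type=A",
    "2025-09-14T10:22:33Z client=10.0.0.5 query=example.com type=A",
    "2025-09-14T10:22:40Z client=10.0.0.7 query=xkqzvbtrwmplnsdf.com type=A",
    "2025-09-14T10:22:41Z client=10.0.0.7 query=cdn.a1b2c3d4e5f6g7h8.net type=A",
    "2025-09-14T10:23:02Z client=10.0.0.9 query=mail.google.com type=A",
]


def toy_dga(seed: str, count: int = 5, tld: str = ".com") -> list[str]:
    """Generic date-seeded DGA for demonstration only (NOT the real malware's algorithm).

    Client and operator share the seed (here a date string) and derive the same
    candidate domains, so no fixed domain list exists to block.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{i}".encode()).hexdigest()
        # Map 16 byte-pairs of the digest onto lowercase letters.
        label = "".join(chr(ord("a") + int(digest[j:j + 2], 16) % 26) for j in range(0, 32, 2))
        domains.append(label + tld)
    return domains


def shannon_entropy(s: str) -> float:
    """Bits per character; random 16-letter labels sit well above English words."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s: str) -> int:
    best = run = 0
    for ch in s:
        run = run + 1 if ch in CONSONANTS else 0
        best = max(best, run)
    return best


def classify(host: str) -> dict:
    """Score the registrable label (second-level domain) of a queried hostname."""
    labels = host.lower().rstrip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    ent = shannon_entropy(sld)
    run = longest_consonant_run(sld)
    digit_ratio = sum(ch.isdigit() for ch in sld) / max(len(sld), 1)
    reasons = []
    if len(sld) >= 12 and ent >= 3.2:       # long and close to uniformly random
        reasons.append("high-entropy")
    if run >= 5:                             # pronounceable words rarely do this
        reasons.append("consonant-run")
    if digit_ratio > 0.3:                    # hex/numeric labels
        reasons.append("digit-heavy")
    return {
        "host": host, "sld": sld, "entropy": round(ent, 2),
        "consonant_run": run, "digit_ratio": round(digit_ratio, 2),
        "suspicious": bool(reasons), "reasons": reasons,
    }


def scan_log(lines: list[str]) -> list[dict]:
    """Return verdicts for every suspicious query found in the log lines."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            verdict = classify(m.group(1))
            if verdict["suspicious"]:
                hits.append(verdict)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    # The toy DGA's output should trip the same heuristics.
    for d in toy_dga("2025-09-14"):
        print(d, classify(d)["reasons"])
```

The `cdn.a1b2c3d4e5f6g7h8.net` line is deliberate: CDN and telemetry hostnames look machine-generated too, so a label score alone is a triage signal, not a verdict. In practice, pair it with the per-client query rate and NXDOMAIN ratio, since a DGA client typically burns through many unregistered candidates before it finds the one the operator actually registered.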
SafeBreach researchers discovered that newer Tonnerre variants redirect communications to a Telegram channel and bot. The channel is controlled by an individual using the Persian username @ehsan8999100.
This suggests that Prince of Persia is experimenting with widely used messaging platforms to manage infected machines and exfiltrate stolen data.
The channel’s name in Persian, سرافراز (pronounced sarafraz), translates roughly to “proudly,” a possible nod to ideological or cultural signaling by the group’s operators.
SafeBreach also identified other malware families associated with the campaign:
- MaxPinner, designed to spy on Telegram content
- Amaq News Finder and Deep Freeze, which are likely used to deliver and deploy primary malware
- Rugissement, a previously unknown family that may have been active in earlier phases of operations
“Most of the C2 servers we found in the last two years appear to be used for testing purposes by the threat actor, with a limited number of real victims,” the researcher said.
Even so, the researchers believe that sharing information about the testing C2 servers they discovered will help other security researchers find additional “production” C2 servers.
Prince of Persia is a global threat
The SafeBreach report highlights that Prince of Persia is “still active, relevant, and dangerous.”
The research team was able to download files exfiltrated from actual victims across multiple continents, demonstrating that the group’s reach extends beyond Iran.
Historical data suggests that the group has targeted victims in Europe, Iraq, Turkey, India, and Canada over the years. “By sharing our research publicly, we hope to help other cybersecurity professionals better understand the associated risks and IOCs of this group, as well as support additional research within the larger cybersecurity community,” the researchers said.