
The revival demonstrates that even seemingly dormant nation‑state actors can maintain advanced, stealthy espionage capabilities, forcing organizations worldwide to reassess threat models for Iranian cyber activity.
The re‑emergence of Prince of Persia underscores a rare continuity in cyber‑espionage: an Iranian APT that has operated for nearly two decades and, after a period of silence, has resurfaced with updated tooling. While newer groups like OilRig dominate headlines, this older actor's persistence shows how nation‑state operators can embed themselves deeply in target environments and sustain long‑term intelligence collection on political opponents and diaspora communities. Its longevity also highlights the problem security teams face when a threat's infrastructure evolves faster than their detection capabilities.
Technically, Prince of Persia distinguishes itself through a layered malware stack. The lightweight Foudre gathers system data and decides whether to self‑destruct, while the heavier Tonnerre conducts full‑scale exfiltration. Both tools hide their command‑and‑control (C2) channels behind a domain‑generation algorithm that produces hundreds of candidate domains a week, and the implant only trusts a generated domain whose RSA signature verifies; signature‑gated DGA domains are a technique rarely seen in malware. Additionally, Tonnerre can pull Telegram API keys on the fly, allowing operators to issue commands from private groups without leaving static keys in the binary for analysts to extract. This combination of cryptographic gating and dynamic C2 defeats traditional sinkholing: a defender who registers a predicted domain cannot produce a valid signature for it, so the implant simply skips the sinkhole and moves on to the next candidate.
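To make the sinkholing argument concrete, here is an added Python example that simulates a signature‑gated DGA of the kind described above. It is illustrative code written for this article, not the Foudre or Tonnerre implementation: the key size, the date‑to‑seed derivation, the candidate count, the TLD list and the "registered domains" dictionary standing in for DNS are all assumptions. The operator signs the one candidate it actually registers; the implant regenerates the week's candidates, looks each one up, and accepts a C2 only if the published signature verifies under the public key baked into the implant. A sinkholed candidate with no valid signature is rejected.

```python
"""Signed domain-generation algorithm (added example, not malware source).

Operator side: derive candidate domains from the current ISO week, sign the
one that will be registered, publish the signature alongside it.
Implant side: regenerate the same candidates, fetch each published signature,
and talk only to a domain whose signature verifies under the embedded key.
"""
import datetime
import hashlib

# Toy RSA key built from two Mersenne primes so the example runs without
# third-party libraries. ~150-bit modulus: an assumption for illustration,
# far too small for real use.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_KEY = (N, E)    # embedded in the implant
PRIVATE_KEY = (N, D)   # held only by the operator

TLDS = ("net", "com", "org", "info")   # assumed TLD rotation


def week_seed(day: datetime.date) -> bytes:
    """Seed changes once per ISO week, so every bot derives the same list."""
    iso_year, iso_week, _ = day.isocalendar()
    return f"{iso_year}-{iso_week}".encode()


def generate_domains(day: datetime.date, count: int = 8) -> list[str]:
    """Deterministic candidate domains for the week containing `day`."""
    seed = week_seed(day)
    domains = []
    for i in range(count):
        label = hashlib.sha256(seed + bytes([i])).hexdigest()[:12]
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def _digest_int(domain: str) -> int:
    # 128-bit digest keeps the message below the toy modulus.
    return int.from_bytes(hashlib.sha256(domain.encode()).digest()[:16], "big")


def sign_domain(domain: str, private_key=PRIVATE_KEY) -> int:
    """Operator: textbook RSA signature over the domain digest."""
    n, d = private_key
    return pow(_digest_int(domain), d, n)


def verify_domain(domain: str, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Implant: accept the domain only if the signature opens to its digest."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(domain)


def select_c2(day: datetime.date, registered: dict, public_key=PUBLIC_KEY):
    """Implant: first candidate that is registered AND carries a valid signature.

    `registered` maps domain -> published signature; it stands in for the
    DNS/HTTP lookup a real implant would perform (constructed for the example).
    """
    for domain in generate_domains(day):
        sig = registered.get(domain)
        if sig is not None and verify_domain(domain, sig, public_key):
            return domain
    return None


def demo() -> bool:
    """Operator registers candidate #3; a defender sinkholes candidate #0."""
    day = datetime.date(2025, 6, 2)          # constructed date
    candidates = generate_domains(day)
    live = candidates[3]
    registered = {live: sign_domain(live)}   # operator has the private key
    registered[candidates[0]] = 12345        # sinkhole: no valid signature
    return select_c2(day, registered) == live


if __name__ == "__main__":
    print("implant ignored the sinkhole:", demo())
```

The point to take from the simulation is operational rather than cryptographic: predicting the DGA output lets a defender see and block the candidate domains, but without the private key it cannot redirect the implant, so the realistic options are egress blocking and detection, not takeover.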
The broader implication for defenders is clear: state‑backed actors will continue to invest in resilient, hard‑to‑disrupt infrastructure, especially when supported by national telecom entities. Organizations with employees or customers in the affected regions should prioritize threat‑intel sharing, monitor for anomalous Excel‑based payloads, and alert on DGA‑style DNS activity and on Telegram API traffic from hosts that have no business reason to generate it. As Iran's cyber capabilities mature, the industry can expect more sophisticated, low‑profile campaigns that blend classic espionage with modern stealth tactics, demanding a shift from signature‑based detection to behavior‑centric monitoring.