Iran's "Prince of Persia" APT Returns with Upgraded Malware, Uses Telegram for C2

Iranian APT "Prince of Persia" Re-emerges with New Variants of Tonnerre Backdoor Targeting Critical Infrastructure

Severity: HIGH
December 28, 2025
Categories: Threat Actor, Malware, Industrial Control Systems

Related Entities

Threat Actors: Prince of Persia

Other: Foudre, Tonnerre, SafeBreach, Iran

Full Report

Executive Summary

A December 2025 report from SafeBreach has detailed the resurgence of the Iranian state-sponsored advanced persistent threat (APT) group known as "Prince of Persia." After a period of apparent dormancy, the group is now conducting multiple campaigns using new and updated versions of its signature malware families, Foudre and Tonnerre. The research reveals a significant evolution in the group's tactics, techniques, and procedures (TTPs), most notably the use of the Telegram messaging platform for command and control (C2) communications. This, combined with the use of multiple Domain Generation Algorithms (DGAs), indicates a sophisticated and patient adversary that has re-tooled for a new wave of attacks, likely targeting critical infrastructure.


Threat Overview

  • Threat Actor: Prince of Persia (also tracked as Infy, after the group's earlier malware family; it is a separate group from APT33/Elfin).
  • Malware: New variants of the Tonnerre and Foudre backdoors.
  • Key TTPs:
    • Use of Telegram for C2, a shift from older FTP-based C2 channels.
    • Parallel use of multiple Domain Generation Algorithms (DGAs) for C2 resiliency.
    • Long-term re-tooling and maintaining access to victim networks.
  • Targets: Believed to be focused on critical infrastructure organizations globally.

Technical Analysis

The re-emergence of Prince of Persia showcases a clear evolution in their toolset, designed to improve stealth and operational security.

Malware Variants

SafeBreach identified at least three active variants of the Tonnerre malware:

  • Tonnerre v50: This variant is the most advanced, using an as-yet-unknown DGA. Critically, its C2 server was observed redirecting the malware to a Telegram group for C2.
  • Tonnerre v17: Uses a multi-stage DGA process for added complexity.
  • Tonnerre v12-16: Continues to use the group's original CRC32-based DGA.

C2 Evolution: Telegram Abuse

The use of Telegram for C2 (T1102 - Web Service) is a significant tactical shift. The exact sub-technique depends on how the channel is used: if the Telegram group only hands the malware the address of its real C2 server, this is a Dead Drop Resolver (T1102.001); if commands and stolen data flow through the Telegram API itself, it is Bidirectional Communication (T1102.002). Either way, by leveraging a legitimate, popular, and encrypted service, the attackers make their C2 traffic much harder to detect and block. The TLS sessions look like any other client talking to Telegram, and on general-purpose workstations security teams cannot simply block Telegram's domains or IPs without causing collateral damage (servers are a different matter, see Mitigation). The malware likely uses a Telegram bot and the Bot API to receive commands and exfiltrate stolen data, a far stealthier channel than the FTP protocol the group used previously.

DGA for Resiliency

The use of multiple, parallel DGAs (T1568.002 - DGA) demonstrates the group's focus on maintaining persistent access. If one C2 channel or DGA pattern is discovered and blocked, the malware can fall back to another, ensuring the attackers do not lose control of their compromised assets.
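The defensive counterpart to a DGA, as an added example that is not code from SafeBreach or a reconstruction of Tonnerre's real algorithm: once analysts have reversed a DGA, they can run it forward and sinkhole tomorrow's domains today. The toy algorithm below (date-seeded CRC32 stretched with an LCG, 12-letter labels, three TLDs, five candidates per day, two "generations" standing in for parallel DGA variants that the malware can fall back between) is entirely an assumption chosen to illustrate the approach; only the RPZ record format is real.

```python
"""Run a reversed DGA forward to pre-compute a sinkhole list.

Added example, not code from SafeBreach or a reconstruction of the real
Tonnerre algorithm: the seed layout, the CRC32/LCG mixing, the label
length, the TLD list and the two "generations" are all assumptions
chosen to illustrate the defensive use of a reversed DGA. Once the
algorithm is known, defenders generate every candidate domain for the
coming window, for every DGA generation the sample carries, and load the
union into a DNS RPZ zone before the malware rotates to it.
"""
import zlib
from datetime import date, timedelta

TLDS = ("com", "net", "org")       # assumption: toy scheme rotates over three TLDs
LABEL_LEN = 12                     # assumption: fixed-length second-level label
DOMAINS_PER_DAY = 5                # assumption: candidates tried per day per generation
START_DAY = date(2025, 12, 28)     # report publication date, used as the window start


def toy_crc32_dga(day: date, generation: int) -> list[str]:
    """Candidate domains for one day and one DGA generation (constructed).

    `generation` stands in for a DGA variant carried in the same binary:
    if every domain of generation 1 is sinkholed, the malware falls back
    to generation 2, so the blocklist has to cover both.
    """
    domains = []
    for i in range(DOMAINS_PER_DAY):
        seed = f"{day:%Y%m%d}|{generation}|{i}".encode()
        state = zlib.crc32(seed) & 0xFFFFFFFF
        label = ""
        for _ in range(LABEL_LEN):
            label += chr(ord("a") + state % 26)
            # LCG step stretches the 32-bit CRC into LABEL_LEN letters
            state = (state * 1103515245 + 12345) & 0xFFFFFFFF
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def sinkhole_list(start: date, days: int, generations=(1, 2)) -> set[str]:
    """Union of all candidate domains over `days` days and all generations."""
    out: set[str] = set()
    for offset in range(days):
        for gen in generations:
            out.update(toy_crc32_dga(start + timedelta(days=offset), gen))
    return out


def demo_window(days: int = 7) -> set[str]:
    """One week of candidates starting at the report date."""
    return sinkhole_list(START_DAY, days)


def to_rpz(domains: set[str]) -> str:
    """Render as RPZ records; `CNAME .` makes the resolver answer NXDOMAIN."""
    return "\n".join(f"{d} CNAME ." for d in sorted(domains))


if __name__ == "__main__":
    window = demo_window()
    print(f"{len(window)} domains to sinkhole for the coming week")
    print(to_rpz(window))
```

The point of the exercise is the union across generations: blocking only the variant you happened to observe leaves the fallback channel open, which is exactly what the parallel DGAs are designed to exploit.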

Impact Assessment

The impact of a successful compromise by Prince of Persia is high. As a state-sponsored APT, their goals are typically espionage, intellectual property theft, and potentially positioning for future disruptive or destructive attacks against critical infrastructure. The re-tooling and patient approach suggest a long-term strategic objective. Organizations in the energy, government, and telecommunications sectors should consider themselves at high risk.

Detection & Response

Detection Strategies:

  1. Network Traffic Analysis (D3-NTA): Monitor for and alert on any direct network connections to the Telegram API (api.telegram.org) from servers or workstations that have no business reason to use it. Note that api.telegram.org serves the Bot API; the official Telegram clients use their own MTProto transport to Telegram's data centres, so a server talking to that hostname is almost always a script or bot rather than a user chatting. This makes it a high-fidelity indicator of this type of C2.
  2. DNS Query Analysis: Analyze DNS logs for patterns indicative of DGA activity. This includes a high volume of queries to non-existent domains (NXDOMAIN responses) from a single host, or queries to domains with high entropy (random-looking characters).
  3. Endpoint Analysis: Use EDR tools to hunt for the presence of the Tonnerre or Foudre malware binaries and their associated persistence mechanisms on endpoints.
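The first two detection strategies run over constructed log lines, as an added example that is not part of the SafeBreach report. The log layout (whitespace-separated timestamp, source host, destination or query name, and for DNS the response code), the host names, the allowlist of systems with a business need for Telegram, and the thresholds are all assumptions to be tuned against a real baseline.

```python
"""Hunt for Telegram C2 and DGA-like DNS behaviour in constructed logs.

Added example, not part of the SafeBreach report. Both log excerpts are
constructed for this illustration, their field layout is an assumption,
and the thresholds are starting points to tune. The allowlist of hosts
with a business need for Telegram is hypothetical.
"""
import math
from collections import Counter, defaultdict

TELEGRAM_API_HOSTS = {"api.telegram.org"}
TELEGRAM_ALLOWLIST = {"ws-044"}  # hypothetical: a workstation with a documented need

# Constructed proxy/egress log: "<ts> <src_host> <dst_host>"
PROXY_LOG = """\
2025-12-28T09:00:01 ws-017 api.telegram.org
2025-12-28T09:00:05 ws-017 www.microsoft.com
2025-12-28T09:01:10 srv-db-02 api.telegram.org
2025-12-28T09:02:00 ws-044 api.telegram.org
"""

# Constructed DNS resolver log: "<ts> <src_host> <qname> <rcode>"
DNS_LOG = """\
2025-12-28T09:00:00 srv-db-02 time.windows.com NOERROR
2025-12-28T09:00:02 srv-db-02 qzkxvbnmtrwe.com NXDOMAIN
2025-12-28T09:00:02 srv-db-02 plmoknijbuhv.net NXDOMAIN
2025-12-28T09:00:03 srv-db-02 cvbnmlkjhgfd.org NXDOMAIN
2025-12-28T09:00:03 srv-db-02 zaqwsxcderfv.com NXDOMAIN
2025-12-28T09:00:04 srv-db-02 mnbvcxzlkjhg.net NXDOMAIN
2025-12-28T09:00:04 srv-db-02 wertyuiopasd.org NXDOMAIN
2025-12-28T09:05:00 ws-017 gogle.com NXDOMAIN
2025-12-28T09:05:30 ws-017 facebok.com NXDOMAIN
2025-12-28T09:06:00 ws-017 www.microsoft.com NOERROR
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; a label of 12 distinct letters scores log2(12), about 3.58."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def second_level_label(qname: str) -> str:
    """The label just left of the TLD, which is what a DGA randomises."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def telegram_from_unexpected_hosts(proxy_log: str, allowlist: set[str]) -> list[tuple[str, str]]:
    """Strategy 1: any Telegram API connection from a host outside the allowlist."""
    hits = []
    for line in proxy_log.splitlines():
        ts, src, dst = line.split()
        if dst.lower() in TELEGRAM_API_HOSTS and src not in allowlist:
            hits.append((ts, src))
    return hits


def dga_suspects(dns_log: str, nx_threshold: int = 5, entropy_threshold: float = 3.0) -> dict:
    """Strategy 2: hosts with an NXDOMAIN burst whose failed labels look random.

    NXDOMAIN volume alone flags typo-prone users; entropy alone flags CDN
    hostnames. Requiring both keeps the false-positive rate workable.
    """
    nx_labels: dict = defaultdict(list)
    for line in dns_log.splitlines():
        _ts, src, qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            nx_labels[src].append(second_level_label(qname))
    suspects = {}
    for src, labels in nx_labels.items():
        mean_entropy = sum(map(shannon_entropy, labels)) / len(labels)
        if len(labels) >= nx_threshold and mean_entropy >= entropy_threshold:
            suspects[src] = {"nxdomain": len(labels),
                             "mean_entropy": round(mean_entropy, 2),
                             "samples": labels[:3]}
    return suspects


if __name__ == "__main__":
    print("Telegram API from unexpected hosts:",
          telegram_from_unexpected_hosts(PROXY_LOG, TELEGRAM_ALLOWLIST))
    print("DGA suspects:", dga_suspects(DNS_LOG))
```

On the constructed data the database server is flagged by both heuristics, while the workstation that mistyped two domains is not, which is the behaviour you want before wiring this into a SIEM correlation rule.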

Response:

  • If Telegram C2 is detected from a server, isolate the host immediately, preserving memory and disk images before any remediation so the variant and its persistence can be analysed.
  • Block the identified C2 domains and Telegram API endpoints at the firewall/proxy.
  • Begin a full investigation to determine the initial access vector and scope of the compromise, remembering that the malware carries DGA fallback channels in addition to Telegram.

Mitigation

Strategic Recommendations:

  1. Restrict Web-Based Content (M1021): For corporate environments, especially on servers, create policies to block access to non-essential web services like Telegram, Discord, and others that are commonly abused for C2. This can be done at the web proxy or firewall layer.
  2. Network Intrusion Prevention (M1031): Deploy security tools that are capable of detecting and blocking DGA traffic based on algorithmic patterns, rather than just static domain lists.
  3. Execution Prevention (M1038): Use application control solutions to prevent unauthorized software, such as the Tonnerre backdoor, from executing on endpoints. This can prevent the malware from running even if it lands on a system.
  4. Threat Intelligence Integration: Actively consume and integrate threat intelligence feeds containing IOCs related to Prince of Persia and other relevant APTs into your security tools (SIEM, firewall, EDR).

Timeline of Events

December 28, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Restrict Web-Based Content (M1021): Block access to services like Telegram from servers and other critical assets that have no legitimate need to connect to them.
  • Network Intrusion Prevention (M1031): Implement DNS filtering and network intrusion prevention systems to detect and block traffic associated with DGAs.
  • Execution Prevention (M1038): Use application control to prevent unauthorized executables like the Tonnerre backdoor from running on endpoints.

D3FEND Defensive Countermeasures

To counter Prince of Persia's use of Telegram for C2, organizations must implement strict outbound traffic filtering. A default-deny egress policy should be applied to all servers, especially those in critical infrastructure environments. Any required outbound communication should be explicitly allowed to known, legitimate destinations. For workstations, a web proxy should be configured to block the 'Chat' and 'Social Networking' categories, which would include Telegram. Since Telegram traffic is encrypted, blocking it at the network layer is more effective than trying to inspect its content. This denies the Tonnerre malware its Telegram channel; because the malware also carries DGA-based channels, egress filtering must be paired with the DNS controls below rather than relied on alone.

To combat the group's use of DGAs, a proactive DNS defense is required. Organizations should subscribe to high-quality threat intelligence feeds that provide lists of known DGA domains associated with Prince of Persia and other threat actors. These feeds should be integrated into a DNS firewall or sinkhole solution, which will block any endpoint from resolving the malicious C2 domains generated by the Tonnerre malware. Where a DGA has been fully reversed, the candidate domains for upcoming days can be generated in advance and loaded before the malware rotates to them. Additionally, using DNS analytics to detect algorithmically generated domain patterns (NXDOMAIN bursts, high-entropy labels) can help identify and block domains from DGAs that have not yet been reversed, including the unknown one in Tonnerre v50.

In high-security environments like critical infrastructure, application allowlisting is a powerful defense. Instead of trying to block a near-infinite list of malicious files, allowlisting only permits known, authorized executables to run. This would prevent the Tonnerre and Foudre backdoors from executing, even if an attacker manages to drop them onto a system. Implementing allowlisting on critical servers and operator workstations creates a hardened environment that is highly resilient to novel malware.

Sources & References

  • "Iranian APT 'Prince of Persia' is back with three new malware strains", SC Magazine (scmagazine.com), December 28, 2025.
  • "Prince of Persia Returns: New Malware and C2 Infrastructure Uncovered", SafeBreach (safebreach.com), December 28, 2025.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Prince of Persia, APT, Iran, Threat Actor, Malware, Tonnerre, Telegram, DGA
