
Infy

aka: Operation Mermaid, Prince of Persia, Foudre

Infy is a group of suspected Iranian origin. Since early 2013, we have observed activity from a unique threat actor group, which we began to investigate based on increased activity against human rights activists at the beginning of 2015. In line with other research on the campaign, released prior to publication of this document, we have adopted the name “Infy”, which is based on labels used in the infrastructure and its two families of malware agents. Thanks to information we have been able to collect during the course of our research, such as characteristics of the group’s malware and development cycle, our research strongly supports the claim that the Infy group is of Iranian origin and potentially connected to the Iranian state. Against a backdrop of other incidents, Infy became one of the most frequently observed agents in attempted malware attacks against Iranian civil society beginning in late 2014, growing in use up to the February 2016 parliamentary election in Iran. After the conclusion of the parliamentary election, the rate of attempted intrusions and new compromises through the Infy agent slowed, but did not end. The trends witnessed in reports from recipients are reinforced by telemetry provided by design failures in more recent versions of the Infy malware.


Associated Families
win.tonnerre

References
2021-02-18 | Bitdefender | Gheorghe Adrian Schipor, Rickey Gevers, Cristina Vatamanu
@techreport{schipor:20210218:iranian:a6516fb, author = {Gheorghe Adrian Schipor and Rickey Gevers and Cristina Vatamanu}, title = {{Iranian APT Makes a Comeback with “Thunder and Lightning” Backdoor and Espionage Combo}}, date = {2021-02-18}, institution = {Bitdefender}, url = {https://download.bitdefender.com/resources/files/News/CaseStudies/study/393/Bitdefender-Whitepaper-Iranian-APT-Makes-a-Comeback-with-Thunder-and-Lightning-Backdoor-and-Espionage-Combo.pdf}, language = {English}, urldate = {2021-02-20} }
Infy Tonnerre
2021-02-08 | Checkpoint | Safebreach Labs, Checkpoint Research
@online{labs:20210208:after:3e97412, author = {Safebreach Labs and Checkpoint Research}, title = {{After Lightning Comes Thunder}}, date = {2021-02-08}, organization = {Checkpoint}, url = {https://research.checkpoint.com/2021/after-lightning-comes-thunder/}, language = {English}, urldate = {2021-02-09} }
Infy Tonnerre
2019 | Council on Foreign Relations | Cyber Operations Tracker
@online{tracker:2019:prince:35ef95a, author = {Cyber Operations Tracker}, title = {{Prince of Persia}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/prince-persia}, language = {English}, urldate = {2019-12-20} }
Infy
2018-08-17 | Intezer | Jay Rosenberg
@online{rosenberg:20180817:prince:d4d3b9c, author = {Jay Rosenberg}, title = {{Prince of Persia: The Sands of Foudre}}, date = {2018-08-17}, organization = {Intezer}, url = {https://www.intezer.com/prince-of-persia-the-sands-of-foudre/}, language = {English}, urldate = {2020-01-13} }
Infy Infy
2017-08-01 | Palo Alto Networks Unit 42 | Tomer Bar, Simon Conant
@online{bar:20170801:prince:db6038a, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia – Ride the Lightning: Infy returns as “Foudre”}}, date = {2017-08-01}, organization = {Palo Alto Networks Unit 42}, url = {https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/}, language = {English}, urldate = {2019-12-20} }
Infy Infy
2017-08-01 | Palo Alto Networks Unit 42 | Tomer Bar, Simon Conant
@online{bar:20170801:prince:e7d5542, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia – Ride the Lightning: Infy returns as “Foudre”}}, date = {2017-08-01}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/}, language = {English}, urldate = {2020-01-08} }
Infy
2016-08-04 | Iran Threats | Iran Threats
@online{threats:20160804:iran:2d6ed07, author = {Iran Threats}, title = {{Iran Threats Webpage}}, date = {2016-08-04}, organization = {Iran Threats}, url = {https://iranthreats.github.io/}, language = {English}, urldate = {2020-01-13} }
Infy Sima
2016-08 | Black Hat | Claudio Guarnieri, Collin Anderson
@techreport{guarnieri:201608:iran:d15568e, author = {Claudio Guarnieri and Collin Anderson}, title = {{Iran and the Soft War for Internet Dominance}}, date = {2016-08}, institution = {Black Hat}, url = {https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf}, language = {English}, urldate = {2019-11-26} }
Infy Sima
2016-06-28 | Palo Alto Networks Unit 42 | Tomer Bar, Lior Efraim, Simon Conant
@online{bar:20160628:prince:b1d2cdd, author = {Tomer Bar and Lior Efraim and Simon Conant}, title = {{Prince of Persia – Game Over}}, date = {2016-06-28}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/}, language = {English}, urldate = {2019-10-28} }
Infy Infy
2016-05-31 | Freebuf | 360
@online{360:20160531:operation:406d937, author = {360}, title = {{Operation Mermaid: 6 years of overseas targeted attacks revealed}}, date = {2016-05-31}, organization = {Freebuf}, url = {https://www.freebuf.com/articles/network/105726.html}, language = {Chinese}, urldate = {2021-03-04} }
Infy
2016-05-02 | Palo Alto Networks Unit 42 | Tomer Bar, Simon Conant
@online{bar:20160502:prince:cfd5940, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia: Infy Malware Active In Decade of Targeted Attacks}}, date = {2016-05-02}, organization = {Palo Alto Networks Unit 42}, url = {http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/}, language = {English}, urldate = {2020-04-06} }
Infy Infy
2016-05-02 | Palo Alto Networks Unit 42 | Tomer Bar, Simon Conant
@online{bar:20160502:prince:7769673, author = {Tomer Bar and Simon Conant}, title = {{Prince of Persia: Infy Malware Active In Decade of Targeted Attacks}}, date = {2016-05-02}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/}, language = {English}, urldate = {2020-01-06} }
Infy

Credits: MISP Project