Infy (Malware Family)

Infy

aka: Foudre

VTCollection

There is no description at this point.

References

2026-02-04 ⋅ safebreach ⋅ Tomer Bar
Prince of Persia, Part II: Covering Tracks, Striking Back & a Revealing Link to the Iranian Regime Amid the Country’s Internet Blackout
Infy StormKittyRAT

2025-12-18 ⋅ safebreach ⋅ Tomer Bar
Prince of Persia: A decade of Iranian Nation State APT Campaign Activity
Infy Tonnerre

2021-02-18 ⋅ Bitdefender ⋅ Cristina Vatamanu, Gheorghe Adrian Schipor, Rickey Gevers
Iranian APT Makes a Comeback with “Thunder and Lightning” Backdoor and Espionage Combo
Infy Tonnerre

2021-02-08 ⋅ Checkpoint ⋅ Checkpoint Research, Safebreach Labs
After Lightning Comes Thunder
Infy Tonnerre

2020-11-03 ⋅ ⋅ Gcow-Sec ⋅ Shadow Chaser Group
美人鱼(Infy)APT组织的归来——使用最新的Foudre后门进行攻击活动的分析
Infy

2018-08-17 ⋅ Intezer ⋅ Jay Rosenberg
Prince of Persia: The Sands of Foudre
Infy Infy

2017-08-01 ⋅ Palo Alto Networks Unit 42 ⋅ Simon Conant, Tomer Bar
Prince of Persia – Ride the Lightning: Infy returns as “Foudre”
Infy Infy

2016-06-28 ⋅ Palo Alto Networks Unit 42 ⋅ Lior Efraim, Simon Conant, Tomer Bar
Prince of Persia – Game Over
Infy Infy

2016-05-02 ⋅ Palo Alto Networks Unit 42 ⋅ Simon Conant, Tomer Bar
Prince of Persia: Infy Malware Active In Decade of Targeted Attacks
Infy

2016-05-02 ⋅ Github (pan-unit42) ⋅ Josh Grunzweig
Prince of Persia Hashes
Infy

2016-05-02 ⋅ Palo Alto Networks Unit 42 ⋅ Simon Conant, Tomer Bar
Prince of Persia: Infy Malware Active In Decade of Targeted Attacks
Infy Infy

Yara Rules

[TLP:WHITE] win_infy_auto (20260504 \| Detects win.infy.) rule win_infy_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.infy." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. / strings: $sequence_0 = { 31c9 85d2 740a 66837af601 } // n = 4, score = 200 // 31c9 \| xor ecx, ecx // 85d2 \| test edx, edx // 740a \| je 0xc // 66837af601 \| cmp word ptr [edx - 0xa], 1 $sequence_1 = { c3 55 8bec 8b4508 2b450c 85c0 } // n = 6, score = 200 // c3 \| ret // 55 \| push ebp // 8bec \| mov ebp, esp // 8b4508 \| mov eax, dword ptr [ebp + 8] // 2b450c \| sub eax, dword ptr [ebp + 0xc] // 85c0 \| test eax, eax $sequence_2 = { 8945d4 807de300 7409 8b45e4 66833820 7304 } // n = 6, score = 200 // 8945d4 \| mov dword ptr [ebp - 0x2c], eax // 807de300 \| cmp byte ptr [ebp - 0x1d], 0 // 7409 \| je 0xb // 8b45e4 \| mov eax, dword ptr [ebp - 0x1c] // 66833820 \| cmp word ptr [eax], 0x20 // 7304 \| jae 6 $sequence_3 = { 8807 8d0492 8d1492 83f901 83dfff c1e817 } // n = 6, score = 200 // 8807 \| mov byte ptr [edi], al // 8d0492 \| lea eax, [edx + edx4] // 8d1492 \| lea edx, [edx + edx4] // 83f901 \| cmp ecx, 1 // 83dfff \| sbb edi, -1 // c1e817 \| shr eax, 0x17 $sequence_4 = { 7d04 33ff eb0a 8bf8 } // n = 4, score = 200 // 7d04 \| jge 6 // 33ff \| xor edi, edi // eb0a \| jmp 0xc // 8bf8 \| mov edi, eax $sequence_5 = { 7507 b801000000 eb02 33c0 5d c20800 } // n = 6, score = 200 // 7507 \| jne 9 // b801000000 \| mov eax, 1 // eb02 \| jmp 4 // 33c0 \| xor eax, eax // 5d \| pop ebp // c20800 \| ret 8 $sequence_6 = { 8b460c 8b55fc 8b3c90 eb52 } // n = 4, score = 200 // 8b460c \| mov eax, dword ptr [esi + 0xc] // 8b55fc \| mov edx, dword ptr [ebp - 4] // 8b3c90 \| mov edi, dword ptr [eax + edx4] // eb52 \| jmp 0x54 $sequence_7 = { 56 57 33c9 894df8 8955f0 8945fc 8b45fc } // n = 7, score = 200 // 56 \| push esi // 57 \| push edi // 33c9 \| xor ecx, ecx // 894df8 \| mov dword ptr [ebp - 8], ecx // 8955f0 \| mov dword ptr [ebp - 0x10], edx // 8945fc \| mov dword ptr [ebp - 4], eax // 8b45fc \| mov eax, dword ptr [ebp - 4] $sequence_8 = { 870c24 51 8b4afc e9???????? e9???????? e9???????? } // n = 6, score = 200 // 870c24 \| xchg dword ptr [esp], ecx // 51 \| push ecx // 8b4afc \| mov ecx, dword ptr [edx - 4] // e9???????? \| // e9???????? \| // e9???????? \| $sequence_9 = { 03c9 e8???????? 8d1437 8bc3 e8???????? } // n = 5, score = 200 // 03c9 \| add ecx, ecx // e8???????? \| // 8d1437 \| lea edx, [edi + esi] // 8bc3 \| mov eax, ebx // e8???????? \| condition: 7 of them and filesize < 147456 }
[TLP:WHITE] win_infy_w0 (20170803 \| Detects Foudre Backdoor) rule win_infy_w0 { meta: author = "Florian Roth" description = "Detects Foudre Backdoor" info = "foudre dropper" reference = "https://goo.gl/Nbqbt6" date = "2017-08-01" hash = "7e73a727dc8f3c48e58468c3fd0a193a027d085f25fa274a6e187cf503f01f74" hash = "7ce2c5111e3560aa6036f98b48ceafe83aa1ac3d3b33392835316c859970f8bc" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy" malpedia_version = "20170803" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s1 = "initialization failed: Reinstall the program" fullword wide $s2 = "SnailDriver V1" fullword wide $s3 = "lp.ini" fullword wide condition: filesize < 100KB and 2 of them }
[TLP:WHITE] win_infy_w1 (20170803 \| Detects Foudre Backdoor) rule win_infy_w1 { meta: author = "Florian Roth" description = "Detects Foudre Backdoor" info = "foudre dropper 2" reference = "https://goo.gl/Nbqbt6" date = "2017-08-01" hash = "6bc9f6ac2f6688ed63baa29913eaf8c64738cf19933d974d25a0c26b7d01b9ac" hash = "da228831089c56743d1fbc8ef156c672017cdf46a322d847a270b9907def53a5" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy" malpedia_version = "20170803" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $x1 = "536F594A96C5496CB3949A4DA4775B576E049C57696E646F77735C43757272656E7456657273696F6E5C5C52756E" fullword wide $x2 = "2220263024C380B3278695851482EC32" fullword wide $s1 = "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\\\Startup\\" fullword wide $s2 = "C:\\Documents and Settings\\All Users\\" fullword wide $s3 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\\\Shell Folders" fullword wide $s4 = "ShellExecuteW" fullword wide condition: filesize < 100KB and ( 1 of ($x*) or 4 of them ) }
[TLP:WHITE] win_infy_w2 (20170803 \| Detects Foudre Backdoor) import "pe" rule win_infy_w2 { meta: description = "Detects Foudre Backdoor" author = "Florian Roth" info = "foudre backdoor" reference = "https://goo.gl/Nbqbt6" date = "2017-08-01" hash = "7c6206eaf0c5c9c6c8d8586a626b49575942572c51458575e51cba72ba2096a4" hash = "db605d501d3a5ca2b0e3d8296d552fbbf048ee831be21efca407c45bf794b109" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy" malpedia_version = "20170803" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: /* $s1 = "Project1.dll" fullword ascii / / Better: Project1.dll\x00D1 */ $s1 = { 50 72 6F 6A 65 63 74 31 2E 64 6C 6C 00 44 31 } $s2 = "winmgmts:\\\\localhost\\root\\SecurityCenter2" fullword wide $s3 = "C:\\Documents and Settings\\All Users\\" fullword wide condition: filesize < 2000KB and 3 of them or (2 of them and pe.exports("D1")) }

Download all Yara Rules

[TLP:WHITE] win_infy_auto (20260504 \| Detects win.infy.) rule win_infy_auto { meta: author = "Felix Bilstein - yara-signator at cocacoding dot com" date = "2026-05-04" version = "1" description = "Detects win.infy." info = "autogenerated rule brought to you by yara-signator" tool = "yara-signator v0.6.0" signator_config = "callsandjumps;datarefs;binvalue" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy" malpedia_rule_date = "20260422" malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14" malpedia_version = "20260504" malpedia_license = "CC BY-SA 4.0" malpedia_sharing = "TLP:WHITE" /* DISCLAIMER * The strings used in this rule have been automatically selected from the * disassembly of memory dumps and unpacked files, using YARA-Signator. * The code and documentation is published here: * https://github.com/fxb-cocacoding/yara-signator * As Malpedia is used as data source, please note that for a given * number of families, only single samples are documented. * This likely impacts the degree of generalization these rules will offer. * Take the described generation method also into consideration when you * apply the rules in your use cases and assign them confidence levels. / strings: $sequence_0 = { 31c9 85d2 740a 66837af601 } // n = 4, score = 200 // 31c9 \| xor ecx, ecx // 85d2 \| test edx, edx // 740a \| je 0xc // 66837af601 \| cmp word ptr [edx - 0xa], 1 $sequence_1 = { c3 55 8bec 8b4508 2b450c 85c0 } // n = 6, score = 200 // c3 \| ret // 55 \| push ebp // 8bec \| mov ebp, esp // 8b4508 \| mov eax, dword ptr [ebp + 8] // 2b450c \| sub eax, dword ptr [ebp + 0xc] // 85c0 \| test eax, eax $sequence_2 = { 8945d4 807de300 7409 8b45e4 66833820 7304 } // n = 6, score = 200 // 8945d4 \| mov dword ptr [ebp - 0x2c], eax // 807de300 \| cmp byte ptr [ebp - 0x1d], 0 // 7409 \| je 0xb // 8b45e4 \| mov eax, dword ptr [ebp - 0x1c] // 66833820 \| cmp word ptr [eax], 0x20 // 7304 \| jae 6 $sequence_3 = { 8807 8d0492 8d1492 83f901 83dfff c1e817 } // n = 6, score = 200 // 8807 \| mov byte ptr [edi], al // 8d0492 \| lea eax, [edx + edx4] // 8d1492 \| lea edx, [edx + edx4] // 83f901 \| cmp ecx, 1 // 83dfff \| sbb edi, -1 // c1e817 \| shr eax, 0x17 $sequence_4 = { 7d04 33ff eb0a 8bf8 } // n = 4, score = 200 // 7d04 \| jge 6 // 33ff \| xor edi, edi // eb0a \| jmp 0xc // 8bf8 \| mov edi, eax $sequence_5 = { 7507 b801000000 eb02 33c0 5d c20800 } // n = 6, score = 200 // 7507 \| jne 9 // b801000000 \| mov eax, 1 // eb02 \| jmp 4 // 33c0 \| xor eax, eax // 5d \| pop ebp // c20800 \| ret 8 $sequence_6 = { 8b460c 8b55fc 8b3c90 eb52 } // n = 4, score = 200 // 8b460c \| mov eax, dword ptr [esi + 0xc] // 8b55fc \| mov edx, dword ptr [ebp - 4] // 8b3c90 \| mov edi, dword ptr [eax + edx4] // eb52 \| jmp 0x54 $sequence_7 = { 56 57 33c9 894df8 8955f0 8945fc 8b45fc } // n = 7, score = 200 // 56 \| push esi // 57 \| push edi // 33c9 \| xor ecx, ecx // 894df8 \| mov dword ptr [ebp - 8], ecx // 8955f0 \| mov dword ptr [ebp - 0x10], edx // 8945fc \| mov dword ptr [ebp - 4], eax // 8b45fc \| mov eax, dword ptr [ebp - 4] $sequence_8 = { 870c24 51 8b4afc e9???????? e9???????? e9???????? } // n = 6, score = 200 // 870c24 \| xchg dword ptr [esp], ecx // 51 \| push ecx // 8b4afc \| mov ecx, dword ptr [edx - 4] // e9???????? \| // e9???????? \| // e9???????? \| $sequence_9 = { 03c9 e8???????? 8d1437 8bc3 e8???????? } // n = 5, score = 200 // 03c9 \| add ecx, ecx // e8???????? \| // 8d1437 \| lea edx, [edi + esi] // 8bc3 \| mov eax, ebx // e8???????? \| condition: 7 of them and filesize < 147456 }
[TLP:WHITE] win_infy_w0 (20170803 \| Detects Foudre Backdoor) rule win_infy_w0 { meta: author = "Florian Roth" description = "Detects Foudre Backdoor" info = "foudre dropper" reference = "https://goo.gl/Nbqbt6" date = "2017-08-01" hash = "7e73a727dc8f3c48e58468c3fd0a193a027d085f25fa274a6e187cf503f01f74" hash = "7ce2c5111e3560aa6036f98b48ceafe83aa1ac3d3b33392835316c859970f8bc" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy" malpedia_version = "20170803" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $s1 = "initialization failed: Reinstall the program" fullword wide $s2 = "SnailDriver V1" fullword wide $s3 = "lp.ini" fullword wide condition: filesize < 100KB and 2 of them }
[TLP:WHITE] win_infy_w1 (20170803 \| Detects Foudre Backdoor) rule win_infy_w1 { meta: author = "Florian Roth" description = "Detects Foudre Backdoor" info = "foudre dropper 2" reference = "https://goo.gl/Nbqbt6" date = "2017-08-01" hash = "6bc9f6ac2f6688ed63baa29913eaf8c64738cf19933d974d25a0c26b7d01b9ac" hash = "da228831089c56743d1fbc8ef156c672017cdf46a322d847a270b9907def53a5" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy" malpedia_version = "20170803" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: $x1 = "536F594A96C5496CB3949A4DA4775B576E049C57696E646F77735C43757272656E7456657273696F6E5C5C52756E" fullword wide $x2 = "2220263024C380B3278695851482EC32" fullword wide $s1 = "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\\\Startup\\" fullword wide $s2 = "C:\\Documents and Settings\\All Users\\" fullword wide $s3 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\\\Shell Folders" fullword wide $s4 = "ShellExecuteW" fullword wide condition: filesize < 100KB and ( 1 of ($x*) or 4 of them ) }
[TLP:WHITE] win_infy_w2 (20170803 \| Detects Foudre Backdoor) import "pe" rule win_infy_w2 { meta: description = "Detects Foudre Backdoor" author = "Florian Roth" info = "foudre backdoor" reference = "https://goo.gl/Nbqbt6" date = "2017-08-01" hash = "7c6206eaf0c5c9c6c8d8586a626b49575942572c51458575e51cba72ba2096a4" hash = "db605d501d3a5ca2b0e3d8296d552fbbf048ee831be21efca407c45bf794b109" malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.infy" malpedia_version = "20170803" malpedia_license = "CC BY-NC-SA 4.0" malpedia_sharing = "TLP:WHITE" strings: /* $s1 = "Project1.dll" fullword ascii / / Better: Project1.dll\x00D1 */ $s1 = { 50 72 6F 6A 65 63 74 31 2E 64 6C 6C 00 44 31 } $s2 = "winmgmts:\\\\localhost\\root\\SecurityCenter2" fullword wide $s3 = "C:\\Documents and Settings\\All Users\\" fullword wide condition: filesize < 2000KB and 3 of them or (2 of them and pe.exports("D1")) }

Infy Propose Change

References

Yara Rules

Infy