Iranian APT 'Prince of Persia' Deploying New Malware Strains
BLUF
The Iranian state-sponsored APT group 'Prince of Persia' has re-emerged with new variants of its Foudre and Tonnerre malware, using updated communication tactics like Telegram bots for C2 operations, likely targeting critical infrastructure worldwide.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by Foudre and Tonnerre malware:
Low-end total cost: $750,000 – $1.1M
(Rapid detection, limited persistence, strong internal security maturity)
Typical expected range: $1.2M – $2M
Upper-bound realistic scenarios: $2.5M – $3.5M
(Extended dwell time, sensitive sector exposure, regulatory engagement)
Key cost driver:
Costs are driven less by operational damage and more by assurance and validation. The use of stealthy persistence, encrypted communications, and non-traditional C2 channels (such as Telegram) forces organizations to invest heavily in forensic certainty, executive assurance, and regulatory confidence rather than simple cleanup. The financial burden increases with the need to prove what did not happen, not just what did.
Targeted Sectors
· Critical infrastructure
· Foreign Diplomats
· Dissidents and Political Groups
· Government-Affiliated Media
  o Members of the BBC Persian press and news websites related to political opposition groups
Countries
· Global with a focus on the Middle East, Europe, and the Americas.
Date of First Reported Activity
· The latest variants were detected as recently as September 2025
Date of Last Reported Activity Update
· December 31, 2025
APT Names
· Prince of Persia.
Associated Criminal Organization Names
· This has not been tied to criminal organizations.
IOCs
C2 domains (generated via DGA) and file hashes for Tonnerre v50, v12-16 and v17 exist but were not published in the source reporting; the two sample hashes that are available are listed under Malware Sample below.
Tools Used
· Foudre, Tonnerre (v50, v12-16, v17)
· Telegram API/bots.
TTPs
Initial Access
The primary method for initial compromise remains spear-phishing.
· T1566.001 Spear-phishing Attachment: The APT group uses malicious Microsoft Excel documents to deliver the initial payload. Recent campaigns embed executables within the documents rather than relying on macros, a technique to evade antivirus detection.
Execution
The embedded executable is designed to start the infection chain.
· T1059.001 Command and Scripting Interpreter: PowerShell: The attack likely involves PowerShell or similar scripting to manage stages of the infection.
· T1204.002 User Execution: Malicious File: The victim must open the malicious document and enable/interact with the embedded executable for the malware to run.
Persistence
The Foudre malware is the primary persistence mechanism, designed for long-term access and victim profiling.
· TA0003 Persistence: The malware establishes a continuous presence on the compromised system.
· T1543.003 Create or Modify System Process: Windows Service: The malware likely uses system services or similar mechanisms to ensure execution across reboots.
Command and Control (C2)
The group employs sophisticated methods to protect its C2 infrastructure and evade takedowns, a lesson learned from past disruptions.
· T1071.001 Application Layer Protocol: Web Protocols: The malware communicates with C2 servers using standard web protocols.
· T1071.004 Application Layer Protocol: DNS: Domain Generation Algorithms (DGAs) are heavily used to create numerous C2 domains, making them difficult to block.
· T1105 Ingress Tool Transfer: The first-stage malware, Foudre, downloads the more potent Tonnerre implant if the victim is deemed high-value.
· T1571 Non-Standard Port: The C2 communication may utilize non-standard ports or channels, such as a Telegram bot (Tonnerre v50 variant), to evade network monitoring.
Defense Evasion
Multiple techniques are used to remain undetected.
· T1027 Obfuscated Files or Information: The malware uses strong encryption and packed/SFX payloads.
· T1140 Deobfuscate/Decode Files or Information: The malware has a built-in RSA signature verification process to confirm the authenticity of the C2 server before communicating, preventing researchers from sinkholing domains.
· T1070.004 Indicator Removal: File Deletion: Foudre can be commanded to self-destruct on low-value targets, removing forensic artifacts.
Discovery & Exfiltration
Once a target is profiled by Foudre and confirmed as high-value, Tonnerre is deployed for espionage and data theft.
· TA0007 Discovery: Foudre collects basic system information and profiles the victim's identity.
· TA0010 Exfiltration: Tonnerre extracts sensitive data (e.g., system GUIDs, files) to the C2 server. The malware can also capture messages directly from Telegram chats on the compromised machine.
Malware Names
Foudre
Tonnerre
Malware Sample
Foudre
config.lnk, a malicious Windows Shortcut file used to download Foudre payloads
sha256
85b317bb4463a93ecc4d25af872401984d61e9ddcee4c275ea1f1d9875b5fa61
URL Link to sample
· hxxps://www.virustotal.com/gui/file/85b317bb4463a93ecc4d25af872401984d61e9ddcee4c275ea1f1d9875b5fa61
Tonnerre
This module is often used alongside Foudre for high-value data exfiltration.
sha256
341cffd90fce29f0df63a7763a2a588b40c678a0903b2199d0d208a3fd3ad60b
URL Link to sample
· hxxps://www.virustotal.com/gui/file/341cffd90fce29f0df63a7763a2a588b40c678a0903b2199d0d208a3fd3ad60b
CVEs and CVSS Vectors
· No CVEs have been associated with the latest Foudre /Tonnerre attacks at this time
Nessus ID
· Not applicable
Suggested rules / potential hunts
As a reminder, these are indicator rules. They are likely to be noisy.
For best results consider creating a data model and reviewing the traffic as a report.
Suricata
Detect anomalous outbound traffic to Telegram API endpoints specifically from non-user-facing servers.
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"POTENTIAL Prince of Persia Telegram C2 Communication"; tls.sni; content:"api.telegram.org"; flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 3600; sid:1000001; rev:1;)
Look for high-frequency DNS queries to domains that match the group's observed 2025 patterns.
alert dns $HOME_NET any -> any any (msg:"POTENTIAL Prince of Persia DGA Domain Query"; dns.query; pcre:"/[a-z0-9]{10,20}\.(com|net|org|info)/"; sid:1000002; rev:1;)
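The same DGA hunt can be replayed over raw resolver logs when you want the per-source burst rather than one alert per query. The Python below is an added example (not from the source reporting or any vendor tool): it applies the rule's pattern anchored to the whole query name, then flags a source only when several matches fall inside one time window, using a constructed log sample.

```python
import re
from collections import defaultdict

# The pattern from the Suricata rule, anchored to the whole query name so a long
# label inside a legitimate hostname does not match on its own.
DGA_RE = re.compile(r"^[a-z0-9]{10,20}\.(com|net|org|info)$")

# Constructed sample resolver log (not real telemetry): "<epoch> <src_ip> <query>".
SAMPLE_DNS_LOG = """\
1700000001 10.0.0.5 x7k2m9q4w1e8r3t6.com
1700000002 10.0.0.5 p3o9i8u7y6t5r4e3w2.net
1700000003 10.0.0.5 a1s2d3f4g5h6j7k8.info
1700000004 10.0.0.5 z9x8c7v6b5n4m3l2k1.org
1700000005 10.0.0.5 q1w2e3r4t5y6u7i8o9.com
1700000006 10.0.0.7 www.example.com
1700000007 10.0.0.7 mail.example.org
1700000008 10.0.0.7 abcdefghijklmnop.com
"""

def parse_dns_log(text):
    """Yield (epoch, src_ip, query) from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield int(parts[0]), parts[1], parts[2].lower().rstrip(".")

def dga_like(query):
    """True when the query name matches the DGA-style pattern."""
    return DGA_RE.match(query) is not None

def hunt_dga_queries(text, min_hits=3, window_seconds=3600):
    """Return {src_ip: [matching queries]} for sources that issued at least
    min_hits DGA-looking queries inside one sliding window. A single match is
    noisy (as the Suricata rule is); the per-source burst is the signal."""
    hits = defaultdict(list)
    for ts, src, query in parse_dns_log(text):
        if dga_like(query):
            hits[src].append((ts, query))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_seconds:
                start += 1
            if end - start + 1 >= min_hits:
                flagged[src] = [q for _, q in events]
                break
    return flagged
```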
SentinelOne
Foudre Loader DLL Detection
Hunt for the execution of custom loader DLLs often used as remnants in the environment.
Process.Name = "rundll32.exe" AND Process.Arguments CONTAINS "Foudre" AND File.Extension = ".dll"
Encrypted SFX Payload Execution
Detect the extraction and execution of Self-Extracting Archive (SFX) payloads, a hallmark of their 2025 tactics.
(Process.Name matches ".*\.sfx\.exe" OR Process.Arguments CONTAINS "-p") AND (Process.ChildName matches "powershell.exe" OR Process.ChildName matches "cmd.exe")
MaxPinner Telegram Monitoring
Detect unauthorized access to Telegram desktop client data directories.
File.Path CONTAINS "Telegram Desktop\tdata" AND (Process.Name NOT IN ("Telegram.exe", "explorer.exe"))
Splunk
Identify Outbound C2 Beacons: Search for consistent, small-volume outbound connections to external IPs that may indicate a persistent heartbeat.
```splunk
index=firewall_logs action=allowed
| stats count, sum(bytes_out) as total_bytes by src_ip, dest_ip, dest_port
| where count > 100 AND total_bytes < 500000
| sort - count
```
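The count and byte thresholds above surface chatty, low-volume pairs, but a heartbeat is also regular in time. The Python below is an added example (not from the source reporting or from Splunk) that applies the same thresholds per (src, dst, port) over constructed firewall records and then keeps only pairs whose inter-connection gaps have a low coefficient of variation, which the SPL query alone does not check.

```python
import random
import statistics
from collections import defaultdict

def make_sample_flows():
    """Constructed firewall records (not real telemetry): (epoch, src, dst, port, bytes_out).
    10.0.0.5 sends a fixed 60-second heartbeat with tiny payloads; 10.0.0.9 browses
    normally (large transfers); 10.0.0.11 is chatty but irregular."""
    flows = []
    for i in range(120):
        flows.append((1700000000 + 60 * i, "10.0.0.5", "203.0.113.10", 443, 420))
    rng = random.Random(7)
    t = 1700000000
    for _ in range(150):
        t += rng.randint(1, 300)
        flows.append((t, "10.0.0.9", "198.51.100.20", 443, rng.randint(8000, 60000)))
    t = 1700000000
    for _ in range(110):
        t += rng.randint(1, 600)
        flows.append((t, "10.0.0.11", "192.0.2.30", 443, 300))
    return flows

def find_beacons(flows, min_count=100, max_bytes=500_000, max_cv=0.2):
    """Apply the Splunk query's thresholds (more than min_count connections,
    fewer than max_bytes total) per (src, dst, port), then keep only pairs whose
    inter-connection gaps are regular: coefficient of variation <= max_cv."""
    groups = defaultdict(list)
    for ts, src, dst, port, bytes_out in flows:
        groups[(src, dst, port)].append((ts, bytes_out))
    beacons = []
    for (src, dst, port), events in groups.items():
        total = sum(b for _, b in events)
        if len(events) <= min_count or total >= max_bytes:
            continue
        times = sorted(t for t, _ in events)
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "port": port,
                            "count": len(events), "bytes": total, "cv": round(cv, 3)})
    return beacons
```

Tune max_cv upward if the implant adds jitter; the byte and count thresholds stay the ones from the query.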
Rugissement/Deep Freeze Payload Discovery: Search for the creation of files with specific naming conventions used in recent 2025 activity.
```splunk
index=endpoint sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
| search TargetFilename IN ("*DeepFreeze*", "*Rugissement*", "*Amaq*")
| table _time, host, Image, TargetFilename
```
Password Spraying/MFA Push Bombing: Correlate authentication failures with subsequent successful logins or MFA modifications.
```splunk
index=auth (EventCode=4625 OR EventCode=4624)
| stats dc(eval(if(EventCode==4625, user, null()))) as attempted_users, count(eval(EventCode==4624)) as successes by src_ip
| where attempted_users > 10 AND successes > 0
```
Delivery Method
Delivery appears to be via targeted spear-phishing or by leveraging existing access.
Email Samples
No samples mentioned.
References
SCWorld
hxxps://www.scworld.com/news/iranian-apt-prince-of-persia-evolves-deploys-three-new-malware-strains
VirusTotal
· hxxps://www.virustotal.com/gui/file/341cffd90fce29f0df63a7763a2a588b40c678a0903b2199d0d208a3fd3ad60b
· hxxps://www.virustotal.com/gui/file/85b317bb4463a93ecc4d25af872401984d61e9ddcee4c275ea1f1d9875b5fa61