Iranian Infy APT Group Reemerges with Sophisticated New Malware Campaigns

The advanced persistent threat (APT) group known as Infy, also referred to as Prince of Persia, has resurfaced after years of limited visibility. Recent threat intelligence indicates renewed and expanded malware operations that pose a growing risk to organizations worldwide. For businesses relying on stable, secure web infrastructure, this renewed activity is a reminder that cyber threats evolve even when they appear to go quiet.

Key Takeaways

  • Infy (Prince of Persia), an Iranian-linked APT group, has resumed operations after several years of low activity.
  • The group is leveraging new or updated malware tools to conduct espionage and long-term surveillance.
  • Organizations with exposed web applications, hosting environments, and remote access services are at elevated risk.
  • Businesses should strengthen cybersecurity controls around web hosting, patch management, and monitoring to mitigate APT threats.

Who Is the Infy (Prince of Persia) APT Group?

Infy is a long-running threat actor believed to be associated with Iranian interests, focused primarily on cyber espionage rather than quick financial gain. Historically, the group has targeted victims in regions including Sweden, the Netherlands, and Turkey, along with other politically or strategically relevant locations.

The group is known for building custom malware frameworks designed for stealth, persistence, and data theft. Unlike commodity cybercriminals who rely on widely available malware kits, Infy typically invests in bespoke tooling that evolves over time, making detection more difficult for traditional defenses.

"The scale of Prince of Persia's activity is more significant than we originally anticipated," noted Tomer Bar, vice president of security research at SafeBreach, highlighting the broader scope of the group’s current operations.

Why This Group Matters to Businesses

Infy’s operations typically focus on long-term access and intelligence collection. For businesses, this means the risk is not only about initial compromise, but about how long an attacker can remain undetected inside web servers, applications, and internal networks, quietly exfiltrating sensitive data.

Organizations that handle sensitive customer information, intellectual property, or operate in sectors of geopolitical interest are more likely to be targeted, but any business with insecure hosting or web infrastructure can become a stepping stone in a larger campaign.


New Malware Activity: What Has Changed?

The latest wave of Infy activity suggests the group has invested in new malware variants and improved operational capabilities. While technical details continue to emerge from ongoing research, several patterns are increasingly clear.

Enhanced Stealth and Persistence

Infy’s new tools are designed to better evade modern security products and stay hidden for longer periods. This may include:

  • Fileless techniques that keep components memory-resident rather than writing executables to disk, so there is less for file-based scanning to find.
  • Use of legitimate tools and processes already present on the system (living off the land), so malicious activity blends in with normal administration.
  • Command-and-control (C2) channels that mimic ordinary web traffic or use encryption, so data transfers are hard to distinguish from legitimate HTTPS sessions.

These upgrades make it more challenging for organizations to detect compromise using basic antivirus or signature-based tools alone.
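A C2 channel that hides inside ordinary-looking HTTPS requests defeats signature matching, but periodic check-ins still leave a timing signature: the same client reaches the same host at near-constant intervals with near-constant response sizes. The script below is an added example written for this article, not code from the original page, from SafeBreach, or from any Infy tooling. The proxy-log format, the hostnames, the sample lines and the thresholds are all constructed assumptions; it flags (client, host) pairs whose inter-request gaps vary little relative to their mean.

```python
"""Beacon detection over web-proxy log lines.

Periodic C2 check-ins wrapped in normal-looking HTTP(S) requests still
show up as a client contacting one host at near-constant intervals.
This flags (client_ip, host) pairs whose inter-request gaps have very
low relative jitter (coefficient of variation).
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic). Assumed format, one request
# per line: "<ISO timestamp> <client_ip> <method> <host> <status> <bytes>".
# The "updates" host is polled every ~60 s with tiny responses; the "news"
# host is browsed irregularly. Lines are deliberately not in time order.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.1.20 GET cdn.example.net 200 5120
2024-05-01T09:00:05 10.0.1.20 GET updates.example-web.invalid 200 312
2024-05-01T09:01:05 10.0.1.20 GET updates.example-web.invalid 200 310
2024-05-01T09:02:04 10.0.1.20 GET updates.example-web.invalid 200 315
2024-05-01T09:03:06 10.0.1.20 GET updates.example-web.invalid 200 311
2024-05-01T09:04:05 10.0.1.20 GET updates.example-web.invalid 200 313
2024-05-01T09:05:05 10.0.1.20 GET updates.example-web.invalid 200 309
2024-05-01T09:00:12 10.0.1.20 GET news.example.org 200 48211
2024-05-01T09:07:41 10.0.1.20 GET news.example.org 200 51002
2024-05-01T09:21:03 10.0.1.20 GET news.example.org 200 47733
2024-05-01T09:22:30 10.0.1.20 GET news.example.org 200 49000
2024-05-01T09:40:19 10.0.1.20 GET news.example.org 200 50120
2024-05-01T09:45:00 10.0.1.20 GET news.example.org 200 48800
"""


def parse_proxy_log(text):
    """Group requests by (client_ip, host); each entry is (timestamp, bytes)."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:  # skip blank or malformed lines instead of crashing
            continue
        ts, client, _method, host, _status, nbytes = fields
        by_pair[(client, host)].append((datetime.fromisoformat(ts), int(nbytes)))
    return by_pair


def relative_jitter(values):
    """Coefficient of variation (population stdev / mean) of positive numbers."""
    m = mean(values)
    return pstdev(values) / m if m > 0 else float("inf")


def find_beacons(text, min_requests=5, max_cv=0.10):
    """Return pairs with at least min_requests requests whose inter-request
    gaps vary by at most max_cv relative to the mean gap, least jittery first."""
    findings = []
    for (client, host), recs in parse_proxy_log(text).items():
        if len(recs) < max(min_requests, 2):  # need at least one gap
            continue
        times = sorted(t for t, _ in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        gap_cv = relative_jitter(gaps)
        if gap_cv <= max_cv:
            findings.append({
                "client": client,
                "host": host,
                "requests": len(recs),
                "period_s": round(mean(gaps), 1),
                "gap_cv": round(gap_cv, 3),
                # Near-identical response sizes are a second beacon signal
                "size_cv": round(relative_jitter([n for _, n in recs]), 3),
            })
    return sorted(findings, key=lambda f: f["gap_cv"])


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this reports only the `updates` host (six requests, 60 s period, gap jitter around 2%). Real implants add random sleep jitter and long dormant periods, so in production you would raise `max_cv`, evaluate over hours or days rather than minutes, and combine the timing score with other signals such as domain rarity, constant response sizes and unusual user agents, rather than alerting on timing alone.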

Targeting Web-Facing Infrastructure

APT groups like Infy frequently focus on vulnerable web servers, web applications, and hosting environments as their initial entry points. In many cases, they exploit:

  • Unpatched content management systems (CMS) and plugins.
  • Misconfigured web servers and databases exposed to the internet.
  • Weak or reused credentials for admin panels and hosting control panels.

Once inside, attackers can deploy malware, modify websites, harvest credentials, and pivot deeper into internal systems. This is especially dangerous for organizations that host multiple client websites or applications on shared infrastructure.


Implications for Web Hosting and Online Businesses

The resurgence of Infy has direct implications for web hosting providers, digital agencies, and businesses running critical services online. APT actors are increasingly combining classic espionage techniques with attacks on commercial infrastructure.

Risk to Shared Hosting and Multi-Tenant Environments

Shared or multi-tenant hosting environments are particularly attractive to sophisticated attackers. A single compromised server may provide access to multiple websites, databases, or client accounts. If segmentation and access controls are weak, one exploited site can quickly lead to a broader incident.

For example, a compromised CMS plugin on one client’s site can give an attacker a foothold on the server, from which they can scan for additional misconfigurations, deploy backdoors, or intercept traffic destined for other hosted applications.

Data Exposure and Regulatory Impact

Because Infy is focused on information gathering, the most significant business risk lies in data exposure. This can include:

  • Customer records and personal data.
  • Internal documents, contracts, and strategic plans.
  • Source code and proprietary algorithms hosted on vulnerable systems.

Beyond direct financial loss, such breaches may trigger regulatory obligations under GDPR, CCPA, or industry-specific regulations, leading to investigations, fines, and reputational damage.


Defensive Strategies Against APT-Style Campaigns

While no single control can completely prevent a determined APT, layered defenses significantly reduce the likelihood and impact of an Infy-style attack. Both business owners and technical teams should focus on strengthening core areas of their web and hosting security posture.

Harden Web Hosting and Server Configurations

Start by ensuring your hosting environment is not the weakest link:

  • Maintain regular patching of operating systems, web servers (e.g., Apache, Nginx, IIS), CMS platforms, and plugins.
  • Disable unused services and ports to minimize the attack surface.
  • Implement least-privilege access for system accounts, control panels, and deployment tools.
  • Separate critical applications and client environments using strong isolation (VMs or dedicated hosting; containers add separation but share the host kernel, so they should not be the only boundary between tenants).

For organizations using third-party hosting providers, it is crucial to verify what security controls are included and where your responsibilities begin and end.

Strengthen Application and Account Security

At the application and user level, Infy and similar groups often take advantage of weak access controls. Key measures include:

  • Enforcing multi-factor authentication (MFA) for admin accounts, developer portals, and remote access tools.
  • Using password managers and unique, complex credentials for all administrative logins.
  • Implementing a web application firewall (WAF) to filter malicious traffic and block known exploit patterns, treated as a compensating control that buys time rather than a substitute for patching the underlying vulnerability.
  • Conducting regular security testing (vulnerability scans, penetration testing) of public-facing applications.

Developers should also follow secure coding practices, perform code reviews with a security lens, and avoid exposing debug or admin interfaces to the public internet.

Improve Monitoring, Detection, and Incident Response

Because APTs prioritize stealth, visibility and monitoring are as important as prevention:

  • Deploy centralized logging, forwarded off the host so an attacker who gains server access cannot quietly erase it, and monitor for unusual login patterns, privilege escalations, or configuration changes.
  • Use endpoint detection and response (EDR) or advanced security tools capable of behavior-based detection.
  • Create and regularly test an incident response plan that covers containment, forensics, communication, and recovery.

Having a predefined playbook allows your team to act quickly if suspicious activity is detected, limiting dwell time and damage.
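To make "monitor for unusual login patterns" concrete, the script below is an added example written for this article (not code from the original page or from any vendor product). It runs two rules over control-panel authentication log lines: a burst of failed logins for one user from one address followed by a success, and a successful login from an address outside that user's known baseline. The log format, the per-user baseline, the thresholds and the sample lines are constructed assumptions.

```python
"""Login-anomaly detection over control-panel authentication log lines.

Rules:
  1. failures_then_success: at least fail_threshold failures for one
     (user, ip) inside a sliding window, followed by a success; the
     pattern left behind when guessing or credential stuffing works.
  2. new_source_ip: a success from an address not in the user's baseline
     of known sources.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not from any real system). Assumed format:
# "<ISO timestamp> login user=<name> ip=<addr> result=success|failure".
SAMPLE_AUTH_LOG = """\
2024-05-01T08:02:11 login user=alice ip=203.0.113.10 result=success
2024-05-01T08:15:42 login user=bob ip=198.51.100.7 result=success
2024-05-01T23:10:01 login user=alice ip=192.0.2.44 result=failure
2024-05-01T23:10:03 login user=alice ip=192.0.2.44 result=failure
2024-05-01T23:10:05 login user=alice ip=192.0.2.44 result=failure
2024-05-01T23:10:07 login user=alice ip=192.0.2.44 result=failure
2024-05-01T23:10:09 login user=alice ip=192.0.2.44 result=failure
2024-05-01T23:10:12 login user=alice ip=192.0.2.44 result=success
2024-05-02T09:01:00 login user=bob ip=198.51.100.7 result=success
2024-05-02T09:30:00 login user=carol ip=198.51.100.9 result=failure
2024-05-02T09:31:00 login user=carol ip=198.51.100.9 result=success
"""

# Assumed baseline: source addresses seen for each user during a clean period.
KNOWN_SOURCES = {
    "alice": {"203.0.113.10"},
    "bob": {"198.51.100.7"},
    "carol": {"198.51.100.9"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"result=(?P<result>success|failure)$"
)


def parse_auth_log(text):
    """Parse lines into dicts, skipping malformed ones, ordered by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_login_anomalies(text, known_sources, fail_threshold=4,
                           window=timedelta(minutes=5)):
    """Return a list of alert dicts in the order the triggering events occur."""
    alerts = []
    recent_failures = defaultdict(deque)  # (user, ip) -> failure timestamps
    for ev in parse_auth_log(text):
        key = (ev["user"], ev["ip"])
        q = recent_failures[key]
        while q and ev["ts"] - q[0] > window:  # expire failures outside window
            q.popleft()
        if ev["result"] == "failure":
            q.append(ev["ts"])
            continue
        # From here on ev is a successful login.
        if len(q) >= fail_threshold:
            alerts.append({"rule": "failures_then_success", "user": ev["user"],
                           "ip": ev["ip"], "failures": len(q),
                           "ts": ev["ts"].isoformat()})
        # A user with no baseline alerts on every success; tune as needed.
        if ev["ip"] not in known_sources.get(ev["user"], set()):
            alerts.append({"rule": "new_source_ip", "user": ev["user"],
                           "ip": ev["ip"], "ts": ev["ts"].isoformat()})
        q.clear()  # success resets the failure streak for this pair
    return alerts


if __name__ == "__main__":
    for alert in detect_login_anomalies(SAMPLE_AUTH_LOG, KNOWN_SOURCES):
        print(alert)
```

On the constructed sample, only alice's 23:10 login fires, and it trips both rules: five failures in eleven seconds, then a success from an address never seen for that account. Carol's single typo followed by a success from her usual address produces nothing. In practice the baseline would be built from the logs themselves over a clean period and refreshed as staff addresses change, and the same sliding-window structure extends to privilege changes and configuration edits once those events are logged in a parseable form.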


What Business Leaders and Technical Teams Should Do Now

The renewed activity from Infy is a reminder that sophisticated actors often operate on multi-year timelines, quietly refining tools and waiting for the right moment. Businesses should treat this as an opportunity to reassess their current security maturity.

Executives, IT leaders, and development teams can collaborate on a focused action plan:

  • Conduct a risk assessment of all internet-facing assets, especially hosted websites and APIs.
  • Review existing vendor and hosting agreements to clarify security responsibilities and expectations.
  • Invest in security awareness training so staff can recognize phishing and social engineering tactics often used to support APT operations.
  • Align technical roadmaps with security best practices, ensuring new web development projects include security from the outset.

Conclusion

The reemergence of the Infy (Prince of Persia) APT group highlights an uncomfortable reality: advanced threat actors seldom disappear; they adapt. For organizations that rely heavily on web infrastructure and hosting, this evolution underscores the need for robust, proactive cybersecurity measures.

By hardening hosting environments, securing applications, monitoring continuously, and planning for incidents, businesses can significantly reduce their exposure to long-term espionage campaigns. The cost of improving defenses is almost always lower than the financial, operational, and reputational impact of a successful APT intrusion.


support@izendestudioweb.com

About support@izendestudioweb.com

Izende Studio Web has been serving St. Louis, Missouri, and Illinois businesses since 2013. We specialize in web design, hosting, SEO, and digital marketing solutions that help local businesses grow online.
