{"id":202332,"date":"2026-04-05T03:25:06","date_gmt":"2026-04-05T07:25:06","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/04\/05\/infy-hackers-resume-operations-with-new-c2-servers-after-iran-internet-blackout-ends\/"},"modified":"2026-04-05T03:25:10","modified_gmt":"2026-04-05T07:25:10","slug":"infy-hackers-resume-operations-with-new-c2-servers-after-iran-internet-blackout-ends","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/04\/05\/infy-hackers-resume-operations-with-new-c2-servers-after-iran-internet-blackout-ends\/","title":{"rendered":"Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/02\/infy-hackers-resume-operations-with-new.html\">Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/02\/infy-hackers-resume-operations-with-new.html\">https:\/\/thehackernews.com\/2026\/02\/infy-hackers-resume-operations-with-new.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-02-05 05:25:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><strong>Summary:<\/strong><br \/>\nThe article details updates to the tactics employed by the Iranian threat group known as Infy since mid-January 2026. It highlights how the group, amidst Iran-wide internet blackouts at the start of the year, ceased maintenance of its command-and-control (C2) servers before reactivating new C2 infrastructure following the reduction of internet restrictions. Cybersecurity firm SafeBreach&#8217;s observations emphasize the state-sponsored nature of Infy, which has been conducting espionage and influence operations in line with Tehran&#8217;s strategic interests since its inception in 2004. 
The group has recently refined its techniques against high-profile targets: it deploys updated malware versions, uses new C2 channels such as HTTP and Telegram bots, and exploits security flaws in WinRAR to improve the success rate of its attacks. Specific versions of its malware, named Tornado, use different domain name generation methods to control compromised systems. SafeBreach&#8217;s analysis has also uncovered links to other threat actors and malware families, showing that Infy continues to invest in sophisticated cyber espionage tradecraft.<\/p>\n<p><strong>Key Points:<\/strong><\/p>\n<ul>\n<li>Infy has evolved its command and control infrastructure and tactics while operating under state sponsorship.<\/li>\n<li>The threat group took a break from maintaining its C2 servers during a nationwide internet blackout in Iran to hide activities, suggesting state-backed operations.<\/li>\n<li>SafeBreach&#8217;s observations since December 2025 show an advanced use of HTTP and Telegram for C2 as well as exploitation of a WinRAR vulnerability to increase campaign success rates.<\/li>\n<li>New findings in early 2026 suggest connections between Infy and other malware operations like ZZ Stealer and potential overlaps with Charming Kitten.<\/li>\n<li>The latest version of Infy\u2019s malware, named Tornado, employs advanced domain name generation techniques and uses both Telegram and HTTP for C2 communications.<\/li>\n<\/ul>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Infy Hackers Resume Operations with New C2 Servers After Iran Internet Blackout Ends https:\/\/thehackernews.com\/2026\/02\/infy-hackers-resume-operations-with-new.html 
Publish&#8230;<\/p>\n","protected":false},"author":1,"featured_media":202333,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh8ERbt8WNDNB0dUBHa1RW4Js_8AhSmorSisyOplVJjamDe87uMfCCGeqM_VrKwRGteNlpjh3NfFHjriXs81bWsrgjtX75RGERc1AFNBWFKLTtm-geYPNn4aVPeDVNzcoqmDrMImn7YPl1sqja6zKy7aAFO5baubav3qk8AMIFj5MAh2GpkSoI1YL4PSKMk\/s1700-e365\/iranian-hackers.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31,32,27],"class_list":["post-202332","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit","tag-malware","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/202332"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=202332"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/202332\/revisions"}],"predecessor-version":[{"id":202334,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/202332\/revisions\/202334"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/202333"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=202332"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=202332"},{"taxonomy":"post_ta
g","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=202332"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}