It's been a bit quiet over the last 24 hours, so it'll be a short post today, but we do have a significant update on a long-standing Iranian threat actor. Let's dive in:

Iranian Infy APT Resurfaces with Advanced Tradecraft 🇮🇷

- The Iranian APT group Infy, also known as Prince of Persia, has resurfaced with new malware activity and updated tactics after nearly five years of silence, proving it remains active and dangerous.
- This elusive group, one of the oldest APTs dating back to 2004, is now using updated versions of its Foudre downloader and Tonnerre data exfiltrator, distributed via executables embedded in documents, targeting victims across multiple regions including Iran, Iraq, Turkey, India, Canada, and Europe.
- Key updates to their tradecraft include the use of a Domain Generation Algorithm (DGA) for resilient command-and-control (C2) infrastructure, RSA signature validation for C2 authenticity, and a unique mechanism within Tonnerre to communicate with a Telegram group for C2.

📰 The Hacker News | https://thehackernews.com/2025/12/iranian-infy-apt-resurfaces-with-new.html

#CyberSecurity #ThreatIntelligence #APT #NationState #Iran #Malware #Infy #PrinceOfPersia #InfoSec #CyberAttack #ThreatActor #TTPs

Iranian Infy APT Resurfaces with New Malware Activity After Years of Silence

Iranian APT Infy resurfaced after years of silence, using updated Foudre & Tonnerre malware, phishing delivery, resilient C2 infrastructure worldwide.

The Hacker News

DeepSec 2025 Talk: How To Breach: From Unconventional Initial Access Vectors To Modern Lateral Movement – Benjamin Floriani & Patrick Pongratz

https://blog.deepsec.net/deepsec-2025-talk-how-to-breach-from-unconventional-initial-access-vectors-to-modern-lateral-movement-benjamin-floriani-patrick-pongratz/

#Conference #DeepSec2025 #LowprofileAttackingTechniques #RedTeam #SVG #Talk #TTPs

DeepSec 2025 Talk: How To Breach: From Unconventional Initial Access Vectors To Modern Lateral Movement - Benjamin Floriani & Patrick Pongratz

The perpetual cat-and-mouse game between attackers and defenders has pushed offensive security operators to innovate. While enterprise security teams have become adept at identifying and blocking malicious Office documents, suspicious executables, and known phishing URLs, a significant blind spot often remains: the gray area of “benign” file formats that are implicitly trusted by both users and security tools. This talk will arm attendees with the knowledge to identify and leverage these blind spots in red team engagements. We will begin by exploring the strategic shift from noisy, high-volume attacks to stealthy, low-profile techniques designed to circumvent modern EDR, email gateways, and web proxies. We’ll discuss why certain file types and delivery mechanisms succeed where others fail, focusing on the technical elements that make them effective. This includes exploiting the browser’s rendering engine and abusing

DeepSec In-Depth Security Conference

Qilin highlights a subtle escalation: manual verification of exfil targets using benign Windows apps. Detection priorities:
• Monitor process launches of mspaint.exe & notepad.exe with non-interactive parent processes (e.g., psexec.exe, wmiexec).
• Alert on unusual SMB file open/read patterns (many large-file reads from non-service accounts).
• Watch for usage of Cyberduck or CLI S3/Backblaze clients from non-admin workstations and odd outbound TLS endpoints.
• Audit scheduled tasks (TVInstallRestore) and RUN-key changes; block lateral tools like PsExec or require ACLs.

Comment your favorite Sigma/EDR rule or follow TechNadu for weekly IOCs & remediation playbooks.

#TTPs #ThreatHunting #Ransomware #EDR #Sigma #IR #ThreatIntel #Qilin

Predatory Sparrow’s toolkit and chain-of-execution highlight destructive-sabotage best practices for defenders:
- Multi-stage batch scripts with hostname checks (avoid accidental collateral).
- Scheduled-task detonation (msrun.bat → 23:55) and NIC disable via PowerShell.
- Log wiping (wevtutil) and BCD/shadow-copy removal to prevent recovery.
- XOR-encrypted configs (msconf.conf), encrypted payloads, and precise target enumeration.

Detection & response suggestions: immutable offline backups, firmware-level integrity checks, EDR + OT anomaly telemetry correlation, and scheduled-task auditing. Discuss what telemetry you’d add to catch the staging phase - then follow @technadu for more IOCs and deep dives.

#ThreatIntel #Wiper #IR #EDR #OTSecurity #ICS #TTPs #InfoSec
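An added example, not code from either post above, that turns the Qilin detection priorities (benign viewers launched by a non-interactive parent) and the Predatory Sparrow staging steps (log wiping, shadow-copy removal, scheduled-task detonation, NIC disable) into one rule set run over constructed process-creation events; the parent-process set, the command-line markers and the host names are assumptions:

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class ProcEvent:
    host: str
    image: str    # process basename, lower-case
    parent: str   # parent-process basename, lower-case
    cmdline: str

# Assumed (not from the posts): parents implying a remote/non-interactive launch.
NON_INTERACTIVE_PARENTS = {"psexec.exe", "psexesvc.exe", "wmiprvse.exe", "services.exe"}
BENIGN_VIEWERS = {"mspaint.exe", "notepad.exe"}   # viewers Qilin used on exfil candidates
# Assumed command-line markers for the Predatory Sparrow staging steps listed above.
WIPER_STAGING = [
    ("wevtutil.exe", "cl "),                   # event-log wiping
    ("vssadmin.exe", "delete shadows"),        # shadow-copy removal
    ("schtasks.exe", "/create"),               # scheduled-task detonation
    ("powershell.exe", "disable-netadapter"),  # NIC disable via PowerShell
]

def classify(ev: ProcEvent) -> list:
    """Rule names that fire for one process-creation event."""
    hits = []
    if ev.image in BENIGN_VIEWERS and ev.parent in NON_INTERACTIVE_PARENTS:
        hits.append("viewer-from-noninteractive-parent")
    cmd = ev.cmdline.lower()
    for image, needle in WIPER_STAGING:
        if ev.image == image and needle in cmd:
            hits.append("wiper-staging:" + image)
    return hits

def score_hosts(events, chain_threshold=2):
    """Per host: >= chain_threshold distinct staging steps -> 'chain', else 'single'."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev.host].update(classify(ev))
    out = {}
    for host, rules in per_host.items():
        staging = sum(r.startswith("wiper-staging") for r in rules)
        out[host] = ("chain" if staging >= chain_threshold else "single", sorted(rules))
    return out
SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    ProcEvent("fs01", "notepad.exe", "psexec.exe", r"notepad.exe \\fs01\share\q3.xlsx"),
    ProcEvent("fs01", "notepad.exe", "explorer.exe", "notepad.exe notes.txt"),
    ProcEvent("hmi02", "wevtutil.exe", "cmd.exe", "wevtutil cl Security"),
    ProcEvent("hmi02", "vssadmin.exe", "cmd.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent("hmi02", "schtasks.exe", "cmd.exe", "schtasks /create /tn upd /tr msrun.bat /st 23:55"),
    ProcEvent("ws07", "wevtutil.exe", "cmd.exe", "wevtutil cl Application"),
]
```

The per-host aggregation is what separates a single admin clearing a log (ws07) from a host where several staging steps land together (hmi02), which is the phase the post asks what telemetry would catch.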

📢 The Royal Netherlands Army deploys hackers to the front line with the 101st CEMA Battalion
📝 According to nltimes.nl (13 September 2025), citing officials and De Telegraaf, the Royal Netherlands Army has off...
📖 cyberveille: https://cyberveille.ch/posts/2025-09-15-larmee-royale-neerlandaise-deploie-des-hackers-au-front-avec-le-101e-bataillon-cema/
🌐 source: https://nltimes.nl/2025/09/13/dutch-army-deploy-hackers-front-lines-gain-battlefield-advantage
#TTPs #Pays_Bas #Cyberveille

According to nltimes.nl (13 September 2025), citing officials and De Telegraaf, the Royal Netherlands Army has officially created the 101st CEMA Battalion at Stroe, merging electronic warfare and cyber operations companies in order to embed hackers as close as possible to combat units. Its operational scope covers disrupting enemy communications and detecting signals (experience gained notably in Afghanistan with armoured vehicles fitted with large antennas). Experiments in hacking connected devices (webcams, smart doorbells, robot vacuum cleaners) have made it possible to collect intelligence on buildings holding hostages. In the Ukrainian context, hackers can take control of drawbridges to block advances without destroying the infrastructure. 🧑‍💻📡

CyberVeille

🚨 The wait is over — the full program of briefings for the Honeynet Project Workshop 2025 in Prague is now live! 🎉

We’re proud to present an incredible lineup of speakers from across the globe, sharing cutting-edge work in cyber deception, honeypots, threat intelligence, and more. 🐝🌍

📍 NTK, Prague
🗓 June 2–4, 2025
👉 Register today: https://prague2025.honeynet.org/program/

#Honeynet2025 #cybersecurity #infosec #deception #cyberdeception #TI #TTPs #Malware

Conference Program

🎺 Training alert!

Join Federico Pacheco at #Honeynet2025 in Prague for a hands-on training on Translating Threats into Deception Strategies. This session walks you through a practical 4-phase approach to turning TTPs into deception activities — from behavior extraction to storytelling design.

🛠️ Learn how to extract behaviors, design scenarios, and align deception with real threats.
🪑 Limited seats available – don’t wait!
🔗 Register now: https://prague2025.honeynet.org

#CyberDeception #TTPs #TI

2025 Honeynet Project Workshop – Prague, Czech Republic

Join Georgy Kucherin at #Honeynet2025 in Prague as he unpacks a real-world campaign where attackers leveraged unpopular software to deceive analysts and spread a never-before-seen Python stealer. Expect live demos, open-source intel techniques, and deep insights into attacker tactics and threat hunting.

🗓️ June 2–4, 2025
🔗 https://prague2025.honeynet.org

#MalwareAnalysis #ThreatHunting #TI #TTPs

2025 Honeynet Project Workshop – Prague, Czech Republic

Our new report describes one of the latest observed infection chains (delivering #AsyncRAT) relying on the #Cloudflare tunnel infrastructure and the attacker’s #TTPs with a principal focus on detection opportunities.

https://blog.sekoia.io/detecting-multi-stage-infection-chains-madness/

Detecting Multi-Stage Infection Chains Madness

Learn about detecting multi-stage infection chains using Cloudflare tunnel infrastructures delivering RATs.

Sekoia.io Blog

Based on data from 15,000 companies, #ANYRUN's Q1 '25 Malware Trends Report offers insights into the most widespread #malware families, APTs, phishkits, #TTPs, and more 🚀

Save hours of research and improve your company's threat awareness https://any.run/cybersecurity-blog/malware-trends-q1-2025/?utm_source=twitter&utm_medium=post&utm_campaign=malware_trends_q1_25&utm_content=linktoblog&utm_term=160425

Malware Trends Report, Q1 2025: Get Your Copy - ANY.RUN's Cybersecurity Blog

Download the latest report on the current threat landscape based on the data from 15,000 organizations and SOC teams.

ANY.RUN's Cybersecurity Blog