Tonnerre
Tonnerre is a custom second-stage espionage implant used by the Iranian threat actor Infy, also known as Prince of Persia. It is deployed after the Foudre downloader/profiler identifies a victim as high value, and is used for surveillance and data exfiltration from selected machines. Reporting describes Tonnerre as the heavier, more capable component of the Foudre/Tonnerre toolset, with multiple variants operating in parallel, including versions 12-18, 17, 50, and 51 (the latter also referred to as Tornado in some reporting).
Recent Tonnerre variants have evolved from older FTP-based exfiltration to Telegram-enabled command and control and data theft. Tonnerre v50 was observed in September 2025 and reportedly redirects victims to a Telegram group and bot, likely replacing older FTP-based exfiltration. The malware can use the Telegram API to send commands and retrieve victim data, and Telegram-based C2 is enabled only for select victims. SafeBreach reporting identified a Telegram group named "سرافراز" associated with this activity, with artifacts including a bot account and the user @ehsan8999100, and noted that Telegram group information was stored in a server-side file named tga.adr accessible only to specific victim GUIDs.
Tonnerre uses resilient C2 mechanisms. Multiple reports state that Infy runs at least three active Tonnerre variants in parallel using different DGAs. Tonnerre v17 uses the same DGA algorithm as Foudre v34 but with a different key prefix, FTS1. Broader reporting also states that Foudre and Tonnerre validate C2 domains using RSA signature files and public key cryptography, making sinkholing or C2 impersonation more difficult. Newer Tornado/Tonnerre variants reportedly support dual C2 over HTTP and Telegram, and one report states Tornado v51 also uses fixed names derived through blockchain-based domain deobfuscation in addition to a new DGA.
Observed infection chains place Tonnerre behind Foudre. Foudre is distributed via phishing emails and malicious Excel documents; more recent campaigns shifted from macro-laced Excel files to documents with embedded executables or self-extracting archives. Reporting also states that the actor shifted initial access toward exploiting a WinRAR vulnerability, identified in sources as CVE-2025-8088 or CVE-2025-6218, to extract newer Tornado/Tonnerre-related payloads into the Windows Startup folder. Tonnerre has been associated with espionage campaigns targeting Iranian dissidents and regional government entities, with victims primarily in Iran and additional victims reported in Iraq, Turkey, India, Canada, and Europe.
Tonnerre is part of a broader Infy malware ecosystem that includes Foudre, MaxPinner, Amaq News Finder, Deep Freeze, and Rugissement. MaxPinner is described as a Telegram-focused spying trojan used in related campaigns. Operational reporting indicates Infy frequently rotates C2 servers, migrates valuable victims, deletes malware from low-value systems, and uses Telegram-based C2 to bypass defenses and adapt to Iranian internet restrictions. High-confidence infrastructure and operational details directly tied to Tonnerre in the reporting include Tonnerre v50/v51, Tonnerre v17, the FTS1 DGA prefix for v17, Telegram group "سرافراز," the user @ehsan8999100, and the tga.adr server-side artifact.
Vulnerabilities exploited
“Infy is also exploiting a zero-day vulnerability in WinRAR (CVE-2025-8088 or CVE-2025-6218) to deploy the Tornado payload.”
Groups observed using it
Infy sustained Foudre and Tonnerre variant operations with Telegram-based C2 targeting Iranian dissidents.
Techniques & procedures
Command and Control
“Finally, for command and control and exfiltration, Iranian-linked groups most commonly rely on application layer protocols (T1071), such as HTTP”
“Prince of Persia… using a domain generation algorithm… multiple… variants of Foudre and Tonnerre using different DGA in parallel…”
Recent activity
Malware variant used by Infy with Telegram-based C2 targeting Iranian dissidents.
Malware variant used with Telegram-based command-and-control to target Iranian dissidents and regional government entities.
Core Infy malware family used in renewed state-sponsored operations.
A named Infy-associated malware family referenced as being actively maintained/updated by the group.