Foudre
Foudre is a custom first-stage malware family used by the Iranian threat actor Infy, also known as Prince of Persia. It has been active in campaigns observed since 2017 and remains in use in updated variants alongside Tonnerre, which it can download and execute as a second-stage implant for deeper espionage, surveillance, and data exfiltration. Foudre functions primarily as a lightweight downloader, reconnaissance tool, and victim profiler: it collects basic system information, maps victim identity, and helps operators decide whether a target is valuable enough to receive Tonnerre. Reporting describes it as a “scout” or triage implant, and notes that operators may remove it from lower-value victims while escalating selected targets.
Observed infection vectors include phishing emails, malicious or fake Microsoft Excel files, ZIP archives, and Excel documents containing embedded executables or self-extracting archives. In some campaigns, opening the lure dropped a self-extracting archive that silently installed the Foudre backdoor; examples include fake Excel lures and archives such as Notable Martyrs.zip. Recent reporting also states that Infy shifted some initial access to exploitation of a WinRAR vulnerability to extract newer related payloads into the Startup folder, though that reporting is tied more directly to the Tornado/Tonnerre evolution than to Foudre alone.
Foudre has evolved substantially over time. Recent variants include Foudre v34 and other active versions operating in parallel with different DGAs. The malware uses domain generation algorithms for command-and-control resilience, and reporting states that Foudre can generate candidate C2 domains and validate them using RSA signature verification, preventing easy sinkholing or impersonation of C2 infrastructure without the actor’s private key. Newer campaigns also leveraged Telegram-backed C2 infrastructure, and Infy was observed sustaining Foudre and Tonnerre operations with Telegram-based C2 targeting Iranian dissidents and regional government entities. SafeBreach reported at least three active Foudre/Tonnerre variants in parallel, with rotating C2 servers, new DGA domains, deletion of communication logs, redaction of victim IPs to 0.0.0.0 in exfiltration filenames, and selective victim handling.
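To make the sinkholing point concrete, the following is an added illustration (not Foudre's code and not derived from it) of the validation step the reporting describes: an implant trusts a DGA candidate only if the record served with it carries an RSA signature that verifies under the operator's embedded public key. The candidate domain names and the seed material are constructed values; Foudre's actual generation algorithm is not reproduced.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// candidates stands in for two consecutive DGA outputs (constructed values;
// Foudre's actual generation algorithm is not reproduced here).
var candidates = []string{"a1b2c3d4.example", "e5f6a7b8.example"}

// signDomain is the step only the private-key holder can perform: an RSA
// signature over the domain the implant should trust.
func signDomain(priv *rsa.PrivateKey, domain string) ([]byte, error) {
	d := sha256.Sum256([]byte(domain))
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
}

// implantAccepts mirrors the implant-side check: the embedded public key
// decides whether a resolved candidate plus the record served with it is genuine.
func implantAccepts(pub *rsa.PublicKey, domain string, sig []byte) bool {
	d := sha256.Sum256([]byte(domain))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

// runScenario plays both sides with a throwaway key pair: is the operator's
// signed domain accepted, and is a sinkhole holding no private key accepted?
func runScenario() (genuine, sinkhole bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	sig, err := signDomain(priv, candidates[0])
	if err != nil {
		return false, false, err
	}
	genuine = implantAccepts(&priv.PublicKey, candidates[0], sig)
	// The sinkhole can only replay a signature captured for a different name.
	sinkhole = implantAccepts(&priv.PublicKey, candidates[1], sig)
	return genuine, sinkhole, nil
}

func main() {
	g, s, err := runScenario()
	fmt.Println("operator accepted:", g, "sinkhole accepted:", s, "err:", err)
}
```

A sinkhole that pre-registers predicted candidates still observes the lookups and beacons, so it remains useful for victim counting, but without the private key it cannot be accepted as C2.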
Foudre has been associated with espionage targeting Iranian dissidents, journalists, diplomats, civil society, and regional government entities, with most victims reportedly in Iran and additional victims in Iraq, Turkey, India, Canada, and Europe. It has also appeared in layered Infy toolsets alongside Tonnerre, MaxPinner, Amaq News Finder, Deep Freeze, and Rugissement. High-confidence behavioural details stated directly in the underlying reporting include basic system profiling, staged delivery of Tonnerre, use of DGAs, RSA-based C2 validation, phishing and document-based delivery, and use in Telegram-enabled C2 ecosystems operated by Infy/Prince of Persia.
Vulnerabilities exploited
2 CVEs correlated with this family across public research and vendor advisories.
“Infy is also exploiting a zero-day vulnerability in WinRAR (CVE-2025-8088 or CVE-2025-6218) to deploy the Tornado payload.”
Groups observed using it
1 distinct threat actor attributed by public researchers.
Infy sustained Foudre and Tonnerre variant operations with Telegram-based C2 targeting Iranian dissidents.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Command and Control
2 techniques
“Finally, for command and control and exfiltration, Iranian-linked groups most commonly rely on application layer protocols (T1071), such as HTTP…”
“Prince of Persia… using a domain generation algorithm… multiple… variants of Foudre and Tonnerre using different DGA in parallel…”
Recent activity
14 sources tracked across advisories, community write-ups, and news.
Malware variant used by Infy with Telegram-based C2 targeting Iranian dissidents.
Malware variant used with Telegram-based command-and-control to target Iranian dissidents and regional government entities.
One of Infy’s core proprietary malware families used in its resurfaced espionage operations.
A named Infy-associated malware family referenced as being actively maintained/updated by the group.