ZZ Stealer
ZZ Stealer is an infostealer that appears in reporting on Iranian threat activity, most often in correlation with the state-sponsored actor Infy (also known as Prince of Persia). It has been described as part of an expanded toolkit that also included commodity malware such as Remcos RAT, Stealerium, and StormKitty. SafeBreach reported a two-stage attack in which ZZ Stealer loads a custom variant of the StormKitty infostealer. Separate reporting stated that ZZ Stealer was found in a malicious package targeting the Python Package Index (PyPI), and SafeBreach noted similarities between this activity and a 2024 open-source Python library compromise documented by Checkmarx.

The available reporting does not specify ZZ Stealer's full collection scope or persistence mechanisms. It is, however, explicitly characterized as an infostealer, linked to malicious-package delivery, and tied to the follow-on loading of customized StormKitty payloads. Its association with Iranian cyber activity rests on the reported correlation with Infy operations.
Groups observed using it
1 distinct threat actor attributed by public researchers.
The expanded toolkit in this phase incorporated commodity tools such as Remcos RAT, Stealerium, StormKitty, and ZZ Stealer...
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Commodity information stealer used by Infy during its broadened campaign phase.
An infostealer correlated with Infy activity and also observed distributed via a malicious PyPI package (software supply-chain delivery).
.NET first-stage infostealer/loader with anti-analysis checks; collects environment data, screenshots, and desktop files; exfiltrates to an HTTP PHP endpoint and can update itself. On command ("8==3"), it downloads and decrypts an encrypted second-stage payload (RC4 key "c0d3W1thMy8==3"), observed loading a fork/variant of StormKitty; older variants also delivered Metasploit payloads or StormKitty variants.
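The second-stage handling described above (an RC4-encrypted payload fetched on the "8==3" command and decrypted with the reported key) is the part an analyst most often has to reproduce when a sandbox or proxy capture contains the downloaded blob but not the decrypted stage. The helper below is an added example, not code from the page or from any of the cited reporting: a self-contained RC4 implementation, a `decrypt_second_stage` wrapper that uses the reported key "c0d3W1thMy8==3", and a `looks_like_pe` sanity check. The PE check is an assumption about what a correctly decrypted .NET stage should look like, and the sample "captured" ciphertext is constructed inline by encrypting a placeholder MZ stub with the same routine (RC4 is symmetric); it is not a real payload.

```python
"""RC4 decryption helper for a captured ZZ Stealer second-stage blob.

Added example, not code from the page or the cited reporting. The key is the
one reported for the second stage; everything else (sample data, PE check)
is constructed here for illustration.
"""
from __future__ import annotations

# Key reported for the RC4-encrypted second-stage payload.
REPORTED_RC4_KEY = b"c0d3W1thMy8==3"


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm: permute the identity table under the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm: XOR each byte with the keystream.
    out = bytearray(len(data))
    i = j = 0
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = byte ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Heuristic (assumption): a correctly decrypted .NET stage should start with an
    MZ header whose e_lfanew field points at a 'PE\\0\\0' signature inside the blob."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decrypt_second_stage(blob: bytes, key: bytes = REPORTED_RC4_KEY) -> tuple[bytes, bool]:
    """Decrypt a captured blob and report whether the result looks like a PE image."""
    plaintext = rc4(key, blob)
    return plaintext, looks_like_pe(plaintext)


def build_fake_stage(size: int = 0x100) -> bytes:
    """Constructed stand-in for a second stage: a minimal MZ stub with e_lfanew -> 'PE\\0\\0'.
    Not executable and not derived from any real sample."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    img[0x3C:0x40] = (0x80).to_bytes(4, "little")
    img[0x80:0x84] = b"PE\x00\x00"
    return bytes(img)


def demo() -> bool:
    """Encrypt the constructed stage with the reported key, then recover it."""
    fake_stage = build_fake_stage()
    captured = rc4(REPORTED_RC4_KEY, fake_stage)  # what a proxy or sandbox would record
    recovered, is_pe = decrypt_second_stage(captured)
    return recovered == fake_stage and is_pe


if __name__ == "__main__":
    print("decrypt ok:", demo())
```

Run it as a script for the round-trip demo. For a real capture, pass the downloaded response body to `decrypt_second_stage`; a `False` PE check is the signal that either the key differs for that variant or the capture boundaries (HTTP framing, trailing bytes) are off, and it is worth checking before spending time on the decrypted bytes.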