Security News > 2021 > February > Old Iranian Spying Operation Resumes After Long Break
Following a two-year downtime, an Iran-linked cyberespionage operation has recommenced with new second-stage malware and with an updated variant of the Infy malware, according to joint research conducted by cybersecurity firms SafeBreach and Check Point.
Evidence suggests the operation started as early as 2007 - it was one of the earliest Iranian campaigns discovered - but it was initially detailed in 2016, while the next year it also involved the use of a piece of malware called Foudre, which by 2018 had already been updated eight times.
Following a quiet period, the operation recommenced during the first half of 2020, with new versions of Foudre and new lure documents that were designed to execute the malicious code when closed.
Once executed, Foudre connects to the command and control server and fetches a new piece of malware, called Tonnerre.
The malware uses a DGA to connect to the C&C, which it then uses to store data about the victim, steal files, download updates, and get an additional C&C. Tonnerre uses both HTTP and FTP to communicate with the C&C server.
Check Point last week reported that more than 1,200 Iranian citizens had been targeted in extensive cyber-surveillance operations backed by the Iranian government.