In recent weeks we have seen a persistent and relatively discreet actor in Iranian cyberspace, known as Infy (also referred to as Prince of Persia), change the way it operates to better cover its tracks while rebuilding its command and control infrastructure. What is striking is not only the technical adjustment but its synchronization with the massive Internet blackout that the Iranian government imposed at the beginning of the month, a temporal coincidence that helps explain the state's hand behind these operations. For context, international media reported on this nationwide connectivity cut, which affected both citizens and the activity of local actors on the network (BBC).
Researchers at the firm SafeBreach documented that, for the first time, Infy took its C2 servers offline on January 8, a date that coincides with the start of the blackout. The silence was not indefinite: the group resumed activity at the end of January, deploying new domains and servers one day before the Internet restrictions inside Iran were lifted. This timing pattern is evidence that supports the hypothesis of state support for, or coordination with, this group, something security analysts have been tracking for years (SafeBreach report).

Infy is not a new threat: it has been operating since the early 2000s and has specialized in espionage and exfiltration campaigns aimed at specific individuals rather than mass operations. Its technical evolution in recent months deserves attention: the tools known as Foudre and Tonnerre have received constant updates, and the latest, a variant called Tornado, incorporates hybrid communication mechanisms that combine HTTP with the Telegram API to receive commands and exfiltrate data.
One of the most sophisticated developments is how the actor generates and resolves domain names for its command and control servers. Tornado uses two methods: a Domain Generation Algorithm (DGA) to produce dynamic names and, in addition, a mechanism that retrieves "fixed" names from data stored on a blockchain, a technique that allows the C2 infrastructure to change without changing the malware code. This flexibility complicates the defenders' work because it reduces reliance on traditional domain records and increases the resilience of the attacker's network (SafeBreach).
In parallel, the operators exploited a one-day vulnerability in WinRAR to distribute a specially crafted RAR file that, once opened on the victim machine, drops a self-extracting (SFX) archive containing the Tornado backdoor core, among other components. That installer checks for the presence of certain antivirus products and, if a specific one is not detected, creates a scheduled task to achieve persistence and launches the DLL that acts as the backdoor. The use of this delivery vector shows a clear intention to raise compromise rates by abusing software that is widely installed in desktop environments.
A curious piece of the puzzle is the reliance on Telegram as a control channel. In previous versions, Tonnerre and Tornado relied on a bot and a private group to send and receive instructions without the bot having permission to read the group's conversations, suggesting a deliberate use of the platform's limitations to hide telemetry. Researchers managed to extract messages from that private group and, with them, recovered exfiltrated files and commands, which allowed the reconstruction of attack chains and the attribution of certain payloads to the actor. To better understand how attackers use Telegram bots for criminal purposes, see Forcepoint's analysis of the abuse of that platform (Forcepoint) as well as analytical work on how response teams have been able to recover content from these channels (Checkmarx).
Among the artifacts detected is ZZ Stealer, an infostealer that acts as the first stage: it collects data from the environment, takes screenshots and exfiltrates desktop files, and, upon a specific command, downloads and runs a second, more powerful stage. Part of the exfiltrated material and the infrastructure observed have a technical relationship with known malware variants such as StormKitty, whose code and variants can be reviewed publicly in analysis repositories and open source projects (StormKitty on GitHub), and a relationship has been observed with package repository campaigns (PyPI) that used malicious package names to spread a ZZ Stealer installer, a form of supply chain attack aimed at developers and automated systems.
On attribution, there are technical signs that point to links between Infy and other Iranian operations, although some correlations are weaker than others. For example, the use of ZIP files, Windows shortcut (LNK) files and certain PowerShell routines recalls tactics observed in actors such as Charming Kitten, but a convergence of tools does not amount to a single identity: in cyberspace, techniques are replicated and adapted.

What lessons should defensive teams draw? First, the need to monitor non-conventional C2 channels, such as messaging services that expose public APIs. Traditional defences focused only on IP blocking or domain filtering are insufficient when the adversary blends DGA, blockchain-stored data and messaging platforms. Second, protection against compressed-file vectors remains critical: keeping decompression software up to date and implementing policies that prevent the automatic execution of SFX archives and other executables contained in downloaded files reduces risk. Finally, detecting abnormal behaviours, such as the creation of scheduled tasks, unusual DLL loads, HTTP traffic to newly registered domains, or communications to the Telegram API from processes that should not make them, offers valuable early signals to block these attacks.
Technical reports and data sets shared by firms such as SafeBreach, and complementary analyses available in the community, are essential resources for understanding the anatomy of these campaigns and for updating rules and detections. Those who want to go deeper into the research mentioned above can read SafeBreach's report on Infy (SafeBreach), Checkmarx's analysis of the extraction of data from private channels and of the PyPI campaigns (Checkmarx), and Forcepoint's documentation on the abuse of Telegram bots (Forcepoint), in addition to public material on related infostealer families (StormKitty).
In short, the evolution of Infy is a reminder that state-supported groups combine technical sophistication, knowledge of public platforms and political synchronization to maximize impact and persistence. Defending against them requires not only technology but up-to-date intelligence, collaboration between response teams and organizational policies that reduce the attack surface exposed to these increasingly discreet and adaptive tactics.
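The four early-warning behaviours listed above can be turned into simple correlation rules. The following is an added example written for this article, not code from SafeBreach or any of the cited reports: it runs over a handful of constructed, Sysmon-style events and flags scheduled-task creation, DLL loads from user-writable paths (an assumed heuristic for "unusual DLL loads"), Telegram API traffic from processes outside a hypothetical allowlist, and HTTP to domains registered within an assumed 30-day window (the registration dates are a constructed stand-in for a WHOIS/RDAP lookup).

```python
from datetime import datetime, timedelta

# Hypothetical allowlist of processes expected to reach the Telegram Bot API.
TELEGRAM_ALLOWED = {"telegram.exe"}
# Constructed stand-in for a WHOIS/RDAP lookup: domain -> registration date.
DOMAIN_REGISTERED = {
    "example-update.test": datetime(2026, 1, 30),
    "cdn.example.com": datetime(2015, 6, 1),
}
NRD_WINDOW = timedelta(days=30)  # assumed "newly registered" threshold
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")

def check_event(ev, now):
    """Return the names of the rules this single event triggers (possibly none)."""
    hits = []
    image = ev["image"].lower()
    if ev["type"] == "process" and "schtasks" in image and "/create" in ev["cmdline"].lower():
        hits.append("scheduled_task_created")
    if ev["type"] == "image_load":
        dll = ev["dll"].lower()
        if dll.endswith(".dll") and any(p in dll for p in USER_WRITABLE):
            hits.append("dll_from_user_writable_path")
    if ev["type"] == "network":
        host = ev["dest_host"].lower()
        if host == "api.telegram.org" and image not in TELEGRAM_ALLOWED:
            hits.append("telegram_api_from_unexpected_process")
        registered = DOMAIN_REGISTERED.get(host)
        if registered is not None and now - registered <= NRD_WINDOW:
            hits.append("http_to_newly_registered_domain")
    return hits

def analyze(events, now):
    """Map each triggered rule to the process images that triggered it."""
    alerts = {}
    for ev in events:
        for rule in check_event(ev, now):
            alerts.setdefault(rule, []).append(ev["image"])
    return alerts

# Constructed sample telemetry (Sysmon-like fields); not real logs.
SAMPLE_EVENTS = [
    {"type": "process", "image": "schtasks.exe",
     "cmdline": "schtasks /create /tn Updater /tr C:\\Users\\u\\AppData\\Roaming\\updater.exe"},
    {"type": "image_load", "image": "rundll32.exe", "dll": "C:\\Users\\u\\AppData\\Roaming\\core.dll"},
    {"type": "network", "image": "rundll32.exe", "dest_host": "api.telegram.org"},
    {"type": "network", "image": "telegram.exe", "dest_host": "api.telegram.org"},
    {"type": "network", "image": "chrome.exe", "dest_host": "cdn.example.com"},
    {"type": "network", "image": "rundll32.exe", "dest_host": "example-update.test"},
]

def demo():
    """Evaluate the constructed events as of a fixed date so results are reproducible."""
    return analyze(SAMPLE_EVENTS, datetime(2026, 2, 10))

if __name__ == "__main__":
    for rule, images in demo().items():
        print(f"{rule}: {', '.join(images)}")
```

In a real deployment the allowlist, the user-writable path list and the registration lookup would come from the organisation's baseline and a WHOIS/RDAP source rather than the constants above.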