CyberWire Daily – Research Saturday
Episode: "Telegram for the throne."
Date: February 21, 2026
Host: Dave Bittner (A)
Guest: Tomer Bar (B), VP of Security Research at SafeBreach Labs
Topic: "Prince of Persia – A Decade of Iranian Nation State APT Campaign Activity under the Microscope"
Episode Overview
This episode explores over a decade of persistent cyber-espionage attributed to an Iranian nation-state group, detailed in SafeBreach Labs’ report "Prince of Persia." Tomer Bar, the report’s lead researcher, joins Dave Bittner to unpack the group’s advanced tactics, how it navigates evasion and persistence, and the dangers it poses to dissidents and opposition groups—most notably through the targeting of encrypted Telegram communications via sophisticated malware families.
Key Discussion Points & Insights
The Threat Group’s Longevity and Objectives
- Persistence & Activity:
- The group has been active since 2007, remarkably maintaining similar tools and strategies over nearly 20 years.
- Quote: “It's very rare for a threat actor to be fully active for 20 years with almost the same tools and arsenal.” (01:23, B)
- Despite apparent dormancy at times, the group is likely continuously active, learning from past mistakes and improving operations security.
- Quote: “They learn a lot from previous mistakes and takedowns … every time, they came back with a new and better arsenal.” (04:05, B)
- Targeting Focus:
- The Iranian-linked group primarily targets individuals and entities considered antagonistic to the Islamic Republic—particularly dissidents—aiming for surveillance and intelligence gathering.
- Encrypted messaging platforms like Telegram are explicitly targeted; malware can intercept communications once endpoints are infected, bypassing encryption protections.
- Quote: “If those people communicate through Telegram … they have a specific malware that targets Telegram traffic.” (02:39, B)
Tactics, Infrastructure & Evasion
- Sophistication and Adaptation:
- Early C2 (command and control) operations embedded static URLs in malware, but post-2016 takedowns prompted significant upgrades.
- The group adopted DGAs (domain generation algorithms) to rotate C2 domains, complicating researcher and law enforcement disruption.
- Quote: “They use a concept called DGA … they can calculate 100 different domain names … and it changes every week.” (06:55, B)
- Additional C2 server verification checks require the correct private key for trust, thwarting researchers attempting sinkholes or takedowns.
- Quote: “Only if I have in my possession the private key … then the malware trusts the command and control server. If not, it will continue to the next server from the list.” (07:52, B)
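A defender-side worked example of the DGA point above (added here; it is not code from the episode or from SafeBreach Labs). The generator is a hypothetical stand-in, since the page does not give the real algorithm; what it shows is the workflow of pre-computing the current week's candidate set and matching it against DNS query logs. Because the malware authenticates the C2 with a signature, registering these domains as a sinkhole does not intercept the traffic, but matching queries against the set still surfaces infected hosts.

```python
"""DGA-aware DNS log triage. The DGA below is HYPOTHETICAL (constructed for this
example); the real algorithm is not described on the page."""
import hashlib
import re
from datetime import date

TLDS = ("com", "net", "org")  # hypothetical TLD rotation


def week_key(day: date) -> str:
    """Period key (ISO year-week), so the candidate set rotates weekly as described."""
    iso = day.isocalendar()
    return f"{iso[0]}-{iso[1]:02d}"


def generate_domains(day: date, count: int = 100, seed: str = "example-seed") -> list[str]:
    """Hypothetical DGA: derive `count` domains from a shared seed and the week key."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{week_key(day)}:{i}".encode()).hexdigest()
        domains.append(f"{digest[:12]}.{TLDS[i % len(TLDS)]}")
    return domains


# Constructed log format: "<timestamp> <client-ip> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\d+\.\d+\.\d+\.\d+) query (?P<qname>[\w.-]+)$")


def find_dga_hits(log_lines, day: date):
    """Return (client, qname) pairs whose query is in this week's candidate set."""
    wanted = set(generate_domains(day))
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        qname = m.group("qname").lower().rstrip(".")
        if qname in wanted:
            hits.append((m.group("client"), qname))
    return hits


DAY = date(2026, 2, 21)  # detection period: the week of the episode date
SAMPLE_LOG = [  # constructed sample DNS query log
    f"2026-02-21T09:00:01Z 10.0.0.5 query {generate_domains(DAY)[3]}",
    "2026-02-21T09:00:02Z 10.0.0.5 query www.example.com",
    f"2026-02-21T09:00:03Z 10.0.0.9 query {generate_domains(date(2026, 2, 10))[3]}",  # last week's set
    "garbage line",
]

if __name__ == "__main__":
    for client, qname in find_dga_hits(SAMPLE_LOG, DAY):
        print(f"{client} queried DGA candidate {qname}")
```

Only the first log line is flagged: the query from the previous week's set no longer matches, which is why the candidate list must be regenerated for each period.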
Malware Arsenal & Attack Chains
Main Malware Families and Social Engineering Tactics
- Multi-stage Attack Chain:
- Phishing Emails & Weaponized Documents:
- Attacks often start with phishing emails carrying Office documents with malicious macros.
- Initial Access & Reconnaissance (“Foudre”):
- The first-stage malware, named “Foudre” (French for “lightning”), masquerades as French software to conduct basic system reconnaissance and log keystrokes.
- Quote: “[It] first gather[s] information that can classify if this machine belongs to the targeted victim that they expected to target... and also installed a keystroke logger.” (12:10, B)
- Full-featured Surveillance (“Tonnerre”):
- If the victim proves valuable, “Tonnerre” (“thunder”) is deployed for comprehensive espionage: harvesting files, taking screenshots every five minutes, capturing the microphone, and executing commands in real time.
- Quote: “… they can enable [a] model that will allow them to capture the microphone so they can listen to what is speaking in the room … that is infected.” (14:03, B)
- Alternate Attack Paths:
- Trojanized Programs:
- Fake or malicious installers for legitimate utilities, such as Deep Freeze, and fake news apps (e.g., “Amaq News,” an ISIS-linked news outlet) trick victims into infecting themselves.
- Purpose-built “news finder software” targets victims interested in specific geopolitical news.
- Quote: “They developed from scratch a program masquerading as a news software … once you use this software, you were also infected…” (15:46, B)
Attribution Evidence and Confidence
- Linguistic and Technical Clues:
- Persian language elements and user handles in infrastructure.
- Geographic Control:
- Post-2016, Iran’s government performed DNS changes to restore access to victims within its borders—proving privileged access only the state could possess.
- Quote: “The only one who have access to this network, the DNS servers in Iran, are the Iranian government.” (17:37, B)
- Broader Consensus:
- SafeBreach Labs’ attribution aligns with previous independent research on the group.
Defensive Recommendations for Organizations & Individuals
- Indicators of Compromise:
- SafeBreach Labs published IOCs to aid detection.
- Practical Steps:
- Search enterprise environments using shared IOCs.
- Individuals can upload suspicious files to VirusTotal.
- Promote awareness: Be skeptical of email links and attachments from unknown sources.
- Maintain up-to-date antivirus and operating systems.
- Quote: “It all starts from awareness. … Don’t click on links that [are] unknown or suspicious. … Make sure your antivirus is installed and up to date and you’re using the latest operating system versions.” (19:13, B)
Notable Quotes
- “It's very rare for a threat actor to be fully active for 20 years with almost the same tools and arsenal.” (01:23, B)
- “Once I have at least one thing which is an anchor, I regain visibility into their military activity. Until the next time.” (01:50, B)
- “They use a concept called DGA … they can calculate 100 different domain names for the command and control servers and it change[s] every week…” (06:55, B)
- “The thunder comes after the lightning in nature and also in this attack. And this is a full surveillance tool. … It include[s] very sophisticated capabilities…” (13:34, B)
- “The only one who have access to this network, the DNS servers in Iran, are the Iranian government.” (17:37, B)
- “It all starts from awareness. … Don’t click on links that [are] unknown or suspicious. … Make sure your antivirus is installed and up to date…” (19:13, B)
Key Timestamps
- Introduction & Threat Group Overview: 01:23–02:39
- Group Persistence and Tactics: 03:53–05:16
- C2 Infrastructure and Evasion: 05:26–08:52
- Malware Families & Attack Chain: 11:30–16:59
- Attribution and Confidence: 16:59–18:34
- Defensive Recommendations: 18:34–20:35
Summary
This episode delivers an in-depth look at a prominent Iranian cyber-espionage APT group’s advanced, adaptive operations over nearly two decades, pinpointing how it sidesteps detection, innovates post-takedown, and employs sophisticated multi-stage malware for intelligence gathering. Listeners gain clear insights into both the hazards for opposition groups and actionable tips for defending against similar threats.