Iranian Wolves Took A Nap, Woke Up Cranky, And Now They're At The Fence Again

Oh good. They're back. I was really enjoying that brief window where the Infy wolves were offline because their entire country's internet went dark. I had almost started to feel something. Hope, maybe. Or that might have been the coffee finally working.

Anyway, that's over now.

For the uninitiated, the Infy crew is a persistent, state-linked pack of wolves that has been sniffing around various pastures for years. The Iranian internet blackout knocked them offline for a bit. But like a bad patch that never actually applied, they came right back.

And they came back with upgrades. Fantastic.

They're now running fresh command-and-control servers, which is just a fancy way of saying they built new dens to coordinate their attacks from. They're also using Telegram as part of their C2 infrastructure. Yes, Telegram. The app at least three of your Lambs definitely have on their work devices right now for "personal use." Go ahead and check. I'll wait.

The malware they're deploying is called Tornado, which honestly sounds like something a Shepherd would name a startup. It's not cute. It's a parasite, burrowing in and phoning home through channels that look like normal traffic. They're also exploiting old WinRAR vulnerabilities, which means somewhere in your flock, someone has not sheared their software in what I can only assume is geological time.

A WinRAR exploit. In this economy.

The delivery method is almost certainly some variation of fake grain. A lure document, a suspicious attachment, something that looked just official enough that a Lamb clicked it without a second of hesitation. They never hesitate. That's the thing. The wolves plan for weeks and the Lamb takes three seconds to undo all of it.

I'm fine. I'm totally fine.

Remediation

Look, here's what you do, and I'm only explaining this once because I have seventeen tickets open.

Block Telegram at the Electric Fence if your flock has no legitimate business reason for it, and they don't.

Shear your WinRAR installations immediately. Patch it, update it, or rip it out entirely. There is no version of "we'll get to it" that ends well here.

Hunt for any traffic talking to new or unrecognized external servers. The wolves built fresh dens, which means fresh infrastructure that your threat intel might not have flagged yet. Look for it anyway.
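One way to do both of the above, the Telegram check and the hunt for fresh dens, with a script rather than eyeballs. This is an added example, not part of the original post or anything the report describes; the log lines, the internal hosts and the baseline of "seen before" destinations are constructed sample data, and the Telegram domain list is the only real-world input it carries.

```python
"""
Added example (not from the original post): a small hunt over constructed
proxy/firewall log lines that flags (a) any traffic to Telegram endpoints and
(b) external destinations not present in a baseline of hosts seen before.
TELEGRAM_DOMAINS holds real Telegram domains; every log line, internal
address and baseline entry below is constructed sample data.
"""
import ipaddress
import re
from collections import defaultdict

# Real Telegram domains seen in client and Bot API traffic (subdomains matched too).
TELEGRAM_DOMAINS = ("telegram.org", "telegram.me", "t.me")

# Constructed baseline: external destinations the flock has talked to in the past.
BASELINE = {"update.microsoft.com", "api.github.com", "mail.example-corp.com"}

# Constructed proxy log: timestamp, source IP, destination host, port, bytes out.
SAMPLE_LOG = """\
2026-02-10T08:01:12Z 10.0.4.21 update.microsoft.com 443 5120
2026-02-10T08:02:40Z 10.0.4.37 api.telegram.org 443 2048
2026-02-10T08:03:05Z 10.0.4.21 api.github.com 443 11000
2026-02-10T08:04:51Z 10.0.4.58 cdn-assets.example-new.net 443 98000
2026-02-10T08:05:02Z 10.0.4.58 cdn-assets.example-new.net 443 102400
2026-02-10T08:06:19Z 10.0.4.37 t.me 443 512
2026-02-10T08:07:00Z 10.0.4.90 10.0.0.5 445 3000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")


def is_telegram(host: str) -> bool:
    """True if host is a Telegram domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TELEGRAM_DOMAINS)


def is_external(host: str) -> bool:
    """Private/loopback IP literals are internal; hostnames are treated as external."""
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:
        return True  # not an IP literal, so it is a hostname: assume external


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, nbytes = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}


def hunt(log_text: str, baseline: set) -> dict:
    """Return Telegram hits and first-seen external destinations with byte totals."""
    telegram_hits = []
    new_dest = defaultdict(lambda: {"sources": set(), "bytes": 0, "first_seen": None})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not is_external(rec["dst"]):
            continue  # skip unparseable lines and internal (east-west) traffic
        if is_telegram(rec["dst"]):
            telegram_hits.append((rec["src"], rec["dst"]))
        if rec["dst"] not in baseline:
            entry = new_dest[rec["dst"]]
            entry["sources"].add(rec["src"])
            entry["bytes"] += rec["bytes"]
            entry["first_seen"] = entry["first_seen"] or rec["ts"]
    return {"telegram": telegram_hits, "new_destinations": dict(new_dest)}


if __name__ == "__main__":
    findings = hunt(SAMPLE_LOG, BASELINE)
    for src, dst in findings["telegram"]:
        print(f"TELEGRAM  {src} -> {dst}")
    for dst, info in findings["new_destinations"].items():
        print(f"NEW DEST  {dst} first seen {info['first_seen']} "
              f"from {sorted(info['sources'])}, {info['bytes']} bytes out")
```

In real use the baseline comes from weeks of your own proxy or firewall history, not a hand-typed set, and the "new destination" list is a hunt queue to work through (who talked to it, how much went out, does it match the fresh infrastructure in the report), not an alert feed. The Telegram match is the easy part; the point of the baseline diff is to catch the dens your threat intel has not named yet.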

And please, for the love of all things holy, run another phishing simulation on the Lambs. They failed the last one. They'll fail this one too. But at least you'll have documentation when the Shepherds ask how this happened.

Staying grumpy so you don't have to.


Original Report: https://thehackernews.com/2026/02/infy-hackers-resume-operations-with-new.html