Infy Hackers Relaunch Cyberattacks Using New C2 Servers After Iran Blackout

In the wake of a major communications disruption in Iran, threat researchers have observed the Infy hacking group resurfacing with renewed activity—this time leaning on a refreshed command-and-control (C2) infrastructure to regain operational momentum. The group’s rapid pivot highlights a recurring pattern in modern cyber operations: when internet access is unstable or state networks clamp down, well-resourced actors adapt quickly by rotating servers, changing domains, and retooling malware delivery methods.

This post breaks down what’s happening, why C2 infrastructure matters, how the Infy group typically operates, and what organizations should do to harden defenses against similar campaigns.

What Happened: A Return to Activity After the Blackout

Iran has periodically experienced regional or nationwide internet disruptions, sometimes described as blackouts, driven by political events, public safety incidents, or infrastructure problems. These disruptions can interrupt threat-actor operations that rely on stable connectivity, particularly those that depend on persistent C2 communications to control infected machines, exfiltrate data, or deploy additional payloads.

Following the latest disruption, researchers report that Infy-associated operators re-established their C2 presence using newly provisioned servers. In practice, that means compromised systems that had lost contact with prior C2 endpoints may be reactivated once malware updates its configuration or once victims are newly compromised via refreshed phishing and delivery channels.

Why a New C2 Matters

C2 servers function as the home base for many targeted cyber campaigns. They allow attackers to:

  • Send commands to infected machines (run scripts, move laterally, deploy tools)
  • Receive stolen information (credentials, files, browser data, screenshots)
  • Maintain persistence and update malware configurations
  • Coordinate multi-stage attacks without redeploying from scratch

When a C2 domain or server is identified and taken down—or becomes unreachable because of network disruptions—attackers often respond by rotating infrastructure. This can include new IP addresses, new hosting providers, new domains, or new redirector layers intended to obscure the true controller.

Who Are the Infy Hackers?

Infy is the name often used to describe a long-running cluster of activity linked in public reporting to targeted espionage-style operations. While different reports may vary in attribution confidence, the broader pattern remains consistent: these actors tend to use phishing-based initial access, followed by malware families and tooling designed to collect information and maintain long-term access.

Infy campaigns historically have shown interest in regional targets and strategic intelligence collection. As with many advanced threat clusters, the group’s tactics can shift depending on the environment—especially when network conditions change.

Common Traits Seen in Similar Campaigns

Although each wave can differ, threat analysts frequently observe recurring tradecraft in groups like Infy:

  • Social engineering via email, messaging apps, or fake login pages
  • Payload staging (small downloader first, then larger toolset later)
  • Redundant C2 paths using multiple domains and fallback servers
  • Operational security (OPSEC) steps such as domain rotation and short-lived infrastructure

The relaunch described here aligns with a broader industry trend: adversaries treat infrastructure as disposable, and resilient groups assume that some servers will be blocked, sinkholed, or lost.

How C2 Rotation Works After a Disruption

A blackout—or any large-scale network instability—can break the attacker’s ability to interact with victims. But it also forces defenders and researchers to re-check assumptions: old indicators of compromise (IOCs) may become stale quickly when that infrastructure is replaced.

Here are a few ways attackers typically come back online with new C2 after a disruption:

1) New Domains and Fast Infrastructure Provisioning

Attackers can register new domains quickly, often behind WHOIS privacy services, and spin up servers on commodity hosting platforms within hours. Some campaigns rely on domain generation algorithms (DGAs) or frequently updated remote configurations so that already-compromised machines can locate the latest C2 without a new payload.

2) Redirectors and Layered Routing

Rather than exposing the true C2 server directly, operators may place redirector servers in front. This helps them:

  • Change the backend C2 without changing the public-facing endpoint
  • Filter who can reach the real C2 (only infected hosts)
  • Reduce the risk of takedowns by isolating critical infrastructure

3) Repacking Malware or Updating Configuration

If defenders have signatures for a specific binary, attackers may recompile or “repack” it. Even minor changes can alter file hashes and complicate detection that relies only on static indicators. In some cases, malware can pull a remote configuration that includes the current C2 list—meaning the actor only needs to update a server-side file rather than redeploy a new payload.

Why This Matters for Defenders and Organizations

The key lesson from Infy’s apparent resurgence is not simply that a single group has returned—it’s that disruptions do not end campaigns. They often cause a temporary pause followed by a retooling period, after which operations resume with improved stealth.

For organizations, especially those with users or operations connected to regions experiencing instability, the risk profile can shift quickly:

  • Threat actors may exploit confusion during outages with time-sensitive lures
  • Security monitoring gaps can occur if logging or telemetry is affected
  • Incident response timelines may lengthen when connectivity is unreliable

Indicators, Detection, and Practical Defensive Steps

Because new C2 infrastructure can change rapidly, focusing solely on blocking known domains is not enough. A stronger approach is to combine behavioral detection, hardened identity controls, and endpoint visibility.

Improve Email and Phishing Resistance

  • Publish SPF and DKIM, and enforce DMARC (p=quarantine or p=reject rather than p=none) so spoofed messages are rejected, not merely reported
  • Use attachment sandboxing and link detonation for inbound messages
  • Train users to verify unexpected urgent requests, especially during disruptions

Harden Identity and Access

  • Require multi-factor authentication (MFA) (prefer phishing-resistant methods where possible)
  • Monitor for suspicious logins (impossible travel, new devices, unusual IP ranges)
  • Apply least privilege and review access to sensitive mailboxes and shared drives

Strengthen Endpoint Detection and Response (EDR)

  • Alert on suspicious process chains (Office/Browser → script engine → network beaconing)
  • Detect credential dumping attempts and LSASS access anomalies
  • Watch for persistence mechanisms (scheduled tasks, registry run keys, services)
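The first EDR bullet above, the Office/browser to script engine to network chain, can be expressed as a simple ancestry walk over process telemetry. The block below is an added example written for this post, not code from the original article or from any EDR vendor; the event field names (`pid`, `ppid`, `image`, `net`) and the sample events are constructed assumptions, and you would map them to whatever your endpoint agent actually emits.

```python
"""Flag script engines that reach the network from under an Office or browser process.

Added example, not code from the original post. Event records and field
names are constructed assumptions; map them to your EDR's schema.
"""

# Processes that receive lures and should rarely spawn script hosts.
LURE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                "chrome.exe", "msedge.exe", "firefox.exe"}

# Script engines and LOLBins commonly used for first-stage execution.
SCRIPT_ENGINES = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sample telemetry: one malicious-looking chain
# (winword -> cmd -> powershell with network) and two benign ones.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "net": False},
    {"pid": 200, "ppid": 100, "image": "winword.exe",    "net": False},
    {"pid": 300, "ppid": 200, "image": "cmd.exe",        "net": False},
    {"pid": 400, "ppid": 300, "image": "powershell.exe", "net": True},
    {"pid": 500, "ppid": 100, "image": "chrome.exe",     "net": True},   # browser itself
    {"pid": 600, "ppid": 100, "image": "powershell.exe", "net": True},   # admin shell, no lure parent
]


def build_ancestry(events):
    """Map each pid to its process chain, child first, root last."""
    by_pid = {e["pid"]: e for e in events}

    def chain(pid):
        seen, out = set(), []
        # Guard against pid reuse loops in real telemetry.
        while pid in by_pid and pid not in seen:
            seen.add(pid)
            out.append(by_pid[pid]["image"].lower())
            pid = by_pid[pid]["ppid"]
        return out

    return {e["pid"]: chain(e["pid"]) for e in events}


def find_suspicious_chains(events):
    """Return (pid, chain) for network-active script engines descended from a lure parent."""
    ancestry = build_ancestry(events)
    hits = []
    for e in events:
        if not e["net"]:
            continue
        chain = ancestry[e["pid"]]
        # The process talking to the network must itself be a script engine, and
        # somewhere above it must sit an Office/browser process that opened the lure.
        if chain[0] in SCRIPT_ENGINES and any(a in LURE_PARENTS for a in chain[1:]):
            hits.append((e["pid"], " <- ".join(chain)))
    return hits


if __name__ == "__main__":
    for pid, chain in find_suspicious_chains(EVENTS):
        print(f"ALERT pid={pid}: {chain}")
```

The intermediate `cmd.exe` hop is deliberately tolerated: the rule keys on the first process in the chain being a script engine and any ancestor being a lure parent, so attackers cannot evade it simply by inserting a shell between the document and the beaconing process.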

Monitor Network Behavior Instead of Only IOCs

Even when C2 IPs rotate, the underlying behaviors often remain detectable. Consider:

  • Analyzing beaconing patterns (regular intervals, small outbound requests)
  • Flagging unusual TLS fingerprints or rare user-agent strings
  • Inspecting DNS for high-risk patterns (newly registered domains, odd subdomains)
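The three behavioral checks in the list above (beacon regularity, rare user agents, young domains) can all be run over ordinary proxy logs. The block below is an added example for this post, not code from the original article or from any vendor; the log line format, the thresholds, and the domain-registration table (a stand-in for a WHOIS/RDAP or passive-DNS lookup) are assumptions chosen so the example runs offline on constructed traffic.

```python
"""Hunt for beaconing, rare user agents and young domains in proxy logs.

Added example, not code from the original post. Log format, thresholds and
the DOMAIN_CREATED table are assumptions so that this runs offline.
"""
import re
import statistics
from collections import defaultdict
from datetime import date, datetime, timedelta

# Assumed log line format: "<ISO timestamp> <src_ip> <dst_host> <bytes_out> <user_agent>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (.+)$")

# Constructed stand-in for a WHOIS/RDAP or passive-DNS registration-date lookup.
DOMAIN_CREATED = {
    "cdn-updates.example": date(2024, 4, 25),   # registered days before the traffic
    "www.example.com": date(1995, 8, 14),
}


def constructed_log():
    """Build sample traffic: one tight beacon plus ordinary browsing (constructed data)."""
    lines = []
    base = datetime(2024, 5, 1, 10, 0, 0)
    # Beacon: a call-home every ~60 s with +/-1 s jitter, tiny requests, odd UA.
    t = base
    for j in [0, 1, -1, 0, 1, 0, -1, 1, 0, 0]:
        t += timedelta(seconds=60 + j)
        lines.append(f"{t.isoformat()} 10.0.0.5 cdn-updates.example {300 + j} Updater/1.0")
    # Browsing: irregular gaps, larger requests, a common UA, two hosts.
    t = base
    for i, gap in enumerate([3, 40, 2, 180, 7, 65, 1, 400, 12, 30]):
        t += timedelta(seconds=gap)
        src = "10.0.0.5" if i % 2 else "10.0.0.7"
        lines.append(f"{t.isoformat()} {src} www.example.com {800 + 50 * i} "
                     "Mozilla/5.0 (Windows NT 10.0) Gecko")
    return lines


def parse(lines):
    recs = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole hunt
        ts, src, dst, nbytes, ua = m.groups()
        recs.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                     "bytes": int(nbytes), "ua": ua})
    return recs


def find_beacons(recs, min_events=8, max_cv=0.1, max_median_bytes=1024):
    """Flag (src, dst) pairs whose inter-request gaps are near-constant and payloads small."""
    groups = defaultdict(list)
    for r in recs:
        groups[(r["src"], r["dst"])].append(r)
    hits = []
    for (src, dst), evs in groups.items():
        if len(evs) < min_events:
            continue
        evs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        # Coefficient of variation: a low value means a machine-like fixed timer.
        cv = statistics.pstdev(gaps) / mean
        median_bytes = statistics.median(r["bytes"] for r in evs)
        if cv <= max_cv and median_bytes <= max_median_bytes:
            hits.append({"src": src, "dst": dst, "events": len(evs),
                         "mean_interval_s": round(mean, 1), "cv": round(cv, 3),
                         "median_bytes": median_bytes})
    return hits


def rare_user_agents(recs, max_hosts=1):
    """User agents seen on very few source hosts; on a real fleet use a fraction instead."""
    hosts_by_ua = defaultdict(set)
    for r in recs:
        hosts_by_ua[r["ua"]].add(r["src"])
    return sorted(ua for ua, hosts in hosts_by_ua.items() if len(hosts) <= max_hosts)


def young_domains(recs, created=DOMAIN_CREATED, max_age_days=30):
    """Destinations registered within max_age_days of the first time they were contacted."""
    first_seen = {}
    for r in recs:
        first_seen[r["dst"]] = min(first_seen.get(r["dst"], r["ts"]), r["ts"])
    ages = {}
    for dst, ts in first_seen.items():
        if dst in created:
            age = (ts.date() - created[dst]).days
            if age <= max_age_days:
                ages[dst] = age
    return ages


if __name__ == "__main__":
    records = parse(constructed_log())
    print("beacons:", find_beacons(records))
    print("rare user agents:", rare_user_agents(records))
    print("young domains:", young_domains(records))
```

None of the three checks depends on a known C2 address, which is the point: a rotated server that still calls home on a fixed timer, with a user agent no other host uses, to a domain registered last week, scores on all three. Tune `min_events` and `max_cv` against your own baseline before alerting; legitimate software updaters also poll on timers, so these hits are hunting leads rather than verdicts.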

Incident Response: What to Do If You Suspect Infy-Style Activity

If you suspect a targeted intrusion with changing C2 infrastructure, prioritize speed and containment:

  • Isolate affected endpoints from the network while preserving forensic evidence
  • Reset credentials for impacted accounts and investigate lateral movement
  • Collect logs from endpoints, email gateways, and identity providers
  • Hunt for persistence and confirm whether any scheduled tasks/services were added
  • Block outbound traffic to suspicious destinations while you validate business impact

Where possible, integrate threat intelligence into your SIEM, but treat it as a supplement—not the sole control. Rapid infrastructure turnover means yesterday’s IOC list can miss today’s active C2.

Conclusion: Infrastructure Is Disposable, Preparedness Isn’t

The apparent relaunch of Infy operations using new C2 servers after an Iran blackout underscores a reality defenders face daily: attackers can lose infrastructure and return quickly, often with improved evasion. The most effective defensive posture combines layered controls—email security, identity hardening, endpoint monitoring, and network analytics—so that even when adversaries rotate domains and servers, their behaviors still trigger alarms.

In an environment where disruptions can accelerate both attacker innovation and defender blind spots, resilience comes from fundamentals: visibility, least privilege, rapid containment, and rehearsed incident response.
