Information about Prince of Persia: Infy malware

Attack campaigns that have very limited scope often remain hidden for years. If only a few malware samples are deployed, it’s less likely that security industry researchers will identify and connect them together.
In May 2015, Palo Alto Networks WildFire detected two e-mails carrying malicious documents from a genuine and compromised Israeli Gmail account, sent to an Israeli industrial organization. One e-mail carried a Microsoft PowerPoint file named “thanks.pps” (VirusTotal), the other a Microsoft Word document named “request.docx”.
Around the same time, WildFire also captured an e-mail containing a Word document (“hello.docx”) with an identical hash as the earlier Word document, this time sent to a U.S. Government recipient.
Based on various attributes of these files and the functionality of the malware they install, we have identified and collected over 40 variants of a previously unpublished malware family we call Infy, which has been involved in attacks stretching back to 2007. Attacks using this tool were still active as of April 2016.