Cybersecurity experts from ESET have recently uncovered a sophisticated cyber-espionage campaign carried out by the Iran-aligned threat group BladedFeline. This group has been targeting Kurdish and Iraqi government officials, utilizing a variety of malicious tools that were discovered within the compromised systems. The discovery of these tools sheds light on BladedFeline’s ongoing efforts to gain and maintain access to sensitive government organizations in the region.
Among the tools identified by ESET researchers are two reverse tunnels, named Laret and Pinar, a backdoor known as Whisper, a malicious IIS module called PrimeCache, and several supplementary tools. Whisper is particularly notable as it is designed to log into compromised webmail accounts on Microsoft Exchange servers, allowing the attackers to communicate with their targets via email attachments. PrimeCache, on the other hand, functions as a backdoor by exploiting vulnerabilities in the IIS web server. Interestingly, PrimeCache bears similarities to the RDAT backdoor previously associated with the OilRig APT group, further suggesting a connection between BladedFeline and OilRig.
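The article notes that PrimeCache is delivered as a malicious IIS module. A native IIS module has to be registered under `<globalModules>` in IIS's `applicationHost.config` and point at a DLL on disk, which gives defenders a concrete place to look. The following Python script is an added example, not ESET's code and not tied to any PrimeCache artefact the article describes: it parses a constructed `applicationHost.config` snippet and flags global modules whose name is not on a Microsoft-shipped allowlist or whose DLL lives outside the `inetsrv` directory. The allowlist is a partial assumption to be extended from a known-good host.

```python
"""Audit the native (global) modules registered in an IIS applicationHost.config.

Added defensive example (not ESET's code, no real PrimeCache indicators):
a malicious native module must appear under <globalModules> and load a DLL,
so comparing that list against an allowlist and the expected install
directory surfaces entries that deserve a closer look.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Partial allowlist of native module names that Microsoft ships with IIS.
# Assumption: extend this from a known-good server in your own environment.
KNOWN_MS_MODULES = {
    "HttpLoggingModule", "UriCacheModule", "FileCacheModule", "TokenCacheModule",
    "HttpCacheModule", "StaticCompressionModule", "DefaultDocumentModule",
    "DirectoryListingModule", "ProtocolSupportModule", "StaticFileModule",
    "AnonymousAuthenticationModule", "RequestFilteringModule", "CustomErrorModule",
    "IsapiModule", "IsapiFilterModule", "ConfigurationValidationModule",
}

# Directory where IIS's own native modules live (the %windir% token is kept
# as it appears verbatim in applicationHost.config).
EXPECTED_DIR = PureWindowsPath(r"%windir%\System32\inetsrv")

# Constructed sample config: two legitimate entries plus one entry whose name
# mimics a caching module but loads a DLL from a non-standard location.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpCacheModule" image="%windir%\\System32\\inetsrv\\cachhttp.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="HttpCachingModule" image="C:\\Windows\\Temp\\httpcache.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def parse_global_modules(config_xml: str) -> list[tuple[str, str]]:
    """Return (name, image) pairs for every <add> under <globalModules>."""
    root = ET.fromstring(config_xml)
    node = root.find("./system.webServer/globalModules")
    if node is None:
        return []
    return [(a.get("name", ""), a.get("image", "")) for a in node.findall("add")]


def audit_global_modules(config_xml: str, known: set[str] = KNOWN_MS_MODULES) -> list[dict]:
    """Flag modules with an unknown name or a DLL outside the inetsrv directory."""
    findings = []
    for name, image in parse_global_modules(config_xml):
        reasons = []
        if name not in known:
            reasons.append("name not in allowlist")
        parent = PureWindowsPath(image).parent
        if str(parent).lower() != str(EXPECTED_DIR).lower():
            reasons.append(f"image outside inetsrv: {image}")
        if reasons:
            findings.append({"name": name, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_global_modules(SAMPLE_CONFIG):
        print(f"{finding['name']}: {'; '.join(finding['reasons'])}")
```

On a live server the same check is run against `%windir%\System32\inetsrv\config\applicationHost.config`, and any flagged DLL should then be verified by its Authenticode signature and hash rather than by name alone, since a name chosen to resemble a built-in module is exactly the case this allowlist-plus-path comparison is meant to catch.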
Based on the code similarities and other evidence gathered, ESET researchers have concluded with high confidence that BladedFeline is likely a subgroup within the larger OilRig organization. This assessment is further supported by the fact that the initial implants used in the campaign can be traced back to OilRig. The tools and tactics employed by BladedFeline indicate a strategic focus on persistence and stealth within the networks of their targets.
BladedFeline has demonstrated a consistent interest in targeting Kurdish diplomatic officials, as well as exploiting a telecommunications provider in Uzbekistan and maintaining access to Iraqi government officials. The group’s activities suggest a broader strategy of cyber-espionage aimed at maintaining strategic access to high-ranking officials in both the Kurdish and Iraqi governments. The geopolitical significance of these regions, particularly in terms of diplomatic relationships and natural resources, makes them attractive targets for threat actors aligned with Iran.
In a previous incident in 2023, ESET researchers discovered that BladedFeline had compromised Kurdish diplomatic officials using the Shahmaran backdoor. The group has been active since at least 2017, targeting officials within the Kurdistan Regional Government. ESET is also monitoring other subgroups of OilRig, such as Lyceum, which focuses on targeting Israeli organizations.
Looking ahead, ESET expects BladedFeline to continue developing new implants and tactics to maintain and expand their access to compromised networks for cyberespionage purposes. For a more in-depth analysis of BladedFeline’s tools and operations, readers are encouraged to visit the ESET Research blog. Stay up to date with the latest news from ESET Research by following them on Twitter, BlueSky, and Mastodon.
In conclusion, the discovery of BladedFeline’s activities underscores the ongoing threat posed by sophisticated cyber-espionage groups targeting government entities in the Middle East. Organizations and individuals must remain vigilant and implement robust cybersecurity measures to protect against such threats.