- Total News Sources
- 1
- Left
- 1
- Center
- 0
- Right
- 0
- Unrated
- 0
- Last Updated
- 13 days ago
- Bias Distribution
- 100% Left
Iran-Aligned BladedFeline Conducts Long-Term Cyberespionage on Kurdish, Iraqi Officials
ESET researchers have uncovered a long-running cyber-espionage campaign by BladedFeline, an Iran-aligned advanced persistent threat group likely linked to OilRig, targeting Kurdish and Iraqi government officials since at least 2017. The group utilizes a sophisticated toolkit including backdoors like Shahmaran and Whisper, tunneling tools Laret and Pinar, and a malicious IIS module called PrimeCache, which facilitate stealthy and persistent access to sensitive networks. BladedFeline's operations focus on the Kurdistan Regional Government due to its diplomatic ties with Western nations and strategic oil reserves, and have expanded to Iraq’s central government and a telecommunications provider in Uzbekistan. The group maintains communication through compromised Microsoft Exchange webmail accounts to avoid detection and exploits vulnerabilities in internet-facing web servers, using web shells such as Flog to sustain control. ESET assesses with high confidence that BladedFeline is a subgroup of OilRig, reflecting Iran's ongoing strategic cyber activities in the Middle East to gather intelligence and potentially support repression of Kurdish dissidents. The campaign’s persistence, spanning nearly a decade, underscores the importance of advanced network monitoring and behavioral analysis to detect such covert espionage operations.
