Iran-aligned BladedFeline cyber-espionage campaign targets government entities in Iraq and Kurdistan.

A sophisticated and long-running cyber-espionage campaign, attributed to an Iran-aligned threat group known as “BladedFeline,” has been observed targeting government entities in Iraq and the Kurdistan Regional Government (KRG), according to new research by cybersecurity firm ESET. Since its initial activities in 2017, BladedFeline has significantly evolved its toolset and operational tactics, posing a persistent threat to sensitive government operations in the region.

Origins and Strategic Alignment

BladedFeline is believed to be a subgroup of the well-documented OilRig (APT34) collective, which is closely aligned with Iranian intelligence interests. The group first emerged in 2017, targeting senior officials within the KRG. Over time, its operations have expanded to include a broader range of governmental and diplomatic targets across Iraq. Security analysts assess that BladedFeline’s campaigns are designed to support Iranian strategic objectives, particularly in countering Western influence and gathering intelligence on regional political and economic developments.

Target Profile

The primary victims of BladedFeline’s campaigns include Kurdish and Iraqi government officials, diplomatic envoys, and high-ranking members of both the KRG and the Government of Iraq (GOI). The group has also targeted telecommunications providers and, on occasion, organizations in neighboring countries. This targeting reflects a clear focus on entities that hold valuable intelligence and exert significant influence over regional affairs.

Evolution of the Toolset

ESET’s research highlights BladedFeline’s continuous innovation in its cyber arsenal. The group employs a diverse array of custom backdoors, web shells, and tunneling tools to maintain covert, long-term access to compromised networks. Notable tools include:

  • Shahmaran: A straightforward backdoor first observed in 2023, used to execute operator commands, transfer files, and manipulate file systems on infected hosts.
  • Whisper: A custom backdoor leveraging compromised Microsoft Exchange webmail accounts, using email attachments for command-and-control communications.
  • PrimeCache: A malicious IIS module functioning as a passive backdoor, related to OilRig’s RDAT backdoor, allowing for stealthy persistence.
  • Laret & Pinar: Reverse tunneling tools that facilitate covert access and lateral movement within targeted environments.
  • Flog and Hawking Listener: Early-stage implants and web shells for initial access and command execution.
  • Spearal & Optimizer: .NET-based backdoors that use DNS tunneling to evade detection and maintain secure communications with command servers.
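Two of the tools above (Spearal and Optimizer) are described as using DNS tunneling for command-and-control. The following Python script is an added, illustrative detection heuristic written for this article; it is not ESET's detection logic and not code from any of the tools named here. It parses a constructed DNS query log (every line and domain is made up for the example and is not an indicator), groups queries by base domain, and flags a domain when it receives many queries with long, high-entropy, rarely repeated subdomain labels, the pattern that encoding data into query names tends to produce. The log format, the thresholds, and the simplification of treating the last two labels as the base domain (no public suffix list) are all assumptions of this example.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log: timestamp, client IP, record type, queried name.
# Every line is made up for this example; none of the names are real indicators.
SAMPLE_DNS_LOG = """\
2025-06-05T09:00:01Z 10.0.1.15 A www.example.com
2025-06-05T09:00:02Z 10.0.1.15 A mail.example.com
2025-06-05T09:00:03Z 10.0.1.15 A www.example.com
2025-06-05T09:00:04Z 10.0.1.22 TXT 4a7f91c2e8b3d05f6a1c9e2b7d4f8a3c.cdn-sync.invalid
2025-06-05T09:00:05Z 10.0.1.22 TXT 9b2e4c7a1f3d8e6b5a0c2d9f7e1b4a8c.cdn-sync.invalid
2025-06-05T09:00:06Z 10.0.1.22 TXT c3d9e1f7b2a8c4d6e0f5a9b1c7d3e8f2.cdn-sync.invalid
2025-06-05T09:00:07Z 10.0.1.22 TXT 7e1b4a8c9b2e4c7a1f3d8e6b5a0c2d9f.cdn-sync.invalid
2025-06-05T09:00:08Z 10.0.1.22 TXT 0f5a9b1c7d3e8f2c3d9e1f7b2a8c4d6e.cdn-sync.invalid
2025-06-05T09:00:09Z 10.0.1.15 A updates.example.com
"""

# Assumed log layout: four whitespace-separated fields per line.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, rtype, name = m.groups()
    return {"ts": ts, "client": client, "rtype": rtype, "name": name.rstrip(".").lower()}


def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores high, plain words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(name):
    """Split a name into (subdomain part, base domain). Simplification: base = last two labels."""
    labels = name.split(".")
    if len(labels) <= 2:
        return "", name
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def summarize(log_text):
    """Aggregate per base domain: query count, distinct subdomains, entropy, longest label."""
    per_base = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                    "entropy_sum": 0.0, "longest_label": 0, "types": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sub, base = split_name(rec["name"])
        st = per_base[base]
        st["queries"] += 1
        st["subdomains"].add(sub)
        st["types"].add(rec["rtype"])
        st["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        longest = max((len(l) for l in sub.split(".")), default=0) if sub else 0
        st["longest_label"] = max(st["longest_label"], longest)
    return per_base


def find_tunneling_candidates(log_text, min_queries=5, min_unique_ratio=0.8,
                              min_avg_entropy=3.0, min_label_len=20):
    """Return base domains whose query pattern looks like data encoded into names.

    Thresholds are assumptions for this example and would be tuned per environment.
    """
    flagged = []
    for base, st in summarize(log_text).items():
        if st["queries"] < min_queries:
            continue
        unique_ratio = len(st["subdomains"]) / st["queries"]
        avg_entropy = st["entropy_sum"] / st["queries"]
        if (unique_ratio >= min_unique_ratio and avg_entropy >= min_avg_entropy
                and st["longest_label"] >= min_label_len):
            flagged.append(base)
    return sorted(flagged)


if __name__ == "__main__":
    for base, st in summarize(SAMPLE_DNS_LOG).items():
        print(f"{base}: {st['queries']} queries, {len(st['subdomains'])} distinct subdomains, "
              f"avg entropy {st['entropy_sum'] / st['queries']:.2f}, types {sorted(st['types'])}")
    print("candidates:", find_tunneling_candidates(SAMPLE_DNS_LOG))
```

In the constructed log, the ordinary hostnames under example.com repeat and carry short, low-entropy labels, so they are not flagged, while the five unique 32-character hexadecimal labels under cdn-sync.invalid trip every threshold. In practice such a heuristic is a triage aid, not a verdict: CDNs, anti-spam services and some legitimate software also generate high-entropy names, so flagged domains should be reviewed against an allowlist and correlated with the querying host.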

Tactics and Persistence

BladedFeline typically gains initial access by exploiting vulnerabilities in internet-facing applications, though the specific vectors are not always clear. Once inside a network, the group employs a combination of custom malware, web shells, and tunneling utilities to maintain persistence and avoid detection. Its use of legitimate credentials and its blending of malicious traffic with normal network activity further complicate efforts to identify and remove its presence.

Geopolitical Motivation

The geopolitical context of BladedFeline’s operations is significant. The KRG’s diplomatic relationships with Western nations and its control over substantial oil reserves make it a strategic target for Iranian intelligence. In Iraq, the campaign appears aimed at monitoring and influencing political dynamics, ensuring that Iranian interests are safeguarded in a region marked by complex alliances and rivalries.