
Iran-aligned BladedFeline spies on Iraqi and Kurdish officials, ESET Research discovers

  • ESET researchers have revealed that the Iran-aligned threat group BladedFeline targeted Kurdish and Iraqi government officials with an array of malicious tools discovered on their systems.
  • ESET discovered and analyzed two reverse tunnels (Laret and Pinar), a backdoor (Whisper), a malicious IIS module (PrimeCache), and various supplementary tools.
  • With high confidence, ESET researchers assess that BladedFeline is a subgroup within Iran-aligned OilRig, because the initial implants used there can be traced back to the OilRig group.
  • BladedFeline already compromised Kurdish diplomatic officials with the group’s signature Shahmaran backdoor in 2023.

MONTREAL and BRATISLAVA, Slovakia, June 05, 2025 (GLOBE NEWSWIRE) — The Iran-aligned threat group BladedFeline has targeted Kurdish and Iraqi government officials in a recent cyber-espionage campaign, according to ESET researchers. The group deployed a range of malicious tools discovered across the compromised systems, indicating a continued effort to maintain and expand access to high-ranking officials and government organizations in Iraq and the Kurdish region. The latest campaign highlights BladedFeline’s evolving capabilities, featuring two tunneling tools (Laret and Pinar), various supplementary tools, and, most notably, a custom backdoor, Whisper, and a malicious Internet Information Services (IIS) module, PrimeCache, both identified and named by ESET.

Whisper logs into a compromised webmail account on a Microsoft Exchange server and uses it to communicate with the attackers via email attachments. PrimeCache also serves as a backdoor: it is a malicious IIS module. PrimeCache also bears similarities to the RDAT backdoor used by the OilRig Advanced Persistent Threat (APT) group.
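The press release names a malicious IIS module as one of the implants. A native IIS module is registered in the server's applicationHost.config, so one inventory check a defender can run is to list every registered native module and flag any whose DLL does not live in the stock IIS directory. The Python below is an added example written for this page, not ESET's code, and it says nothing about how PrimeCache itself is registered or named; the sample configuration, the module name ExampleCacheModule and its path are constructed for the demonstration.

```python
"""Inventory native IIS modules from applicationHost.config and flag any whose
DLL is registered from outside the expected IIS directories.
Added example for this page; not ESET's tooling. All sample data is constructed."""
import ntpath
import xml.etree.ElementTree as ET

# Directories where built-in IIS native modules normally live. A module
# registered from a web root, a temp directory or a share deserves review.
EXPECTED_DIRS = (
    r"%windir%\system32\inetsrv",
    r"c:\windows\system32\inetsrv",
    r"%windir%\microsoft.net\framework64",   # managed-runtime modules
    r"%windir%\microsoft.net\framework",
)

# Constructed applicationHost.config fragment. The first two entries mirror
# stock IIS modules; the third (ExampleCacheModule) is an invented name and
# path used only to exercise the check.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="ExampleCacheModule" image="C:\\inetpub\\wwwroot\\bin\\cachehelper.dll" />
    </globalModules>
    <modules>
      <add name="HttpLoggingModule" lockItem="true" />
      <add name="StaticFileModule" lockItem="true" />
      <add name="ExampleCacheModule" />
    </modules>
  </system.webServer>
</configuration>
"""


def _normalize(path):
    # Case-insensitive, backslash-only comparison. %windir% is kept literal so
    # the check also works when a config is reviewed offline on a non-Windows host.
    return ntpath.normpath(path.strip().replace("/", "\\")).lower()


def list_global_modules(config_xml):
    """Return [(name, image)] for every native module in <globalModules>."""
    root = ET.fromstring(config_xml)
    return [(add.get("name"), add.get("image"))
            for add in root.iterfind("./system.webServer/globalModules/add")]


def enabled_module_names(config_xml):
    """Return the set of module names enabled server-wide in <modules>."""
    root = ET.fromstring(config_xml)
    return {add.get("name") for add in root.iterfind("./system.webServer/modules/add")}


def find_unexpected_modules(config_xml):
    """Flag native modules whose DLL directory is outside EXPECTED_DIRS.
    Each finding records whether the module is also enabled, since a
    registered-but-disabled module is lower priority than an active one."""
    enabled = enabled_module_names(config_xml)
    findings = []
    for name, image in list_global_modules(config_xml):
        if not image:
            continue
        directory = ntpath.dirname(_normalize(image))
        if not any(directory.startswith(_normalize(d)) for d in EXPECTED_DIRS):
            findings.append({"name": name, "image": image, "enabled": name in enabled})
    return findings


if __name__ == "__main__":
    for finding in find_unexpected_modules(SAMPLE_CONFIG):
        print("unexpected native module:", finding)
```

On a real server, read the live file from %windir%\System32\inetsrv\config\applicationHost.config and treat each finding as a starting point for review (file hash, signer, creation time, which sites load it) rather than as proof of compromise; legitimate third-party modules will also appear here, so the expected-directory list is a baseline to tune per environment.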

Based on these code similarities, as well as on further evidence presented in this blogpost, ESET assesses that BladedFeline is a very likely subgroup of OilRig, an Iran-aligned APT group going after governments and businesses in the Middle East. The initial implants in the latest campaign can be traced back to OilRig. These tools reflect the group’s strategic focus on persistence and stealth within targeted networks.


BladedFeline has worked consistently to maintain illicit access to Kurdish diplomatic officials, while simultaneously exploiting a regional telecommunications provider in Uzbekistan, and developing and maintaining access to officials in the government of Iraq.

ESET Research assesses that BladedFeline is targeting the Kurdish and Iraqi governments for cyberespionage purposes, with an eye toward maintaining strategic access to the computers of high-ranking officials in both governmental entities. The Kurdish diplomatic relationship with Western nations, coupled with the oil reserves in the Kurdistan region, makes it an enticing target for Iran-aligned threat actors to spy on and potentially manipulate. In Iraq, these threat actors are likely attempting to counter the influence of Western governments following the US invasion and occupation of the country.

In 2023, ESET Research discovered that BladedFeline targeted Kurdish diplomatic officials with the Shahmaran backdoor, and previously reported on its activities in ESET APT Activity reports. The group has been active since at least 2017, when it compromised officials within the Kurdistan Regional Government, but is not the only subgroup of OilRig that ESET Research is tracking. ESET has been tracking Lyceum, also known as HEXANE or Storm-0133, as another OilRig subgroup. Lyceum focuses on targeting various Israeli organizations, including governmental and local governmental entities and organizations in healthcare.

ESET expects that BladedFeline will continue with implant development in order to maintain and expand access within its compromised victim set for cyberespionage.

For a more detailed analysis and technical breakdown of BladedFeline’s tools used in Operation RoundPress, check out the latest ESET Research blogpost “Whispering in the dark” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.


About ESET
ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown — securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit http://www.eset.com or follow our social media, podcasts and blogs.

About Web3Wire
Web3Wire – Information, news, press releases, events and research articles about Web3, Metaverse, Blockchain, Artificial Intelligence, Cryptocurrencies, Decentralized Finance, NFTs and Gaming.
Visit Web3Wire for Web3 News and Events, Block3Wire for the latest Blockchain news and Meta3Wire to stay updated with Metaverse News.
