CyberSecurity news
@therecord.media
ESET researchers have revealed a long-running cyber espionage campaign conducted by an Iranian APT group named BladedFeline. The group has been actively targeting government and telecom networks in Kurdistan, Iraq, and Uzbekistan since at least 2017. BladedFeline is believed to be a subgroup of OilRig, a well-documented Iranian state-backed actor, and has managed to stay undetected within these networks for approximately eight years, continually expanding its cyber espionage capabilities.
BladedFeline utilizes a variety of malicious tools for maintaining and expanding access within targeted organizations. Notable malware includes Shahmaran, a simple backdoor used against Kurdish diplomatic officials, and more sophisticated tools like Whisper and PrimeCache. Whisper communicates with attackers through email attachments sent via compromised Microsoft Exchange webmail accounts, while PrimeCache bears similarities to RDAT, a backdoor previously associated with OilRig. Researchers suggest that BladedFeline may have initially gained access to Iraqi government systems by exploiting vulnerabilities in internet-facing servers, using a webshell called Flog to maintain control.
The group's targeting reflects Iran's strategic interests in the Middle East. The Kurdistan Regional Government's diplomatic relationships and oil reserves make it an attractive target for espionage, while the focus on Iraqi governmental circles suggests an attempt to counter Western influence. ESET warns that BladedFeline is likely to continue developing its malware arsenal to retain access to compromised systems for cyber espionage purposes. The discovery highlights the persistent threat posed by Iranian APT groups and the need for robust cybersecurity measures to protect critical infrastructure and sensitive government data.
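ESET's own summary (quoted in the references below) describes PrimeCache as a malicious IIS module, which is a persistence technique a defender can hunt for by inventorying the native modules IIS actually loads. The following script is an added example and is not ESET's code or detection logic: it parses the `<globalModules>` section of an IIS `applicationHost.config` and flags any module whose DLL lives outside the stock `%windir%\System32\inetsrv` directory. The embedded config, the module names `CacheHelper`/`cachehelper.dll` and the path `C:\inetpub\temp` are constructed for the example; real IIS installs also ship stock modules from other vendor directories, so treat a hit as a lead to verify (signature, file age, install ticket), not as proof of compromise.

```python
"""Inventory IIS native (global) modules from applicationHost.config and flag
entries whose image path is outside the stock inetsrv directory.

Added hunting example; not ESET's code. The sample config below is constructed.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: two stock Microsoft modules plus one that lives outside inetsrv.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="CacheHelper" image="C:\inetpub\temp\cachehelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Prefixes under which Microsoft's own IIS native modules are installed.
EXPECTED_PREFIXES = ("%windir%", "%systemroot%", "c:\\windows")
EXPECTED_SUFFIX = "\\system32\\inetsrv"


def parse_global_modules(config_xml: str) -> list[dict]:
    """Return one {'name', 'image'} dict per <globalModules><add> entry."""
    root = ET.fromstring(config_xml)
    modules = []
    for section in root.iter("globalModules"):
        for entry in section.findall("add"):
            modules.append({
                "name": entry.get("name", ""),
                "image": entry.get("image", ""),
            })
    return modules


def is_unexpected(image: str) -> bool:
    """True when the DLL directory is not the stock inetsrv folder."""
    norm = image.strip().lower().replace("/", "\\")
    if "\\" not in norm:
        return True  # bare filename: cannot confirm where it loads from
    directory = norm.rsplit("\\", 1)[0]
    in_stock_dir = directory.endswith(EXPECTED_SUFFIX) and directory.startswith(EXPECTED_PREFIXES)
    return not in_stock_dir


def find_unexpected_modules(config_xml: str) -> list[str]:
    """Names of global modules whose image path falls outside inetsrv."""
    return [m["name"] for m in parse_global_modules(config_xml) if is_unexpected(m["image"])]


if __name__ == "__main__":
    # Usage: python iis_modules.py [path\to\applicationHost.config]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for mod in parse_global_modules(text):
        flag = "REVIEW" if is_unexpected(mod["image"]) else "ok"
        print(f"{flag:6} {mod['name']:24} {mod['image']}")
```

Run it without arguments to see the constructed sample flag `CacheHelper`; on a real server point it at `%windir%\System32\inetsrv\config\applicationHost.config` and review each `REVIEW` line against the DLL's Authenticode signature and creation time.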
References:
- cyberpress.org: Iranian APT ‘BladedFeline’ Stays Undetected in Networks for 8 Years
- The Hacker News: Iran-Linked BladedFeline Hits Iraqi and Kurdish Targets with Whisper and Spearal Malware
- therecord.media: Iran-linked hackers target Kurdish, Iraq cyber espionage
- Cyber Security News: Iranian APT ‘BladedFeline’ Stays Undetected in Networks for 8 Years
- Catalin Cimpanu: -New Imn Crew ransomware gang -Malware reports on ViperSoftX, Play ransomware, Chaos RAT -PathWiper destructive attacks hit Ukraine -UNC1151 targets Roundcube servers in Poland -Bitter APT formally linked to India -BladedFeline APT (aka Oilrig) op targets Iraq -OpenAI disrupts APTs and info-ops abusing ChatGPT -New Roundcube under attack -Cellebrite buys Corellium -OWASP Top 10 for Business Logic Abuse -YARA-X reaches v1.0
- www.welivesecurity.com: ESET researchers analyse a cyberespionage campaign conducted by BladedFeline, an Iran-aligned APT group with likely ties to OilRig. The group added 2 reverse tunnels (Laret & Pinar), a backdoor (Whisper), a malicious IIS module (PrimeCache) & various tools
- www.scworld.com: Multi-year cyberespionage campaign launched by BladedFeline APT
- WeLiveSecurity: BladedFeline: Whispering in the dark
- The Record: Researchers at ESET describe the activities of an Iran-linked group that has been operating since at least 2017, initially breaching systems belonging to the Kurdistan Regional Government and expanding its reach to the Central Government of Iraq as well as a telecommunications provider in Uzbekistan.
- ciso2ciso.com: Iran-Linked BladedFeline Hits Iraqi and Kurdish Targets with Whisper and Spearal Malware – Source:thehackernews.com
- ESET Research: analyzed a campaign deployed by BladedFeline, an Iran-aligned threat actor with likely ties to . We discovered the campaign, which targeted Kurdish and Iraqi government officials, in 2024.
- github.com: analyzed a campaign deployed by BladedFeline, an Iran-aligned threat actor with likely ties to . We discovered the campaign, which targeted Kurdish and Iraqi government officials, in 2024.
Classification:
- HashTags: #APT #CyberEspionage #Iran
- Company: ESET
- Target: Kurdistan, Iraq, Uzbekistan
- Attacker: BladedFeline
- Product: ESET
- Feature: Cyber Espionage
- Malware: Whisper
- Type: Espionage
- Severity: Major