An Iran-aligned hacking group has been attributed to a new set of cyber attacks targeting Kurdish and Iraqi government officials in early 2024.
The activity is tied to a threat group ESET tracks as BladedFeline, which is assessed with medium confidence to be a sub-cluster within OilRig, a known Iranian nation-state cyber actor. It’s said to be active since September 2017, when it targeted officials associated with the Kurdistan Regional Government (KRG).
“This group develops malware for maintaining and expanding access within organizations in Iraq and the KRG,” the Slovak cybersecurity company said in a technical report shared with The Hacker News.
“BladedFeline has worked consistently to maintain illicit access to Kurdish diplomatic officials, while simultaneously exploiting a regional telecommunications provider in Uzbekistan, and developing and maintaining access to officials in the government of Iraq.”
BladedFeline was first documented by ESET in May 2024 as part of its APT Activity Report Q4 2023–Q1 2024, detailing the adversary’s attack on a governmental organization from the Kurdistan region of Iraq and its targeting of the Uzbekistan telecom provider that may have been compromised as early as May 2022.
The group was discovered in 2023 following attacks aimed at Kurdish diplomatic officials with Shahmaran, a simple backdoor that checks in with a remote server and executes any operator-provided commands on the infected host to upload or download files, request specific file attributes, and provide a file and directory manipulation API.
Then last November, the cybersecurity firm said it observed the hacking crew orchestrating attacks against Iran’s neighbors, particularly regional and government entities in Iraq and diplomatic envoys from Iraq to various countries, using bespoke backdoors like Whisper (aka Veaty), Spearal, and Optimizer.
“BladedFeline has invested heavily in gathering diplomatic and financial information from Iraqi organizations, indicating that Iraq plays a large part in the strategic objectives of the Iranian government,” ESET noted in November 2024. “Additionally, governmental organizations in Azerbaijan have been another focus of BladedFeline.”
While the exact initial access vector used to get into KRG victims is unclear, it’s suspected that the threat actors likely leveraged a vulnerability in an internet-facing application to break into Iraqi government networks and deploy the Flog web shell to maintain persistent remote access.
 |
| The inner workings of the Whisper backdoor |
The wide range of backdoors highlights BladedFeline’s commitment to refining its malware arsenal. Whisper is a C#/.NET backdoor that logs into a compromised webmail account on a Microsoft Exchange server and uses it to communicate with the attackers via email attachments. Spearal is a .NET backdoor that utilizes DNS tunneling for command-and-control communication.
“Optimizer is an iterative update on the Spearal backdoor. It uses the same workflow and offers the same features. The main differences between Spearal and Optimizer are largely cosmetic,” the ESET research team told The Hacker News.
Select attacks observed in December 2023 have also involved the deployment of a Python implant referred to as Slippery Snakelet that comes with limited capabilities to execute commands via “cmd.exe,” download files from an external URL, and upload files.
The backdoors notwithstanding, BladedFeline is notable for the use of various tunneling tools Laret and Pinar to maintain access to target networks. Also put to use is a malicious IIS module dubbed PrimeCache, which ESET said bears similarities to the RDAT backdoor used by OilRig APT.
A passive backdoor, PrimeCache works by keeping an eye out for incoming HTTP requests matching a predefined cookie header structure in order to process commands issued by the attacker and exfiltrate files.
It’s this aspect, coupled with the fact that two of OilRig’s tools – RDAT and a reverse shell codenamed VideoSRV – were discovered on a compromised KRG system in September 2017 and January 2018, respectively, has led to the possibility that BladedFeline may be a subgroup within OilRig, but also different from Lyceum – a moniker assigned to a different sub-cluster.
The OilRig connection is also reinforced by a September 2024 report from Check Point, which pointed fingers at the Iranian hacking group for infiltrating the networks of Iraqi government networks and infecting them with Whisper and Spearal using likely social engineering efforts.
ESET said it identified a malicious artifact named Hawking Listener that was uploaded to the VirusTotal platform in March 2024 by the same party that uploaded Flog. Hawking Listener is an early-stage implant that listens on a specified port to run commands through “cmd.exe.”
“BladedFeline is targeting the KRG and the GOI for cyber espionage purposes, with an eye toward maintaining strategic access to high-ranking officials in both governmental entities,” the company concluded.
“The KRG’s diplomatic relationship with Western nations, coupled with the oil reserves in the Kurdistan region, makes it an enticing target for Iran-aligned threat actors to spy on and potentially manipulate. In Iraq, these threat actors are most probably trying to counter the influence of Western governments following the U.S. invasion and occupation of the country.”
