Iranian APT ‘BladedFeline’ Remains Hidden in Networks for 8 Years
ESET researchers have uncovered the persistent activities of BladedFeline, an Iranian-aligned Advanced Persistent Threat (APT) group, which has maintained covert access to the networks of Kurdish and Iraqi government officials for nearly eight years.
Although ESET only identified the group in 2023, its activity can be traced back to at least 2017, when it compromised officials of the Kurdistan Regional Government (KRG). Since then BladedFeline has grown into a capable cyberespionage operation, moving on to high-ranking Iraqi government officials and to a telecommunications provider in Uzbekistan.
Access maintained for nearly eight years illustrates how hard state-aligned intrusions are to detect and evict in geopolitically sensitive regions.
Cyberespionage Targets Kurdish and Iraqi Officials
The discovery of BladedFeline came in 2023 when ESET detected the deployment of its signature Shahmaran backdoor against Kurdish diplomatic officials.
Shahmaran is a 64-bit portable executable placed in the victim’s Startup directory for persistence. Its command-and-control (C&C) traffic is neither encrypted nor compressed, yet the backdoor reliably executes operator commands, including file manipulation and data exfiltration.
Since then, BladedFeline has expanded its arsenal with tools like the Whisper backdoor, which leverages compromised Microsoft Exchange webmail accounts to communicate via email attachments, and PrimeCache, a malicious Internet Information Services (IIS) module that functions as a passive backdoor.

PrimeCache, notably, shares code similarities with the RDAT backdoor used by the Iran-aligned OilRig APT group, leading ESET to assess with medium confidence that BladedFeline operates as a subgroup of OilRig, a well-known cyberespionage entity active since at least 2014 targeting Middle Eastern governments and industries.
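The page gives no on-disk name or hash for PrimeCache, so a hash lookup will not find it; what an IIS administrator can do is audit which native modules the server is configured to load. Native (global) modules are registered in applicationHost.config under `<system.webServer><globalModules>`. The Python below is an added example, not ESET’s code and not an indicator for PrimeCache: it parses that section, lists every module, and flags those whose DLL is loaded from outside the directories Microsoft’s own modules ship from. The sample configuration (including the out-of-place `CacheHelperModule` entry), the allow-listed directories and the environment-variable fallbacks are this example’s assumptions; a flagged entry is a lead for review (who installed it, is the DLL signed, when was it written), not a verdict.

```python
"""List the native IIS modules registered in applicationHost.config and flag
those loaded from unusual locations. Added example for this article; not ESET's
code, and the sample config below is constructed, not a real PrimeCache artefact."""
import os
import sys
import xml.etree.ElementTree as ET

# Default location of the IIS host configuration on Windows (assumed standard install).
APPHOST_CONFIG = os.path.join(os.environ.get("WINDIR", r"C:\Windows"),
                              "System32", "inetsrv", "config", "applicationHost.config")

# %VAR% prefixes as they appear in image="" attributes, with fallbacks so a copied
# config can be analysed offline (the fallbacks assume default Windows paths).
ENV_VARS = {
    "%windir%": os.environ.get("WINDIR", r"C:\Windows"),
    "%systemroot%": os.environ.get("SYSTEMROOT", r"C:\Windows"),
    "%programfiles%": os.environ.get("PROGRAMFILES", r"C:\Program Files"),
}

def normalize(image):
    """Lower-case the path, expand the common %VAR% prefixes, use backslashes."""
    p = image.strip().lower().replace("/", "\\")
    for var, value in ENV_VARS.items():
        p = p.replace(var, value.lower())
    return p.rstrip("\\")

# Directories Microsoft-shipped native modules normally load from. This is an
# assumption for the example: legitimate third-party modules live elsewhere too,
# so compare against a known-good baseline rather than treating a hit as malicious.
EXPECTED_DIRS = tuple(normalize(d) for d in (
    r"%windir%\System32\inetsrv",
    r"%windir%\Microsoft.NET",
    r"%ProgramFiles%\IIS",
))

# Constructed sample: four typical entries plus one DLL outside the expected dirs.
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="FileCacheModule" image="%windir%\System32\inetsrv\cachfile.dll" />
      <add name="HttpCacheModule" image="%windir%\System32\inetsrv\cachhttp.dll" />
      <add name="AspNetCoreModuleV2" image="%ProgramFiles%\IIS\Asp.Net Core Module\V2\aspnetcorev2.dll" />
      <add name="CacheHelperModule" image="C:\inetpub\temp\cachehlp.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

def parse_global_modules(xml_text):
    """Return [(name, image)] for every <add> under <globalModules>."""
    root = ET.fromstring(xml_text)
    return [(add.get("name", ""), add.get("image", ""))
            for gm in root.iter("globalModules")
            for add in gm.findall("add")]

def is_unexpected(image):
    """True when the module DLL is not inside one of EXPECTED_DIRS."""
    norm = normalize(image)
    return not any(norm.startswith(d + "\\") for d in EXPECTED_DIRS)

def audit(xml_text):
    """Return the (name, image) pairs that warrant manual review."""
    return [(n, i) for n, i in parse_global_modules(xml_text) if is_unexpected(i)]

if __name__ == "__main__":
    # Run as Administrator with the real path, e.g.: python iis_modules.py %windir%\System32\inetsrv\config\applicationHost.config
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8-sig").read() if path else SAMPLE_CONFIG
    for name, image in parse_global_modules(text):
        print(("REVIEW" if is_unexpected(image) else "ok    "), f"{name:<24}", image)
```

Pair the flagged paths with `Get-AuthenticodeSignature` and file timestamps, and diff the full module list against a clean server of the same build; a module registered from the normal inetsrv directory can still be foreign, so the full listing matters as much as the flags.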
Advanced Toolset Reveals Ties to OilRig Group
BladedFeline’s campaign demonstrates a calculated approach to maintaining persistent access.
Their timeline of attacks, spanning 2017 to 2024, includes reverse shells such as VideoSRV, custom tunneling tools such as Sheep Tunneler, and reverse tunnels named Laret and Pinar; several of these tools were timestomped, their file timestamps altered to hide when they were actually built or deployed.
The group’s targets, KRG officials, Iraqi government entities and a regional telecommunications provider, point to a strategic focus on intelligence gathering, likely driven by Iran’s interest in countering Western influence in Iraq and in exploiting the oil-rich Kurdistan region’s diplomatic ties.
Tools like Whisper and PrimeCache show more advanced tradecraft, such as RSA and AES-CBC encryption of C&C communications and the routing of C&C traffic through compromised, legitimate email accounts so that it blends in with normal Exchange activity, underlining the group’s technical capability and adaptability over nearly a decade of operations.
As BladedFeline continues to develop its malware to retain and expand access within compromised networks, the cybersecurity community faces an ongoing challenge in tracking and neutralizing such threats.
ESET’s research underscores the importance of sustained threat intelligence and hunting to detect long-running intrusions by state-aligned actors like BladedFeline, whose overlap with OilRig further complicates attribution and response in the Middle Eastern cyber landscape.
Indicators of Compromise (IoCs)
| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 01B99FF47EC6394753F9CCDD2D43B3E804F9EE36 | Avamer.pdf.exe | Python/TrojanDropper.Agent.GI | Python-compiled dropper for Spearal |
| 562E1678EC8FDC1D83A3F73EB511A6DDA08F3B3D | LogonUl.exe | Win64/OilRig_AGen.A | RDAT backdoor |
| 66BD8DB40F4169C7F0FCA3D5D15C978EFE143CF8 | Protocol.pdf.exe | Python/TrojanDropper.Agent.FT | Whisper Protocol, dropper for Whisper |
| 6973D3FF8852A3292380B07858D43D0B80C0616E | VeeamUpdate.exe | MSIL/Agent.ERR | Whisper backdoor |
| BE0AD25B7B48347984908175404996531CFD74B7 | videosrv.exe | Generik.BKYYERR | VideoSRV, a reverse shell |
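The hashes above can be hunted for directly on endpoints. The Python below is an added example, not ESET’s tooling: it embeds the table, hashes every file under the given directories and reports SHA-1 matches, plus weaker filename-only matches that need hash or signature confirmation. By default it scans the Windows per-user and all-users Startup folders, since the page notes Shahmaran was found in the target’s Startup directory; those default paths are this example’s assumption (standard Windows locations), and any other directory, a webroot or %TEMP% for instance, can be passed as an argument.

```python
"""Hunt a directory tree for the file IoCs published with this article.
Added example, not ESET's code; the IoC rows are copied from the table above."""
import hashlib
import os
import sys

# SHA-1 | Filename | Detection | Description, as published in the article.
IOC_TABLE = """
01B99FF47EC6394753F9CCDD2D43B3E804F9EE36 | Avamer.pdf.exe | Python/TrojanDropper.Agent.GI | Python-compiled dropper for Spearal
562E1678EC8FDC1D83A3F73EB511A6DDA08F3B3D | LogonUl.exe | Win64/OilRig_AGen.A | RDAT backdoor
66BD8DB40F4169C7F0FCA3D5D15C978EFE143CF8 | Protocol.pdf.exe | Python/TrojanDropper.Agent.FT | Whisper Protocol, dropper for Whisper
6973D3FF8852A3292380B07858D43D0B80C0616E | VeeamUpdate.exe | MSIL/Agent.ERR | Whisper backdoor
BE0AD25B7B48347984908175404996531CFD74B7 | videosrv.exe | Generik.BKYYERR | VideoSRV, a reverse shell
"""

def parse_iocs(table):
    """Return {sha1_lowercase: (filename, detection, description)}."""
    iocs = {}
    for line in table.strip().splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4 or len(parts[0]) != 40:
            continue  # skip anything that is not a well-formed row
        iocs[parts[0].lower()] = tuple(parts[1:])
    return iocs

def sha1_of(path, chunk=1 << 20):
    """SHA-1 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def hash_tree(roots):
    """Yield (path, sha1) for every regular file under the given roots."""
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    yield path, sha1_of(path)
                except OSError:
                    continue  # locked or unreadable file: note it, keep hunting

def match(file_hashes, iocs):
    """Return [(path, sha1, (filename, detection, description))] for hash hits."""
    return [(p, h, iocs[h.lower()]) for p, h in file_hashes if h.lower() in iocs]

def name_matches(paths, iocs):
    """Weaker signal: files whose name equals an IoC filename (case-insensitive).
    Legitimate software can share a name, so confirm with a hash or signature."""
    names = {fname.lower() for fname, _, _ in iocs.values()}
    return [p for p in paths if os.path.basename(p).lower() in names]

def default_startup_dirs():
    """Per-user and all-users Startup folders (assumed standard Windows paths)."""
    candidates = []
    if os.environ.get("APPDATA"):
        candidates.append(os.path.join(os.environ["APPDATA"],
                          r"Microsoft\Windows\Start Menu\Programs\Startup"))
    if os.environ.get("PROGRAMDATA"):
        candidates.append(os.path.join(os.environ["PROGRAMDATA"],
                          r"Microsoft\Windows\Start Menu\Programs\StartUp"))
    return [d for d in candidates if os.path.isdir(d)]

if __name__ == "__main__":
    roots = sys.argv[1:] or default_startup_dirs()
    iocs = parse_iocs(IOC_TABLE)
    hashed = list(hash_tree(roots))
    for path, digest, (fname, det, desc) in match(hashed, iocs):
        print(f"MATCH  {path}  {digest}  ({fname}; {det}; {desc})")
    for path in name_matches([p for p, _ in hashed], iocs):
        print(f"NAME   {path}  (filename matches an IoC; verify hash/signature)")
    print(f"scanned {len(hashed)} file(s) in {len(roots)} root(s)")
```

Run it from an elevated prompt to reach other users’ Startup folders, and feed the same table to your EDR or SIEM as a hash watchlist; the page’s note that Whisper abused Exchange mailboxes means mailbox audit logs deserve a look alongside any host hit.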