A long-running cyber-espionage campaign linked to an Iran-aligned threat group has been observed targeting government entities in Iraq and the Kurdistan Regional Government (KRG).
According to new research by ESET, the group, dubbed “BladedFeline,” has significantly evolved its toolset since its initial activities began in 2017.
What’s new is the use of a sophisticated set of malware tools designed for stealth and persistence.
Among them is a newly discovered backdoor called Whisper, which leverages Microsoft Exchange webmail accounts to receive commands and exfiltrate data via email attachments. This covert approach allows attackers to maintain access while avoiding traditional detection methods.
New Malware Capabilities Uncovered
In addition to Whisper, researchers uncovered a malicious Internet Information Services (IIS) module known as PrimeCache. This server-side backdoor operates stealthily, remaining hidden within legitimate web server processes.
Alongside these, two reverse tunnel tools, Laret and Pinar, and multiple post-compromise utilities were also deployed.
The tools enable the group to:
- Maintain long-term access to high-value targets
- Evade detection using encrypted communication methods
- Execute commands remotely through legitimate webmail accounts
- Conceal malicious activity within trusted server processes
The reuse of code from known malware linked to the broader OilRig operation suggests that BladedFeline may operate as a subgroup within this larger framework. This assessment is supported by similarities in technical design and malware functionality.
Growing Sophistication Reflects Strategic Intent
ESET said that initial access within the KRG was traced back to at least 2017.
More recently, the group has expanded its operations to include additional Iraqi government bodies and a telecommunications provider in Uzbekistan. These activities demonstrate a clear pattern of targeting institutions involved in governance and communications infrastructure.
The researchers found the updated malware tools active in these environments as recently as early 2024, confirming that BladedFeline continues to refine its techniques and broaden its operational scope.
The shift from simple backdoors to modular, stealth-capable implants highlights the group’s intent to maintain deep access to politically sensitive environments.
ESET warned that the evolving tactics underscore a broader strategy by Iran-aligned actors to conduct intelligence gathering in the region without raising alarms.
“We expect to find that BladedFeline will persist with implant development in order to maintain and expand access within its compromised victim set, likely for cyber-espionage,” the company concluded.