BladedFeline

BladedFeline is an Iran-aligned cyberespionage threat actor active since at least September 2017. ESET assesses with medium confidence that it is a sub-cluster of OilRig, also tracked as APT34 and Hazel Sandstorm, and reporting in the provided content describes OilRig as affiliated with Iran and commonly believed to be based there. BladedFeline has focused on long-term access and espionage against Kurdish and Iraqi government officials, including the Kurdistan Regional Government (KRG), and has also targeted Iraqi diplomatic officials, governmental organizations in Azerbaijan, and a regional telecommunications provider in Uzbekistan. The group was discovered after attacks against Kurdish diplomatic officials and has maintained illicit access to KRG-related victims for years. Reported victimology includes KRG officials compromised as early as 2017, high-ranking officials within the government of Iraq, and a telecom provider in Uzbekistan that may have been compromised as early as 2022 and later revisited. ESET reported the actor invested heavily in gathering diplomatic and financial information from Iraqi organizations. BladedFeline’s tooling includes multiple bespoke backdoors and persistence mechanisms. Named malware and implants in the provided content include Shahmaran, Whisper (also referred to as Veaty), Spearal, Optimizer, PrimeCache, Slippery Snakelet, Hawking Listener, P.S. Olala, Flog, Sheep Tunneler, and the reverse tunnels Laret and Pinar. Whisper is described as a C#/.NET backdoor that logs into compromised Microsoft Exchange webmail accounts and communicates with operators through encrypted email attachments. PrimeCache is a malicious IIS module and passive backdoor that receives commands via specially crafted HTTP cookie headers and supports command execution and file exfiltration. Shahmaran is a simple backdoor used for command execution and file and directory operations. Spearal uses DNS tunneling for command-and-control. Slippery Snakelet is a Python backdoor capable of command execution and file transfer. Laret and Pinar provide SSH-based reverse tunneling, and Flog is an ASPX web shell used for persistence. The content states the initial access vector into KRG victims is unclear, though ESET suspected exploitation of an internet-facing application in Iraqi government intrusions. Attribution to OilRig is supported in the content by victimology, the discovery of OilRig tools RDAT and VideoSRV on compromised KRG systems, and code similarities between PrimeCache and OilRig’s RDAT backdoor. Overall, the reported activity is consistent with sustained strategic espionage focused on maintaining and expanding access in Iraqi and neighboring regional targets.