MalwareUsed by 2 actors

Optimizer

Optimizer is a bespoke backdoor associated with the Iran-aligned threat cluster BladedFeline, which ESET assesses with medium confidence to be a sub-cluster of OilRig, a group linked in the reporting to Iran’s Ministry of Intelligence and Security (MOIS). BladedFeline has been active since at least September 2017 and has used Optimizer alongside other custom malware including Shahmaran, Whisper (aka Veaty), and Spearal in cyber-espionage operations. Reported targeting includes Kurdish and Iraqi government officials, the Kurdistan Regional Government (KRG), other entities in Iraq, governmental organizations in Azerbaijan, and a regional telecommunications provider in Uzbekistan. The reporting states that BladedFeline’s malware toolkit, including Optimizer, provides remote code execution and data exfiltration capabilities. Optimizer is described only as one of the bespoke backdoors delivered in these intrusions; no further technical details, infection vector, or specific indicators of compromise for Optimizer are provided in the content. In the broader campaigns where it was used, researchers noted that initial access into some Iraqi and KRG environments was unclear, though exploitation of an internet-facing application was suspected in some cases, and the actor also used persistence and access-enablement tooling such as the Flog web shell, PrimeCache malicious IIS module, Slippery Snakelet implant, and Laret and Pinar tunneling tools.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

BladedFeline

BladedFeline is known to employ a diverse malware toolkit, including backdoors like Shahmaran, Whisper, Spearal, and Optimizer, each offering remote code execution (RCE) and data exfiltration capabilities.

via sentinelone blogsentinelone.com

OilRig

via sentinelone blogsentinelone.com

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

the hacker newsNews

Jun 9, 2025

⚡ Weekly Recap: Chrome 0-Day, Data Wipers, Misused Tools and Zero-Click iPhone Attacks

Backdoor used in targeted intrusions against Kurdish and Iraqi government officials.

sentinelone blogNews

Jun 6, 2025

The Good, the Bad and the Ugly in Cybersecurity – Week 23

Backdoor used by BladedFeline providing remote code execution and data exfiltration.

the hacker newsNews

Jun 5, 2025

Iran-Linked BladedFeline Hits Iraqi and Kurdish Targets with Whisper and Spearal Malware

Bespoke backdoor used in BladedFeline operations; specific functionality not described in the provided content.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.