In a significant discovery, security experts at ESET have unveiled the activities of BladedFeline, an advanced persistent threat (APT) group with ties to Iran.
Since at least 2017, BladedFeline has systematically targeted Kurdish and Iraqi government officials, deploying an evolving arsenal of malware aimed at maintaining illicit access and conducting cyber espionage.
Recent attacks have revealed two standout malicious tools: the Whisper backdoor and the PrimeCache IIS module, which abuse Microsoft Exchange and IIS web servers in novel ways.
Whisper – Stealth Intrusion via Microsoft Exchange
The Whisper backdoor is a 32-bit Windows binary, written in C#/.NET, designed to abuse already-compromised webmail accounts on Microsoft Exchange servers.
Once inside, the malware communicates discreetly with attackers by sending and receiving email attachments, so that its traffic blends in with ordinary mail flow and evades standard security monitoring. It uses configuration files containing base64-encoded credentials to log in and establish a persistent presence.
Whisper automates the manipulation of inbox rules, ensuring that attacker-issued commands, sent as encrypted email attachments, are properly routed and processed.

The malware can write and exfiltrate files, execute PowerShell commands, and quietly relay the results back to the attackers via encrypted attachments. This approach allows BladedFeline to operate under the radar, using legitimate services to orchestrate its attacks.
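Because Whisper relies on inbox rules to route attacker commands, one practical defensive check is to audit the inbox rules of every mailbox and flag those that hide attachment-bearing mail or forward it outside the organization. The script below is an added example (not ESET's tooling and not part of the original report); it reads a constructed JSON export whose field names are modelled on Exchange's Get-InboxRule output and are assumptions, and the scoring heuristics are generic rather than signatures for Whisper.

```python
"""Audit exported Exchange inbox rules for patterns consistent with mailbox-based C2.

Added example, not ESET's tooling. The input is a constructed JSON export whose
field names resemble Get-InboxRule output; the names and the heuristics are
assumptions, not Whisper-specific indicators.
"""
import json

# Constructed sample export (not real data): three rules across two mailboxes.
SAMPLE_RULES_JSON = """
[
  {"MailboxOwnerId": "user1@example.org", "Name": "Newsletter cleanup",
   "Enabled": true, "HasAttachment": false, "SubjectContainsWords": ["newsletter"],
   "MoveToFolder": "Newsletters", "DeleteMessage": false, "MarkAsRead": false,
   "ForwardTo": []},
  {"MailboxOwnerId": "user2@example.org", "Name": ".",
   "Enabled": true, "HasAttachment": true, "SubjectContainsWords": [],
   "MoveToFolder": "RSS Feeds", "DeleteMessage": false, "MarkAsRead": true,
   "ForwardTo": []},
  {"MailboxOwnerId": "user2@example.org", "Name": "fwd",
   "Enabled": true, "HasAttachment": false, "SubjectContainsWords": [],
   "MoveToFolder": null, "DeleteMessage": true, "MarkAsRead": false,
   "ForwardTo": ["someone@external.example"]}
]
"""

# Domains considered internal (assumption for the sample data).
INTERNAL_DOMAINS = {"example.org"}
# Folders a user rarely looks at; moving attachment mail there is unusual (assumption).
QUIET_FOLDERS = {"rss feeds", "conversation history", "junk email", "deleted items"}


def score_rule(rule, internal_domains=INTERNAL_DOMAINS):
    """Return the reasons a single rule looks suspicious (empty list = nothing flagged)."""
    reasons = []
    if not rule.get("Enabled", False):
        return reasons  # disabled rules do not act on mail
    name = (rule.get("Name") or "").strip()
    if len(name) <= 2:
        reasons.append("near-empty rule name")
    hides = bool(rule.get("MarkAsRead")) or bool(rule.get("DeleteMessage")) or \
        (rule.get("MoveToFolder") or "").lower() in QUIET_FOLDERS
    if rule.get("HasAttachment") and hides:
        reasons.append("attachment-bearing mail is hidden (moved, marked read or deleted)")
    for addr in rule.get("ForwardTo") or []:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in internal_domains:
            reasons.append(f"forwards to external address {addr}")
    if rule.get("DeleteMessage") and not rule.get("SubjectContainsWords"):
        reasons.append("deletes messages without any subject condition")
    return reasons


def audit(rules_json):
    """Return {mailbox: [(rule name, reasons), ...]} for rules with at least one reason."""
    findings = {}
    for rule in json.loads(rules_json):
        reasons = score_rule(rule)
        if reasons:
            findings.setdefault(rule["MailboxOwnerId"], []).append((rule.get("Name"), reasons))
    return findings


if __name__ == "__main__":
    for mailbox, hits in audit(SAMPLE_RULES_JSON).items():
        for rule_name, reasons in hits:
            print(f"{mailbox}: rule {rule_name!r}: {'; '.join(reasons)}")
```

Run against a real export, the output is a triage list rather than a verdict: a rule that quietly files attachment-bearing mail into a seldom-read folder is exactly the kind of plumbing a mailbox-based backdoor needs, so each hit should be checked against the mailbox owner's intent and the rule's creation time.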
PrimeCache – Advanced Malicious IIS Module
PrimeCache, another tool attributed to BladedFeline, is a sophisticated native module for Microsoft IIS web servers. This 64-bit C++ DLL passively monitors incoming HTTP requests, activating only when it detects attacker-specified cookies.
It splits command operations across multiple requests, using AES-CBC and RSA encryption to protect communications.
The module supports a core set of actions, such as remote command execution, file creation, and data exfiltration. Notably, PrimeCache shares several code similarities with the RDAT backdoor previously used by OilRig, another Iran-aligned APT group.
Both use the Crypto++ encryption library and a unique shell execution function, strengthening the assessment that BladedFeline operates as a subgroup within OilRig’s cyberespionage apparatus.
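A native IIS module that stays passive until it sees a specific cookie leaves little in request logs, so the most reliable defensive check is an inventory of the native modules IIS actually loads, which are registered in the globalModules section of applicationHost.config. The script below is an added example (not ESET's tooling and not part of the original report); it parses a constructed applicationHost.config fragment and flags any module whose name is not on a known-good allowlist, whose DLL name does not match the expected one, or whose DLL lives outside the inetsrv directory. The allowlist is a short illustrative subset and an assumption; a real deployment would build it from a clean reference server.

```python
"""Inventory native (global) IIS modules from applicationHost.config and flag
anything that is not a known Microsoft-shipped module loaded from inetsrv.

Added example, not ESET's tooling. KNOWN_NATIVE_MODULES is a partial,
illustrative allowlist (assumption); extend it from a clean reference server.
"""
import xml.etree.ElementTree as ET

# Constructed sample fragment (not from a real server). Backslashes are doubled
# because this is a Python string literal; the parsed XML holds single ones.
SAMPLE_APPHOST_XML = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\\System32\\inetsrv\\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="HttpCacheModule" image="C:\\Windows\\Temp\\httpcache.dll" />
      <add name="DefaultDocumentModule" image="C:\\inetpub\\temp\\defdoc.dll" />
      <add name="CacheHelper" image="C:\\inetpub\\temp\\cachehelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Module name -> DLL file name as shipped by Microsoft (partial list, assumption).
KNOWN_NATIVE_MODULES = {
    "UriCacheModule": "cachuri.dll",
    "HttpCacheModule": "cachhttp.dll",
    "StaticFileModule": "static.dll",
    "DefaultDocumentModule": "defdoc.dll",
    "DirectoryListingModule": "dirlist.dll",
    "AnonymousAuthenticationModule": "authanon.dll",
    "RequestFilteringModule": "modrqflt.dll",
    "HttpLoggingModule": "loghttp.dll",
}
# Directory (case-insensitive suffix) where Microsoft's native modules live.
TRUSTED_DIR_SUFFIX = "system32\\inetsrv"


def _split_image(image):
    """Split an image path into (lower-cased directory, lower-cased file name)."""
    path = image.replace("/", "\\")
    directory, _, basename = path.rpartition("\\")
    return directory.lower(), basename.lower()


def check_global_modules(apphost_xml):
    """Return [(module name, image path, reason)] for every module worth a look."""
    root = ET.fromstring(apphost_xml)
    findings = []
    for global_modules in root.iter("globalModules"):
        for add in global_modules.findall("add"):
            name = add.get("name", "")
            image = add.get("image", "")
            directory, basename = _split_image(image)
            expected = KNOWN_NATIVE_MODULES.get(name)
            if expected is None:
                findings.append((name, image, "module name not on allowlist"))
            elif basename != expected:
                findings.append((name, image, f"known name but unexpected DLL (expected {expected})"))
            elif not directory.endswith(TRUSTED_DIR_SUFFIX):
                findings.append((name, image, "DLL loaded from outside the inetsrv directory"))
    return findings


if __name__ == "__main__":
    for name, image, reason in check_global_modules(SAMPLE_APPHOST_XML):
        print(f"{name}: {image}: {reason}")
```

On a live server the same function can be pointed at the real file (typically under %windir%\System32\inetsrv\config\). Each flagged entry is a candidate for hash lookup and signature checking, since an attacker's native module needs exactly such a registration to receive requests at all, whatever name it chooses.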
Continuous Evolution and Regional Targeting
BladedFeline’s toolset has continued to diversify, including reverse tunnels like Laret and Pinar, webshells (Flog), PowerShell executors (P.S. Olala), and lightweight Python backdoors (Slippery Snakelet).
Their operations, while primarily focused on high-ranking officials in Iraq and the Kurdish region, have also extended to critical infrastructure in Uzbekistan.
The sophistication and persistence of BladedFeline underscore an ongoing threat to Middle Eastern governmental and diplomatic entities.
Given the group's expanding malware suite and its innovative use of legitimate services for command-and-control (C&C) communication, security experts warn that Iran-aligned groups such as BladedFeline will remain a formidable force in regional cyber espionage.
For organizations in the region, a heightened focus on email and web server security is paramount to defending against these evolving threats.