A team of ESET cybersecurity researchers has unveiled the inner workings of “BladedFeline,” an advanced persistent threat (APT) group attributed to Iranian interests.
Active since at least 2017, BladedFeline has quietly infiltrated networks of the Kurdistan Regional Government (KRG), Iraq’s government, and even a regional telecommunications provider in Uzbekistan.
The technical sophistication and persistence of BladedFeline’s arsenal put this campaign among the most notable ongoing Iran-linked cyberespionage operations.
Stealth, Persistence, and Multi-Stage Malware
BladedFeline’s campaign is characterized by a layered toolset designed for persistent unauthorized access, command-and-control (C2), lateral movement, and data exfiltration. Their toolkit includes:
- Shahmaran Backdoor: A lightweight Windows executable used for initial access and simple command execution. Its communication with the C2 server is unencrypted, using HTTP and a hardcoded domain (olinpa[.]com).
- Whisper Backdoor: A rare backdoor leveraging compromised Microsoft Exchange webmail accounts for covert C2 via email attachments. Written in C#/.NET, it AES-encrypts and base64-encodes its communication and payloads, which makes the channel resilient against network-based detection.
- PrimeCache IIS Module: A malicious native IIS module functioning as a passive backdoor. It processes special HTTP cookie headers to execute commands, exfiltrate data, or write files, with communications secured using AES-CBC and RSA.
- Reverse Tunnels (Laret and Pinar): Custom tools establishing SSH-based reverse tunnels for persistent command relay and data transfer, using the open-source Renci.SshNet library.
- Supplementary Implants: This includes webshells (Flog), Python-based backdoors (Slippery Snakelet), PowerShell executors (P.S. Olala), and custom tunneling utilities (Sheep Tunneler).

Attack Timeline Highlights (2017–2024):
- 2017: Initial compromise of KRG systems using OilRig’s RDAT and VideoSRV tools.
- 2023: Deployment of Shahmaran, followed by Whisper backdoor for high-level access persistence.
- 2024: Discovery of PrimeCache and reverse tunnels, revealing ongoing efforts to expand and maintain access across targets.
Code Snippet: PrimeCache Cookie Parsing Logic (Simplified, C++)

```cpp
// Checks for the operator's marker cookie in incoming HTTP requests.
// extract_command_id, execute_cached_command and cache_parameter are the
// module's own helpers, omitted from this simplified excerpt.
if (cookie_header.find("F=") != std::string::npos) {
    std::string command_id = extract_command_id(cookie_header);
    if (command_id == "0") {
        // Command id "0" triggers execution of the previously cached command.
        execute_cached_command();
    } else {
        // Any other id stores the supplied parameter for later execution.
        cache_parameter(command_id, parameter_value);
    }
}
```
Command & Control and Encryption
BladedFeline employs innovative and layered C2 mechanisms:
- Whisper Backdoor: Interacts with attackers using email attachments on Exchange servers. Operator commands are sent as encrypted attachments; responses (command output or exfiltrated data) are similarly encrypted and returned as attachments.
- PrimeCache: Issues commands through custom-formatted cookies, with data transmission encrypted using an embedded Crypto++ library (AES for payloads, RSA for the session key). This approach evades traditional IDS/IPS monitoring that focuses on URLs or request bodies.
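Because PrimeCache carries its tasking in cookies rather than URLs or bodies, a defender has to look at the Cookie header itself. The script below is an added example (not ESET's code and not part of the PrimeCache analysis): it scans constructed IIS W3C log lines that have the cs(Cookie) field enabled, flags requests carrying the operator marker cookie `F` from the simplified snippet above, and heuristically flags long base64-looking cookie values. The parameter cookie name `P` and all log lines are constructed placeholders, not indicators from the report.

```python
import base64
import re
from dataclasses import dataclass

# Constructed base64 blob standing in for an encoded operator parameter.
PAYLOAD = base64.b64encode(b"constructed parameter blob for the example").decode()

# Constructed IIS W3C log excerpt (cs(Cookie) logging enabled); not real telemetry.
# IIS writes spaces inside the cookie field as '+' and an absent header as '-'.
SAMPLE_LOG = f"""\
#Fields: date time cs-method cs-uri-stem c-ip cs(Cookie) sc-status
2024-03-01 10:00:01 GET /owa/ 10.0.0.5 ASP.NET_SessionId=abc123;+X-OWA-CANARY=deadbeef 200
2024-03-01 10:00:07 GET /owa/ 10.0.0.9 F=0;+ASP.NET_SessionId=def456 200
2024-03-01 10:00:09 POST /owa/ 10.0.0.9 F=2;+P={PAYLOAD} 200
2024-03-01 10:00:12 GET /ecp/ 10.0.0.7 ASP.NET_SessionId=ghi789 200
"""

@dataclass
class Finding:
    line_no: int
    client_ip: str
    uri: str
    reason: str

def parse_w3c_cookie(field: str) -> dict:
    """Split an IIS cs(Cookie) field into name -> value (leading '+' is an encoded space)."""
    cookies = {}
    if field != "-":
        for part in field.split(";"):
            part = part.strip("+ ")
            if "=" in part:
                name, value = part.split("=", 1)
                cookies[name] = value
    return cookies

def looks_base64(value: str, min_len: int = 24) -> bool:
    """Heuristic: long, strictly valid base64. Legitimate cookies can match too, so triage."""
    if len(value) < min_len or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value):
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except ValueError:
        return False

def scan_iis_log(text: str) -> list:
    """Return one Finding per suspicious cookie observation in the log text."""
    fields, findings = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        cookies = parse_w3c_cookie(row.get("cs(Cookie)", "-"))
        if "F" in cookies:                     # operator marker from the simplified snippet
            findings.append(Finding(line_no, row["c-ip"], row["cs-uri-stem"],
                                    f"operator marker cookie F={cookies['F']}"))
        for name, value in cookies.items():
            if name != "F" and looks_base64(value):
                findings.append(Finding(line_no, row["c-ip"], row["cs-uri-stem"],
                                        f"long base64 value in cookie {name}"))
    return findings
```

Run it against real logs only after enabling cs(Cookie) in the site's W3C logging fields; the base64 rule is a triage aid and will also match some legitimate session cookies.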
Table: PrimeCache Operator Commands
| Command | Description |
|---|---|
| r | Run a shell command and return output |
| u | Upload a file to the server |
| d | Download a file from the server |
Tactics, Techniques, and Procedures (TTPs)
- Persistence: Through startup entries, service registration, and timestomping (altering executable timestamps to obscure forensic timelines).
- Lateral Movement: Use of custom SSH tunnels (Laret, Pinar) and “Sheep Tunneler” for covert internal traffic rerouting.
- Defense Evasion: Frequent use of base64 encoding, encrypted command channels, and multi-stage payload deployment to hinder detection and analysis.
Attribution, Evolution, and Regional Impact
Ties to OilRig and Iranian State Interests
ESET’s analysis links BladedFeline as a probable subgroup of the broader OilRig (APT34) cluster, notorious for targeting Middle Eastern governments and critical sectors.
Technical overlaps (Crypto++ use, command parsing routines, and IIS backdoor code similarities) with known OilRig tools solidify the connection.
- Shahmaran and RDAT: Early use of OilRig-developed implants.
- PrimeCache: Shares code, encryption style, and operational flow with OilRig’s RDAT, indicating shared development or tool reuse.
Target Profile and Geopolitical Motive
BladedFeline’s focus on Kurdish and Iraqi government networks—entities of geopolitical significance due to their ties to Western states and resource-rich regions—suggests intelligence gathering is the primary objective. The group’s additional forays into Uzbekistan’s telecom sector highlight a widening geographic and strategic footprint.
BladedFeline exemplifies the persistent, adaptive, and technically advanced tactics now prevalent among Iran-aligned cyberespionage groups.
Through ongoing tool development, stealthy communication protocols, and meticulous targeting, the group has sustained covert access in some of the Middle East’s most sensitive networks for nearly a decade.
Organizations in the region, and defenders globally, should pay close attention to the evolving TTPs of BladedFeline and its parent cluster, OilRig.
Indicators of compromise
| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 01B99FF47EC6394753F9CCDD2D43B3E804F9EE36 | Avamer.pdf.exe | Python/TrojanDropper.Agent.GI | Python-compiled dropper for Spearal. |
| 1C757ACCBC2755E83E530DDA11B3F81007325E67 | Win_Updates.exe | MSIL/Agent.EUM | Spearal, a BladedFeline backdoor. |
| 272CF34E8DB2078A3170CF0E54255D89785E3C50 | scr8B45.ps1 | PowerShell/TrojanDropper.Agent.AJU | PowerShell script to install Spearal. |
| 37859E94086EC47B3665328E9C9BAF665CB869F6 | ncms_demo.msi | MSIL/Agent.EUM | MSI inside the zip archive that drops and executes a PowerShell script that in turn drops and executes Spearal. |
| 3D21E1C9DFBA38EC6997AE6E426DF9291F89762A | flogon.aspx | ASP/Agent.BI | Flog webshell. |
| 4954E8ACE23B48EC55F1FF3A47033351E9FA2D6C | winsmsrv.exe | MSIL/HackTool.Agent.YN | Pinar, a reverse tunnel. |
| 562E1678EC8FDC1D83A3F73EB511A6DDA08F3B3D | LogonUl.exe | Win64/OilRig_AGen.A | RDAT backdoor. |
| 66BD8DB40F4169C7F0FCA3D5D15C978EFE143CF8 | Protocol.pdf.exe | Python/TrojanDropper.Agent.FT | Whisper Protocol, the dropper that writes and executes the Whisper backdoor. |
| 6973D3FF8852A3292380B07858D43D0B80C0616E | VeeamUpdate.exe | MSIL/Agent.ERR | Whisper backdoor. |