ESET Exposes ‘BladedFeline’: Iran-Linked APT’s 8‑Year Covert Cyberespionage Campaign

A team of ESET cybersecurity researchers has unveiled the inner workings of “BladedFeline,” an advanced persistent threat (APT) group attributed to Iranian interests.

Active since at least 2017, BladedFeline has quietly infiltrated networks of the Kurdistan Regional Government (KRG), Iraq’s government, and even a regional telecommunications provider in Uzbekistan.

The technical sophistication and persistence of BladedFeline’s arsenal put this campaign among the most notable ongoing Iran-linked cyberespionage operations.

Stealth, Persistence, and Multi-Stage Malware

BladedFeline’s campaign is characterized by a layered toolset designed for persistent unauthorized access, command-and-control (C2), lateral movement, and data exfiltration. Their toolkit includes:

• Shahmaran Backdoor: A lightweight Windows executable used for initial access and simple command execution. Its communication with the C2 server is unencrypted, using HTTP and a hardcoded domain (olinpa[.]com).
• Whisper Backdoor: A rare backdoor leveraging compromised Microsoft Exchange webmail accounts for covert C2 via email attachments. Written in C#/.NET, communication and payloads are AES-encrypted and base64-encoded, providing resilience against network detection.
• PrimeCache IIS Module: A malicious native IIS module functioning as a passive backdoor. It processes special HTTP cookie headers to execute commands, exfiltrate data, or write files, with communications secured using AES-CBC and RSA.
• Reverse Tunnels (Laret and Pinar): Custom tools establishing SSH-based reverse tunnels for persistent command relay and data transfer, using the open-source Renci.SshNet library.
• Supplementary Implants: This includes webshells (Flog), Python-based backdoors (Slippery Snakelet), PowerShell executors (P.S. Olala), and custom tunneling utilities (Sheep Tunneler).

Attack Timeline Highlights (2017–2024):

• 2017: Initial compromise of KRG systems using OilRig’s RDAT and VideoSRV tools.
• 2023: Deployment of Shahmaran, followed by Whisper backdoor for high-level access persistence.
• 2024: Discovery of PrimeCache and reverse tunnels, revealing ongoing efforts to expand and maintain access across targets.

Code Snippet: PrimeCache Cookie Parsing Logic (Simplified, C++)

cpp// Checks for operator's cookie in incoming HTTP requests
if (cookie_header.find("F=") != std::string::npos) {
    std::string command_id = extract_command_id(cookie_header);
    if (command_id == "0") {
        execute_cached_command();
    } else {
        cache_parameter(command_id, parameter_value);
    }
}

Command & Control and Encryption

BladedFeline employs innovative and layered C2 mechanisms:

• Whisper Backdoor: Interacts with attackers using email attachments on Exchange servers. Operator commands are sent as encrypted attachments; responses (command output or exfiltrated data) are similarly encrypted and returned as attachments.
• PrimeCache: Issues commands through custom-formatted cookies, with data transmission encrypted using an embedded Crypto++ library (AES for payloads, RSA for the session key). This approach evades traditional IDS/IPS monitoring that focuses on URLs or request bodies.

Table: PrimeCache Operator Commands

Command	Description
r	Run a shell command and return output
u	Upload a file to the server
d	Download a file from the server

Tactics, Techniques, and Procedures (TTPs)

• Persistence: Through startup entries, service registration, and timestomping executable timestamps (a tactic to obfuscate forensic timelines).
• Lateral Movement: Use of custom SSH tunnels (Laret, Pinar) and “Sheep Tunneler” for covert internal traffic rerouting.
• Defense Evasion: Frequent use of base64 encoding, encrypted command channels, and multi-stage payload deployment to hinder detection and analysis.

Attribution, Evolution, and Regional Impact

Ties to OilRig and Iranian State Interests

ESET’s analysis links BladedFeline as a probable subgroup of the broader OilRig (APT34) cluster, notorious for targeting Middle Eastern governments and critical sectors.

Technical overlaps (Crypto++ use, command parsing routines, and IIS backdoor code similarities) with known OilRig tools solidify the connection.

• Shahmaran and RDAT: Early use of OilRig-developed implants.
• PrimeCache: Shares code, encryption style, and operational flow with OilRig’s RDAT, indicating shared development or tool reuse.

Target Profile and Geopolitical Motive

BladedFeline’s focus on Kurdish and Iraqi government networks—entities of geopolitical significance due to their ties to Western states and resource-rich regions—suggests intelligence gathering is the primary objective. The group’s additional forays into Uzbekistan’s telecom sector highlight a widening geographic and strategic footprint.

BladedFeline exemplifies the persistent, adaptive, and technically advanced tactics now prevalent among Iran-aligned cyberespionage groups.

Through ongoing tool development, stealthy communication protocols, and meticulous targeting, the group has sustained covert access in some of the Middle East’s most sensitive networks for nearly a decade.

Organizations in the region, and defenders globally, should pay close attention to the evolving TTPs of BladedFeline and its parent cluster, OilRig.

Indicators of compromise

SHA-1	Filename	Detection	Description
01B99FF47EC6394753F9CCDD2D43B3E804F9EE36	Avamer.pdf.exe	Python/TrojanDropper.Agent.GI	Python-compiled dropper for Spearal
1C757ACCBC2755E83E530DDA11B3F81007325E67	Win_Updates.exe	MSIL/Agent.EUM	Spearal, a BladedFeline backdoor.
272CF34E8DB2078A3170CF0E54255D89785E3C50	scr8B45.ps1	PowerShell/TrojanDropper.Agent.AJU	PowerShell script to install Spearal.
37859E94086EC47B3665328E9C9BAF665CB869F6	ncms_demo.msi	MSIL/Agent.EUM	MSI inside the zip archive that drops and executes a PowerShell script that in turn drops and executes Spearal.
3D21E1C9DFBA38EC6997AE6E426DF9291F89762A	flogon.aspx	ASP/Agent.BI	Flog webshell.
4954E8ACE23B48EC55F1FF3A47033351E9FA2D6C	winsmsrv.exe	MSIL/HackTool.Agent.YN	Pinar, a reverse tunnel.
562E1678EC8FDC1D83A3F73EB511A6DDA08F3B3D	LogonUl.exe	Win64/OilRig_AGen.A	RDAT backdoor.
66BD8DB40F4169C7F0FCA3D5D15C978EFE143CF8	Protocol.pdf.exe	Python/TrojanDropper.Agent.FT	Whisper Protocol, the dropper that writes and executes the Whisper backdoor.
6973D3FF8852A3292380B07858D43D0B80C0616E	VeeamUpdate.exe	MSIL/Agent.ERR	Whisper backdoor.