Iranian APT ‘BladedFeline’ Evades Detection for 8 Years Inside Targeted Networks

A previously little-known Iranian advanced persistent threat (APT) group dubbed “BladedFeline” has been quietly operating inside high-value Middle Eastern networks for at least eight years, leveraging a multi-tool arsenal to maintain persistent access and evade detection.

ESET researchers uncovered BladedFeline in 2024 after discovering its latest malware in government systems, and now attribute it as a sophisticated subgroup within the notorious OilRig APT umbrella.

Technical Deep Dive: Arsenal and Operations

Stealthy Multi-Stage Implants

BladedFeline’s campaigns leveraged a tailored toolset including:

  • Shahmaran Backdoor: A 64-bit Windows executable planted in startup folders. Its C2 communications use neither encryption nor compression, and it responds to operator commands for file management and directory manipulation.
  • Whisper Backdoor: Developed in C#/.NET, Whisper uses compromised Microsoft Exchange accounts for C2, exchanging commands and exfiltrating data via encrypted email attachments. Its configuration is stored in a base64-encoded XML, decoded at runtime.

Sample: Whisper config parsing & login (C# snippet):

using System;
using System.IO;
using System.Text;
using Microsoft.Exchange.WebServices.Data;   // EWS Managed API (ExchangeService, WebCredentials)

// Decoding config: the on-disk configuration is base64-encoded XML, decoded at runtime.
// ConfigPath and GetCredentialsFromConfig are the implant's own helpers, not shown in the sample.
string base64Config = File.ReadAllText(ConfigPath);
string xmlDecoded = Encoding.UTF8.GetString(Convert.FromBase64String(base64Config));

// Parsing credentials & logging in to the compromised Exchange account over EWS
var creds = GetCredentialsFromConfig(xmlDecoded);
ExchangeService service = new ExchangeService(ExchangeVersion.Exchange2010_SP2);
service.Credentials = new WebCredentials(creds.Username, creds.Password);
service.Url = new Uri(creds.Endpoint);
  • PrimeCache IIS Module: A passive, native IIS module that acts as a backdoor. It inspects incoming HTTP requests for operator-issued commands embedded in cookies, assembling multi-part instructions before execution. Commands are AES-encrypted and sessions are RSA-encrypted, using statically linked Crypto++ for cryptography.

PrimeCache recognizes commands via Cookie headers:

Cookie: F=<command_ID>,<param>;

Actions include remote command execution, file upload/download, and exfiltration via HTTP responses.
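As an added illustration (not code from the article or from ESET's report), the following Python sweep shows how a defender could search IIS W3C logs for the cookie shape described above and group the fragments by client, which is what makes the multi-request command assembly visible. It assumes the site's logging has the cs(Cookie) field enabled (IIS does not log cookies by default). The log excerpt, client addresses and cookie values are constructed; real PrimeCache parameters would be AES ciphertext, and the exact on-the-wire cookie format may differ from the schematic the article gives.

```python
import re
from collections import defaultdict

# Constructed IIS W3C log excerpt (not real traffic). IIS only writes the
# cs(Cookie) field when it is enabled in the site's logging settings; this
# sweep assumes that has been done. Cookie values here are placeholders.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(Cookie)
2024-03-01 10:00:01 203.0.113.5 GET /owa/ 200 ASP.NET_SessionId=abc123
2024-03-01 10:00:02 198.51.100.7 GET /index.html 200 F=1,QUFBQUFB;
2024-03-01 10:00:03 198.51.100.7 GET /index.html 200 F=1,QkJCQkJC;
2024-03-01 10:00:04 198.51.100.7 GET /index.html 200 F=2,;
2024-03-01 10:00:05 203.0.113.5 POST /owa/auth.owa 302 -
"""

# The cookie shape the article attributes to PrimeCache: F=<command_ID>,<param>;
# Anchored at the start of the cookie string or after a ';' separator so that
# an unrelated cookie such as "REF=1,2;" does not match.
COMMAND_COOKIE = re.compile(r"(?:^|;\s*)F=(?P<cmd>\d+),(?P<param>[^;]*);")


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()   # IIS encodes spaces inside cookies as '+', so a plain split is safe
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def find_cookie_commands(text):
    """Group command-shaped cookies by client IP; returns one finding per client."""
    per_client = defaultdict(list)
    for rec in parse_w3c(text):
        match = COMMAND_COOKIE.search(rec.get("cs(Cookie)", "-"))
        if match:
            per_client[rec["c-ip"]].append((rec["time"], int(match["cmd"]), match["param"]))

    findings = []
    for ip, hits in per_client.items():
        findings.append({
            "client": ip,
            "requests": len(hits),
            "command_ids": [cmd for _, cmd, _ in hits],
            # Non-empty params are the fragments the module would be reassembling
            "fragments": [param for _, _, param in hits if param],
            "first_seen": hits[0][0],
            "last_seen": hits[-1][0],
        })
    return findings


if __name__ == "__main__":
    for finding in find_cookie_commands(SAMPLE_LOG):
        print(finding)
```

Matching the full `F=<id>,<param>;` shape rather than just `F=` keeps false positives low, but a log sweep is only a lead: the authoritative check for a passive native module is an inventory of the modules actually loaded on the IIS host.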

Reverse Tunnels and Auxiliary Tools

To maintain re-entry and C2 flexibility, BladedFeline also deployed:

  • Laret and Pinar: C#-based reverse tunneling utilities persistently installed on compromised hosts, with connection and authentication configs stored obfuscated in local files. These use SSH (via Renci.SshNet) and plaintext local port listeners, blending in with enterprise traffic.
  • Flog Webshell and Hawking Listener: ASP.NET and C#-based implant tools for web server persistence and command execution.
  • Slippery Snakelet: A Python-based minimalist backdoor capable of running commands and uploading/downloading files, communicating with C2 over HTTPS.

Timeline of Compromise

  • 2017: Initial access into Kurdistan Regional Government (KRG) systems with reverse shells and OilRig’s RDAT backdoor.
  • 2018–2021: Custom tunneling and privilege escalation tools established entrenched access.
  • 2023–2024: Major upgrades (Whisper, PrimeCache, and new tunneling tools) enabled expansion into the Iraqi government and a regional Uzbek telecom provider.

Sophisticated Persistence and Evasion Tactics

Multi-Vector Persistence

BladedFeline implements multiple persistence layers: startup entries, scheduled tasks, Windows services, and web shell implants. Timestomping techniques are frequently observed, with file creation and compile times altered to predate detection solutions’ thresholds.

Advanced Encryption and C2 Obfuscation

Its backdoors employ asymmetric/symmetric hybrid cryptography:

  • PrimeCache: Hardcoded RSA keys and AES-CBC for all C2 communication payloads, plus HTTP protocol masquerading.
  • Whisper: Uses AES encryption for commands, base64 encoding for data-at-rest, and relies on legitimate Exchange infrastructure for blending in.

Encrypted, Modular Command Handling

Each major implant supports modular, operator-defined commands ranging from custom PowerShell execution (Whisper) to command-line and file operations (PrimeCache, Shahmaran).

Because command processing is decoupled from any single request (especially in PrimeCache, where a command arrives in pieces over multiple requests), traditional pattern-matching security tools have great difficulty detecting it.

Attribution and Impact

ESET analysis reveals strong code and operational overlaps with OilRig (APT34), especially in cryptographic routines and backdoor deployment strategies.

BladedFeline appears to focus primarily on intelligence collection and long-term access against diplomatic, governmental, and telecom targets, emphasizing espionage over disruption.

The group’s continued development and operational security suggest substantial resources and a deep understanding of both Windows enterprise environments and Middle Eastern geopolitics.

Implications & Defensive Considerations

  • Network defenders must look for anomalous IIS modules, unexpected Exchange access patterns, and encrypted cookie-based backdoor signals.
  • Critical Recommendations: Harden public-facing applications, audit Exchange credentials and usage, and review for timestomped files or persistent C#/.NET binaries.
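To make the "review for timestomped files" recommendation concrete, and to match the timestomping behaviour described under Multi-Vector Persistence (compile and file times altered to predate detection thresholds), here is an added Python check that is not the article's or ESET's code. It compares a Windows binary's PE compile timestamp (the COFF TimeDateStamp) with the file's modification time from os.stat. The minimal PE image, the timestamps and the file name are constructed for the demonstration, and the tolerance value is an assumption.

```python
import os
import struct
import tempfile
import time

SLACK = 300  # seconds of tolerance for clock skew between build host and target (assumption)


def pe_compile_stamp(data):
    """Return the COFF TimeDateStamp of a PE image (epoch seconds), or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def timestomp_indicators(data, mtime_ns, now_ts=None):
    """Heuristic timestomping indicators for one file; returns a list of strings (empty = clean)."""
    stamp = pe_compile_stamp(data)
    if stamp is None:
        return ["not a PE image"]
    now_ts = int(time.time()) if now_ts is None else now_ts
    mtime_ts = mtime_ns // 10**9
    issues = []
    # A genuine binary cannot have been compiled after 'now'. Caveat: deterministic
    # (reproducible) builds, common for modern .NET, store a hash in this field
    # instead of a time, so a future value is a lead, not proof.
    if stamp > now_ts + SLACK:
        issues.append("compile timestamp is in the future (timestomped, or a deterministic-build hash)")
    # The linker writes the file at compile time, so mtime should not be earlier.
    if mtime_ts + SLACK < stamp:
        issues.append("last-modified time predates compile time")
    # Many timestomping tools set whole-second values while NTFS keeps 100 ns precision.
    # Weak on its own: files copied from FAT media or extracted from archives look the same.
    if mtime_ns % 10**9 == 0:
        issues.append("modified time has a zeroed sub-second part")
    return issues


def check_file(path, now_ts=None):
    """Run the indicators against a file on disk."""
    with open(path, "rb") as fh:
        data = fh.read()
    return timestomp_indicators(data, os.stat(path).st_mtime_ns, now_ts)


def build_minimal_pe(stamp):
    """Constructed stand-in for a PE file: DOS header, PE signature and a COFF header only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x8664, 0, stamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


def demo():
    """Constructed scenario: binary linked 2023-01-01, mtime stomped back to 2017-01-01."""
    compiled = 1672531200   # 2023-01-01T00:00:00Z
    stomped = 1483228800    # 2017-01-01T00:00:00Z
    now = 1717200000        # 2024-06-01T00:00:00Z, fixed so the result is reproducible
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.exe")
        with open(path, "wb") as fh:
            fh.write(build_minimal_pe(compiled))
        os.utime(path, ns=(stomped * 10**9, stomped * 10**9))
        return check_file(path, now)


if __name__ == "__main__":
    for issue in demo():
        print("-", issue)
```

This uses only what os.stat exposes, so it works from any platform over a mounted image or collected files. On a live Windows host the stronger check is comparing the NTFS $STANDARD_INFORMATION timestamps (the ones timestomping tools change) with the $FILE_NAME timestamps, which requires parsing the MFT rather than the standard file API.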

After nearly a decade undetected, BladedFeline’s activities underscore the evolving complexity of Iranian cyber operations—and the urgent need for deep-dive technical vigilance across all critical sectors.

Priya
