Iran-Linked BladedFeline Targets Iraqi and Kurdish Entities with Advanced Malware

In early 2024, a cyber espionage campaign attributed to the Iran-affiliated hacking group BladedFeline targeted Kurdish and Iraqi government officials. This group, believed to be a sub-cluster within the known Iranian nation-state actor OilRig, has been active since at least September 2017, focusing on infiltrating organizations in Iraq and the Kurdistan Regional Government (KRG).

BladedFeline’s operations have consistently aimed to maintain unauthorized access to Kurdish diplomatic officials, exploit regional telecommunications providers, and infiltrate Iraqi government networks. Their activities were first documented in May 2024, revealing attacks on a governmental organization in the Kurdistan region and a telecommunications provider in Uzbekistan, potentially compromised as early as May 2022.

The group’s malware arsenal includes several bespoke backdoors:

– Shahmaran: A simple backdoor that connects to a remote server, executing commands to upload or download files and manipulate directories.

– Whisper (aka Veaty): A C#/.NET backdoor that communicates with attackers via email attachments through compromised Microsoft Exchange webmail accounts.

– Spearal: A .NET backdoor utilizing DNS tunneling for command-and-control communication.

– Optimizer: Another custom backdoor employed in their campaigns.
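The Spearal backdoor listed above relies on DNS tunneling for command-and-control, which a defender can often spot in resolver logs: the data being carried has to be encoded into subdomain labels, so one base domain ends up receiving many long, high-entropy, rarely repeated labels. The following Python heuristic is an added illustration and is not code from the report or from any of the tooling it describes; the log format, hosts and domain names are constructed for the example and are not indicators from the campaign.

```python
"""Heuristic DNS-tunneling detector over resolver query logs (added example).

Each line of the constructed log has four whitespace-separated fields:
timestamp, client IP, queried name, query type. For every registrable base
domain the script tracks how many distinct subdomains were queried beneath it
and the average length and Shannon entropy of those labels. A base domain is
flagged only when all three signals exceed their thresholds, which keeps
ordinary CDN and mail lookups from tripping the rule.
"""
import math
import re
from collections import defaultdict

# Constructed sample log: hypothetical hosts and domains, not real telemetry.
SAMPLE_LOG = """\
2024-01-09T10:00:01Z 10.1.2.30 www.intranet-portal.example A
2024-01-09T10:00:02Z 10.1.2.30 mail.intranet-portal.example A
2024-01-09T10:00:03Z 10.1.2.30 www.intranet-portal.example A
2024-01-09T10:00:04Z 10.1.2.44 q7x2k9m4b1v8n3c6z0p5l2w7a1s8d4f9.cdn-sync.example TXT
2024-01-09T10:00:05Z 10.1.2.44 y3h8j1u6i5o2t9r4e7w0a2s5d8f1g4h7.cdn-sync.example TXT
2024-01-09T10:00:06Z 10.1.2.44 n6b2v9c4x1z8m3k7l0p5o2i9u4y7t1r6.cdn-sync.example TXT
2024-01-09T10:00:07Z 10.1.2.44 e1r4t7y0u3i6o9p2a5s8d1f4g7h0j3k6.cdn-sync.example TXT
2024-01-09T10:00:08Z 10.1.2.44 w5q8e1r4t7y0u3i6o9p2a5s8d1f4g7h0.cdn-sync.example TXT
2024-01-09T10:00:09Z 10.1.2.44 s9d2f5g8h1j4k7l0z3x6c9v2b5n8m1q4.cdn-sync.example TXT
2024-01-09T10:00:10Z 10.1.2.51 cdn.static-assets.example A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character; random-looking encodings score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain part, base domain). The last two labels are treated as
    the base domain; a production version should use the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype.upper()}


def score_domains(lines, min_unique=5, min_len=20, min_entropy=3.5):
    """Aggregate per base domain and decide which ones look like tunneling."""
    per_base = defaultdict(lambda: {"queries": 0, "subs": set(),
                                    "len_sum": 0, "ent_sum": 0.0, "txt": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sub, base = split_name(rec["qname"])
        st = per_base[base]
        st["queries"] += 1
        st["subs"].add(sub)
        payload = sub.replace(".", "")  # only the data-carrying labels
        st["len_sum"] += len(payload)
        st["ent_sum"] += shannon_entropy(payload)
        if rec["qtype"] == "TXT":
            st["txt"] += 1

    report = {}
    for base, st in per_base.items():
        n = st["queries"]
        avg_len = st["len_sum"] / n
        avg_ent = st["ent_sum"] / n
        reasons = []
        if len(st["subs"]) >= min_unique:
            reasons.append(f"{len(st['subs'])} distinct subdomains")
        if avg_len >= min_len:
            reasons.append(f"avg label length {avg_len:.1f}")
        if avg_ent >= min_entropy:
            reasons.append(f"avg entropy {avg_ent:.2f} bits/char")
        report[base] = {
            "queries": n,
            "txt_ratio": st["txt"] / n,
            "flagged": len(reasons) == 3,  # require all signals together
            "reasons": reasons,
        }
    return report


def flagged_domains(lines):
    """Sorted list of base domains that met every tunneling heuristic."""
    return sorted(b for b, r in score_domains(lines).items() if r["flagged"])


if __name__ == "__main__":
    for base, r in score_domains(SAMPLE_LOG.splitlines()).items():
        status = "SUSPECT" if r["flagged"] else "ok"
        print(f"{status:8} {base:28} queries={r['queries']} "
              f"txt={r['txt_ratio']:.0%} {'; '.join(r['reasons'])}")
```

The thresholds are deliberately conservative and combined with AND so that a single long hostname or a busy content domain does not fire on its own; in a real deployment the TXT ratio and the number of distinct querying clients are useful extra signals, and the base-domain split should use the public suffix list rather than the last two labels.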

In December 2023, BladedFeline deployed a Python-based implant named Slippery Snakelet, capable of executing commands via cmd.exe and of downloading and uploading files. To maintain persistent access, the group used the tunneling tools Laret and Pinar and a malicious IIS module dubbed PrimeCache, which shares similarities with the RDAT backdoor used by OilRig.

The initial access vector used by BladedFeline remains unclear. The group is suspected of exploiting vulnerabilities in internet-facing applications to breach Iraqi government networks and then deploying the Flog web shell for sustained remote access.

BladedFeline’s activities underscore Iran’s strategic interest in gathering diplomatic and financial intelligence from Iraqi organizations, reflecting the broader objectives of the Iranian government in the region.