The Middle East Health Journal
SEE OTHER BRANDS
The Middle East Health Journal

Catch up with healthcare and wellness news from the Middle East

Submit Press Release

Iran-aligned BladedFeline spies on Iraqi and Kurdish officials, ESET Research discovers

  • ESET researchers have revealed that Iran-aligned threat group BladedFeline targeted Kurdish and Iraqi government officials with array of malicious tools discovered within their systems.
  • ESET discovered and analyzed two reverse tunnels (Laret and Pinar), a backdoor (Whisper), a malicious IIS module (PrimeCache), and various supplementary tools.
  • With high-confidence ESET Researchers assess that BladedFeline is a subgroup within Iran-aligned OilRig, as the initial implants used there can be traced back to OilRig group.
  • BladedFeline already compromised Kurdish diplomatic officials with the group's Shahmaran signature backdoor in 2023.

MONTREAL and BRATISLAVA, Slovakia, June 05, 2025 (GLOBE NEWSWIRE) -- The Iran-aligned threat group BladedFeline has targeted Kurdish and Iraqi government officials in a recent cyber-espionage campaign, according to ESET researchers. The group deployed a range of malicious tools discovered within the compromised systems, indicating a continued effort to maintain and expand access to high-ranking officials and government organizations in Iraq and the Kurdish region. The latest campaign highlights BladedFeline’s evolving capabilities, featuring two tunneling tools (Laret and Pinar), various supplementary tools, and, most notably, a custom backdoor Whisper and a malicious Internet Information Services (IIS) module PrimeCache, both identified and named by ESET.

Whisper logs into a compromised webmail account on a Microsoft Exchange server and uses it to communicate with the attackers via email attachments. PrimeCache also serves as a backdoor: it is a malicious IIS module. PrimeCache also bears similarities to the RDAT backdoor used by OilRig Advanced Persistent Threat (APT) group.

Based on these code similarities, as well as on further evidence presented in this blogpost, ESET assesses that BladedFeline is a very likely subgroup of OilRig, an Iran-aligned APT group going after governments and businesses in the Middle East. The initial implants in the latest campaign can be traced back to OilRig. These tools reflect the group’s strategic focus on persistence and stealth within targeted networks.

BladedFeline has worked consistently to maintain illicit access to Kurdish diplomatic officials, while simultaneously exploiting a regional telecommunications provider in Uzbekistan, and developing and maintaining access to officials in the government of Iraq.

ESET Research assesses that BladedFeline is targeting the Kurdish and Iraqi governments for cyberespionage purposes, with an eye toward maintaining strategic access to the computers of high-ranking officials in both governmental entities. The Kurdish diplomatic relationship with Western nations, coupled with the oil reserves in the Kurdistan region, makes it an enticing target for Iran-aligned threat actors to spy on and potentially manipulate. In Iraq, these threat actors are most probably trying to counter the influence of Western governments following the US invasion and occupation of the country.

In 2023, ESET Research discovered that BladedFeline targeted Kurdish diplomatic officials with the Shahmaran backdoor, and previously reported on its activities in ESET APT Activity reports. The group has been active since at least 2017, when it compromised officials within the Kurdistan Regional Government, but is not the only subgroup of OilRig that ESET Research is monitoring. ESET has been tracking Lyceum, also known as HEXANE or Storm-0133, as another OilRig subgroup. Lyceum focuses on targeting various Israeli organizations, including governmental and local governmental entities and organizations in healthcare.

ESET expects that BladedFeline will persist with implant development in order to maintain and expand access within its compromised victim set for cyberespionage.

For a more detailed analysis and technical breakdown of BladedFeline’s tools used in Operation RoundPress, check out the latest ESET Research blogpost “Whispering in the dark” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.

About ESET
ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown— securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow our social media, podcasts and blogs.


Media contact:
Jessica Beffa
jessica.beffa@eset.com
720-413-4938

Primary Logo

Legal Disclaimer:

EIN Presswire provides this news content "as is" without warranty of any kind. We do not accept any responsibility or liability for the accuracy, content, images, videos, licenses, completeness, legality, or reliability of the information contained in this article. If you have any complaints or copyright issues related to this article, kindly contact the author above.

Share us

on your social networks:
Facebook Facebook LinkedIn LinkedIn
AGPs

Get the latest news on this topic.

SIGN UP FOR FREE TODAY

No Thanks

By signing to this email alert, you
agree to our Terms of Service