Iran-Aligned Hacking Group Targets Middle Eastern Governments
A long-running cyber-espionage campaign linked to an Iran-aligned threat group has been observed targeting government entities in Iraq and the Kurdistan Regional Government (KRG), according to new research by ESET.
The group, dubbed "BladedFeline," has significantly evolved its toolset since its initial activities began in 2017. What's new is the use of a sophisticated set of malware tools designed for stealth and persistence. Among them is a newly discovered backdoor called Whisper, which leverages Microsoft Exchange webmail accounts to receive commands and exfiltrate data via email attachments.
This covert approach allows attackers to maintain access while avoiding traditional detection methods. In addition to Whisper, researchers uncovered a malicious Internet Information Services (IIS) module known as PrimeCache. This server-based backdoor operates in a stealthy manner, remaining hidden within legitimate web server processes.
Alongside these, two reverse tunnel tools, Laret and Pinar, and multiple post-compromise utilities were also deployed. The tools enable the group to maintain long-term access to high-value targets, evade detection using encrypted communication methods, execute commands remotely through legitimate webmail accounts, and conceal malicious activity within trusted server processes.
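Because PrimeCache is described as a malicious IIS module living inside legitimate web server processes, one check a defender can run on an Exchange or other IIS host is an inventory of the native modules IIS is configured to load, flagging any that come from an unexpected directory or that carry no valid Authenticode signature. The script below is an added example written for this article; it is not code from ESET, from the article, or from the threat actor, and it contains no indicators for PrimeCache itself. It assumes the WebAdministration PowerShell module is installed and that the script runs elevated; the `$ExpectedDirs` list is a constructed baseline that an operator should replace with one captured from a known-clean, identically built server.

```powershell
# Added example (not from the ESET research or the article): enumerate the
# native (global) IIS modules and report any that load from outside the
# expected directories or that are not validly signed.
# Assumptions: WebAdministration module available (IIS 7+), run elevated.
# $ExpectedDirs is a constructed baseline; adjust it to your own build.

param(
    [string[]]$ExpectedDirs = @(
        "$env:windir\System32\inetsrv",
        "$env:windir\Microsoft.NET\Framework64",
        "C:\Program Files\Microsoft\Exchange Server"   # placeholder install root
    )
)

Import-Module WebAdministration

function Get-SuspiciousIisModules {
    param([string[]]$AllowedDirs)

    $findings = @()
    foreach ($mod in Get-WebGlobalModule) {
        # The Image attribute is stored as written in applicationHost.config and
        # often contains %windir%; expand it before comparing paths.
        $image = [Environment]::ExpandEnvironmentVariables($mod.Image)

        $inAllowedDir = $false
        foreach ($dir in $AllowedDirs) {
            if ($image.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
                $inAllowedDir = $true
                break
            }
        }

        # A module whose DLL is missing from disk is itself worth a look.
        if (Test-Path -LiteralPath $image) {
            $sigStatus = (Get-AuthenticodeSignature -FilePath $image).Status
        } else {
            $sigStatus = 'FileMissing'
        }

        if (-not $inAllowedDir -or $sigStatus -ne 'Valid') {
            if (-not $inAllowedDir) { $reason = 'UnexpectedPath' } else { $reason = 'UnsignedOrInvalid' }
            $findings += [pscustomobject]@{
                Name      = $mod.Name
                Image     = $image
                Signature = $sigStatus
                Reason    = $reason
            }
        }
    }
    return $findings
}

# Review each finding against change records; an unknown native module on an
# Exchange front end is a strong lead for the kind of implant described above.
Get-SuspiciousIisModules -AllowedDirs $ExpectedDirs | Format-Table -AutoSize
```

This covers native modules only; managed (.NET) modules registered through `Get-WebManagedModule` are referenced by type name rather than file path and need a separate comparison against a baseline of the assemblies deployed to the site. Running the inventory on a schedule and diffing against the previous result turns a one-off audit into a simple persistence check.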
The reuse of code from known malware linked to the broader OilRig operation suggests that BladedFeline may operate as a subgroup within this larger framework. This assessment is supported by similarities in technical design and malware functionality.
ESET said that initial access within the KRG was traced back to at least 2017. More recently, the group has expanded its operations to include additional Iraqi government bodies and a telecommunications provider in Uzbekistan.
The shift from simple backdoors to modular, stealth-capable implants highlights the group’s intent to maintain deep access to politically sensitive environments.
What's at Stake?
"We expect to find that BladedFeline will persist with implant development in order to maintain and expand access within its compromised victim set, likely for cyber-espionage," ESET concluded.
The evolving tactics underscore a broader strategy by Iran-aligned actors to conduct intelligence gathering in the region without raising alarms. As the threat landscape continues to shift, it is essential for governments and organizations to remain vigilant and take proactive measures to protect themselves against these sophisticated attacks.
Conclusion
BladedFeline's sophisticated toolkit and stealthy approach highlight the evolving nature of cyber threats in the region. As Iran-aligned actors continue to refine their tactics, it is crucial for policymakers, security experts, and organizations to stay informed and adapt to these emerging threats.