Threats Feed | BladedFeline | Last Updated: 07/06/2025 | Author: Certfa Radar | Publish Date: 05/06/2025

BladedFeline Targets Iraq and Kurdistan Governments with Custom Malware Arsenal

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Vulnerability Exploitation, Backdoor, Downloader, Malware
  • Attack Complexity: High
  • Threat Risk: High Impact/High Probability

Threat Overview

BladedFeline, an Iran-aligned APT group assessed to be a subgroup of OilRig (APT34), has run a multi-year cyberespionage campaign against Kurdish and Iraqi government officials and a telecommunications provider in Uzbekistan. Active since at least 2017, the group relies on a custom toolset to keep long-term access: the Shahmaran and Whisper backdoors, the PrimeCache malicious IIS module, the Laret and Pinar reverse tunnels, and several post-compromise implants. Whisper blends its command-and-control into ordinary mail traffic by using compromised accounts on the victim's Microsoft Exchange server to exchange commands and results by email, while PrimeCache runs inside the IIS web server process as a native module. The targeting reflects Iran's strategic interest in the region's political institutions and telecommunications sector.

Detected Targets

Type   | Description                       | Confidence
Sector | Government Agencies and Services  | Verified
Sector | Telecommunication                 | Verified
Region | Iraq                              | Verified
Region | Uzbekistan                        | Verified

Extracted IOCs (SHA-1 file hashes and IP addresses)

  • 01b99ff47ec6394753f9ccdd2d43b3e804f9ee36
  • 1c757accbc2755e83e530dda11b3f81007325e67
  • 272cf34e8db2078a3170cf0e54255d89785e3c50
  • 37859e94086ec47b3665328e9c9baf665cb869f6
  • 3d21e1c9dfba38ec6997ae6e426df9291f89762a
  • 4954e8ace23b48ec55f1ff3a47033351e9fa2d6c
  • 562e1678ec8fdc1d83a3f73eb511a6dda08f3b3d
  • 66bd8db40f4169c7f0fca3d5d15c978efe143cf8
  • 6973d3ff8852a3292380b07858d43d0b80c0616e
  • 73d0faa475c6e489b2c5c95bb51dede4719d199e
  • b8afc21ef2aa854896b97f1c81b376dcdde2466d
  • bb4ffcdbfad40125080c13fa4917a1e836a8d101
  • be0ad25b7b48347984908175404996531cfd74b7
  • e8e6e6afef3f574c1f5228bdb28abb34f8a0d09a
  • f28d8c5c2283019e6ed788d20240abc8554cadb5
  • 178[.]209.51.61
  • 185[.]76.78.177

Tip: 17 related IOCs (2 IP, 0 domain, 0 URL, 0 email, 15 file hash) to this threat have been found.
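The following PowerShell script is an added example of how a responder might sweep a Windows IIS/Exchange host for the indicators listed above; it is not part of the Certfa Radar feed. The scan directories are assumptions about where a dropped IIS module, webshell or post-compromise tool typically lands, and the network check only sees connections that are open at the moment it runs, so it must be paired with proxy or firewall logs for history.

```powershell
# Added example, not feed code: hunt the listed SHA-1 hashes and IP addresses on one host.
$Sha1Iocs = @(
    '01b99ff47ec6394753f9ccdd2d43b3e804f9ee36', '1c757accbc2755e83e530dda11b3f81007325e67',
    '272cf34e8db2078a3170cf0e54255d89785e3c50', '37859e94086ec47b3665328e9c9baf665cb869f6',
    '3d21e1c9dfba38ec6997ae6e426df9291f89762a', '4954e8ace23b48ec55f1ff3a47033351e9fa2d6c',
    '562e1678ec8fdc1d83a3f73eb511a6dda08f3b3d', '66bd8db40f4169c7f0fca3d5d15c978efe143cf8',
    '6973d3ff8852a3292380b07858d43d0b80c0616e', '73d0faa475c6e489b2c5c95bb51dede4719d199e',
    'b8afc21ef2aa854896b97f1c81b376dcdde2466d', 'bb4ffcdbfad40125080c13fa4917a1e836a8d101',
    'be0ad25b7b48347984908175404996531cfd74b7', 'e8e6e6afef3f574c1f5228bdb28abb34f8a0d09a',
    'f28d8c5c2283019e6ed788d20240abc8554cadb5'
)
$IpIocs = @('178.209.51.61', '185.76.78.177')

# Assumed locations worth sweeping on an IIS/Exchange server; extend for the host at hand.
$ScanRoots = @(
    "$env:windir\System32\inetsrv",
    "$env:SystemDrive\inetpub",
    "$env:ProgramFiles\Microsoft\Exchange Server",
    "$env:ProgramData",
    "$env:TEMP"
)

$Hits = foreach ($root in $ScanRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Get-FileHash returns uppercase hex; normalise before comparing with the feed.
            $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1 -ErrorAction SilentlyContinue).Hash
            if ($h -and ($Sha1Iocs -contains $h.ToLower())) {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Sha1      = $h.ToLower()
                    LastWrite = $_.LastWriteTimeUtc
                }
            }
        }
}
"File hash hits: $(@($Hits).Count)"
$Hits | Format-Table -AutoSize

# Live sockets to the listed addresses, with the owning process for triage.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $IpIocs -contains $_.RemoteAddress } |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            State   = $_.State
            Pid     = $_.OwningProcess
            Process = $p.ProcessName
        }
    } | Format-Table -AutoSize
```

Run it from an elevated shell so that the Exchange and inetsrv directories are readable; a hash match on a file under inetsrv or inetpub should be treated as a confirmed compromise rather than a lead, since nothing legitimate shares those hashes.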

FAQs

Understanding the BladedFeline Espionage Campaign

An Iranian-linked cyber-espionage group named BladedFeline has been secretly accessing and spying on Kurdish and Iraqi government networks, using a variety of custom malware tools.

The group is believed to be a subgroup of OilRig, a well-known cyber-espionage team aligned with Iran’s interests, active since at least 2014.

The attackers aimed to gather intelligence from high-ranking officials in Iraq and the Kurdistan Region, likely to support Iranian strategic and geopolitical interests.

BladedFeline has been active since at least 2017, compromising multiple Kurdish government systems, officials in the central Iraqi government, and even a telecom provider in Uzbekistan.

The campaign targeted Kurdish diplomatic officials, Iraqi government personnel, and a regional telecom company, focusing on gaining and maintaining long-term access to sensitive systems.

While the exact methods remain unclear, it’s suspected they exploited unpatched web applications to plant webshells and deployed stealthy backdoors to maintain access.

The Kurdish region’s oil resources and diplomatic ties, as well as Iraq’s broader political influence, make them valuable targets for espionage by Iranian-aligned actors.

Organizations should secure email and web servers, monitor for unusual login or inbox rule behavior, use endpoint detection tools, and conduct regular threat hunts for suspicious activity.
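As an added example of the checks that follow from the tradecraft described on this page (a malicious IIS module and backdoor traffic hidden in Exchange mail), the PowerShell below audits an IIS host for native modules that do not live in the stock inetsrv directory or are not validly signed, and an Exchange organization for inbox rules that forward, redirect, move or delete mail. It is not code from the feed or from the reporting it summarises. It assumes the WebAdministration module is available on the web server and that the second part runs in an Exchange Management Shell on-premises; `Search-AdminAuditLog` requires admin audit logging to be enabled.

```powershell
# Added example, not feed code: audit IIS global modules and Exchange inbox rules.

# --- Part 1: native IIS modules (PrimeCache-style implants are loaded this way) ---
Import-Module WebAdministration -ErrorAction Stop
$Inetsrv = Join-Path $env:windir 'System32\inetsrv'

$SuspectModules = Get-WebGlobalModule | ForEach-Object {
    # Image paths are stored with %windir%-style variables; expand before comparing.
    $img = [Environment]::ExpandEnvironmentVariables($_.Image)
    $outside = -not $img.StartsWith($Inetsrv, [StringComparison]::OrdinalIgnoreCase)
    $sig = if (Test-Path -LiteralPath $img) {
        (Get-AuthenticodeSignature -LiteralPath $img).Status
    } else { 'FileMissing' }
    [pscustomobject]@{
        Module         = $_.Name
        Image          = $img
        OutsideInetsrv = $outside
        Signature      = $sig
    }
} | Where-Object { $_.OutsideInetsrv -or $_.Signature -ne 'Valid' }

"Suspect IIS global modules: $(@($SuspectModules).Count)"
$SuspectModules | Format-Table -AutoSize

# --- Part 2: inbox rules that move mail out of the owner's sight (Exchange Management Shell) ---
$SuspectRules = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.Identity -ErrorAction SilentlyContinue
} | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    $_.DeleteMessage -or $_.MoveToFolder
} | Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, RedirectTo, MoveToFolder, DeleteMessage

"Inbox rules with forward/redirect/move/delete actions: $(@($SuspectRules).Count)"
$SuspectRules | Format-Table -AutoSize

# Who created or changed rules recently, and from where: the admin audit log records
# New-InboxRule / Set-InboxRule calls made through the Exchange cmdlets or OWA.
Search-AdminAuditLog -Cmdlets New-InboxRule, Set-InboxRule -StartDate (Get-Date).AddDays(-30) |
    Select-Object RunDate, Caller, CmdletName, ObjectModified |
    Sort-Object RunDate -Descending | Format-Table -AutoSize
```

Baseline both outputs on a known-good server first: a fresh IIS install lists only Microsoft-signed modules under inetsrv, so anything else is worth explaining, and a rule that moves mail to a rarely viewed folder or deletes it is the classic way a backdoor such as Whisper keeps its own messages from being noticed by the mailbox owner.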

This activity is part of an ongoing trend in which Iranian-backed groups conduct cyber-espionage operations across the Middle East to gather intelligence and influence regional affairs.

About Affiliation
BladedFeline