A Stealth Operation Uncovered
ESET researchers have uncovered a long-running cyberespionage campaign by an Iran-aligned Advanced Persistent Threat (APT) group they track as BladedFeline. Active since at least 2017, the group has maintained access inside government networks in the Kurdistan Region of Iraq and has extended its operations to Uzbekistan. Its tradecraft, stealth and longevity place it among the more capable cyber actors operating out of Iran. ESET's investigation began with the backdoor "Shahmaran", first observed in early 2023 in attacks on Kurdish diplomatic officials, and led to a wider toolset that includes the "Whisper" and "PrimeCache" backdoors: a modular, still-evolving malware framework tied to Iran's broader intelligence operations. ESET assesses, with medium confidence, that BladedFeline is a subgroup of the larger Iranian APT34 umbrella, also known as OilRig.
BladedFeline’s Extended Digital Campaign
BladedFeline's operations span nearly eight years, with a level of operational discipline and strategic focus that suggests state backing. The intrusions follow a consistent pattern: an initial foothold through purpose-built implants, lateral movement across the network, and encrypted exfiltration through layered backdoors. ESET ties the "PrimeCache" backdoor, a malicious module that runs inside Microsoft Internet Information Services (IIS), to command-and-control tradecraft typical of OilRig: it takes its commands from inbound HTTP cookies and protects its traffic with RSA and AES-CBC encryption. "Whisper", meanwhile, logs into compromised Microsoft Exchange webmail accounts and moves its commands and results through email attachments, a cloud-style communication pattern also seen in related threat groups.
The group's supporting tools include Python and PowerShell droppers, custom webshells, and the reverse tunnels "Laret" and "Pinar", all built for evasion and resilience. BladedFeline concentrates on persistent access to government networks and telecom infrastructure in regions where Iran seeks strategic leverage, particularly those aligned with Western interests or rich in natural resources, which points to geopolitical motives behind its campaigns.
The evidence connecting BladedFeline to OilRig includes shared code, overlapping tools such as RDAT and VideoSRV, and a common preference for custom IIS modules. ESET rates the attribution at medium confidence, but the consistency in tactics and targeting is hard to dismiss. BladedFeline reflects the broader shift of Iranian APTs toward methodical, stealth-oriented operations capable of sustaining espionage for years without exposure.
As ESET warns, organizations across the Middle East, especially in high-risk sectors such as government and telecom, need to raise their security posture. Practical measures include closer monitoring of Exchange account activity (logons, mailbox rules, attachment traffic), stronger perimeter controls, an inventory of the native and managed modules loaded into IIS, regular sweeps for the published IoCs, and detection that keys on traffic metadata such as cookie patterns and check-in cadence, since the payloads themselves are encrypted. This discovery isn't just about one group; it is a snapshot of how advanced and quiet Iranian cyber operations have become.
What Undercode Says:
BladedFeline marks a significant escalation in the capabilities of Iranian-aligned APTs, both in terms of stealth and sophistication. This group’s multi-year persistence across several high-value networks underlines one critical reality in today’s cybersecurity landscape: it’s not just about the tools used, but the patience and planning behind them.
Their ability to remain undetected for nearly eight years shows more than just technical expertise. It highlights operational maturity—an ability to adapt, embed, and retool without drawing attention. This mirrors the tradecraft seen in top-tier espionage groups, not opportunistic cybercriminals.
PrimeCache's use of HTTP cookies as an encrypted command channel, fed by a two-stage command framework, isn't revolutionary, but its execution within a layered ecosystem of reverse tunnels, time-stamped binaries, and modular payloads makes detection extremely challenging. The consistent use of hybrid encryption (RSA for key exchange, AES-CBC for the payload) and custom tunneling tools lets BladedFeline communicate in ways that look almost like regular traffic, blending into the noise of modern enterprise networks.
By routing C2 through compromised Microsoft Exchange webmail accounts, "Whisper" not only mimics legitimate mail traffic but also opens a quiet command line that passes many intrusion detection systems unnoticed, because the connection to the mail server is one the victim's own infrastructure expects. This choice reflects a growing trend among state-backed APTs: exploit infrastructure the victim already trusts, weaponizing convenience itself.
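One practical way to look for Whisper-style mailbox C2, as an added example that is not part of the original article and not ESET's or the malware's own code: a beaconing heuristic over a mailbox's message metadata. The article says only that commands travel as attachments in compromised Exchange webmail accounts, and gives no sender, subject or attachment conventions, so this check deliberately keys on nothing but cadence regularity and attachment-size stability per sender. The message records, sender addresses and thresholds below are constructed for the demo; in practice the records would come from an EWS or Graph export or a mailbox audit log.

```python
"""Flag mailbox senders whose attachment-bearing messages arrive like a beacon.

Added example for this article; not ESET's tooling and not Whisper's code.
The heuristic assumes an export of per-message metadata (timestamp, sender,
attachment size). All records, addresses and thresholds here are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

_BASE = datetime(2024, 1, 10, 8, 0, 0)


def _msg(sender, offset_s, attach_bytes, subject):
    """Build one constructed message record offset_s seconds after _BASE."""
    return {"ts": _BASE + timedelta(seconds=offset_s), "from": sender,
            "subject": subject, "attach_bytes": attach_bytes}


# Constructed mailbox: one sender checks in every ~10 minutes with a ~1.2 KB
# attachment, one is a normal correspondent, one is too quiet to judge.
SAMPLE_MESSAGES = (
    [_msg("sync@mail.example.net", off, size, "Report")
     for off, size in zip([0, 603, 1198, 1804, 2401, 2997, 3602, 4201],
                          [1180, 1204, 1176, 1192, 1188, 1210, 1172, 1196])]
    + [_msg("colleague@example.org", off, size, subj)
       for off, size, subj in [(120, 48000, "slides"), (3720, 0, "re: slides"),
                               (16200, 2300000, "photos"), (90000, 15000, "invoice"),
                               (97000, 880000, "draft"), (200000, 4200, "note"),
                               (230000, 650000, "final")]]
    + [_msg("hr@example.org", 50000, 20000, "policy"),
       _msg("hr@example.org", 150000, 21000, "policy update")]
)


def _cv(values):
    """Coefficient of variation (pstdev / mean); 0 means perfectly regular."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def beacon_candidates(messages, min_count=6, max_gap_cv=0.2, max_size_cv=0.3):
    """Return senders whose attachment-bearing mail has a steady interval and
    near-constant attachment size. Thresholds are constructed starting points;
    tune min_count and the CV limits against a baseline of your own mailboxes."""
    by_sender = defaultdict(list)
    for m in messages:
        if m["attach_bytes"] > 0:          # only attachment-bearing mail matters here
            by_sender[m["from"]].append(m)

    findings = []
    for sender, msgs in by_sender.items():
        if len(msgs) < max(min_count, 2):  # need at least one gap to measure
            continue
        msgs.sort(key=lambda m: m["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(msgs, msgs[1:])]
        sizes = [m["attach_bytes"] for m in msgs]
        gap_cv, size_cv = _cv(gaps), _cv(sizes)
        if gap_cv <= max_gap_cv and size_cv <= max_size_cv:
            findings.append({"sender": sender, "count": len(msgs),
                             "mean_gap_s": round(mean(gaps)),
                             "gap_cv": round(gap_cv, 3),
                             "size_cv": round(size_cv, 3)})
    return findings


if __name__ == "__main__":
    for finding in beacon_candidates(SAMPLE_MESSAGES):
        print(finding)
```

The normal correspondent sends six attachments too, but at wildly varying intervals and sizes, so the coefficient-of-variation gate leaves it alone; the two-message sender never reaches the minimum count. A real implant could add jitter or vary attachment padding, so treat a hit as a lead for mailbox-audit review rather than proof.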
BladedFeline’s focus on Kurdistan and Central Asia signals Tehran’s deeper geopolitical interests, especially in oil-rich or politically sensitive areas. This isn’t just espionage for intelligence’s sake—it’s part of a broader game of regional dominance. The meticulous choice of targets, including telecom and government entities, shows that this operation is about long-term influence and surveillance.
What’s alarming is the overlap between BladedFeline and OilRig, not just in codebase or techniques, but in strategic mindset. We see a pattern: a central architecture for offensive cyber operations being shared, modified, and redeployed through different operational arms. This form of modular, scalable cyberwarfare aligns closely with Iran’s documented strategy of distributed asymmetric conflict.
Security teams should take BladedFeline as a case study in quiet persistence. Signature-based detection alone is not enough. Organizations need anomaly detection built on behavioral patterns, stronger segmentation, and fuller logging of Exchange and IIS activity, including the cookie field in IIS logs and mailbox access and attachment metadata in Exchange.
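The article notes above that PrimeCache takes its commands from HTTP cookies and that defenders should log IIS activity in more detail. As an added example that is not part of the original article and not ESET's or the malware's code, the script below hunts IIS W3C logs for cookies that look like a covert command channel: unknown cookie names carrying long, high-entropy values, and known cookie names carrying values far beyond their normal length. It assumes the optional cs(Cookie) field is enabled in IIS logging and that the application's legitimate cookie names and typical lengths are known; the log excerpt, the cookie baseline and the thresholds are constructed for the demo. The exact cookie name PrimeCache uses is not given on the page and is not assumed here.

```python
"""Hunt for HTTP cookies that look like a covert command channel in IIS W3C logs.

Added example for this article; it is not ESET's tooling and not BladedFeline
code. It assumes the cs(Cookie) field is enabled in IIS logging and that the
names (and usual value lengths) of the application's legitimate cookies are
known. The log excerpt, cookie baseline and thresholds below are constructed.
"""
import math
from collections import Counter

# Constructed excerpt: line 4 carries an unknown cookie "t" holding a 64-byte
# base64 blob, line 7 reuses the session-cookie name with an oversized value.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(Cookie)
2024-01-10 08:00:01 10.0.0.5 GET /owa/ 200 ASP.NET_SessionId=k3j4h5g6f7d8s9a0qwertyui
2024-01-10 08:00:07 203.0.113.9 GET /aspnet_client/ 200 ASP.NET_SessionId=p0o9i8u7y6t5r4e3w2q1asdf;+t=Y2ZnPTEyMzQ1Njc4OTA7dXNlcj1hZG1pbjtrZXk9QVFJRDQzTzh4V2pMYkdxdQ==
2024-01-10 08:00:09 10.0.0.5 GET /owa/auth/logon.aspx 200 -
2024-01-10 08:00:15 203.0.113.9 POST /default.aspx 200 x=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
2024-01-10 08:00:21 203.0.113.9 GET /aspnet_client/ 200 ASP.NET_SessionId=a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a7b8c9d0
"""

# Constructed baseline: cookie name -> usual value length. ASP.NET session IDs
# are 24 characters; a far longer value under that name deserves a look.
KNOWN_COOKIES = {"ASP.NET_SessionId": 24}
MIN_LEN = 32        # shorter values rarely carry a useful command or key blob
MIN_ENTROPY = 4.0   # bits per character; base64 of encrypted data scores well above


def shannon_entropy(s):
    """Bits per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def parse_w3c(text):
    """Yield (line_number, {field: value}) for the data rows of a W3C log."""
    fields = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) == len(fields):
            yield lineno, dict(zip(fields, values))


def split_cookies(raw):
    """Split the cs(Cookie) field into (name, value) pairs. IIS writes the
    header's spaces as '+', so ';+' separates cookies in the log."""
    if raw in ("", "-"):
        return []
    pairs = []
    for part in raw.replace("+", " ").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs.append((name, value))
    return pairs


def hunt(log_text, known=KNOWN_COOKIES):
    """Return suspicious cookie sightings with the line, client and reason."""
    findings = []
    for lineno, rec in parse_w3c(log_text):
        for name, value in split_cookies(rec.get("cs(Cookie)", "-")):
            entropy = shannon_entropy(value)
            if name in known:
                reason = "oversized-known-cookie" if len(value) > 2 * known[name] else None
            else:
                reason = ("unknown-cookie-high-entropy"
                          if len(value) >= MIN_LEN and entropy >= MIN_ENTROPY else None)
            if reason:
                findings.append({"line": lineno, "client": rec["c-ip"],
                                 "uri": rec["cs-uri-stem"], "cookie": name,
                                 "length": len(value), "entropy": round(entropy, 2),
                                 "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

The entropy gate keeps low-information junk such as the repeated "a" cookie out of the results, and the name allowlist keeps legitimate session identifiers, which are also long and random, from drowning the output. Because a passive IIS module answers requests the web server already accepts, there is no extra process or listening port to spot, which is why the cookie field of the log is worth enabling in the first place.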
ESET’s role in unearthing this group gives defenders a chance to prepare. But it also underlines how many other similar operations may still be lurking—quietly observing, quietly stealing.
Fact Checker Results 🕵️♂️✅
Is BladedFeline linked to Iran’s APT34/OilRig? ✅ Yes
Was Shahmaran used in real diplomatic targeting? ✅ Yes
Did the attackers remain undetected for 8 years? ✅ Yes
Prediction 🔮
As
References:
Reported By: cyberpress.org