BladedFeline: Whispering in the dark

June 8, 2025, 4:53 p.m.

Description

ESET researchers have uncovered a cyberespionage campaign conducted by BladedFeline, an Iran-aligned APT group likely tied to OilRig. The group has been targeting Kurdish and Iraqi government officials since at least 2017, using various malicious tools including reverse tunnels, backdoors, and a malicious IIS module. Key malware includes the Whisper backdoor, which communicates via compromised email accounts, and PrimeCache, a malicious IIS module with similarities to OilRig's RDAT backdoor. The campaign also targeted a telecommunications provider in Uzbekistan. BladedFeline's sophisticated tactics and tools indicate a focus on maintaining strategic access to high-ranking officials for espionage purposes.

Date

  • Created: June 6, 2025, 11:02 a.m.
  • Published: June 6, 2025, 11:02 a.m.
  • Modified: June 8, 2025, 4:53 p.m.

Indicators

  • dropper.agent.gi
  • zaincell.store
  • olinpa.com

Additional Information

  • Telecommunications
  • Government
  • domain.computer