Iranian APT ‘BladedFeline’ Stays Undetected in Networks for 8 Years

Researchers at ESET have exposed the sophisticated operations of the Iranian-aligned advanced persistent threat (APT) group known as “BladedFeline.”

Active since at least 2017, BladedFeline has managed to remain clandestine within critical government and telecom networks in Kurdistan, Iraq, and Uzbekistan for nearly eight years while continuously expanding its cyberespionage capabilities.

The group’s persistence was unmasked after the deployment of its signature backdoor, “Shahmaran,” against Kurdish diplomatic officials in early 2023.

Subsequent analysis connected a series of highly developed malicious tools and implants, most notably the “Whisper” backdoor and “PrimeCache,” a custom malicious IIS module, indicating a mature, evolving toolkit paralleled only by other prominent Iranian APTs.

Technical forensics further revealed that BladedFeline likely operates as a subgroup of the well-documented Iran-aligned OilRig (APT34/Hazel Sandstorm), with overlapping code bases, tools, and tactical objectives.

Advanced Attack Lifecycle

ESET’s in-depth investigation catalogued a timeline stretching from a 2017 compromise of the Kurdistan Regional Government (KRG) to recent 2024 intrusions.

BladedFeline’s arsenal combines initial implants, reverse tunnels, and multiple persistent backdoors tailored for stealth, lateral movement, and robust command-and-control (C2) operations.

The PrimeCache backdoor, for example, leverages advanced HTTP cookie-based C2, multi-stage command parsing, and hybrid RSA/AES-CBC encryption schemes via the statically linked Crypto++ library, closely mirroring OilRig’s RDAT toolset.

Meanwhile, the Whisper implant exploits compromised Microsoft Exchange accounts for C2, using encrypted email attachments to receive commands and exfiltrate data, a tactic reminiscent of cloud-based C2 traffic employed by other OilRig subgroups like Lyceum.

Figure: Basic operational flow of Whisper

Supplementary utilities include Python and PowerShell droppers, webshells, and custom tunneling (Laret and Pinar), all with persistent, encrypted communications and time-stomped binaries designed to evade detection and forensic analysis.

Regional Espionage Focus

BladedFeline’s targeting reflects Iran’s broader strategic intent in the Middle East. The group has maintained illicit access within both the Kurdistan Regional Government and high-ranking Iraqi governmental circles, extending its reach to regional telecommunications infrastructure.

By exploiting vulnerabilities in internet-facing applications and leveraging valid credentials, the APT has consistently focused on exfiltrating sensitive documents, monitoring official correspondence, and maintaining a persistent presence to further Iran’s geopolitical objectives, chiefly surveillance of Western-aligned entities and oil-rich regions.

Attribution hinges on technical and operational overlaps: shared code and PDB strings with OilRig tools (notably RDAT and VideoSRV), deployment of custom IIS modules, and congruent targeting patterns.

According to the report, ESET assesses with medium confidence that BladedFeline represents a discrete, OilRig-aligned subgroup, drawing from the same technical heritage but focusing on distinct North Iraqi and Central Asian vectors.

The protracted operational security achieved by BladedFeline underscores the escalating technical sophistication of Iranian APTs.

The group’s eight-year undetected presence, multi-layered backdoors, and regionally tailored exploits highlight a persistent threat to governmental and critical infrastructure targets in the Middle East and beyond.

As the attackers continue to enhance their toolset and adapt their attacks, organizations in high-risk sectors are urged to strengthen detection, harden internet-facing assets, and monitor for the detailed indicators of compromise (IoCs) uncovered by ESET.
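As an added example (not ESET’s or the article’s own tooling), the following Python triage helper ties together two points above: it matches file contents against the SHA-1 values from the article’s IoC table and flags binaries whose filesystem mtime predates their PE link timestamp, a cheap heuristic for the time-stomped binaries mentioned earlier. The hash list is copied from the table; the minimal PE header built for the demo is constructed and everything else is an assumption.

```python
import hashlib
import struct

# SHA-1 values copied verbatim from the article's IoC table (lower-cased for matching).
IOC_SHA1 = {
    "562e1678ec8fdc1d83a3f73eb511a6dda08f3b3d": "RDAT backdoor (LogonUl.exe)",
    "3d21e1c9dfba38ec6997ae6e426df9291f89762a": "Flog webshell (flogon.aspx)",
    "66bd8db40f4169c7f0fca3d5d15c978efe143cf8": "Whisper Protocol dropper (Protocol.pdf.exe)",
    "6973d3ff8852a3292380b07858d43d0b80c0616e": "Whisper backdoor (VeeamUpdate.exe)",
    "bb4ffcdbfad40125080c13fa4917a1e836a8d101": "Hawking Listener (MFTD.exe)",
    "be0ad25b7b48347984908175404996531cfd74b7": "VideoSRV reverse shell (videosrv.exe)",
    "4954e8ace23b48ec55f1ff3a47033351e9fa2d6c": "Pinar reverse tunnel (winsmsrv.exe)",
    "e8e6e6afef3f574c1f5228bdb28abb34f8a0d09a": "Laret reverse tunnel (wincapsrv.exe)",
}

def pe_timestamp(data: bytes):
    """Return the COFF TimeDateStamp (link time) of a PE image, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]

def looks_time_stomped(pe_ts, mtime, slack=3600):
    """A file cannot have been written before it was linked: a filesystem mtime
    well before the PE link time is a common sign of stomped timestamps."""
    return pe_ts is not None and mtime + slack < pe_ts

def triage(data: bytes, mtime: float):
    """Classify one file from its contents and mtime; returns a list of findings."""
    findings = []
    sha1 = hashlib.sha1(data).hexdigest()
    if sha1 in IOC_SHA1:
        findings.append("IoC match: " + IOC_SHA1[sha1])
    if looks_time_stomped(pe_timestamp(data), mtime):
        findings.append("mtime predates PE link time (possible time-stomping)")
    return findings

def build_fake_pe(link_ts: int) -> bytes:
    """Constructed minimal MZ/PE header for the demo; not a real or malicious binary."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, link_ts, 0, 0, 0, 0)
    return bytes(hdr) + b"PE\0\0" + coff

if __name__ == "__main__":
    sample = build_fake_pe(link_ts=1_700_000_000)  # linked Nov 2023
    print(triage(sample, mtime=1_500_000_000.0))   # mtime rolled back to 2017
```

The link-time heuristic is only a triage signal: compilers can emit arbitrary TimeDateStamp values (reproducible builds do), so a hit warrants comparing $STANDARD_INFORMATION against $FILE_NAME timestamps in the MFT rather than being treated as proof.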

Indicators of Compromise (IoC)

| SHA-1 Hash | Filename/Type | Detection | Description |
|---|---|---|---|
| 562E1678EC8FDC1D83A3F73EB511A6DDA08F3B3D | LogonUl.exe | Win64/OilRig_AGen.A | RDAT backdoor |
| 3D21E1C9DFBA38EC6997AE6E426DF9291F89762A | flogon.aspx | ASP/Agent.BI | Flog webshell |
| 66BD8DB40F4169C7F0FCA3D5D15C978EFE143CF8 | Protocol.pdf.exe | Python/TrojanDropper.Agent.FT | Whisper Protocol dropper |
| 6973D3FF8852A3292380B07858D43D0B80C0616E | VeeamUpdate.exe | MSIL/Agent.ERR | Whisper backdoor |
| BB4FFCDBFAD40125080C13FA4917A1E836A8D101 | MFTD.exe | MSIL/Tiny.GL | Hawking Listener |
| BE0AD25B7B48347984908175404996531CFD74B7 | videosrv.exe | Generik.BKYYERR | VideoSRV reverse shell |
| 4954E8ACE23B48EC55F1FF3A47033351E9FA2D6C | winsmsrv.exe (Pinar tunnel) | MSIL/HackTool.Agent.YN | Reverse tunnel |
| E8E6E6AFEF3F574C1F5228BDB28ABB34F8A0D09A | wincapsrv.exe (Laret tunnel) | MSIL/HackTool.Agent.XY | Reverse tunnel |
| 178.209.51[.]61 | N/A (IP Address) | N/A | C2/Distribution server |
| olinpa[.]com | Domain (Shahmaran C2) | N/A | Command and control for Shahmaran |


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
