
ESET Discovers Iran-Aligned BladedFeline Spies on Iraqi and Kurdish Officials
ESET researchers have discovered that the Iran-aligned threat group BladedFeline targeted Kurdish and Iraqi government officials in a recent cyberespionage campaign. The range of malicious tools found on the compromised systems indicates a continued effort to maintain and expand access to high-ranking officials and government organizations in Iraq and the Kurdistan region. The latest campaign highlights BladedFeline's evolving capabilities: two tunneling tools (Laret and Pinar), various supplementary tools, and, most notably, the custom backdoor Whisper and the malicious Internet Information Services (IIS) module PrimeCache, both identified and named by ESET.
Whisper logs into a compromised webmail account on a Microsoft Exchange server and uses that mailbox to communicate with the attackers through email attachments. PrimeCache, a malicious IIS module, also serves as a backdoor and bears code similarities to the RDAT backdoor used by the OilRig advanced persistent threat (APT) group.
Based on these code similarities, and on further evidence presented in this blogpost, ESET assesses that BladedFeline is very likely a subgroup of OilRig, an Iran-aligned APT group that targets governments and businesses in the Middle East. The initial implants in the latest campaign can be traced back to OilRig. These tools reflect the group's strategic focus on persistence and stealth within targeted networks.
BladedFeline has worked consistently to maintain illicit access to Kurdish diplomatic officials, while simultaneously exploiting a regional telecommunications provider in Uzbekistan, and developing and maintaining access to officials in the government of Iraq.
ESET Research assesses that BladedFeline is targeting the Kurdish and Iraqi governments for cyberespionage purposes, with an eye toward maintaining strategic access to the computers of high-ranking officials in both governmental entities. The Kurdish diplomatic relationship with Western nations, coupled with the oil reserves in the Kurdistan region, makes it an enticing target for Iran-aligned threat actors to spy on and potentially manipulate. In Iraq, these threat actors are most probably trying to counter the influence of Western governments following the US invasion and occupation of the country.
In 2023, ESET Research discovered that BladedFeline targeted Kurdish diplomatic officials with the Shahmaran backdoor, and previously reported on its activities in ESET APT Activity reports. The group has been active since at least 2017, when it compromised officials within the Kurdistan Regional Government, but is not the only subgroup of OilRig that ESET Research is monitoring. ESET has been tracking Lyceum, also known as HEXANE or Storm-0133, as another OilRig subgroup. Lyceum focuses on targeting various Israeli organizations, including governmental and local governmental entities and organizations in healthcare.
ESET expects that BladedFeline will persist with implant development in order to maintain and expand access within its compromised victim set for cyberespionage.
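As an added illustration, not ESET's tooling and not taken from the report: because PrimeCache is a native IIS module, one defender-side check is to audit the native modules registered under globalModules in IIS's applicationHost.config against a known-good baseline and the expected inetsrv install directory. The XML, module names and paths below are constructed for the example; the page publishes no PrimeCache indicators, so none are used, and the %windir% expansion is hardcoded as an assumption.

```python
"""Audit IIS native (global) modules registered in applicationHost.config.

Native IIS modules are DLLs registered under <system.webServer><globalModules>.
This added check (not ESET's code) flags any registered module whose DLL lives
outside the IIS install directory or whose name is missing from a baseline
captured from a clean server. Module names and paths here are constructed.
"""
import ntpath
import xml.etree.ElementTree as ET

# Assumed location of stock IIS native modules; %windir% is expanded to the
# assumed C:\Windows before comparison (on a real host, read the environment).
INETSRV_DIR = r"C:\Windows\System32\inetsrv"

# Known-good module names. In a real audit, generate this from a clean host;
# this set only covers the constructed sample below.
BASELINE_MODULES = {"HttpLoggingModule", "StaticFileModule", "DefaultDocumentModule"}


def _normalize(path: str) -> str:
    """Expand %windir%, normalise separators and fold case for comparison."""
    expanded = path.replace("%windir%", r"C:\Windows").replace("%WINDIR%", r"C:\Windows")
    return ntpath.normpath(expanded).lower()


def audit_global_modules(config_xml: str, baseline=BASELINE_MODULES):
    """Return [(name, image, reasons)] for every suspicious globalModules entry."""
    root = ET.fromstring(config_xml)
    inetsrv_prefix = _normalize(INETSRV_DIR) + "\\"
    findings = []
    # iter() avoids path expressions over the dotted <system.webServer> tag.
    for global_modules in root.iter("globalModules"):
        for add in global_modules.findall("add"):
            name = add.get("name", "")
            image = add.get("image", "")
            reasons = []
            if name not in baseline:
                reasons.append("name not in baseline")
            if not _normalize(image).startswith(inetsrv_prefix):
                reasons.append("image outside inetsrv")
            if reasons:
                findings.append((name, image, reasons))
    return findings


# Constructed sample: three stock modules plus one rogue entry whose DLL is
# staged in a writable directory and registered under an innocuous name.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\\System32\\inetsrv\\defdoc.dll" />
      <add name="CompressionHelperModule" image="C:\\inetpub\\temp\\comphelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

if __name__ == "__main__":
    for name, image, reasons in audit_global_modules(SAMPLE_CONFIG):
        print(f"SUSPICIOUS {name}: {image} ({', '.join(reasons)})")
```

A module that passes the name check but loads from an unexpected path is still reported, so a rogue DLL registered under a stock module name does not slip through on name alone.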
