Iran-aligned BladedFeline group has been observed targeting the government of Iraq and KRG with advanced malware
Analysis Summary
# Threat Actor: BladedFeline
## Attribution & Identity
* **Attribution:** Iran-aligned threat group.
* **Known Aliases:** BladedFeline (designation used by researchers, e.g., ESET).
* **Associations:** Linked to a long-running cyber-espionage campaign originating from Iran.
## Activity Summary
* The group has been active since at least 2017, with significant evolution in its toolset observed recently.
* The current campaign is focused on cyber-espionage against government entities.
* The primary targets identified are governments in Iraq and the Kurdistan Regional Government (KRG).
## Tactics, Techniques & Procedures
* **Stealth and Persistence:** Employing sophisticated malware designed for covert persistence.
* **Command and Control (C2) via Email:** Using legitimate Microsoft Exchange webmail accounts to receive attacker commands and to exfiltrate data as email attachments.
* **Server-Side Backdoors:** Deploying malicious Internet Information Services (IIS) modules (*PrimeCache*) to hide malicious activity within legitimate web server processes.
* **Data Exfiltration:** Utilizing email attachments for data exfiltration.
* **Evasion:** Using encrypted communication methods to evade detection.
* **Post-Compromise Activities:** Deploying reverse tunnel tools and other post-compromise utilities.
* *Note: Specific MITRE ATT&CK IDs were not present in the source text.*
## Targeting
* **Sectors:** Government entities.
* **Geography:** Middle East, specifically Iraq and the Kurdistan Regional Government (KRG).
* **Victims:** Government organizations in Iraq and the KRG.
## Tools & Infrastructure
* **Malware Families:**
  * **Whisper:** A newly discovered backdoor leveraging Microsoft Exchange webmail for C2 and exfiltration.
  * **PrimeCache:** A malicious IIS module (server-based backdoor).
  * **Laret:** Reverse tunnel tool deployed.
  * **Pinar:** Reverse tunnel tool deployed.
* **Infrastructure:**
  * Relies heavily on compromised or controlled **Microsoft Exchange webmail accounts** for C2 communication.
## Implications
This actor poses a significant threat to regional stability and government operations in the Middle East due to its long operational history, focus on high-value government targets, and adoption of sophisticated, low-and-slow TTPs (like using webmail for C2) designed specifically to bypass traditional security controls and maintain long-term persistence.
## Mitigations
* Implement rigorous monitoring of webmail accounts (especially Exchange servers) for unusual outbound attachments and data egress patterns.
* Audit IIS logs and server processes for signs of illegitimate module loading or suspicious activity concealed within trusted web services.
* Enhance network traffic analysis to detect encrypted communications that may indicate covert C2 channels or data tunneling (Laret/Pinar activity).
* Ensure robust endpoint detection and response (EDR) is in place to detect behavior indicative of process hollowing or injection associated with covert server-side backdoors.
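One way to carry out the IIS module audit in the second mitigation, as an added example that is not part of the original report or of ESET's research: it lists the native global IIS modules with the WebAdministration cmdlets and flags any whose binary sits outside the IIS install directory or is not signed by the expected publisher. The `$TrustedPublisher` value and the default `inetsrv` path are assumptions about a standard IIS install.

```powershell
# Added example, not code from the original report or from ESET: inventory the
# native (global) IIS modules on a server and flag the ones worth a closer look,
# as a first triage step for a PrimeCache-style malicious IIS module.
# Assumptions: the WebAdministration module is present (IIS management tools
# installed), the session is elevated, and $TrustedPublisher is a placeholder
# you tune to your estate.
Import-Module WebAdministration

function Get-SuspiciousIisModule {
    param([string]$TrustedPublisher = 'Microsoft')

    $inetsrv = Join-Path $env:windir 'System32\inetsrv'

    foreach ($m in Get-WebGlobalModule) {
        # Module image paths are stored with variables such as %windir%.
        $image   = [Environment]::ExpandEnvironmentVariables($m.image)
        $reasons = @()

        if (-not (Test-Path -LiteralPath $image)) {
            $reasons += 'image path does not exist'
        } else {
            # Modules loaded from outside the IIS binary directory are unusual.
            if (-not $image.StartsWith($inetsrv, 'OrdinalIgnoreCase')) {
                $reasons += "loaded from outside $inetsrv"
            }
            # Catalog-signed OS binaries can report NotSigned on older
            # PowerShell versions, so treat a hit as a lead for review,
            # not a verdict.
            $sig = Get-AuthenticodeSignature -LiteralPath $image
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature status $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch $TrustedPublisher) {
                $reasons += "signer $($sig.SignerCertificate.Subject)"
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name   = $m.Name
                Image  = $image
                Reason = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousIisModule | Format-Table -AutoSize
```

Run it on a known-clean build of the same server role first and diff the output, so that legitimate third-party modules your estate uses are recognised before an alert is raised on them.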