ESET discovers new cyber-espionage campaign

ESET discovers new cyber-espionage campaign

ESET researchers discovered that the Iran-aligned threat group BladedFeline has targeted Kurdish and Iraqi government officials in a recent cyber-espionage campaign. The group deployed a range of malicious tools discovered within the compromised systems, indicating a continued effort to maintain and expand access to high-ranking officials and government organizations in Iraq and the Kurdish region. The latest campaign highlights BladedFeline’s evolving capabilities, featuring two tunneling tools (Laret and Pinar), various supplementary tools, and, most notably, a custom backdoor Whisper and a malicious Internet Information Services (IIS) module PrimeCache, both identified and named by ESET.

Whisper logs into a compromised webmail account on a Microsoft Exchange server and uses it to communicate with the attackers via email attachments. PrimeCache also serves as a backdoor: it is a malicious IIS module. PrimeCache also bears similarities to the RDAT backdoor used by OilRig Advanced Persistent Threat (APT) group.

Based on these code similarities, as well as on further evidence presented in this blogpost, ESET assesses that BladedFeline is a very likely subgroup of OilRig, an Iran-aligned APT group going after governments and businesses in the Middle East. The initial implants in the latest campaign can be traced back to OilRig. These tools reflect the group’s strategic focus on persistence and stealth within targeted networks.

BladedFeline has worked consistently to maintain illicit access to Kurdish diplomatic officials, while simultaneously exploiting a regional telecommunications provider in Uzbekistan, and developing and maintaining access to officials in the government of Iraq.

ESET Research assesses that BladedFeline is targeting the Kurdish and Iraqi governments for cyberespionage purposes, with an eye toward maintaining strategic access to the computers of high-ranking officials in both governmental entities. The Kurdish diplomatic relationship with Western nations, coupled with the oil reserves in the Kurdistan region, makes it an enticing target for Iran-aligned threat actors to spy on and potentially manipulate. In Iraq, these threat actors are most probably trying to counter the influence of Western governments following the US invasion and occupation of the country.

In 2023, ESET Research discovered that BladedFeline targeted Kurdish diplomatic officials with the Shahmaran backdoor, and previously reported on its activities in ESET APT Activity reports. The group has been active since at least 2017, when it compromised officials within the Kurdistan Regional Government, but is not the only subgroup of OilRig that ESET Research is monitoring. ESET has been tracking Lyceum, also known as HEXANE or Storm-0133, as another OilRig subgroup. Lyceum focuses on targeting various Israeli organizations, including governmental and local governmental entities and organizations in healthcare.

ESET expects that BladedFeline will persist with implant development in order to maintain and expand access within its compromised victim set for cyberespionage.

 

Dormant accounts can be a big risk

Dormant accounts can be a big risk

Phil Muncaster, guest writer for ESET, cautions that long-forgotten online accounts could pose…
Deepfakes threating corporates now

Deepfakes threating corporates now

Jim Richberg, Head of Cyber Policy and Global Field CISO at Fortinet,…
Protect Yourself from Online Betting Scams

Protect Yourself from Online Betting Scams

Phil Muncaster, guest writer at ESET, emphasizes don’t roll the dice…
Push Security secures $30 million Series B funding

Push Security secures $30 million Series B funding

Push Security, a pioneer in detecting and responding to modern identity attacks…
Pemo enters Saudi Arabia in partnership with neoleap

Pemo enters Saudi Arabia in partnership with neoleap

Pemo, the all-in-one spend management platform, has officially launched…
TruBuild raises $1 million to enhance its AI platform

TruBuild raises $1 million to enhance its AI platform

TruBuild, the AI-powered construction technology startup focused on preventing delays and unexpected…