BladedFeline targets Kurdish officials in cyber espionage campaign

ESET researchers uncover the years-long campaign

On June 5, 2025, ESET researchers revealed[1] a long-running cyber-espionage campaign by BladedFeline, an Iran-aligned advanced persistent threat (APT) group likely linked to OilRig. Active since at least 2017,[2] BladedFeline has targeted Kurdish and Iraqi government officials, aiming to steal sensitive information.

The group first caught attention in 2023 when it used a backdoor called Shahmaran against Kurdish diplomatic officials, showing its focus on the Kurdistan Regional Government (KRG). Since then, it has expanded its attacks to include Iraq’s central government and even a telecommunications provider in Uzbekistan.

BladedFeline uses a range of custom tools to stay hidden and maintain access. Its arsenal includes two tunneling tools, Laret and Pinar, which help it move data secretly, and a malicious Internet Information Services (IIS) module called PrimeCache, which acts as a backdoor.

Another key tool is the Whisper backdoor, which communicates through email attachments via compromised Microsoft Exchange webmail accounts. This method helps the group avoid detection by blending with normal email traffic, as ESET researchers noted:

Whisper logs into a compromised webmail account on a Microsoft Exchange server and communicates with its operators via email attachments that contain its configuration and commands.

The group’s tools show similarities to those used by OilRig,[3] a known Iranian APT group. For example, PrimeCache shares code with OilRig’s RDAT backdoor,[4] suggesting BladedFeline might be a subgroup of OilRig. The campaign, dubbed Operation RoundPress by ESET, reflects Iran’s strategic interest in the region, likely driven by the KRG’s ties to Western nations and the area’s oil reserves.

Why BladedFeline’s attacks are a growing concern

BladedFeline’s attacks are alarming because of their stealth and persistence. The group has maintained access to some KRG systems for over eight years, showing its ability to stay undetected for long periods. In Iraq, it likely exploited vulnerabilities in internet-facing web servers to gain access, using a webshell called Flog to keep control.

This focus on high-ranking officials suggests BladedFeline aims to gather diplomatic and financial intelligence, possibly to influence regional politics or counter Western influence.[5]

The group's evolving collection arsenal adds to the challenge. Tools like Whisper and PrimeCache use advanced detection-evasion techniques, such as encrypting their traffic and hiding inside legitimate services. As ESET researchers characterized it:

PrimeCache is a passive backdoor that monitors incoming HTTP requests for a predefined cookie header structure, which it uses to process commands issued by the attacker and exfiltrate files.

Such sophistication makes BladedFeline's tools hard for traditional security controls to detect, raising the danger for targeted organizations.

BladedFeline's activities also reflect broader cyber-espionage trends. Iran-aligned groups are increasingly active in the Middle East, frequently targeting governments and critical sectors like telecommunications. This aligns with OilRig's model of targeting strategic industries, so it stands to reason that BladedFeline shares the same goal of advancing Iran's geopolitical interests.

How to stay safe from BladedFeline’s threats

Protecting against BladedFeline requires strong cybersecurity practices. Organizations should monitor their networks for unusual activity, especially on internet-facing servers, and keep software updated to block known vulnerabilities.

Using advanced antivirus solutions can help detect tools like Whisper or PrimeCache, which rely on stealth to operate. Regular security audits are also essential to find and remove any hidden backdoors or webshells.
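One concrete audit step on an IIS host, since PrimeCache is loaded as a native IIS module: list every registered global module and flag those whose DLL is unsigned or lives outside the usual system directories. This is an added example, not ESET's or the article's own tooling; the trusted directory roots and the "Suspect" heuristic are assumptions, and a flagged module means "review", not "malicious".

```powershell
# Added example: inventory IIS native (global) modules for review.
# Requires the WebAdministration module (IIS Management Scripts and Tools).
Import-Module WebAdministration

# Assumption: on this host, legitimate native modules are expected under these roots.
$trustedRoots = @(
    "$env:windir\System32\inetsrv\",
    "$env:windir\Microsoft.NET\",
    "$env:windir\System32\"
)

$findings = foreach ($m in Get-WebGlobalModule) {
    # Image paths are stored with environment variables, e.g. %windir%\System32\inetsrv\...
    $path = [Environment]::ExpandEnvironmentVariables($m.Image)

    $inTrustedRoot = $false
    foreach ($root in $trustedRoots) {
        if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            $inTrustedRoot = $true
        }
    }

    # Unsigned or missing module binaries are the first thing to look at.
    $sigStatus = if (Test-Path -LiteralPath $path) {
        (Get-AuthenticodeSignature -FilePath $path).Status
    } else {
        'FileMissing'
    }

    [pscustomobject]@{
        Module  = $m.Name
        Image   = $path
        Signed  = $sigStatus
        Suspect = (-not $inTrustedRoot) -or ($sigStatus -ne 'Valid')
    }
}

# Suspect entries deserve manual review: hash the DLL, check its timestamp,
# and find out who added it (applicationHost.config history, change tickets).
$findings | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on each internet-facing IIS server and compare the output against a known-good baseline taken from a clean build.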

For businesses in sensitive sectors, knowing which applications are in use (especially by high-value staff) is key. BladedFeline often targets specific individuals, so training employees to recognize phishing attempts or suspicious emails can reduce risks.

If a system is compromised, disconnecting it from the internet and running a full scan can help limit damage. As BladedFeline continues to refine its tools, staying proactive and informed is the best defense against this persistent threat.

About the author
Ugnius Kiguolis
Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
