#ESETresearch analyzed a campaign deployed by BladedFeline, an Iran-aligned threat actor with likely ties to #OilRig. We discovered the campaign, which targeted Kurdish and Iraqi government officials, in 2024. https://www.welivesecurity.com/en/eset-research/bladedfeline-whispering-dark/
BladedFeline, a cyberespionage group active since at least 2017, develops malware for strategic access within the Kurdistan Regional Government and the government of Iraq. We discovered BladedFeline in 2023 after it targeted Kurdish officials with the #Shahmaran backdoor.
The systems compromised in the latest campaign contained the #Whisper backdoor, a malicious IIS module #PrimeCache, two reverse tunnels, and several supplementary tools. Whisper uses #MicrosoftExchange server to communicate with the attackers via email attachments.
We believe with medium confidence that BladedFeline is a subgroup of OilRig, an 🇮🇷-based APT group also known as APT34 or Hazel Sandstorm.
First, there were OilRig tools present in the systems compromised in this campaign. BladedFeline’s PrimeCache also shares code similarities with OilRig’s #RDAT backdoor. Moreover, as does OilRig, BladedFeline targets organizations in the Middle East.
IoCs will be available in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/

OilRig APT Drills into Malware Innovation with Unique Backdoor - The RDAT tool uses email as a C2 channel, with attachments that hide data and commands inside imag... more: https://threatpost.com/oilrig-apt-unique-backdoor/157646/ #steganography #helixkitten #c2channel #backdoor #paloalto #malware #oilrig #unit42 #apt34 #email #irán #rdat #apt