Iran-linked BladedFeline hits Iraqi and Kurdish targets with Whisper and Spearal malware

June 7, 2025

An Iran-aligned hacking group has been linked to a new set of cyber attacks targeting Kurdish and Iraqi government officials in early 2024.

The activity is tied to a threat group that ESET tracks as BladedFeline, assessed with moderate confidence to be a subcluster within OilRig, a known Iranian nation-state cyber actor. It is said to have been active since September 2017, when it targeted officials associated with the Kurdistan Regional Government (KRG).

“The group is developing malware to maintain and expand access within Iraq and KRG organizations,” the Slovak cybersecurity company said in a technical report shared with The Hacker News.

“BladedFeline has consistently worked to maintain illegal access to Kurdish diplomats, while simultaneously using local telecommunications providers in Uzbekistan to develop and maintain access to Iraqi government officials.”

BladedFeline was first documented by ESET in its APT activity report in May 2024, which detailed the adversary's attacks on government organisations from the Kurdistan region of Iraq and its targeting of Uzbekistan mail order companies that were compromised in May 2022.

The group was discovered in 2023 following an attack on Kurdish diplomats that used Shahmaran, a simple backdoor that checks in with a remote server and runs commands provided by the operator on the infected host. These commands upload or download files, request specific file attributes, and provide a file and directory manipulation API.

Then last November, the cybersecurity company said it had observed the hacking crew attacking Iran's neighbours, particularly regional and government entities in Iraq, as well as diplomatic missions from Iraq to various countries.

“BladedFeline invests heavily in the collection of diplomatic and financial information from Iraqi organisations, indicating that Iraq plays a major role in the Iranian government’s strategic goals,” ESET said in November 2024.

The exact initial access vector used to get into the KRG victims is unknown, but it is suspected that the threat actors likely leveraged a vulnerability in an internet-facing application to break into Iraqi government networks and deploy the Flog web shell to maintain persistent remote access.

How the Whisper backdoor works

The wide range of backdoors highlights BladedFeline’s commitment to refining its malware arsenal. Whisper is a C#/.NET backdoor that logs in to a compromised webmail account on a Microsoft Exchange server and communicates with the attackers via email attachments. Spearal is a .NET backdoor that uses DNS tunneling for command-and-control communication.

“Optimizer is an iterative update of the Spearal backdoor. It uses the same workflow and offers the same functionality. The differences between Spearal and Optimizer are mainly cosmetic,” the ESET research team told The Hacker News.

Some attacks observed in December 2023 also included the deployment of a Python implant called Slippery Snakelet, which has limited functionality to execute commands via “cmd.exe”.

Backdoors aside, BladedFeline is noteworthy for using the tunneling tools Laret and Pinar to maintain access to target networks. It also uses a malicious IIS module called PrimeCache, which ESET said bears similarities to the RDAT backdoor used by the OilRig APT.

A passive backdoor, PrimeCache works by watching for incoming HTTP requests that match a predefined cookie header structure, which it uses to process commands issued by the attackers and exfiltrate files.

This aspect, coupled with the fact that two OilRig tools (RDAT and a reverse shell codenamed VideoSRV) were discovered on compromised KRG systems in September 2017 and September 2018, respectively, suggests that BladedFeline may be a subgroup within OilRig, but one that differs from Lyceum, another subcluster.

Additionally, the OilRig connection has been reinforced by a September 2024 report from Check Point, which pointed fingers at the Iranian hacking group for infiltrating Iraqi government networks and infecting them with Whisper and Spearal, possibly using social engineering.

ESET said it had identified a malicious artifact named Hawking Listener that was uploaded to the VirusTotal platform by the same party that uploaded Flog in March 2024. Hawking Listener is an early-stage implant that listens on a specified port and runs commands via “cmd.exe”.

“BladedFeline targets the KRG and the GOI for cyber espionage purposes and is looking to maintain strategic access to senior officials from both government agencies,” the company concluded.

“The KRG’s diplomatic ties with Western countries, coupled with the oil reserves in the Kurdistan region, make it an attractive target for Iranian-aligned threat actors to spy on and potentially manipulate.”
