Iranian group BladedFeline attacks Iraq and Kurdistan with Whisper, Spearal, and PrimeCache backdoors

06.06.2025 2 minutes Author: Newsman

Government structures in Iraq and the Kurdistan Region have been targeted by a new wave of cyberespionage attacks linked to the BladedFeline group, a subcluster of the Iranian APT group OilRig. The goal is to gain long-term access to diplomats and government structures through a complex network of backdoors and tunneling.

ESET has linked the BladedFeline group to recent attacks on officials in Iraq and the Kurdistan Region of Iraq (KRG). In particular, the use of new malware was detected: Whisper, Spearal, Optimizer and the Python implant Slippery Snakelet, as well as PrimeCache, a backdoor implemented as a module for the IIS server.

  • Whisper communicates with the attackers via Microsoft Exchange mail, and Spearal via DNS tunnels. Optimizer is an updated version of Spearal. PrimeCache passively waits for HTTP requests with special cookies, allowing attackers to transmit commands and upload files.
  • BladedFeline also uses the Laret and Pinar tools for network tunneling, and a new Hawking Listener artifact uploaded to VirusTotal in March 2024 indicates further improvements to their implants.

BladedFeline was first detected in 2017 during attacks on the KRG, and in 2023–2024 it became more active, using its own backdoors in government networks in Iraq, Azerbaijan, and even Uzbekistan’s telecom networks. A number of its tools overlap with those used by the OilRig group, which has been linked to Iranian structures for many years.

BladedFeline is not just an APT group, but part of Iran’s state mechanism for cyber surveillance and control of the region. Its focus on Iraq and Kurdistan is explained by strategic interests: influence on politics, diplomacy, and access to oil resources. In today’s cyberspace, even the smallest backdoors become a tool of global pressure.
