ESET Research links BladedFeline to OilRig APT group as new tools Whisper and PrimeCache emerge
ESET researchers have uncovered a major cyber-espionage campaign by BladedFeline, an Iran-aligned threat group targeting high-ranking officials in Iraq and the Kurdish region. The operation deployed an arsenal of custom-built tools designed for persistence and stealth, signaling a strategic push to maintain long-term access to sensitive government systems.
The investigation revealed two reverse tunneling utilities, Laret and Pinar, alongside supplementary tools, a custom backdoor named Whisper, and a malicious IIS module dubbed PrimeCache. Taken together, these tools show BladedFeline's growing sophistication and its alignment with broader Iranian cyber objectives.
Whisper and PrimeCache: New Weapons in the Arsenal
Whisper operates by logging into compromised Microsoft Exchange webmail accounts and communicating with the attackers via email attachments, a channel that blends into the victim's normal mail traffic and avoids the outbound connections that network defenses typically flag. PrimeCache, a malicious IIS module, functions as a backdoor: once registered as a native module, it is loaded into the web server's worker processes, responds to requests the attackers send to the server and survives reboots without needing its own persistence mechanism. PrimeCache shares code similarities with RDAT, a backdoor previously attributed to the OilRig APT group.
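One check a defender can run against the IIS component of this tradecraft is to compare the native modules registered in applicationHost.config with a baseline taken from a clean host, since a malicious module such as the one described above has to be registered there like any other. The script below is an added example, not code from ESET or from the malware analysis; the configuration excerpt, the module name "SiteCacheModule" and the DLL paths are constructed for illustration and are not indicators from the report, and the baseline set is abbreviated and must be built from a known-good server in practice.

```python
"""Hunt for unexpected IIS native (global) modules in applicationHost.config.

Two signals are checked for every <globalModules><add> entry:
  1. the module name is not in the baseline of modules expected on this host
  2. the module DLL lives outside %windir%\\System32\\inetsrv\\
Either one on its own warrants a look; both together are a strong lead.
"""
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of applicationHost.config (not a real IOC).
# "SiteCacheModule" and the paths under Temp/inetpub are hypothetical.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="StaticCompressionModule" image="C:\inetpub\temp\compstat.dll" />
      <add name="SiteCacheModule" image="C:\Windows\Temp\sitecache.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Abbreviated baseline; build the real one from a clean host with the same IIS role set.
KNOWN_MODULES = {
    "HttpLoggingModule",
    "DefaultDocumentModule",
    "StaticCompressionModule",
    "DynamicCompressionModule",
    "RequestFilteringModule",
}

INETSRV_DIR = r"c:\windows\system32\inetsrv" + "\\"


def parse_global_modules(xml_text):
    """Return a list of (name, image) tuples from every <globalModules><add> element."""
    root = ET.fromstring(xml_text)
    modules = []
    for gm in root.iter("globalModules"):
        for add in gm:
            if add.tag == "add":
                modules.append((add.get("name", ""), add.get("image", "")))
    return modules


def normalize_image_path(image):
    """Lower-case the DLL path and expand %windir% so it can be compared with the baseline dir."""
    return image.lower().replace("%windir%", r"c:\windows").replace("%systemroot%", r"c:\windows")


def find_suspicious_modules(modules, baseline=KNOWN_MODULES):
    """Flag modules whose name is unknown or whose DLL is loaded from outside inetsrv."""
    findings = []
    for name, image in modules:
        reasons = []
        if name not in baseline:
            reasons.append("name not in baseline")
        if not normalize_image_path(image).startswith(INETSRV_DIR):
            reasons.append("image outside inetsrv directory")
        if reasons:
            findings.append({"name": name, "image": image, "reasons": reasons})
    return findings


def hunt(xml_text):
    """Convenience wrapper: parse the config and return the findings."""
    return find_suspicious_modules(parse_global_modules(xml_text))


if __name__ == "__main__":
    # On a live host read %windir%\System32\inetsrv\config\applicationHost.config instead.
    for hit in hunt(SAMPLE_CONFIG):
        print(f"{hit['name']:<24} {hit['image']:<45} {', '.join(hit['reasons'])}")
```

Running it on the constructed excerpt flags two entries: the unknown "SiteCacheModule" loaded from a temp directory, and "StaticCompressionModule", a legitimate name whose DLL has been swapped for one outside inetsrv. The second case matters because an attacker can reuse a known module name; comparing the image path, not just the name, is what catches it. The same name-plus-path comparison applies to the output of `Get-WebGlobalModule` on the host itself.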
“BladedFeline’s evolving toolkit shows a clear intent: persistent, stealthy access to high-value government networks in Iraq and Kurdistan.”
Based on these overlaps and additional evidence, ESET assesses with high confidence that BladedFeline is a subgroup within OilRig, an Iran-aligned advanced persistent threat actor known for targeting governments and businesses across the Middle East.
Strategic Targets and Regional Motives
BladedFeline’s objectives appear clear: sustained access to government networks for intelligence gathering. In 2023 the group compromised Kurdish diplomatic officials with its Shahmaran backdoor, and it has kept extending its reach in the region since. Recent activity includes targeting a telecommunications provider in Uzbekistan and expanding operations within Iraqi government entities.
Why these targets? Analysts point to Kurdistan’s diplomatic ties with Western nations and its vast oil reserves—factors that make it a prime focus for Iranian cyber-espionage. In Iraq, the campaign likely aims to counter Western influence following years of geopolitical tension.
A Persistent Threat Since 2017
BladedFeline has been active since at least 2017, when it infiltrated systems within the Kurdistan Regional Government. It is not the only OilRig subgroup under ESET’s watch. Another faction, Lyceum (also known as HEXANE or Storm-0133), focuses on Israeli organizations, including government and healthcare sectors. Together, these groups reflect a coordinated effort to advance Iran’s strategic interests through cyber operations.
ESET expects BladedFeline to continue refining its implants and expanding its victim set. The group’s emphasis on stealth and persistence suggests that future campaigns will favor techniques that hide inside legitimate services, as Whisper and PrimeCache already do, over tooling that is easy to spot on the network.
Implications for Regional Security
The latest findings highlight the urgent need for governments and enterprises to strengthen cyber resilience. Concretely, that means knowing which modules are loaded in Exchange and other IIS servers and alerting on changes, watching webmail accounts for logins and attachment traffic that do not fit their owners' habits, monitoring for anomalous activity more broadly, and maintaining incident response plans that assume an intruder may already hold long-term access. As geopolitical tensions persist, cyber-espionage will remain a preferred tool for state-aligned actors seeking influence without direct confrontation.
