Inside BladedFeline, OilRig-linked email backdoor ops

June 5, 2025 at 12:00 AM

ESET researchers uncovered an Iran-aligned APT dubbed BladedFeline actively spying on Kurdish and Iraqi government officials and a regional telco in Uzbekistan. Active since at least 2017, the group has expanded its toolkit and, with medium confidence, is assessed as a subgroup of OilRig based on code overlaps, shared tooling, and targeting.

What ESET found

  • Long-running access to Kurdish diplomatic entities and high-ranking officials in Iraq, plus activity against a telco in Uzbekistan
  • Signature implants: Whisper (email-based backdoor) and PrimeCache (malicious IIS module), plus reverse tunnels Laret and Pinar and multiple post-compromise utilities
  • Clear ties to OilRig: OilRig tools (RDAT, VideoSRV) were present on KRG systems; PrimeCache shares unique code patterns with OilRig’s RDAT

How the key implants work

  • Whisper backdoor: Communicates via compromised Microsoft Exchange webmail. Creates or uses inbox rules (for example, subject contains PMO), beacons roughly every 10 hours, fetches operator commands hidden in email attachments, and exfiltrates results via reply emails. Uses AES for command encryption; supports PowerShell execution, file upload/download, and on-disk writes.
  • PrimeCache IIS module: A native IIS backdoor that listens for operator commands embedded in HTTP cookie headers. It caches parameters across multiple requests, then executes commands. Supports command execution (r/r2/r3), file upload (u), and data exfiltration (d). Uses RSA and AES-CBC (Crypto++) and mirrors distinctive parsing and a unique command-exec routine seen in OilRig’s RDAT.
  • Laret and Pinar reverse tunnels: .NET SSH-based port forwarders using Renci.SshNet, with base64 and hex-encoded configs. Pinar installs as a service for persistence; both can run a local cleartext listener and execute a specified process before tunneling.
  • Other tools: Shahmaran (simple C2 backdoor used for access maintenance), Slippery Snakelet (Python backdoor with cmd/file ops), Flog (ASP.NET webshell gated by MD5-hashed password), Hawking Listener (HTTP command listener), P.S. Olala (service to run PowerShell scripts), and Sheep Tunneler (custom tunneler).
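Two hunts a defender can derive from the Whisper description above (an inbox rule keyed on a subject word, and a reply cadence of roughly 10 hours), written as an added example that is not ESET's code or tooling. The rule-export field names and the mailbox, rule and timestamp data are constructed for illustration; only the PMO keyword and the 10 h interval come from the report.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

SUSPECT_KEYWORDS = {"pmo"}  # subject keyword ESET observed; add local ones

# Constructed inbox-rule export. Field names are an assumption modelled on
# Exchange's Get-InboxRule output; nothing here is from the ESET report.
INBOX_RULES = [
    {"Mailbox": "a@example.test", "Name": "news",
     "SubjectContainsWords": ["newsletter"], "MarkAsRead": False},
    {"Mailbox": "b@example.test", "Name": ".",
     "SubjectContainsWords": ["PMO"], "MarkAsRead": True,
     "MoveToFolder": "RSS Feeds"},
]

# Constructed outbound message trace (sender, send time). Mailbox b replies
# at a near-constant 10 h cadence, the beacon interval ESET describes.
MESSAGE_TRACE = [
    ("a@example.test", "2024-03-01 09:12"), ("a@example.test", "2024-03-01 13:40"),
    ("a@example.test", "2024-03-02 08:05"), ("a@example.test", "2024-03-02 12:30"),
    ("b@example.test", "2024-03-01 00:00"), ("b@example.test", "2024-03-01 10:03"),
    ("b@example.test", "2024-03-01 19:58"), ("b@example.test", "2024-03-02 06:01"),
    ("b@example.test", "2024-03-02 15:59"),
]

def suspicious_rules(rules, keywords=SUSPECT_KEYWORDS):
    """Return (mailbox, rule name) for rules keyed on a suspect subject word."""
    hits = []
    for r in rules:
        words = {w.lower() for w in r.get("SubjectContainsWords", [])}
        if words & keywords:
            hits.append((r["Mailbox"], r["Name"]))
    return hits

def beacon_candidates(trace, period_h=10.0, tolerance=0.15, min_gaps=3):
    """Return senders whose median gap between outbound messages lies
    within +/- tolerance of period_h, given at least min_gaps gaps."""
    by_sender = defaultdict(list)
    for sender, ts in trace:
        by_sender[sender].append(datetime.strptime(ts, "%Y-%m-%d %H:%M"))
    found = []
    for sender, times in sorted(by_sender.items()):
        times.sort()
        gaps = [(b - a).total_seconds() / 3600 for a, b in zip(times, times[1:])]
        if len(gaps) >= min_gaps and abs(median(gaps) - period_h) <= tolerance * period_h:
            found.append(sender)
    return found
```

Real message traces are noisier than this sample, so treat a cadence hit as a lead to pair with the rule check and mailbox audit logs rather than a verdict on its own.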

Timeline highlights

  • 2017–2018: VideoSRV reverse shell and OilRig’s RDAT backdoor on KRG systems
  • 2023: Shahmaran deployed; Slippery Snakelet and P.S. Olala observed; expansion to Uzbekistan telco
  • 2024: Whisper and PrimeCache discovered; Laret and Pinar appear; multiple samples uploaded to VirusTotal from Iraq

Attribution and intent

  • Target set, tool reuse, and code commonalities suggest BladedFeline is an OilRig subgroup (ESET also tracks Lyceum as a separate OilRig subgroup)
  • Likely cyberespionage: sustained, strategic access to the Kurdistan Regional Government (KRG) and the Government of Iraq (GOI) to monitor regional politics, energy interests, and diplomatic ties

Tactics, techniques, and procedures

  • Initial access: likely exploitation of public-facing apps; webshell placement on IIS
  • Persistence: Windows services, startup folder shortcuts, IIS module loading
  • Defense evasion: timestomping, use of valid email accounts, base64/AES obfuscation
  • Credential access: LSASS dumping
  • C2 and exfiltration: email-based C2 via Exchange, HTTP(S) traffic on IIS, SSH port forwarding

Selected infrastructure and IOCs

  • Distribution server for Laret: 178.209.51[.]61
  • Shahmaran C2 domain: olinpa[.]com

Bottom line: BladedFeline continues to iterate on a versatile toolset that blends living-off-the-land techniques (email and IIS) with custom backdoors and tunnels, enabling quiet, durable access across Kurdish and Iraqi government networks.

Source: WeLiveSecurity
