ESET Research<p><a href="https://infosec.exchange/tags/ESETresearch" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ESETresearch</span></a> analyzed a campaign deployed by BladedFeline, an Iran-aligned threat actor with likely ties to <a href="https://infosec.exchange/tags/OilRig" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OilRig</span></a>. We discovered the campaign, which targeted Kurdish and Iraqi government officials, in 2024. <a href="https://www.welivesecurity.com/en/eset-research/bladedfeline-whispering-dark/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">welivesecurity.com/en/eset-res</span><span class="invisible">earch/bladedfeline-whispering-dark/</span></a> <br>BladedFeline, a cyberespionage group active since at least 2017, develops malware for strategic access within the Kurdistan Regional Government and the government of Iraq. We discovered BladedFeline in 2023 after it targeted Kurdish officials with the <a href="https://infosec.exchange/tags/Shahmaran" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Shahmaran</span></a> backdoor. <br>The systems compromised in the latest campaign contained the <a href="https://infosec.exchange/tags/Whisper" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Whisper</span></a> backdoor, a malicious IIS module <a href="https://infosec.exchange/tags/PrimeCache" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PrimeCache</span></a>, two reverse tunnels, and several supplementary tools. Whisper uses <a href="https://infosec.exchange/tags/MicrosoftExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>MicrosoftExchange</span></a> server to communicate with the attackers via email attachments. <br>We believe with medium confidence that BladedFeline is a subgroup of OilRig, an 🇮🇷-based APT group also known as APT34 or Hazel Sandstorm. <br>First, there were OilRig tools present in the systems compromised in this campaign. BladedFeline’s PrimeCache also shares code similarities with OilRig’s <a href="https://infosec.exchange/tags/RDAT" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>RDAT</span></a> backdoor. Moreover, as does OilRig, BladedFeline targets organizations in the Middle East.<br>IoCs will be available in our GitHub repo: <a href="https://github.com/eset/malware-ioc/tree/master/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">github.com/eset/malware-ioc/tr</span><span class="invisible">ee/master/</span></a></p>
Recent searches
No recent searches
Search options
Only available when logged in.
eupolicy.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
This Mastodon server is a friendly and respectful discussion space for people working in areas related to EU policy. When you request to create an account, please tell us something about you.
Administered by:
Server stats:
225active users
eupolicy.social: About · Profiles directory · Privacy policy
Mastodon: About · Get the app · Keyboard shortcuts · View source code · v4.3.8
#primecache
0 posts · 0 participants · 0 posts today
Europe Says<p><a href="https://www.europesays.com/2137357/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">europesays.com/2137357/</span><span class="invisible"></span></a> Iran-aligned BladedFeline spies on Iraqi and Kurdish <a href="https://pubeurope.com/tags/BackdoorWhisper" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BackdoorWhisper</span></a> <a href="https://pubeurope.com/tags/Conflicts" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Conflicts</span></a> <a href="https://pubeurope.com/tags/CyberEspionage" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberEspionage</span></a> <a href="https://pubeurope.com/tags/ESET" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ESET</span></a> <a href="https://pubeurope.com/tags/Iran" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Iran</span></a> <a href="https://pubeurope.com/tags/IranAligned" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IranAligned</span></a> <a href="https://pubeurope.com/tags/llc" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>llc</span></a> <a href="https://pubeurope.com/tags/OilRig" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OilRig</span></a> <a href="https://pubeurope.com/tags/OperationRoundpress" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OperationRoundpress</span></a> <a href="https://pubeurope.com/tags/PrimeCache" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PrimeCache</span></a> <a href="https://pubeurope.com/tags/ThreatActors" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatActors</span></a></p>
ExploreLive feeds
Mastodon is the best way to keep up with what's happening.
Follow anyone across the fediverse and see it all in chronological order. No algorithms, ads, or clickbait in sight.
Create accountLoginDrag & drop to upload