BladedFeline, believed to be part of a larger Iranian-linked cyber network, stepped up its efforts in 2024, targeting figures among both Kurdish and Iraqi officials. Tracing back to at least 2017, the group originally set its sights on the Kurdistan Regional Government. More recent efforts appear to have expanded into Iraq’s diplomatic and government sectors, with signs of probing activity in Azerbaijan and even a telecom firm in Uzbekistan.
According to ESET, which tracks BladedFeline’s activity, the group has developed a range of custom malware to help it quietly remain inside compromised networks for extended periods. Among its tools are Shahmaran, Whisper, Spearal, Optimizer, and Slippery Snakelet, backdoors that let the operators run commands remotely, steal information, and communicate covertly using DNS tunneling or hijacked email systems.
They also deploy tunneling utilities like Laret and Pinar, along with a passive IIS module known as PrimeCache that listens for specially crafted HTTP requests to leak stolen data. Analysts have also found signs of RDAT and VideoSRV, malware previously associated with OilRig, on KRG infrastructure, adding further weight to BladedFeline’s suspected connection to Iran-linked cyber operations.
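The covert channels above (DNS tunneling in particular) leave a recognisable footprint in resolver logs: many distinct, long, high-entropy subdomains under one base domain, often carried in TXT or other record types that can hold bulky answers. The script below is an added example for defenders, not code from ESET’s report and not tied to any BladedFeline indicator; the log lines, the `tunnel-example.test` domain and the thresholds are all constructed assumptions meant as a starting point for tuning against real resolver data.

```python
"""Heuristic detection of DNS-tunneling-style query patterns in a resolver log.

Added example: not from ESET's report or any BladedFeline tooling. The log,
the domain names and the thresholds below are constructed for illustration.
"""
import hashlib
import math
from collections import defaultdict

# Constructed sample log: (client_ip, query_type, queried_name).
BENIGN = [
    ("10.0.0.5", "A", "www.example.com"),
    ("10.0.0.5", "A", "mail.example.com"),
    ("10.0.0.5", "AAAA", "cdn.example.net"),
    ("10.0.0.6", "A", "updates.example.org"),
    ("10.0.0.6", "TXT", "_dmarc.example.org"),
]


def _fake_chunk(i: int) -> str:
    # Deterministic stand-in for an encoded data chunk (hypothetical, not real traffic).
    return hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:48]


# 25 queries from one client, each carrying a different 48-char hex label
# under the same hypothetical base domain, as a tunnel would produce.
TUNNEL_LIKE = [
    ("10.0.0.7", "TXT", f"{_fake_chunk(i)}.cb.tunnel-example.test")
    for i in range(25)
]

SAMPLE_LOG = BENIGN + TUNNEL_LIKE
HEXCHARS = set("0123456789abcdef")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking encoded data scores high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain, base_domain). Assumption: base domain = last two labels."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_query(qtype: str, qname: str):
    """Score one query; each matched heuristic adds a point and a reason."""
    sub, _ = split_name(qname)
    first = sub.split(".")[0] if sub else ""
    reasons = []
    if len(first) >= 40:
        reasons.append("long leading label")
    if len(first) >= 16 and set(first) <= HEXCHARS:
        reasons.append("hex-only label")
    if shannon_entropy(first) >= 3.5:
        reasons.append("high-entropy label")
    if qtype in ("TXT", "NULL", "CNAME") and len(sub) >= 30:
        reasons.append(f"{qtype} query carrying a large subdomain")
    return len(reasons), reasons


def find_suspicious(log, per_query_min=2, min_unique_subdomains=20):
    """Group by (client, base domain) and flag pairs with many distinct,
    individually suspicious subdomains. Returns {(client, base): stats}."""
    seen = defaultdict(set)
    hits = defaultdict(int)
    for client, qtype, qname in log:
        sub, base = split_name(qname)
        seen[(client, base)].add(sub)
        score, _ = score_query(qtype, qname)
        if score >= per_query_min:
            hits[(client, base)] += 1
    flagged = {}
    for key, subs in seen.items():
        if len(subs) >= min_unique_subdomains and hits[key] >= min_unique_subdomains:
            flagged[key] = {
                "unique_subdomains": len(subs),
                "suspicious_queries": hits[key],
            }
    return flagged


if __name__ == "__main__":
    for (client, base), info in find_suspicious(SAMPLE_LOG).items():
        print(f"{client} -> {base}: {info}")
```

The per-query heuristics alone produce false positives (CDN hostnames and DKIM selectors can be long and hex-like), which is why the final decision is made per client and base domain over a volume of distinct subdomains; in practice the thresholds should be set from a baseline of the organisation’s own resolver traffic, and flagged pairs cross-checked against the IIS and mail-server telemetry that the other channels described above would touch.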
How the attackers first got in isn’t fully known, though it’s suspected they took advantage of exposed internet-facing applications. Their operations seem aimed at collecting sensitive intelligence, especially around Iraq’s foreign relations and energy assets like oil, while also pushing back against Western presence in the region.
ESET believes BladedFeline is intent on staying under the radar within high-level government systems in both the Kurdistan Regional Government and the broader Iraqi administration, enabling long-term surveillance and intelligence gathering.