Iranian APT 'BladedFeline' Hides in Network for 8 Years - Dark Reading
Iranian APT 'BladedFeline' Hides in Network for 8 Years
ESET published research on the Iranian APT "BladedFeline," which researchers believe is a subgroup of the cyber-espionage entity APT34.
Alexander Culafi,Senior News Writer,Dark Reading
June 5, 2025
An Iranian cyber-espionage group hid in a target's network for nearly a decade before being detected.
ESET published research today concerning "BladedFeline," an Iranian advanced persistent threat (APT) that researchers said targeted "systems used by Kurdish and Iraqi government officials" in a cyber-espionage campaign last year. The group has been active since at least 2017, and ESET said the group creates malware specifically "for maintaining and expanding access within organizations in Iraq and the KRG [Kurdistan Regional Government]."
Traditionally, Iranian APTs have been deployed for espionage, power projection, and furthering the country's national strategy. Some APTs have also been observed conducting ransomware attacks.
BladedFeline, which ESET said it discovered in 2023, fits into this mold. Today's research details how a state-backed actor gets its tendrils into an adversary's systems.
Inside a BladedFeline Campaign
According to ESET, the group has been observed deploying a proprietary backdoor, referred to as "Shahmaran," against Kurdish officials. The researchers describe the backdoor as "simple": a 64-bit executable that uses neither compression nor encryption for its communications, and which they first found in a target's Startup directory.
"After checking in with the C&C server, the backdoor executes any operator commands provided, which include uploading and downloading additional files, requesting specific file attributes and providing file and directory manipulation API," the researchers said.
ESET said it's unclear how BladedFeline gained initial access; in the case of KRG victims, it established access to a target network at least as far back as 2017 and has maintained it ever since. For Iraqi government victims, ESET suspects the group exploited a flaw in an internet-facing web server enabling web shell deployment.
In addition to its proprietary Shahmaran backdoor, the research detailed BladedFeline's use of a backdoor called Whisper, a malicious Internet Information Services (IIS) module ESET calls "PrimeCache" that also serves as a backdoor, a reverse shell called "VideoSRV," PowerShell executors, multiple reverse tunnels, and much more. The timeline covered in the research stretches from September 2017 to March 2024.
From its research, ESET assessed BladedFeline targeted Kurdistan and Iraq for espionage-related purposes, "with an eye toward maintaining strategic access to high-ranking officials in both governmental entities."
"The KRG's diplomatic relationship with Western nations, coupled with the oil reserves in the Kurdistan region, makes it an enticing target for Iran-aligned threat actors to spy on and potentially manipulate," the report read. "In Iraq, these threat actors are most probably trying to counter the influence of Western governments following the US invasion and occupation of the country."
Researchers also assessed with medium confidence that BladedFeline is a subgroup of "OilRig," an Iranian cyber-espionage group also referred to as APT34 and Hazel Sandstorm. That assessment is based on code similarities between PrimeCache and OilRig's backdoor RDAT, and on BladedFeline's use of VideoSRV, which is an OilRig tool.
ESET expects going forward "that BladedFeline will persist with implant development in order to maintain and expand access within its compromised victim set, likely for cyberespionage."
The research includes indicators of compromise as well as further technical details.
BladedFeline in Context
An ESET researcher, who wished to remain anonymous because they did not want their name to appear in media reports, tells Dark Reading that compared to the broader spectrum of APT actors, BladedFeline is a moderately advanced group, as it develops its own tools that are of reasonably high quality. "We don't pick up on them right away like we do with many other Iranian-aligned APT groups," the researcher says.
Most importantly, as stated, the group has maintained access to some Kurdish officials for eight years. From a defender standpoint, ESET recommends knowing which applications are in your network, particularly if they're being used by high-value targets or VIPs within your organization.
"These particular implants that the BladedFeline group has developed are fairly stealthy in their network exfiltration paths," the ESET researcher tells Dark Reading. "They do a good job of hiding within normal traffic channels, so knowing what's out there from a network perspective is useful. And then when you combine that with knowing what applications are operating within your environment, you can get a pretty solid baseline for what good looks like and then identify deviations and anomalous behavior."
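ESET's recommendation to know which applications and persistence points exist on the hosts that high-value users touch maps directly onto the two footholds the article names: an executable dropped in a Startup folder (where Shahmaran was first found) and a rogue IIS module (PrimeCache). The PowerShell hunting script below is an added example written for this page, not ESET's or Dark Reading's code. It assumes a Windows host with PowerShell 5.1 or later, run as an administrator so every profile's Startup folder is readable, and it skips the IIS check when applicationHost.config is absent. It uses no indicators of compromise; it simply inventories executables in every Startup folder and every IIS global module whose DLL is not Microsoft-signed, so its output is a baseline to review, not a verdict.

```powershell
# Added hunting example for this article (not ESET's or Dark Reading's code).
# Assumes: Windows, PowerShell 5.1+, administrator rights. No IOCs are used; the
# script inventories two persistence locations the article mentions so that a
# defender can build the "what good looks like" baseline ESET recommends.

$findings = @()

# --- 1. Startup folders ---------------------------------------------------
# Anything here runs at logon. Collect the current user's and the common
# Startup folder, plus every profile's Startup folder under C:\Users.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$startupDirs += Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    }

foreach ($dir in ($startupDirs | Sort-Object -Unique)) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll', '.scr', '.com' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature $_.FullName
            $findings += [pscustomobject]@{
                Source = 'Startup folder'
                Path   = $_.FullName
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                Status = $sig.Status
                SHA256 = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# --- 2. IIS global (native) modules ----------------------------------------
# applicationHost.config is the authoritative list of native modules loaded
# into w3wp.exe. A module whose DLL is not Microsoft-signed is not automatically
# malicious (third-party modules exist) but must be explained.
$appHost = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
if (Test-Path $appHost) {
    $xml = [xml](Get-Content $appHost -Raw)
    foreach ($mod in $xml.configuration.'system.webServer'.globalModules.add) {
        # Image paths in the config usually contain %windir%; expand them first.
        $image = [Environment]::ExpandEnvironmentVariables($mod.image)
        $sig = if (Test-Path $image) { Get-AuthenticodeSignature $image } else { $null }
        $subject = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned or missing>' }
        if ($subject -notmatch 'O=Microsoft Corporation') {
            $findings += [pscustomobject]@{
                Source = 'IIS global module'
                Path   = "$($mod.name) -> $image"
                Signer = $subject
                Status = if ($sig) { $sig.Status } else { 'FileMissing' }
                SHA256 = if (Test-Path $image) { (Get-FileHash $image -Algorithm SHA256).Hash } else { '' }
            }
        }
    }
}

# Emit the inventory. Run once to establish a baseline, store the output, and
# diff subsequent runs; a new row is the "deviation" ESET's researcher describes.
$findings | Sort-Object Source, Path | Format-Table -AutoSize
```

The value of the script is in the diff, not the first run: export the table (for example with `Export-Csv`) from a known-good host, then compare later runs or other hosts against it. Hashes are included so a new or changed binary stands out even when its filename is unremarkable.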