
In a detailed exposé released by ESET, researchers unveiled a sophisticated and persistent cyberespionage campaign by an Iran-aligned APT group dubbed BladedFeline, a suspected subgroup of the notorious OilRig (APT34). The targets are high-ranking officials in the Kurdistan Regional Government (KRG), the Government of Iraq (GOI), and a telecommunications provider in Uzbekistan.
“BladedFeline has worked consistently to maintain illicit access to Kurdish diplomatic officials, while simultaneously exploiting a regional telecommunications provider in Uzbekistan,” ESET states.
ESET’s report introduced two major tools from the group’s expanding toolkit:
Whisper: The Stealthy Backdoor
This .NET-based malware communicates using compromised Microsoft Exchange accounts, embedding encrypted commands and responses in email attachments. Once deployed via its dropper “Protocol.pdf.exe,” Whisper installs itself with a configuration that allows it to:
- Create inbox rules for command-and-control traffic.
- Decrypt and execute PowerShell scripts sent as attachments.
- Exfiltrate command results back to the attacker via email.
“Whisper’s operation is not the first time we have observed an OilRig subgroup using cloud services for its C&C protocol,” ESET states.
PrimeCache: The Malicious IIS Module
Acting as a passive backdoor, PrimeCache is an IIS web server module that processes specially crafted cookies containing AES-encrypted commands. It supports command execution, file exfiltration, and uploading content—all without raising suspicion.
“Rather than accepting a backdoor command and all its parameters within a single HTTP request, each action is split into multiple requests,” ESET notes.
PrimeCache’s code strongly resembles OilRig’s RDAT malware, sharing both encryption routines and core command-execution functions.
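A malicious IIS module such as the one described above has to be registered in applicationHost.config before IIS will load it. As an added defender-side illustration (not code from ESET's report or from any BladedFeline sample), the following Python parses a constructed applicationHost.config fragment and flags modules loaded from outside the stock IIS install; the sample config, module names and the trusted-path and namespace allow-lists are assumptions to tune per environment.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed applicationHost.config fragment (not a real capture). Native modules are
# registered under <globalModules> and normally point into %windir%\System32\inetsrv;
# managed modules appear under <modules> with a .NET type name.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="CacheUriModule" image="%windir%\\System32\\inetsrv\\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="ReqHelperModule" image="C:\\inetpub\\temp\\reqhelper.dll" />
    </globalModules>
    <modules>
      <add name="CacheUriModule" />
      <add name="ReqHelperModule" />
      <add name="SessionHelper" type="SessionHelper.Module, SessionHelper" preCondition="managedHandler" />
    </modules>
  </system.webServer>
</configuration>"""

# Hypothetical allow-lists: where stock native images live, and namespaces of
# Microsoft-shipped managed modules. Anything else deserves a closer look.
TRUSTED_IMAGE_PREFIX = "%windir%\\system32\\inetsrv\\"
TRUSTED_TYPE_PREFIXES = ("System.Web.", "Microsoft.")


def find_suspicious_modules(config_xml: str) -> List[Tuple[str, str, str]]:
    """Return (kind, name, location) for every module that is not part of the
    stock IIS install: native images outside inetsrv, and managed types outside
    a known Microsoft namespace. Entries under <modules> that carry no type
    merely enable a native module already listed in <globalModules>, so they
    are skipped here."""
    root = ET.fromstring(config_xml)
    findings: List[Tuple[str, str, str]] = []
    for group in root.iter("globalModules"):
        for add in group.findall("add"):
            image = add.get("image", "")
            if not image.lower().startswith(TRUSTED_IMAGE_PREFIX):
                findings.append(("native", add.get("name", "?"), image))
    for group in root.iter("modules"):
        for add in group.findall("add"):
            mtype = add.get("type")
            if mtype and not mtype.startswith(TRUSTED_TYPE_PREFIXES):
                findings.append(("managed", add.get("name", "?"), mtype))
    return findings


if __name__ == "__main__":
    for kind, name, where in find_suspicious_modules(SAMPLE_CONFIG):
        print(f"[{kind}] {name}: {where}")
```

On a live host, feed it the contents of %windir%\System32\inetsrv\config\applicationHost.config and verify each flagged image's signature and hash out of band.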
ESET’s technical attribution is based on:
- Whisper, PrimeCache, and other tools were uploaded to VirusTotal by the same Iraqi user.
- Whisper samples were found in compromised GOI systems.
- PrimeCache’s structure and encryption mirror those used in OilRig’s past tools like RDAT.
- Shared PDB paths and payload patterns provide further correlation.
“We believe with medium confidence that BladedFeline is a subgroup of OilRig,” ESET states.
BladedFeline’s arsenal shows a layered architecture:
- Whisper Protocol: Drops and configures Whisper with persistence.
- Laret & Pinar: .NET-based reverse tunnels using SSH.
- Hawking Listener: A lightweight command executor over HTTP.
- P.S. Olala: Executes PowerShell payloads like Whisper or tunnels.
Their approach reflects modular, resilient C2 communications—combining email, IIS web servers, and reverse tunnels.
BladedFeline’s primary motivation is cyberespionage. According to ESET, its focus on government officials, diplomatic communications, and regional infrastructure suggests geopolitical intent:
“The KRG’s diplomatic relationship with Western nations, coupled with the oil reserves in the Kurdistan region, makes it an enticing target.”