BladedFeline

Also known as: BladedFeline

BladedFeline is an Iran-aligned APT group that has been active since at least 2017, targeting Iraqi and Kurdish government officials for cyberespionage. The group employs a variety of tools, including the Shahmaran backdoor, Whisper, and PrimeCache, a malicious IIS module. BladedFeline uses techniques such as spearphishing (T1566) and exploitation of public-facing applications (T1190) for initial access, and timestomping to conceal its activity while it maintains access and exfiltrates data. The group is assessed with medium confidence to be a subgroup of OilRig, and its focus is strategic access to high-ranking officials in the region.

🌍 Country: Iran

Activities and Tactics

Country of Origin: 🇮🇷 Iran

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • Backdoor.Oldrea
  • CyberGate
  • Cyber Eye RAT
  • Xploit

Attribution and Evidence

Country of Origin: Iran

Additional attribution information pending cataloguing.

References

References pending cataloguing.