ESET Discovers Iran-Aligned BladedFeline Spies on Iraqi and Kurdish Officials

ESET researchers discovered that the Iran-aligned threat group BladedFeline has targeted Kurdish and Iraqi government officials in a recent cyber-espionage campaign. The group deployed a range of malicious tools, discovered within the compromised systems, indicating a continued effort to maintain and expand access to high-ranking officials and government organizations in Iraq and the Kurdish region. The latest campaign highlights BladedFeline's evolving capabilities, featuring two tunneling tools (Laret and Pinar), various supplementary tools, and, most notably, a custom backdoor, Whisper, and a malicious Internet Information Services (IIS) module, PrimeCache, both identified and named by ESET.
Whisper logs into a compromised webmail account on a Microsoft Exchange server and uses it to communicate with the attackers via email attachments. PrimeCache, a malicious IIS module, also serves as a backdoor, and it bears code similarities to the RDAT backdoor used by the OilRig Advanced Persistent Threat (APT) group.
Based on these code similarities, as well as on further evidence presented in this blog post, ESET assesses that BladedFeline is very likely a subgroup of OilRig, an Iran-aligned APT group that goes after governments and businesses in the Middle East. The initial implants in the latest campaign can be traced back to OilRig. These tools reflect the group's strategic focus on persistence and stealth within targeted networks.
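A defender-side check for the class of threat PrimeCache represents: a malicious native IIS module must be registered in applicationHost.config (or via IIS Manager/appcmd) before IIS will load it, so listing the registered global modules and flagging any DLL that sits outside the directories where Microsoft ships IIS and Exchange modules is a quick triage step. This is an added example, not ESET's code or anything from the report; the config fragment is constructed and the allowlist is an assumption to adapt per server.

```python
"""Triage helper for the class of threat PrimeCache represents: list the
native (global) modules registered in IIS applicationHost.config and flag
any whose DLL is outside the directories where Microsoft ships IIS and
Exchange modules. Added example, not ESET's code; the config fragment is
constructed and the allowlist is an assumption to adapt per server."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Assumption: where legitimate native modules live on an Exchange server.
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Windows\System32\inetsrv"),
    PureWindowsPath(r"C:\Program Files\Microsoft\Exchange Server"),
)

# Constructed applicationHost.config fragment (not a real capture).
SAMPLE_CONFIG = """<configuration><system.webServer><globalModules>
  <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
  <add name="ExchangeAuth" image="C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\auth.dll" />
  <add name="CacheModule" image="C:\\inetpub\\temp\\cache.dll" />
</globalModules></system.webServer></configuration>"""

def expand(image: str) -> PureWindowsPath:
    """Minimal %windir% expansion (assumption: C:\\Windows)."""
    return PureWindowsPath(image.replace("%windir%", r"C:\Windows"))

def is_trusted(path: PureWindowsPath) -> bool:
    """True when the DLL sits under an allowlisted directory."""
    low = str(path).lower()
    return any(low.startswith(str(d).lower() + "\\") for d in TRUSTED_DIRS)

def suspicious_modules(config_xml: str) -> list[tuple[str, str]]:
    """(module name, image path) for each global module outside the
    allowlist; these warrant hash, signature and timestamp review."""
    root = ET.fromstring(config_xml)
    flagged = []
    for gm in root.iter("globalModules"):
        for add in gm.findall("add"):
            name, image = add.get("name", ""), add.get("image", "")
            if not is_trusted(expand(image)):
                flagged.append((name, image))
    return flagged

if __name__ == "__main__":
    for name, image in suspicious_modules(SAMPLE_CONFIG):
        print(f"review: {name} -> {image}")
```

On a live server, point `suspicious_modules` at the contents of `%windir%\System32\inetsrv\config\applicationHost.config` and follow up on every flagged DLL with a signature check and a file-creation timeline.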
BladedFeline has worked consistently to maintain illicit access to Kurdish diplomatic officials, while simultaneously exploiting a regional telecommunications provider in Uzbekistan, and developing and maintaining access to officials in the government of Iraq.
ESET Research assesses that BladedFeline is targeting the Kurdish and Iraqi governments for cyberespionage purposes, with an eye toward maintaining strategic access to the computers of high-ranking officials in both governmental entities. The Kurdish diplomatic relationship with Western nations, coupled with the oil reserves in the Kurdistan region, makes it an enticing target for Iran-aligned threat actors to spy on and potentially manipulate. In Iraq, these threat actors are most probably trying to counter the influence of Western governments following the US invasion and occupation of the country.
In 2023, ESET Research discovered that BladedFeline targeted Kurdish diplomatic officials with the Shahmaran backdoor, and it previously reported on the group's activities in ESET APT Activity Reports. The group has been active since at least 2017, when it compromised officials within the Kurdistan Regional Government, but it is not the only subgroup of OilRig that ESET Research is monitoring. ESET has been tracking Lyceum, also known as HEXANE or Storm-0133, as another OilRig subgroup. Lyceum focuses on targeting various Israeli organizations, including national and local government entities and healthcare organizations.
ESET expects that BladedFeline will persist with implant development in order to maintain and expand access within its compromised victim set for cyberespionage.