Newly published research from ESET has revealed an Iranian cyber-espionage group, tracked as BladedFeline, that operated inside Kurdish and Iraqi government networks undetected for nearly a decade. First identified by the researchers in 2023, BladedFeline has been active since at least 2017, targeting high-ranking officials in the Kurdistan Regional Government (KRG) and Iraqi government infrastructure.
The group used a suite of malware tools, chief among them a custom backdoor named Shahmaran, to maintain long-term access to compromised systems. Shahmaran is a simple 64-bit backdoor executable: it does not encrypt its command-and-control traffic, and it persists by being placed in the Windows Startup folder so that it runs at every logon. Neither trait is an evasion technique; both are easy to spot if anyone is looking, which makes the length of the intrusion a statement about the defenders' visibility rather than about the implant's sophistication.
Once running, Shahmaran connects to a command-and-control (C&C) server and executes the operator's instructions, such as uploading and downloading files, manipulating directories, and collecting information about the host. The initial access vector for the KRG intrusions is unknown; in other intrusions, the researchers suspect that the group exploited internet-facing web servers and used that foothold to deploy web shells.
Stealth Tactics and Custom Toolsets Indicate APT Maturity
In addition to Shahmaran, ESET documented several other tools used by BladedFeline to maintain stealth and expand access, including:
- PrimeCache: A malicious IIS module acting as a backdoor. Because native IIS modules are loaded into the web server's worker process, the backdoor's traffic arrives as ordinary HTTP requests to a server that is supposed to be receiving them.
- VideoSRV: A reverse shell previously linked to the Iranian APT group OilRig.
- Whisper: Another backdoor used in select operations.
- PowerShell-based executors and reverse tunnels for lateral movement and persistence.
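Two of the persistence locations named above, the IIS native-module list (where a malicious IIS module such as PrimeCache has to be registered) and the Windows Startup folders (where Shahmaran was dropped), can be audited from collected triage artifacts. The script below is an added example written for this article, not code from ESET's report or from the actors' tooling. It assumes an applicationHost.config and a Startup-folder listing pulled from the host; the config excerpt, the listing, the environment-variable values and the rogue entries (CacheHelperModule, sysupd.exe, Notes.lnk) are all constructed for the demo and are not indicators from the campaign.

```python
"""Offline triage of IIS global modules and Windows Startup folders.

Added example for this article, not code from ESET's report. The config
snippet, the Startup listing and the rogue entries below are constructed.
"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Environment values as they were on the imaged host (assumed for the demo).
ENV = {"%windir%": r"C:\Windows", "%SystemDrive%": "C:"}


def expand(path: str) -> str:
    for var, value in ENV.items():
        path = path.replace(var, value)
    return path


def _under_any(path: str, roots) -> bool:
    p = PureWindowsPath(path)  # Windows path comparison is case-insensitive
    return any(p.is_relative_to(r) for r in roots)


# Where Microsoft's own native modules live; anything else deserves a look.
IIS_MODULE_ROOTS = [PureWindowsPath(expand(r"%windir%\System32\inetsrv")),
                    PureWindowsPath(expand(r"%windir%\Microsoft.NET"))]


def suspicious_global_modules(config_xml: str) -> list:
    """Native modules in <globalModules> whose DLL sits outside IIS_MODULE_ROOTS.

    A native module is loaded into every w3wp.exe, so a backdoor registered here
    runs inside the web server and its traffic rides on legitimate HTTP. The path
    is only a first filter: a third-party module under Program Files is flagged
    too and should be cleared by Authenticode signature and vendor inventory.
    """
    root = ET.fromstring(config_xml)
    hits = []
    for block in root.iter("globalModules"):
        for add in block.findall("add"):
            image = expand(add.get("image", ""))
            if not _under_any(image, IIS_MODULE_ROOTS):
                hits.append({"name": add.get("name"), "image": image})
    return hits


# Constructed applicationHost.config excerpt: three stock Microsoft modules plus
# one invented entry ("CacheHelperModule") loaded from outside the IIS directory.
SAMPLE_APPHOST = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\\System32\\inetsrv\\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="ManagedEngine64" image="%windir%\\Microsoft.NET\\Framework64\\v4.0.30319\\webengine4.dll" preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
      <add name="CacheHelperModule" image="%SystemDrive%\\inetpub\\temp\\cachehelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".vbe",
            ".js", ".jse", ".wsf", ".ps1", ".hta"}
PROGRAM_ROOTS = [PureWindowsPath(r"C:\Program Files"),
                 PureWindowsPath(r"C:\Program Files (x86)"),
                 PureWindowsPath(r"C:\Windows")]


def _is_startup_folder(path: str) -> bool:
    parts = [p.lower() for p in PureWindowsPath(path).parent.parts]
    return parts[-3:] == ["start menu", "programs", "startup"]


def suspicious_startup_entries(listing) -> list:
    """listing: (path, shortcut_target_or_None) pairs from the per-user and
    all-users Startup folders. Reports executables or scripts dropped directly
    into Startup and .lnk files whose target is outside Program Files / Windows."""
    hits = []
    for path, target in listing:
        if not _is_startup_folder(path):
            continue
        ext = PureWindowsPath(path).suffix.lower()
        if ext in EXEC_EXT:
            hits.append({"path": path, "reason": "executable placed directly in Startup"})
        elif ext == ".lnk" and target and not _under_any(expand(target), PROGRAM_ROOTS):
            hits.append({"path": path, "reason": f"shortcut targets {expand(target)}"})
    return hits


# Constructed Startup-folder listing (the flagged names are invented, not IoCs).
USER_STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
ALL_STARTUP = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
SAMPLE_STARTUP = [
    (USER_STARTUP + r"\desktop.ini", None),
    (USER_STARTUP + r"\sysupd.exe", None),
    (ALL_STARTUP + r"\OneDrive.lnk", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"),
    (ALL_STARTUP + r"\Notes.lnk", r"C:\Users\alice\AppData\Local\Temp\notes.exe"),
]

if __name__ == "__main__":
    for hit in suspicious_global_modules(SAMPLE_APPHOST) + suspicious_startup_entries(SAMPLE_STARTUP):
        print(hit)
```

On a live server the same module inventory comes from `Get-WebGlobalModule` (WebAdministration module) or `appcmd.exe list modules`, and each image path should then be checked with `Get-AuthenticodeSignature`; the path rule here is deliberately the cheap first pass, because a module that is signed by Microsoft but registered from `C:\inetpub\temp` is still worth a ticket.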
The campaign, which spans from September 2017 to March 2024, illustrates a methodical and persistent approach to espionage. ESET believes with medium confidence that BladedFeline is a subgroup of OilRig (also known as APT34 or Hazel Sandstorm), citing code similarities and shared toolsets.
According to the researchers, the group's malware is designed for stealth: rather than opening conspicuous new channels, it blends into traffic the target already generates, such as HTTP to the organization's own web servers, where a backdoor running inside the server is invisible to network monitoring that only looks for unknown protocols. This makes baselining network behaviour over time, and keeping an authoritative inventory of the modules and services running on internet-facing servers, critical for detecting such covert operations.
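Baselining in practice means asking the logs two questions about every client-to-destination pair: is the spacing between requests too regular to be a human, and does anyone else in the estate talk to that destination. The script below is an added example written for this article, not code from ESET or from the campaign; the proxy log format and every log line are constructed (one host checking in over cleartext HTTP every minute with jitter, two hosts browsing irregularly, and a legitimate update poller that is periodic but shared and encrypted), and the thresholds are assumptions to tune against real traffic.

```python
"""Beacon hunting by baselining request intervals per (source, destination).

Added example for this article; not code from ESET's BladedFeline report.
The proxy log format and every log line below are constructed for the demo:
  <UTC timestamp> <client ip> <method> <host:port> <path> <status> <bytes>
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

FMT = "%Y-%m-%dT%H:%M:%SZ"
START = datetime(2024, 3, 1, 9, 0, 0)


def _series(src, dst, path, offsets):
    """Constructed log lines: one request per offset (seconds after START)."""
    return [f"{(START + timedelta(seconds=o)).strftime(FMT)} {src} GET {dst} {path} 200 512"
            for o in offsets]


SAMPLE_LOG = (
    # Constructed implant check-in: one host, cleartext HTTP, ~60 s with small jitter.
    _series("10.0.5.23", "203.0.113.7:80", "/update.php", [0, 61, 119, 180, 242, 298, 360, 421])
    # Constructed browsing: irregular gaps, so not periodic.
    + _series("10.0.5.23", "www.example.org:443", "/news", [12, 167, 303])
    + _series("10.0.5.40", "www.example.org:443", "/news", [90, 95, 400, 1100, 1160, 1900])
    # Constructed software-update poller: periodic, but shared by several hosts over TLS.
    + _series("10.0.5.23", "updates.example.net:443", "/check", [5, 305, 605, 905, 1205])
    + _series("10.0.5.40", "updates.example.net:443", "/check", [5, 305, 605, 905, 1205])
)


def parse(lines):
    for line in lines:
        ts, src, _method, dst, _path, _status, _bytes = line.split()
        yield datetime.strptime(ts, FMT), src, dst


def find_beacons(lines, min_hits=5, max_cv=0.2):
    """Return (src, dst) pairs whose request spacing is regular enough to be a beacon.

    Periodicity alone is a weak signal (update clients poll too), so each hit is
    scored with two baseline facts the log already holds: how many hosts in the
    estate talk to that destination, and whether the channel is cleartext (port 80),
    which matters here because Shahmaran does not encrypt its C&C traffic.
    """
    by_pair = defaultdict(list)
    hosts_per_dst = defaultdict(set)
    for ts, src, dst in parse(lines):
        by_pair[(src, dst)].append(ts)
        hosts_per_dst[dst].add(src)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")  # coefficient of variation
        if cv > max_cv:
            continue
        port = int(dst.rsplit(":", 1)[1])
        score = 1  # periodic
        if len(hosts_per_dst[dst]) == 1:
            score += 1  # nobody else in the estate talks to this destination
        if port == 80:
            score += 1  # cleartext channel: capture it, the payload is readable
        findings.append({"src": src, "dst": dst, "hits": len(stamps),
                         "period_s": round(avg, 1), "cv": round(cv, 3), "score": score})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

The update poller still surfaces with the lowest score, which is the point: the baseline is what separates "periodic" from "periodic, unique to one host, and in the clear", and it is the combination, not any single rule, that is worth an analyst's time.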
Strategic Motives: Iran’s Intelligence Goals in Iraq and Kurdistan
The assessment indicates that BladedFeline’s operations were driven by geopolitical strategy. The Kurdistan region’s oil reserves and diplomatic ties with Western governments make it a valuable target for Iranian surveillance. In Iraq, the goal may be to counterbalance Western influence, particularly in the aftermath of the U.S. military presence.
The length of the access suggests an intent not only to gather intelligence but potentially to influence or disrupt internal operations. The patience and the custom implants point toward state-sponsored intelligence gathering rather than short-term criminal activity or ransomware deployment.
ESET’s findings underscore the necessity for government and enterprise cybersecurity teams—especially those in high-value political or resource-rich regions—to enhance network visibility, monitor application behavior, and apply behavioral analytics to detect anomalies over time.
Espionage Without Alarms
BladedFeline’s nearly decade-long infiltration of critical networks in Iraq and Kurdistan exemplifies a high-stakes cyber espionage campaign driven by long-term strategic interests. The use of proprietary malware, stealthy backdoors, and obscure network paths has allowed the group to persist in its targets without raising alarms.
As threats from state-backed actors grow more complex and difficult to detect, cybersecurity experts are calling for increased cyber situational awareness, behavioral threat detection, and international intelligence sharing to uncover hidden adversaries operating in sensitive digital environments.