Iran-linked hackers target Kurdish and Iraqi officials in long-running cyberespionage campaign


A cyberespionage group with suspected ties to Iran has been targeting Kurdish and Iraqi government officials in a years-long campaign, according to a new report.

Researchers at the Slovak-based cybersecurity firm ESET attributed the activity to a threat actor dubbed BladedFeline, believed to be a subgroup of OilRig, a well-documented Iranian state-backed actor active since at least 2014.

According to ESET, BladedFeline has been operating since at least 2017, initially breaching systems belonging to the Kurdistan Regional Government (KRG). Since then, the hackers have continued to evolve their toolkit and expand their reach, targeting both the KRG and the central government of Iraq, as well as a telecommunications provider in Uzbekistan.

The group first came to ESET’s attention in 2023, when it deployed a simple backdoor known as Shahmaran against Kurdish diplomatic officials. The malware allowed remote attackers to upload and download files and execute commands on compromised devices.

Since then, ESET has identified two additional malicious tools linked to the group: Whisper and PrimeCache. Whisper communicates with attackers through email attachments sent via compromised Microsoft Exchange webmail accounts, while PrimeCache bears similarities to RDAT, a backdoor previously associated with OilRig.

While ESET could not confirm the initial intrusion vector in all cases, researchers believe BladedFeline may have gained access to Iraqi government systems by exploiting vulnerabilities in internet-facing servers, using a webshell called Flog to maintain control.

ESET warned that the group is likely to continue developing its malware arsenal to retain access to compromised systems for cyberespionage purposes.

“The KRG’s diplomatic relationship with Western nations, coupled with the oil reserves in the Kurdistan region, makes it an enticing target for Iran-aligned threat actors to spy on and potentially manipulate,” researchers said. 

“In Iraq, these threat actors are most probably trying to counter the influence of Western governments following the US invasion and occupation of the country.”

OilRig — also tracked as APT34 or Hazel Sandstorm — has previously targeted entities in the chemical, energy, finance, and telecom sectors across the Middle East. The group is known for using compromised organizations to conduct supply chain attacks on other government entities.

Last year, researchers warned that OilRig had stepped up its attacks against government agencies in the United Arab Emirates (UAE) and the broader Persian Gulf region, underscoring its “ongoing commitment” to exploiting vulnerabilities within critical infrastructure and government networks in geopolitically sensitive areas.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
