{
  "name": "BladedFeline: Whispering in the dark",
  "slug": "bladedfeline-whispering-in-the-dark",
  "description": "ESET researchers have uncovered a cyberespionage campaign conducted by BladedFeline, an Iran-aligned APT group likely tied to OilRig. The group has been targeting Kurdish and Iraqi government officials since at least 2017, using various malicious tools including reverse tunnels, backdoors, and a malicious IIS module. Key malware includes the Whisper backdoor, which communicates via compromised email accounts, and PrimeCache, a malicious IIS module with similarities to OilRig's RDAT backdoor. The campaign also targeted a telecommunications provider in Uzbekistan. BladedFeline's sophisticated tactics and tools indicate a focus on maintaining strategic access to high-ranking officials for espionage purposes.",
  "published": "2025-06-06T09:02:56+00:00",
  "created_at": "2025-06-06T09:02:56+00:00",
  "modified_at": "2025-06-08T14:53:11+00:00",
  "created_at_opencti": "2025-06-06T09:02:56+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-06-06",
    "apt",
    "backdoor",
    "iis malware",
    "oilrig",
    "shahmaran",
    "slippery snakelet",
    "whisper"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "dropper.agent.gi"
      },
      {
        "id": "",
        "name": "zaincell.store"
      },
      {
        "id": "",
        "name": "olinpa.com"
      }
    ],
    "intrusion_sets": [
      {
        "id": "49677cfe-245d-4770-a3dc-2331631dc3f4",
        "name": "BladedFeline",
        "slug": "bladedfeline"
      }
    ],
    "attack_patterns": [
      {
        "id": "415f839d-5ae7-41fb-92c3-090f3226055d",
        "name": "T1586.002"
      },
      {
        "id": "d19f56ca-5ce8-4bd1-af90-7d83e394470c",
        "name": "T1583.001"
      },
      {
        "id": "1eef7f88-3992-4add-899e-a7cc9fcdd5b3",
        "name": "T1569.002"
      },
      {
        "id": "7671fe3e-6a85-463e-928d-16117d2f4f9b",
        "name": "T1059.006"
      },
      {
        "id": "14660ccf-ca6b-42f6-8bca-e1b7a04650b3",
        "name": "T1573.001"
      },
      {
        "id": "1e043fe4-2413-4b8e-887c-0fe45d095a24",
        "name": "T1583"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Telecommunications"
      },
      {
        "id": "",
        "name": "Government"
      },
      {
        "id": "",
        "name": "domain.computer"
      }
    ]
  },
  "external_refs": [
    "https://www.welivesecurity.com/en/eset-research/bladedfeline-whispering-dark/#iocs",
    "https://otx.alienvault.com/pulse/6842cae058bebf5552345481"
  ]
}