Iranian Cyberespionage Targets Iraqi Government Officials

Iranian Cyberespionage Targets Iraqi Government Officials

First seen 13 May 2026, 14:55 UTC research.checkpoint.comwww.welivesecurity.com 74% similarity 75.5

Article Content

Browse articles
ThreatCluster

In 2024, Iranian APT group BladedFeline launched a cyber campaign against Kurdish and Iraqi government officials, utilizing advanced malware tools including the Shahmaran backdoor and the Whisper backdoor. The attacks exploited compromised email accounts for command and control, indicating deep infiltration into the victims' networks. The malware employed unique C2 mechanisms, including DNS tunneling and email-based channels, suggesting connections to APT34. The campaign has been ongoing, with Check Point Research reporting on the use of double-extension files for initial infection. The tools used in this campaign show similarities to those associated with other Iranian threat actors, indicating a coordinated effort. The scope of the impact includes ongoing access to sensitive governmental communications and data. ESET researchers have assessed that BladedFeline is likely a subgroup of the OilRig APT group, which has been active in the region since at least 2017. The current status of the campaign remains active, with continued monitoring required.

Key Points: • BladedFeline, an Iranian APT group, targets Kurdish and Iraqi officials with advanced malware. • The campaign utilizes unique command and control methods, including DNS tunneling and email exploitation. • ESET links BladedFeline to the OilRig APT group, indicating a broader Iranian cyber espionage strategy.

ThreatCluster AI

Timeline

2023-01-01
Discovery of BladedFeline APT group
ESET researchers identified BladedFeline after it targeted Kurdish diplomatic officials with the Shahmaran backdoor.
www.welivesecurity.com
2024-03-01
Initial infection observed
Check Point Research reported infections starting with double-extension files and social engineering tactics targeting Iraqi government.
research.checkpoint.com
2024-05-01
Malware toolset identified
The custom toolset used in the campaign includes the Whisper backdoor and malicious IIS modules, indicating sophisticated capabilities.
www.welivesecurity.com
2024-05-01
C2 mechanisms detailed
The malware employs unique command and control methods, including DNS tunneling and email-based channels.
research.checkpoint.com

Community

Browse all →