Back

Iranian Cyberespionage Targets Iraqi Government Officials

Severity: High (Score: 75.5)

Sources: www.welivesecurity.com, research.checkpoint.com

Summary

In 2024, Iranian APT group BladedFeline launched a cyber campaign against Kurdish and Iraqi government officials, utilizing advanced malware tools including the Shahmaran backdoor and the Whisper backdoor. The attacks exploited compromised email accounts for command and control, indicating deep infiltration into the victims' networks. The malware employed unique C2 mechanisms, including DNS tunneling and email-based channels, suggesting connections to APT34. The campaign has been ongoing, with Check Point Research reporting on the use of double-extension files for initial infection. The tools used in this campaign show similarities to those associated with other Iranian threat actors, indicating a coordinated effort. The scope of the impact includes ongoing access to sensitive governmental communications and data. ESET researchers have assessed that BladedFeline is likely a subgroup of the OilRig APT group, which has been active in the region since at least 2017. The current status of the campaign remains active, with continued monitoring required. Key Points: • BladedFeline, an Iranian APT group, targets Kurdish and Iraqi officials with advanced malware. • The campaign utilizes unique command and control methods, including DNS tunneling and email exploitation. • ESET links BladedFeline to the OilRig APT group, indicating a broader Iranian cyber espionage strategy.

Key Entities

  • Apt34 (apt_group)
  • BladedFeline (apt_group)
  • Europium (apt_group)
  • Hazel Sandstorm (apt_group)
  • Hexane (apt_group)
  • Malware (attack_type)
  • DNSpionage (campaign)
  • HardPass (campaign)
  • MrPerfectionManager (campaign)
  • PowerExchange (campaign)
  • Government Of Iraq (company)
  • Iraqi Government (company)
  • Mango (company)
  • Bahrain (country)
  • Iran (country)
  • Iraq (country)
  • Israel (country)
  • Lebanon (country)
  • agent.bi (domain)
  • dropper.agent.gi (domain)
  • gov-iq.net (domain)
  • tiny.gl (domain)
  • Chemical (industry)
  • Energy (industry)
  • Government (industry)
  • Healthcare (industry)
  • Telecommunications (industry)
  • CacheHttp (malware)
  • Flog (malware)
  • GreenBug (malware)
  • Hawking Listener (malware)
  • Karkoff (malware)
  • 4CC88CE123B0DA8D75C0FE66A39339F6 (md5)
  • T1021.004 - SSH (mitre_attack)
  • T1036 - Masquerading (mitre_attack)
  • T1059.001 - PowerShell (mitre_attack)
  • T1071.003 - Mail Protocols (mitre_attack)
  • T1071.004 - DNS (mitre_attack)
  • IIS (platform)
  • Microsoft Exchange (platform)
  • Windows (platform)
  • 562E1678EC8FDC1D83A3F73EB511A6DDA08F3B3D (sha1)
  • BE0AD25B7B48347984908175404996531CFD74B7 (sha1)
  • PowerShell (tool)
  • PyInstaller (tool)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed