BladedFeline Exploits Whisper and PrimeCache to Breach IIS and Microsoft Exchange Servers


ESET researchers have uncovered a series of malicious tools deployed by BladedFeline, an Iran-aligned advanced persistent threat (APT) group, targeting Kurdish and Iraqi government officials.

Active since at least 2017, BladedFeline has been linked with medium confidence to the notorious OilRig APT group, known for cyberespionage across the Middle East.

Sophisticated Cyberespionage Campaign

The group’s latest arsenal, discovered in 2024, includes the Whisper backdoor and the PrimeCache malicious IIS module, which exploit Microsoft Exchange servers and Internet Information Services (IIS) to maintain persistent access to compromised systems.

[Figure: Basic operational flow of Whisper]

This campaign not only highlights BladedFeline’s evolving technical prowess but also underscores the strategic importance of their targets, including the Kurdistan Regional Government (KRG), Iraqi government officials, and a telecommunications provider in Uzbekistan.

Delving into the technical underpinnings, the Whisper backdoor operates by infiltrating Microsoft Exchange servers through compromised webmail accounts, using email attachments as a ...


Copyright of this story solely belongs to gbhackers.