BladedFeline
Intelligence Profile
BladedFeline is an Iran-aligned APT group that has been active since at least 2017, targeting Iraqi and Kurdish government officials for cyberespionage. The group employs a variety of tools, including the Shahmaran backdoor, Whisper, and PrimeCache, which is a malicious IIS module. BladedFeline utilizes techniques such as spearphishing (T1566), exploiting public-facing applications (T1190), and timestomping to maintain access and exfiltrate data. The group is assessed with medium confidence to be a subgroup of OilRig, focusing on strategic access to high-ranking officials in the region.
Threat Analysis
BladedFeline is a advanced-sophistication threat actor attributed to Iran, engaged in cyber operations with a primary motivation of espionage.
The group's espionage-oriented operations suggest a state-sponsored or state-aligned mandate, typically focused on stealing intellectual property, government secrets, or military intelligence. Targets are usually selected for strategic value rather than financial gain.
Classified as an advanced threat actor, BladedFeline likely develops or acquires zero-day exploits, employs custom malware toolchains, and demonstrates long-term persistence capabilities — hallmarks of a well-resourced operation consistent with nation-state backing.
Known Campaigns
BladedFeline is a espionage threat actor attributed to Iran. BladedFeline is an Iran-aligned APT group that has been active since at least 2017, targeting Iraqi and Kurdish government officials for cyberespionage. The group employs a variety of tools, including the Shahmaran backdoor, Whisper, and PrimeCache, which is a malicious IIS modul...