An Iranian hacking group has been linked to a new set of cyberattacks aimed at Kurdish and Iraqi government officials in early 2024.
The activity has been attributed to a threat group that ESET tracks as BladedFeline, which it assesses with medium confidence to be a sub-cluster within OilRig, an Iranian nation-state cyber actor affiliated with the Ministry of Intelligence and Security (MOIS). The group is said to have been active since September 2017, when it targeted officials associated with the Kurdistan Regional Government (KRG).
“This group develops malware to maintain and expand access within organizations in Iraq and the KRG,” the Slovak cybersecurity company said in a technical report shared with The Hacker News.
“BladedFeline has consistently worked to maintain illicit access to Kurdish diplomatic officials, while also exploiting a regional telecommunications provider in Uzbekistan, and developing and maintaining access to Iraq’s government.”
BladedFeline was first documented by ESET in May 2024, as part of its APT Activity Report for Q4 2023 – Q1 2024, which detailed the adversary’s attacks on Kurdish government organizations in Iraq and its targeting of an Uzbek telecommunications provider, which may have been compromised as early as May 2022.
The group was discovered in 2023 following attacks aimed at Kurdish diplomatic officials with Shahmaran, a simple backdoor that checks in with a remote server and executes any commands provided by the operator on the infected host to upload or download files, list specific files, and perform file manipulation.
Then, last November, the cybersecurity firm said the hacking group was orchestrating attacks on Iran’s neighbors, in particular regional and government entities in Iraq, as well as Iraqi diplomatic missions in various countries, using custom backdoors such as Whisper (aka Veaty), Spearal and Optimizer.
“BladedFeline has invested significant resources in collecting diplomatic and financial information from Iraqi organizations, which indicates that Iraq plays a major role in the strategic objectives of the Iranian government,” ESET said in November 2024.
While the exact initial access vector used to breach the KRG victims is unclear, the threat actors are believed to have exploited a vulnerability in an internet-facing application to infiltrate Iraqi government networks and deploy the Flog web shell to maintain persistent remote access.
Figure: Whisper internals
The broad range of backdoors underscores BladedFeline’s commitment to refining its malware arsenal. Whisper is a C#/.NET backdoor that logs into a compromised webmail account on a Microsoft Exchange server and uses it to communicate with the attackers via email attachments. Spearal is a .NET backdoor that uses DNS tunneling for command-and-control communication.
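The DNS-tunneling command-and-control described for Spearal above is the kind of traffic a defender can hunt for in resolver logs. As an added example (not code from ESET’s report or from the malware), a small Python heuristic that flags clients issuing repeated long, high-entropy subdomain queries to a single base domain; the log lines, domain names and thresholds are all constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed sample of resolver log entries as (client IP, queried name).
# The tunnel-like names and the "lookup-cache.test" domain are made up.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "a3f9c1e2b7d4.x9k2.lookup-cache.test"),
    ("10.0.0.7", "8c1d0e4f6a2b.x9k2.lookup-cache.test"),
    ("10.0.0.7", "5e7a9b3c2d1f.x9k2.lookup-cache.test"),
    ("10.0.0.7", "0b2c4d6e8f1a.x9k2.lookup-cache.test"),
    ("10.0.0.9", "cdn.example.org"),
]

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def base_domain(name: str) -> str:
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])

def score_query(name: str) -> dict:
    """Length and entropy of everything left of the base domain."""
    labels = name.rstrip(".").split(".")
    sub = ".".join(labels[:-2])
    return {"sub_len": len(sub), "entropy": shannon_entropy(sub.replace(".", ""))}

def detect_tunneling(queries, min_unique=3, min_sub_len=12, min_entropy=3.0):
    """Return (client, base_domain) pairs with >= min_unique distinct queries
    whose subdomain part is both long and high-entropy. Thresholds are
    illustrative starting points, not tuned values."""
    buckets = defaultdict(set)
    for client, name in queries:
        s = score_query(name)
        if s["sub_len"] >= min_sub_len and s["entropy"] >= min_entropy:
            buckets[(client, base_domain(name))].add(name)
    return sorted(k for k, v in buckets.items() if len(v) >= min_unique)

if __name__ == "__main__":
    for client, domain in detect_tunneling(SAMPLE_QUERIES):
        print(f"possible DNS tunnel: {client} -> {domain}")
```

Legitimate CDNs and some security products also emit long random-looking labels, so treat hits as triage candidates to be checked against the base domain’s reputation and query volume.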
Select attacks observed in December 2023 also involved the deployment of a Python implant called Slippery Snakelet, which comes with limited capabilities to execute commands via “cmd.exe”, download files from an external URL, and upload files.
Also characteristic of BladedFeline is its use of various tunneling tools, such as Laret and Pinar, to maintain access to targeted networks, alongside RDAT, a backdoor used by the OilRig APT.
PrimeCache, a passive backdoor, works by monitoring incoming HTTP requests that match a predefined header structure in order to process commands issued by the attacker and exfiltrate data.
It is this aspect, combined with the fact that two OilRig tools, RDAT and a codenamed reverse tool, were found on a compromised KRG system in September 2017 and January 2018, respectively, that has led ESET to assess BladedFeline as a sub-cluster of OilRig, with Lyceum assessed to be another such sub-cluster.
The OilRig connection is further reinforced by a September 2024 report from Check Point, which attributed to the Iranian hacking group the infiltration of Iraqi government networks and their infection with Whisper and Spearal, likely by means of social engineering.
ESET said it also identified a malicious artifact named Hawking Listener that was uploaded to VirusTotal in March 2024 by the same party that uploaded Flog. Hawking Listener is an early-stage implant that listens on a designated port to execute commands via “cmd.exe”.
“BladedFeline focuses on the KRG and the GoI (Government of Iraq) for cyber espionage purposes, with an eye toward maintaining strategic access to high-ranking officials in both governmental organizations,” the company concluded.
“The KRG’s diplomatic relations with Western countries, combined with the oil reserves in the Kurdistan region, make it an enticing target for Iran-aligned threat actors to spy on and potentially manipulate.”