{
	"id": "0bd91bd6-cc58-4d6a-8bc6-6bcca97cc65d",
	"created_at": "2026-04-06T00:18:11.762089Z",
	"updated_at": "2026-04-10T13:12:47.086254Z",
	"deleted_at": null,
	"sha1_hash": "e93801d881b30930f09b885a17eb3462d1d3f099",
	"title": "BladedFeline: Whispering in the dark",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1044023,
	"plain_text": "BladedFeline: Whispering in the dark\r\nBy ESET Research\r\nArchived: 2026-04-05 15:09:19 UTC\r\nIn 2024, ESET researchers discovered several malicious tools in the systems used by Kurdish and Iraqi government\r\nofficials. The APT group behind the attacks is BladedFeline, an Iranian threat actor that has been active since at least\r\n2017, when it compromised officials within the Kurdistan Regional Government (KRG). This group develops malware\r\nfor maintaining and expanding access within organizations in Iraq and the KRG. While this is our first blogpost covering\r\nBladedFeline, we discovered the group in 2023, after it targeted Kurdish diplomatic officials with the Shahmaran\r\nbackdoor, and previously reported on its activities in ESET APT Activity reports Q4 2023-Q1 2024 and Q2 2024-Q3\r\n2024.\r\nThe array of tools utilized in the recent campaign shows that since deploying Shahmaran, BladedFeline has continued to\r\ndevelop its arsenal. We found two reverse tunnels, a variety of supplementary tools, and most notably, a backdoor that we\r\nnamed Whisper and a malicious IIS module we dubbed PrimeCache. Whisper is a backdoor that logs into a compromised\r\nwebmail account on a Microsoft Exchange server and uses it to communicate with the attackers via email attachments.\r\nPrimeCache also serves as a backdoor: it is a malicious IIS module related to what we referred to as Group 2 in our 2021\r\npaper Anatomy of native IIS malware. Significantly, PrimeCache also bears similarities to the RDAT backdoor used by\r\nthe Iran-aligned OilRig APT group.\r\nBased on these code similarities, as well as on further evidence presented in this blogpost, we assess with medium\r\nconfidence that BladedFeline is a subgroup of OilRig, an Iran-aligned APT group going after governments and businesses\r\nin the Middle East. We have previously reported on other activity linked to OilRig. 
To avoid confusion, we have since\r\nrefined our OilRig tracking, and we now track both of those operations under a separate subgroup – Lyceum – within\r\nOilRig.\r\nBladedFeline has worked consistently to maintain illicit access to Kurdish diplomatic officials, while simultaneously\r\nexploiting a regional telecommunications provider in Uzbekistan, and developing and maintaining access to officials in\r\nthe government of Iraq. This blogpost details the technical aspects of the initial implants delivered to BladedFeline’s\r\ntargets, the links between the victims, and lays the groundwork for associating this subgroup with OilRig.\r\nKey points of the blogpost:\r\nBladedFeline compromised officials within the Kurdistan Regional Government at least as early as\r\n2017.\r\nThe initial implants used there can be traced back to OilRig.\r\nWe discovered BladedFeline after its operators compromised Kurdish diplomatic officials with the\r\ngroup’s Shahmaran signature backdoor in 2023.\r\nThis APT group has also infiltrated high-ranking officials within the government of Iraq.\r\nWe assess with medium confidence that BladedFeline is a subgroup within OilRig.\r\nWe analyze two reverse tunnels (Laret and Pinar), a backdoor (Whisper), a malicious IIS module\r\n(PrimeCache), and various supplementary tools.\r\nBladedFeline overview\r\nhttps://www.welivesecurity.com/en/eset-research/bladedfeline-whispering-dark/\r\nPage 1 of 21\n\nBladedFeline is an Iran-aligned cyberespionage group, active since at least 2017 according to ESET telemetry. We\r\ndiscovered the group in 2023 when it deployed its Shahmaran backdoor against Kurdish diplomatic officials. Shahmaran,\r\nnamed after a mythical half-snake, half-woman creature from Iranian folklore, is a 64-bit portable executable that we\r\nfound in the target’s Startup directory. This simple backdoor doesn’t use any compression or encryption for network\r\ncommunications. 
After checking in with the C\u0026C server, the backdoor executes any operator commands provided, which\r\ninclude uploading and downloading additional files, requesting specific file attributes and providing a file and directory\r\nmanipulation API.\r\nAs evidenced by the campaign toolset we describe in this blogpost, since deploying Shahmaran, BladedFeline has\r\ncontinued to develop its malware in order to retain and even further extend its access to the KRG and to high levels\r\nwithin the government of Iraq (GOI). We uncovered the campaign in 2024 after finding BladedFeline’s Whisper\r\nbackdoor, PrimeCache IIS backdoor, and a set of post-compromise tools in the networks of Kurdish diplomatic officials,\r\nIraqi government officials, and a regional telecommunications provider in Uzbekistan.\r\nWe detected and collected one version of Whisper and found another on VirusTotal, uploaded by a user in Iraq. They are\r\nvirtually identical, and we were able to determine the likely identity of the VirusTotal uploader, based on data in the\r\nWhisper sample and other samples uploaded under the same submitter ID. PrimeCache, Flog (a webshell), and Hawking\r\nListener (an early-stage implant that listens on a specified port) were all uploaded to VirusTotal by the same submitter ID\r\nwho uploaded the Whisper samples. Based on the Whisper link and the close timeframe (both were uploaded within a\r\nmatter of minutes) we believe it was deployed by BladedFeline to a victim in Iraq’s government. 
Some of the tools\r\nmentioned below in the Timeline are discussed later in the report (e.g., Slippery Snakelet).\r\nTimeline\r\n2017-09-21 ● VideoSRV reverse shell on KRG system\r\n |\r\n2018-01-30 ● RDAT backdoor on KRG system\r\n |\r\n2019-07-09 ● Custom Plink on KRG system\r\n |\r\n2021-05-01 ● Sheep Tunneler on KRG system\r\n |\r\n2023-01-23 ● LSASS dumped on KRG system\r\n |\r\n2023-02-01 ● Shahmaran backdoor on KRG system\r\n |\r\n2023-03-25 ● First victim targeted at a telecommunications company in Uzbekistan\r\n |\r\n2023-06-12 ● Shahmaran version 2 on KRG system for access maintenance\r\n |\r\n2023-12-14 ● BladedFeline operators executing CLI commands on KRG system\r\n |\r\n2023-12-16 ● Slippery Snakelet backdoor on KRG system\r\n |\r\n2023-12-20 ● P.S. Olala (a PowerShell executor) on KRG system\r\n |\r\n2023-12-20 ● PsExec on KRG system\r\n |\r\n2024-01-07 ● Whisper backdoor on KRG system\r\n |\r\n2024-02-01 ● Laret reverse tunnel on KRG system\r\n |\r\n2024-02-20 ● Pinar reverse tunnel on KRG system\r\n |\r\n2024-02-29 ● PrimeCache malicious IIS module uploaded to VirusTotal\r\n |\r\n2024-03-11 ● Whisper version 2, Flog, and Hawking Listener uploaded to VirusTotal\r\nAttribution\r\nOur attribution of this campaign to BladedFeline is based on the following:\r\nThe campaign targets members of the KRG, as have previous attacks conducted by BladedFeline.\r\nThe original attack activity targeting the KRG organization allowed us to identify successive malware, as\r\nBladedFeline has attempted to maintain and expand access to the organization.\r\nFurther analysis of the attacks led us to identify the telecommunications victim in Uzbekistan.\r\nAt the same time, looking into the Whisper backdoor helped us identify the GOI victim.\r\nWe assess that BladedFeline is targeting the KRG and the GOI for cyberespionage purposes, with an eye toward\r\nmaintaining strategic 
access to high-ranking officials in both governmental entities. The KRG’s diplomatic relationship\r\nwith Western nations, coupled with the oil reserves in the Kurdistan region, makes it an enticing target for Iran-aligned\r\nthreat actors to spy on and potentially manipulate. In Iraq, these threat actors are most probably trying to counter the\r\ninfluence of Western governments following the US invasion and occupation of the country.\r\nWe believe with medium confidence that BladedFeline is a subgroup of OilRig:\r\nAs does OilRig, BladedFeline targets organizations in the Middle East with the purpose of cyberespionage.\r\nWe have found OilRig tools (VideoSRV and RDAT) in a compromised KRG system.\r\nBladedFeline’s malicious IIS module PrimeCache shares code similarities with OilRig’s RDAT.\r\nBladedFeline is not the only subgroup of OilRig that we are monitoring: we have already been tracking Lyceum, also\r\nknown as HEXANE or Storm-0133, as another OilRig subgroup. Lyceum focuses on targeting various Israeli\r\norganizations, including governmental and local governmental entities and organizations in healthcare. Major tools we\r\nattribute to Lyceum include DanBot, the Shark, Milan, and Marlin backdoors, Solar and Mango, OilForceGTX, and a\r\nvariety of downloaders using legitimate cloud services for C\u0026C communication.\r\nWe will continue to use the name OilRig to refer to the parent group, also known as APT34 or Hazel Sandstorm (formerly\r\nEUROPIUM). OilRig is a cyberespionage group that has been active since at least 2014 and is commonly believed to be\r\nbased in Iran. The group targets Middle Eastern governments and a variety of business verticals, including chemical,\r\nenergy, finance, and telecommunications. 
Notable OilRig campaigns include the 2018 and 2019 DNSpionage campaign,\r\ntargeting victims in Lebanon and the United Arab Emirates; the 2019–2020 HardPass campaign, using LinkedIn to target\r\nMiddle Eastern victims in the energy and government sectors; the 2020 attack against a telecommunications organization\r\nin the Middle East using the RDAT backdoor; and the 2023 attacks targeting organizations in the Middle East with the\r\nPowerExchange and MrPerfectionManager backdoors.\r\nOilRig tools used by BladedFeline\r\nWe have found two OilRig tools on the KRG machines compromised by BladedFeline.\r\nRDAT\r\nWe discovered a previously unreported version of the OilRig backdoor RDAT on two KRG victim systems. Analyzing\r\nRDAT, we found that the operational flow (see Unit 42’s report for specifics), compilation timestamp (2017-12-26\r\n10:49:35), and file write time (2018-01-30) align with OilRig activity and targeting, particularly with regard to the\r\ngroup’s 2017 activity. We observed a file with an SHA-1 of 562E1678EC8FDC1D83A3F73EB511A6DDA08F3B3D and\r\na path of C:\\Windows\\System32\\LogonUl.exe on both systems. The PDB path also corroborates that this binary is RDAT:\r\nC:\\Users\\Void\\Desktop\\RDAT\\client\\x64\\Release\\client.pdb. To date, we have only ever observed RDAT in use by\r\nOilRig. Moreover, we have not seen any custom implant sharing between OilRig and other Middle Eastern groups, and it\r\nseldom occurs between Iran-aligned threat actors.\r\nFurther bolstering the case that BladedFeline is an OilRig subgroup, as with Lyceum, is the analysis linking RDAT with\r\nPrimeCache, a malicious IIS module that was uploaded to VirusTotal presumably by the GOI victim. 
This link is explored\r\nin more depth in the Links with OilRig section of the blogpost.\r\nVideoSRV\r\nOne additional data point on the OilRig and BladedFeline connection is a reverse shell deployed to one of the KRG\r\nvictims (September 21st, 2017) prior to RDAT getting dropped on the same system (January 30th, 2018). VideoSRV\r\n(SHA-1: BE0AD25B7B48347984908175404996531CFD74B7), so named for its filename videosrv.exe, has the PDB\r\nstring C:\\Users\\v0id\\Desktop\\reverseShell\\clientProxy\\x64\\Release\\ConsoleApplication1.pdb, which bears some\r\nsimilarities to the RDAT PDB string C:\\Users\\Void\\Desktop\\RDAT\\client\\x64\\Release\\client.pdb.\r\nTechnical analysis\r\nInitial access\r\nIt is still unclear how BladedFeline is developing access to its victims. What we know is that in the case of the KRG\r\nvictims, the threat actors obtained access at least as far back as 2017 and have maintained it ever since. As for the GOI\r\nvictims, we suspect that the group exploited a vulnerability in an application on an internet-facing web server, which\r\nallowed them to deploy the Flog webshell.\r\nToolset\r\nPrimeCache – malicious IIS module\r\nPrimeCache, whose name we derived from the RTTI AVRSAPrimeSelector and its filename (cachehttp.dll), is a passive\r\nbackdoor implemented as a native IIS module with an internal name of HttpModule.dll. It was uploaded to VirusTotal by\r\nthe same user who uploaded one of the Whisper backdoor samples. It is a 64-bit C++ DLL with a compilation timestamp\r\nof 2023-05-14 06:55:52 and has a minimized PDB string of just HttpModule.pdb. It has a single export: RegisterModule.\r\nPrimeCache is a successor to a collection of unattributed IIS backdoors that we have previously reported as Group 2\r\n(simple IIS backdoors) in our 2021 blogpost, Anatomy of native IIS malware. We obtained those original samples from\r\nVirusTotal where they were uploaded by users from Bahrain, Israel, and Pakistan, between 2018 and 2020. 
Based solely\r\non the location of the presumed victims, it is possible that those cases were also related to BladedFeline – or, more\r\nbroadly, OilRig – activities.\r\nMain functionality\r\nPrimeCache’s main functionality is implemented in the CGlobalModule::OnGlobalPreBeginRequest handler. This is a\r\nunique implementation, differing from its predecessors, which used the CHttpModule::OnBeginRequest handler.\r\nPrimeCache filters incoming HTTP requests, only processing those from the BladedFeline operators, which are\r\nrecognized by having a cookie header with the structure:\r\nF=\u003ccommand_ID\u003e,\u003cparam\u003e;\r\nNote that this value can be standalone or embedded into a longer cookie, surrounded by semicolon (;) characters.\r\nThe backdoor works in an unusual way (new with this version as compared with our 2021 analysis). Rather than\r\naccepting a backdoor command and all its parameters within a single HTTP request, each action is split into multiple\r\nrequests. First, the BladedFeline operator sends an individual request for each single parameter; these parameters are\r\nstored in a global structure. Then the operator sends another request to trigger the backdoor command. Finally,\r\nPrimeCache uses the previously received parameters to execute the specified action, and then clears the cached\r\nparameters.\r\nOperator commands\r\nThere are three types of requests that can be received by the backdoor, as shown in Table 1.\r\nTable 1. 
PrimeCache operator commands\r\n\u003ccommand_ID\u003e | Parameter | Description\r\n1 | Format: \u003ckey\u003e=\u003cvalue\u003e | Clears the list of previously stored parameters and adds the new value. Most parameters are encrypted; see Encryption below.\r\n0 | Not used. | Triggers the backdoor action, using previously transmitted backdoor parameters.\r\nOther | Format: \u003ckey\u003e=\u003cvalue\u003e | Adds the specified value to the list of stored parameters (doesn’t clear the list). Most parameters are encrypted; see Encryption below.\r\nOnce the action is triggered (via \u003ccommand_ID\u003e=0), PrimeCache performs an action, based on the previously obtained\r\nparameters, as shown in Table 2. One note on the chart below:\r\nThe PrimeCache action is operator command (OpCom) a, the session key is OpCom k, binary data is OpCom b, and the\r\nfilename is OpCom f.\r\nTable 2. PrimeCache post-operator command actions\r\nPrimeCache action | Session key | Binary data | Filename | Command description | Return value\r\nr | RSA-encrypted session key | AES-encrypted command line | Null | Runs the specified command via popen. | Command output\r\nr2 | RSA-encrypted session key | AES-encrypted command line | Null | Runs the specified command via CreateProcessW. | Command output\r\nr3 | RSA-encrypted session key | AES-encrypted command line | Null | (Presumably) runs the specified command by sending it to another (unknown) process via the named pipe \\\\.\\pipe\\iis, then reads (presumably) the command output from the same pipe. | Command output\r\nu | RSA-encrypted session key | AES-encrypted file content | Local filename | Creates a local file with the specified name and content. | OK\r\nd | RSA-encrypted session key | Null | Local filename | Exfiltrates the given file from the compromised IIS server. | File content\r\nEncryption\r\nSimilar to its predecessors, PrimeCache uses both RSA and AES-CBC for its C\u0026C communication. 
The parameters and\r\nthe return values are always AES-CBC encrypted using the session key, then base64 encoded. The session key is RSA\r\nencrypted; the backdoor has a hardcoded private and public RSA key (not a pair) to handle both directions of the\r\ncommunication.\r\nA statically linked Crypto++ library is used to handle the encryption and decryption operations.\r\nC\u0026C communications\r\nOperator commands are transmitted in the cookie header (another deviation from earlier versions, which used the URL or\r\nthe HTTP request body). PrimeCache responses are added to the HTTP response body. If a file is being exfiltrated, the\r\nContent-Type header is set to attachment, matching the functionality of the previous versions.\r\nThe PrimeCache predecessors also used the same encryption scheme, and similar parameter names (a, c, f, k), but all were\r\nsent to the backdoor in a single request. The only supported commands were r, u, and d.\r\nLinks with OilRig\r\nWhen we compare PrimeCache with RDAT, as described in the RDAT attribution subsection, we see several similarities\r\nthat support our supposition that BladedFeline is a subgroup of OilRig.\r\nBoth RDAT and PrimeCache use the Crypto++ library, and both parse the backdoor commands using the regular\r\nexpression [^,]+.\r\nThe payload attempts to parse the decrypted cleartext using the regular expression [^,]+ to get the command\r\nvalue and the command arguments that are split with a comma.\r\nBoth share a function, shown in Figure 1, that executes a shell command and reads the output, which, across our\r\ncorpus, is found only in these two pieces of malware.\r\nFigure 1. 
A unique function to execute a shell command, shared between RDAT (left) and PrimeCache\r\nbackdoors (right)\r\nWhisper backdoor\r\nWhisper is a 32-bit Windows binary written in C#/.NET, named after its PDB strings\r\nG:\\csharp\\Whisper_Trojan_winform\\Whisper_Trojan_winform\\Whisper_Trojan_winform\\obj\\Release\\Veaty.pdb and\r\nZ:\\csharp\\Whisper_Trojan_winform_for_release\\Whisper_Trojan_winform\\Whisper_Trojan_winform\\obj\\Release\\Veaty.pdb.\r\nIt uses a Microsoft Exchange server to communicate with the attackers by sending email attachments via a compromised\r\nwebmail account. We have seen two versions of the backdoor: we detected and collected one version, and the other was uploaded\r\nto VirusTotal from Iraq. These samples are virtually identical, but we were able to determine the likely identity of the\r\nVirusTotal uploader based on data in the Whisper sample and other samples uploaded by that user.\r\nBoth these versions of Whisper have timestomped compilation timestamps (2090-04-11 23:38:14 and 2080-12-11\r\n03:50:47). They are built using Costura, presumably to ensure that the victim’s system uses the DLLs packaged with the\r\nbinary and not DLLs in the Global Assembly Cache.\r\nWhisper’s operation is not the first time we have observed an OilRig subgroup using cloud services for its C\u0026C protocol.\r\nWhile, unlike with Whisper, there were no emails actually being sent, Lyceum used email drafts for communication\r\nbetween its malware and operators throughout 2022, as we described in a previous blogpost.\r\nOperational workflow\r\nWhisper does not require or accept any arguments. Instead, its dropper – which we dubbed Whisper Protocol after its\r\nfilename, Protocol.pdf.exe – writes its configuration file to disk alongside it (see the Whisper Protocol section). The\r\nconfig file, shown in Figure 2, is in XML format with its key and value strings base64 encoded. 
It is called by the Specs\r\nclass of Whisper, which uses a function – DelockItems – to base64 decode the config variables.\r\nFigure 2. Whisper configuration file with its base64-encoded elements (left) and decoded (right)\r\nFigure 3 shows the operational flow of Whisper, which we detail in the following paragraphs.\r\nFigure 3. Basic operational flow of Whisper\r\nWhisper’s operational flow can be broken down into seven steps:\r\nIn Step 1, Whisper uses the credentials from the config file (line 15 in Figure 2) and the Microsoft Exchange Web\r\nServices class ExchangeService to attempt to log into compromised webmail accounts. Once Whisper successfully logs\r\ninto an account, it saves the credentials in memory and writes the following to the log file\r\nc:\\Windows\\Temp\\WindowsEventLogs.txt:\r\n------------ ItemContext is set: username [\u003cusername\u003e] , use_defaultCred: [credentials\u003e]\r\nIf no credentials in the config file are valid, Whisper logs the following error messages to the log file:\r\n---------------------------------- there was No Way to access any MailBox.\r\n__________ Extraction function is called.\r\nIf an unexpected error is caught, Whisper writes the following to the log file (note the misspelling of the word happened,\r\nindicative of a non-native English speaker) and exits using the Environment.Exit(Int32) method. Strangely, the exitCode\r\nused, 0, indicates that the process completed successfully.\r\n----------------------------------__ an unknown Exception happend. program turned off\r\nNext, in Step 2, Whisper uses the credentials from the previous step to check for inbox rules using the\r\nExchangeService.GetInboxRules method (which [r]etrieves a collection of Inbox rules that are associated with the\r\nspecified user). 
Using the value in line 13 of the configuration file (key=\"receive_sign\", value=\"PMO\"), Whisper iterates\r\nover the inbox rules looking for that value to be specified in one of three places: subject, body, or subjectorbody and for\r\nemails matching that value to be sent to a specified location (deleteditems or inbox, depending on the version of\r\nWhisper). If the inbox has such a rule, Whisper goes to the next step; otherwise, Whisper creates a rule with the given\r\nparameters:\r\nRule name: MicosoftDefaultRules.\r\nMove to folder: deleteditems or inbox.\r\nOne version of Whisper specifies the deleteditems folder; the other points to the inbox. Both are hardcoded\r\nin the separate binaries.\r\nMark as read: true.\r\nCondition: subject contains PMO.\r\nThe location to look for the string, subject, is hardcoded in both versions of Whisper. The string to look for,\r\nPMO, is in the configuration file used by Whisper; we were unable to collect the other configuration file.\r\nIn Step 3, Whisper initiates a never-ending do loop that sends a check-in email message from the compromised email\r\naccount in Step 1 to an email address specified in the configuration file (line 16, key=\"alive_mail\"). The check-in\r\nmessage is sent every 10 hours (line 10 in the configuration file, key=\"al_time\"; in minutes), the subject (line 17,\r\nkey=\"alive_msg_subj\") is Content, and the message body contains the string defined below:\r\n\"Content ID: \" + base64_encode(\"COMPUTERNAME:USERDNSDOMAIN:USERNAME\")\r\nNext, in Step 4, Whisper fetches operator commands. It does so by searching the inbox identified in Step 1 for files in a\r\ngiven folder (deleteditems or inbox, depending on the version of Whisper) with attachments where the subject matches a\r\nstring (supplied in the configuration file; PMO in the only configuration file we collected). 
For matching emails with\r\nattachments, Whisper scrapes the attachment body (which should contain encrypted commands) and stores the sender’s\r\nemail address for use later as the C\u0026C server to which operator command results are uploaded.\r\nIn Step 5, Whisper decrypts the operator commands. It does so by first base64 decoding the string containing the\r\ncommand and then decrypting the result using the .NET AES class with a 16-byte initialization vector and the encryption\r\nkey found in the configuration file (line 18, key=\"enc_key\"\r\nvalue=\"cXdlcmFzZHp4Y3ZmZ2d0aGhsZGZvZ2g/bHZtZ2xrZyE=\"). Decrypted commands are in the form of\r\n\u003ccmd_id\u003e;\u003ccommand_to_execute\u003e. The command ID, commands, and command output are saved in the following\r\nformat:\r\nbase64-encoded(\u003ccommand_id\u003e: \u003ccmd_id\u003e\\n\u003ccmd_output\u003e\\n)\r\nThen, in Step 6, Whisper executes the backdoor commands and records the results. Possible commands include:\r\nWrite a file to disk\r\nThe data written to disk is:\r\nthis is my file content\r\n\u003cfilepath\u003e\r\n\u003cfilename\u003e\r\n\u003cnbytes-to-write\u003e\r\nThe bytes to write are base64 encoded (and decoded before writing to disk). Successful execution returns:\r\nfile received properly. 
wrote to: \u003cfilepath\u003e\\\u003cfilename\u003e\r\nSend a file to the C\u0026C server\r\nThis command is prefixed with this is my required file path followed by \\n\u003cunknown_variable\u003e\\n\u003cfilepath\u003e\\\u003cfilename\u003e.\r\nWhisper reads the contents of the file into memory, base64 encodes them, and returns:\r\nthis is my required file \u003cpath\u003e\\n\u003cunknown_variable\u003e\\n\u003cfilename\u003e\\n\u003cbase64_encoded_file_contents\u003e\r\nExecute a PowerShell script\r\nThis command does not have a prefix and instead only contains a plaintext command that PowerShell is capable of\r\nexecuting, postfixed with a pipe after which Whisper appends Out-String. Output is saved in this form:\r\nbase64-encoded(\u003ccommand_id\u003e: \u003ccmd_id\u003e\\n\u003ccmd_output\u003e\\n)\r\nFinally, in Step 7, Whisper sends the command output in an email message to the C\u0026C inbox found in Step 4. The email\r\nis formatted with these particulars:\r\nsending email address: inbox from Step 1,\r\nrecipient: email address from Step 4,\r\nsubject: Email (from the configuration file, line 14, key=\"send_sign\"),\r\nmessage body: Hey There! 
find your results in the attachment (hardcoded in the binary), and\r\nattachment: output from the commands in Step 6, encrypted with the same encryption key in Step 5 (configuration\r\nfile line 18, key=\"enc_key\" value=\"cXdlcmFzZHp4Y3ZmZ2d0aGhsZGZvZ2g/bHZtZ2xrZyE=\").\r\nSteps 4–7 continue in a loop using the same check-in schedule from Step 3 until the credentials hardcoded in the\r\nconfiguration file are changed.\r\nShahmaran backdoor\r\nThe Shahmaran backdoor, named after a mythical half-snake, half-woman creature from Iranian folklore, is a 64-bit PE\r\nthat was found in the startup folder as:\r\n%ROAMINGAPPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\adobeupdater.exe\r\nAt system startup, Shahmaran creates a Windows event object, SysPrep. It is possible that the Shahmaran developers\r\nchose SysPrep as the event name to blend into the background noise, as SysPrep is part of the Windows imaging process.\r\nWindows admins use it to create a standard Windows image (often referred to as a Gold or Golden image) before\r\ndeployment to enterprise systems. Figure 4 shows the SysPrep event object on a compromised system as seen by\r\nSysinternals’ WinObj.\r\nFigure 4. Sysinternals’ WinObj showing the SysPrep event object on a compromised system\r\nThe C\u0026C domain is hardcoded, olinpa[.]com, as is the port, 80, and the User-Agent string, of which there are two. The\r\ninitial connection to the C\u0026C uses an incomplete User-Agent string (it is missing the closing parenthesis):\r\nMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0\r\nSubsequent communication with the C\u0026C uses the corrected User-Agent string:\r\nMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\nShahmaran does not use any compression or encryption for network communications. 
And while the port is hardcoded\r\n(80), there are code fragments that check for the port in use and update communication variables if port 443 is used.\r\nAfter checking in with the C\u0026C server, Shahmaran executes any operator commands provided, returns any output from\r\nthose commands, then sleeps for 30 seconds before checking in with the C\u0026C server again, ad infinitum. Table 3 shows\r\nthe available operator commands and their functions.\r\nTable 3. Operator commands and their descriptions\r\nOperator command | Description\r\n1 \u003cpath/filename\u003e | Returns the datetime that the specified file was written to disk in UTC, prepended with id= and in the format YYYY/MM/DD HH:MM:SS.\r\n2 \u003cfilename\u003e \u003csource\u003e \u003cdestination\u003e | Moves the specified file to the specified location. Returns the output of the file move operation prepended with id=.\r\n3 \u003cpath/filename\u003e | Deletes the specified file. Returns the output of the file delete operation prepended with id=.\r\n4 \u003cpath/directory\u003e | Creates the specified directory. Returns the output of the directory creation operation prepended with id=.\r\n5 | Creates a log file in the hardcoded location c:\\programdata\\~tmp.log, if it does not already exist. If the file already exists, reads the contents and returns them to the C\u0026C server with the file’s timestamp in UTC and in the format YYYY/MM/DD HH:MM:SS, then deletes the file. If the file does not exist, returns the filename and path. If an error occurs, returns the error. All returned data is prepended with s=.\r\n6 \u003cpath/filename\u003e \u003cdata\u003e | Checks for the specified file. If found, writes the provided data to the file and returns s=\u003cprovided_filename\u003e. If not found, returns u=\u003cerror_code\u003e.\r\n7 \u003cpath/filename\u003e | Creates the specified file. Returns s= appended with either the filename (success) or an error code.\r\n8 \u003cpath/filename\u003e | Checks for the presence of the specified filename in a compressed folder in the specified location on disk and creates it if it does not exist. Returns s= appended with the filename and the timestamp in UTC in the format YYYY/MM/DD HH:MM:SS. The timestamp is used to determine whether the file was already present or was just created.\r\nAfter executing an operator command, Shahmaran sends the output to the C\u0026C server using the format t=\u003coperator_command\u003e\u0026\u003ccommand_output\u003e, such as t=1\u0026s=\u003cfile_timestamp\u003e.\r\nSlippery Snakelet backdoor\r\nSlippery Snakelet is a small Python-based backdoor with limited capabilities:\r\n1. executes a command via cmd.exe,\r\n2. downloads a file from a URL, and\r\n3. uploads a file to the /newfile/ URI path.\r\nSlippery Snakelet has a hardcoded C\u0026C server, zaincell[.]store, and communicates with it via URLs of the form\r\nhttps://zaincell[.]store/request/\u003cUID\u003e, where the \u003cUID\u003e is the victim’s login domain and the compromised computer’s\r\nname separated by a period then base64 encoded (e.g., victim_domain.computer_name =\r\ndmljdGltX2RvbWFpbi5jb21wdXRlcl9uYW1l).\r\nSlippery Snakelet also has this hardcoded User-Agent:\r\nMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.104\r\nSafari/537.36\r\nThe C\u0026C server was disguised as an Arabian Gulf E-Learning site and the default HTML landing page does not contain\r\nany commands. 
When Slippery Snakelet supplies a correctly formatted request (e.g.,\r\nhttps://zaincell[.]store/request/\u003cUID\u003e), the C\u0026C server inserts \u003ccode\u003e tags such as\r\n\u003ccode\u003e6wjTyB3Y20KSzU1VUlTagp3aG9hbWkKbnVsbApudWxs\u003c/code\u003e into the page, and Slippery Snakelet collects\r\nand decodes these.\r\nSlippery Snakelet base64 decodes everything from the eighth character to the end of the string (i.e.,\r\nY20KSzU1VUlTagp3aG9hbWkKbnVsbApudWxs in the example above). The decoded output is newline separated and\r\ncontains the five items described in Table 4.\r\nTable 4. Slippery Snakelet arguments and options\r\nCommands Options Example\r\nCommand Type\r\ncm (execute cmd.exe command)\r\ngetfl (download a file)\r\nsendfl (upload a file)\r\ncm\r\nCommand ID CMID (a random string) K55UISj\r\nCommand | FileUrl | FilePath Respectively for cm | getfl | sendfl whoami\r\nNull | SavePath | FilePath Respectively for cm | getfl | sendfl null\r\nNull Unknown null\r\nLaret and Pinar – reverse tunnels\r\nLaret and Pinar, whose names are derived from the internal names in each respective file, are 32-bit Windows binaries\r\nwritten in C#/.NET. Both have timestomped PE compilation timestamps – a tactic that is common amongst Middle\r\nEastern (and particularly Iran-nexus) threat groups – of 2058-02-07 00:12:48 and 2072-07-10 18:26:15, respectively. Both\r\nwere found on two systems at the locations in Table 5.\r\nTable 5. 
Locations of Laret and Pinar on disk, along with filenames\r\nReverse tunnel Location\r\nLaret\r\n%APPDATA%\\Local\\LEAP Desktop\\LEAPForm.exe\r\n\u003cunknown_location\u003e\\wincapsrv.exe\r\nPinar C:\\Program Files\\LEAP Office\\SystemMain.exe\r\nC:\\Program Files\\LEAP Office\\winhttpproxy.exe\r\nIn the case where we do not have a location on disk for Laret but we do have the filename (wincapsrv.exe), we could see\r\nthat Laret was downloaded from http://178.209.51[.]61:8000/wincapsrv.exe via PowerShell. Unfortunately, we did not\r\nmanage to discover where it was written to disk. Attempts to enumerate the IP and download the file were rebuffed by the\r\nC\u0026C server, likely indicating that some form of compromised host identification is required in the connection setup\r\n(which we do not have).\r\nRegarding writing to disk, BladedFeline operators likely timestomped the file creation date of Pinar to 2017-09-14\r\n14:56:00 on one of the two compromised systems. How the file creation date was timestomped is an open question, but it\r\nshows that the attackers have compromised these two systems to such an extent that they probably have administrative\r\nrights.\r\nAt runtime, both Laret and Pinar rely on a configuration file in the same directory as their binaries for eight required\r\nvariables, which are listed in Table 6.\r\nTable 6. Laret and Pinar configuration parameters with default hardcoded values\r\nField Description Default value\r\nssh_host C\u0026C IP address. N/A\r\nssh_port   22\r\nssh_username C\u0026C username. N/A\r\nssh_pass C\u0026C password. N/A\r\nlocal_port   9666\r\nprocess_file File to execute before executing any reverse tunnel actions. N/A\r\nwait_time_minutes Time to wait between check-ins with the C\u0026C server. 10f (271)\r\nremote_port Port number used for port forwarding. 
1234\r\nWe have thus far not collected the configuration file but have reconstructed its likely content, found in Figure 5, based on\r\ncode analysis. Reading from the configuration file is done by base64 decoding the encoded string to bytes, which results\r\nin strings of space-delimited, hexadecimal-encoded character values, which in turn are decoded into ASCII strings.\r\nFigure 5. Example contents of the configuration file used by Laret and Pinar reverse tunnels\r\nThe BladedFeline developers refer to this as Delocking and the opposite (writing to the configuration file) as Enlocking.\r\nThis probably indicates a passing familiarity with English, but the developers were far from proficient. Other examples of\r\nweak translation skills include:\r\ntime Alapsed and client not connected\r\naerpoo after\r\nWaiting connection ...\r\nerror in creaate ssh client\r\nInterestingly, at another point in the reverse tunnels, the developers correctly spelled the word elapsed (time elapsed!),\r\nwhich is indicative of poor coding and lax code review, if any is performed (e.g., there is a lot of command result text\r\noutput to the command line, as if the reverse tunnels were shipped immediately after successful testing was completed).\r\nThe actual function and flow of Laret and Pinar after collecting the parameters from the configuration file is quite banal,\r\nbut that is probably an intentional effort to blend in. Both look for a filename in the process_file parameter and, if a file\r\nmatching the supplied name is present, execute it and start two threads:\r\n1. Sets up an SSH connection to the C\u0026C IP in the configuration file using the Core.Renci.SshNet DLL included\r\nwithin the binary. Port 22 is hardcoded as the C\u0026C port and port forwarding is also enabled, using the remote_port\r\nvariable from the configuration file.\r\n2. 
Sets up a listener on the port specified in the local_port parameter of the configuration file. Note that any data sent\r\nto the listener is done in the clear (i.e., no encryption or obfuscation is used beyond extra \\0 characters that are\r\nremoved at the time of receipt by Laret and Pinar).\r\nIf no file is specified in process_file, both Laret and Pinar skip setting up a listener port.\r\nLaret and Pinar only differ significantly in that Pinar sets up a service, called Service1, for persistence prior to executing\r\nthe two threads. Laret has no means of persistence beyond its process running indefinitely.\r\nSupplementary tools\r\nFlog webshell\r\nFlog is a webshell found uploaded to VirusTotal from Iraq by the same submitter who uploaded one of the versions of\r\nWhisper. Based on that and the close timeframe (both were uploaded within a matter of minutes), we believe it was\r\ndeployed by BladedFeline to the victim in the Iraq government.\r\nFlog, so named for its filename – flogon.aspx – looks for specific input from the BladedFeline operators of the form\r\n\u003cpassword\u003e=\u003c(a|b|c|d)\u003e#\u003cpath\u003e\r\nFlog hashes the password, which must match the MD5 checksum 4CC88CE123B0DA8D75C0FE66A39339F6.\r\nVariables (a|b|c|d) are command options:\r\na returns, for the path provided, a directory listing and the byte length of each file,\r\nb creates a file on disk, using the path provided,\r\nc splits the path variable on a pipe and writes a file to disk where the first part of the path is the filename and the\r\nsecond part is the data to write, and\r\nd deletes a specified file given in the supplied path.\r\nHawking Listener\r\nHawking Listener, so named for its PDB string –\r\nC:\\Users\\g18u04\\source\\repos\\Hawking\\Hawking\\obj\\Release\\listner.pdb – is a 32-bit .NET/C# Windows binary with a\r\ntimestomped compilation time of 2057-11-14 
16:59:12. It was also uploaded to VirusTotal by the same user who\r\nuploaded Flog and is probably a BladedFeline tool. It implements the .NET HTTPListener class to set up a listener with a\r\nhardcoded URL (which we cannot disclose in this case without revealing the identity of the victim). Alternatively,\r\nHawking can be provided at runtime with URLs for the listener socket to monitor.\r\nHawking listens for a provided QueryString (from a BladedFeline operator) with snmflwkejrhgsey as the key in the key-value pair. Once received, Hawking executes the value in cmd.exe and returns the output. To stop Hawking, operators\r\nneed only send stop as the key in the QueryString with a non-null variable in the value.\r\nHawking logs all interactions, runtime arguments, and command output to the file log.txt in its working directory.\r\nP.S. Olala\r\nP.S. Olala is a 32-bit .NET binary named for its intended function (executing PowerShell scripts) and its PDB path\r\nG:\\csharp\\psExecuterService\\ewsService\\obj\\Release\\Olala.pdb. It does not accept any runtime arguments. Rather, at\r\nruntime, P.S. Olala uses the Run(ServiceBase[]) method of the .NET ServiceBase class to register itself as a service with\r\nthe Service Control Manager (for persistence).\r\nWhen the P.S. Olala service is called, it spawns a thread and executes the function mainLoop, shown in Figure 6.\r\nEssentially, P.S. Olala is an executor of the PowerShell script stored in\r\n%APPDATA%\\Local\\Microsoft\\InputPersonalization\\TrainedDataStore.ps1.\r\nFigure 6. The main function of P.S. Olala\r\nUnfortunately, we were unable to collect any of the TrainedDataStore.ps1 scripts. However, contextual information\r\nindicates it is likely an executor of the Whisper backdoor, or one of the reverse tunnels (Laret or Pinar). The entire flow\r\n(P.S. 
Olala → TrainedDataStore → Whisper/Laret/Pinar) is probably an elongated persistence chain aiming to maintain\r\naccess.\r\nSheep Tunneler\r\nSheep Tunneler, a custom tunneling application that we named based on the PDB string\r\n(C:\\Users\\sheep\\source\\repos\\MP\\MP\\obj\\Release\\MP.pdb), has been observed in the two following locations:\r\n%APPDATA%\\Local\\Microsoft\\Windows\\Ringtones\\RingService.exe\r\n%APPDATA%\\Local\\Microsoft\\Windows\\Shell\\mspsrv.exe\r\nSheep Tunneler can be executed in two modes: network tunneling (by using the runtime argument middle) or connect\r\nback (by using the arguments cb \u003cip\u003e:\u003cport\u003e).\r\nWhisper Protocol\r\nWhisper Protocol, so named for its filename (Protocol.pdf.exe), is a 64-bit Python-compiled Windows binary with a\r\ncompilation timestamp of 2024-03-11 09:01:20. It creates a folder in C:\\ProgramData\\VeeamUpdate and writes both\r\nWhisper and its configuration file to that folder. Whisper Protocol also copies itself to\r\n%APPDATA%\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\VeeamUpdate.lnk for persistence. Finally, it\r\nexecutes Whisper and exits gracefully.\r\nConclusion\r\nBladedFeline is an advanced threat group that specializes in targeting Iraqi and Kurdish victims, specifically\r\ngovernmental officials and organizations. We assess that the group is likely a subgroup of OilRig. We expect to find that\r\nBladedFeline will persist with implant development in order to maintain and expand access within its compromised\r\nvictim set, likely for cyberespionage.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this service,\r\nvisit the ESET Threat Intelligence page.\r\nIoCs\r\nFiles\r\nSHA-1 Filename Detection Description\r\n01B99FF47EC6394753F9\r\nCCDD2D43B3E804F9EE36\r\nAvamer.pdf.exe\r\nPython/Trojan\r\nDropper.Agent.GI\r\nPython-compiled dropper\r\nfor Spearal\r\n1C757ACCBC2755E83E53\r\n0DDA11B3F81007325E67\r\nWin_Updates.exe MSIL/Agent.EUM\r\nSpearal, a BladedFeline\r\nbackdoor.\r\n272CF34E8DB2078A3170\r\nCF0E54255D89785E3C50\r\nscr8B45.ps1\r\nPowerShell/Trojan\r\nDropper.Agent.AJU\r\nPowerShell script to\r\ninstall Spearal.\r\n37859E94086EC47B3665\r\n328E9C9BAF665CB869F6\r\nncms_demo.msi MSIL/Agent.EUM\r\nMSI inside the zip archive\r\nthat drops and executes a\r\nPowerShell script that in\r\nturn drops and executes\r\nSpearal.\r\n3D21E1C9DFBA38EC6997\r\nAE6E426DF9291F89762A\r\nflogon.aspx ASP/Agent.BI Flog webshell.\r\n4954E8ACE23B48EC55F1\r\nFF3A47033351E9FA2D6C\r\nwinsmsrv.exe\r\nMSIL/HackTool\r\n.Agent.YN\r\nPinar, a reverse tunnel.\r\n562E1678EC8FDC1D83A3\r\nF73EB511A6DDA08F3B3D\r\nLogonUl.exe\r\nWin64/OilRig_\r\nAGen.A\r\nRDAT backdoor.\r\n66BD8DB40F4169C7F0FC\r\nA3D5D15C978EFE143CF8\r\nProtocol.pdf.exe\r\nPython/Trojan\r\nDropper.Agent.FT\r\nWhisper Protocol, the\r\ndropper that writes and\r\nexecutes the Whisper\r\nbackdoor.\r\n6973D3FF8852A3292380\r\nB07858D43D0B80C0616E\r\nVeeamUpdate.exe MSIL/Agent.ERR Whisper backdoor.\r\n73D0FAA475C6E489B2C5\r\nC95BB51DEDE4719D199E\r\nwinhttpproxy.exe\r\nMSIL/HackTool\r\n.Agent.XY\r\nPinar, a reverse tunnel.\r\nB8AFC21EF2AA854896B9\r\n7F1C81B376DCDDE2466D\r\nRunExeActionAllowed\r\nList.exe\r\nMSIL/Agent.ERR Whisper backdoor.\r\nBB4FFCDBFAD40125080C\r\n13FA4917A1E836A8D101\r\nMFTD.exe MSIL/Tiny.GL Hawking Listener.\r\nBE0AD25B7B4834798490\r\n8175404996531CFD74B7\r\nvideosrv.exe Generik.BKYYERR VideoSRV, a reverse 
shell.\r\nE8E6E6AFEF3F574C1F52\r\n28BDB28ABB34F8A0D09A\r\nwincapsrv.exe\r\nMSIL/HackTool\r\n.Agent.XY\r\nLaret, a reverse tunnel.\r\nF28D8C5C2283019E6ED7\r\n88D20240ABC8554CADB5\r\nN/A MSIL/Agent.EUM\r\nZip archive that contains\r\nan MSI that drops and\r\nexecutes a PowerShell\r\nscript that in turn drops\r\nand executes Spearal.\r\nNetwork\r\nIP Domain Hosting provider First seen Details\r\n178.209.51[.]61 N/A\r\nNine Internet\r\nSolutions AG\r\n2023-12-18\r\nDistribution server for BladedFeline’s Laret\r\nreverse tunnel.\r\n185.76.78[.]177 N/A\r\nEDIS GmbH - Noc\r\nEngineer\r\nN/A C\u0026C used by Spearal.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 17 of the MITRE ATT\u0026CK framework.\r\nTactic ID Name Description\r\nReconnaissance T1595.002\r\nActive Scanning: Vulnerability\r\nScanning\r\nBladedFeline probably conducts\r\nvulnerability scanning against targets to\r\nidentify potentially vulnerable, exposed\r\napplications.\r\nResource\r\nDevelopment\r\nT1583.001 Acquire Infrastructure: Domains\r\nBladedFeline registers domains to use\r\nfor C\u0026C servers.\r\nT1583.003\r\nAcquire Infrastructure: Virtual\r\nPrivate Server\r\nBladedFeline uses VPS services to host\r\nC\u0026C servers.\r\nT1583 Acquire Infrastructure\r\nBladedFeline uses IPs for network\r\ninfrastructure, including distributing\r\nmalware and C\u0026C servers.\r\nT1586.002\r\nCompromise Accounts: Email\r\nAccounts\r\nBladedFeline uses compromised email\r\naccounts as C\u0026C servers.\r\nInitial Access T1190 Exploit Public-Facing Application\r\nBladedFeline probably exploits\r\nvulnerable public-facing applications\r\nfor initial access.\r\nExecution\r\nT1059.003\r\nCommand and Scripting Interpreter:\r\nWindows Command Shell\r\nBladedFeline uses the Windows\r\nCommand Shell to execute commands\r\non compromised endpoints.\r\nT1059.007\r\nCommand and Scripting 
Interpreter:\r\nJavaScript\r\nBladedFeline uses JavaScript webshells\r\nto execute commands on compromised\r\nendpoints.\r\nT1059.001\r\nCommand and Scripting Interpreter:\r\nPowerShell\r\nBladedFeline uses PowerShell to\r\nexecute commands on compromised\r\nendpoints.\r\nT1059.006\r\nCommand and Scripting Interpreter:\r\nPython\r\nBladedFeline uses Python as a dropper\r\nfor deploying backdoors to\r\ncompromised endpoints.\r\nT1559 Inter-Process Communication\r\nBladedFeline uses IPC as a means of\r\nlocal code execution in its malicious IIS\r\nmodule.\r\nT1569.002 System Services: Service Execution\r\nBladedFeline uses Windows services\r\nfor malware execution with Whisper\r\nand PrimeCache.\r\nPersistence\r\nT1547.001\r\nBoot or Logon Autostart Execution:\r\nRegistry Run Keys / Startup Folder\r\nThe Whisper backdoor creates a LNK\r\nfile in the startup folder for persistence.\r\nT1546 Event Triggered Execution\r\nPrimeCache is loaded by an IIS Worker\r\nProcess (w3wp.exe) when the IIS server\r\nreceives an inbound HTTP request.\r\nDefense Evasion\r\nT1078 Valid Accounts\r\nBladedFeline uses legitimate accounts\r\nto exfiltrate data and bypass defenses,\r\nand as C\u0026C servers.\r\nT1140\r\nDeobfuscate/Decode Files or\r\nInformation\r\nThe Whisper backdoor uses base64\r\nencoding to obfuscate data.\r\nT1070.004 Indicator Removal: File Deletion\r\nThe Python dropper for Whisper deletes\r\nitself and other install files after a\r\nsuccessful installation.\r\nT1070.006 Indicator Removal: Timestomp\r\nBladedFeline routinely timestomps the\r\ncompilation timestamps of malware that\r\nthe group develops.\r\nCredential\r\nAccess\r\nT1003.001\r\nOS Credential Dumping: LSASS\r\nMemory\r\nBladedFeline dumps LSASS from\r\nmemory to steal credentials.\r\nCommand and\r\nControl\r\nT1573.001\r\nEncrypted Channel: Symmetric\r\nCryptography\r\nThe 
Whisper backdoor uses AES\r\nencryption to send and receive data\r\nbetween the malware and the C\u0026C.\r\nT1071.001\r\nApplication Layer Protocol: Web\r\nProtocols\r\nPrimeCache uses standard web\r\nprotocols for communication with the\r\nC\u0026C server.\r\nT1132.001 Data Encoding: Standard Encoding\r\nPrimeCache uses standard encoding for\r\ncommunication with the C\u0026C server.\r\nT1573.002\r\nEncrypted Channel: Asymmetric\r\nCryptography\r\nPrimeCache uses RSA and AES-CBC\r\nfor C\u0026C communication.\r\nT1105 Ingress Tool Transfer\r\nPrimeCache has the capability to\r\ndownload additional files from the\r\nC\u0026C server for local execution.\r\nExfiltration\r\nT1048.001\r\nExfiltration Over Alternative\r\nProtocol: Exfiltration Over\r\nSymmetric Encrypted Non-C2\r\nProtocol\r\nThe Whisper backdoor uses AES\r\nencryption and email inboxes to send\r\nand receive data between the malware\r\nand the C\u0026C.\r\nT1041 Exfiltration Over C2 Channel\r\nPrimeCache exfiltrates data to a C\u0026C\r\nserver.\r\nSource: https://www.welivesecurity.com/en/eset-research/bladedfeline-whispering-dark/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/bladedfeline-whispering-dark/"
	],
	"report_names": [
		"bladedfeline-whispering-dark"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cde987a8-c71f-49e2-b761-5b7fa2b4ada6",
			"created_at": "2022-10-25T16:07:23.706646Z",
			"updated_at": "2026-04-10T02:00:04.719127Z",
			"deleted_at": null,
			"main_name": "Hexane",
			"aliases": [
				"ATK 120",
				"Cobalt Lyceum",
				"G1001",
				"Lyceum",
				"Operation Out to Sea",
				"Siamesekitten",
				"Yellow Dev 9"
			],
			"source_name": "ETDA:Hexane",
			"tools": [
				"DanBot",
				"DanDrop",
				"Decrypt-RDCMan.ps1",
				"Get-LAPSP.ps1",
				"James",
				"Milan",
				"kl.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a7df240e-6750-4b71-99de-85831b92faa2",
			"created_at": "2022-10-25T15:50:23.859253Z",
			"updated_at": "2026-04-10T02:00:05.285965Z",
			"deleted_at": null,
			"main_name": "HEXANE",
			"aliases": [
				"Lyceum",
				"Siamesekitten",
				"Spirlin"
			],
			"source_name": "MITRE:HEXANE",
			"tools": [
				"Milan",
				"netstat",
				"BITSAdmin",
				"DnsSystem",
				"DanBot",
				"ipconfig",
				"Mimikatz",
				"Kevin",
				"PoshC2"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8d76e350-dfb5-4733-800d-876de41f690d",
			"created_at": "2023-01-06T13:46:38.841887Z",
			"updated_at": "2026-04-10T02:00:03.119083Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [
				"COBALT EDGEWATER"
			],
			"source_name": "MISPGALAXY:DNSpionage",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4ce3fc37-6e62-4642-8ad8-fa33fb389518",
			"created_at": "2026-02-07T02:00:03.658496Z",
			"updated_at": "2026-04-10T02:00:03.958135Z",
			"deleted_at": null,
			"main_name": "BladedFeline",
			"aliases": [],
			"source_name": "MISPGALAXY:BladedFeline",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fb8f3a5f-01a9-498e-9396-52f844424c33",
			"created_at": "2023-01-06T13:46:39.045338Z",
			"updated_at": "2026-04-10T02:00:03.195743Z",
			"deleted_at": null,
			"main_name": "LYCEUM",
			"aliases": [
				"Spirlin",
				"MYSTICDOME",
				"siamesekitten",
				"Chrono Kitten",
				"Storm-0133",
				"COBALT LYCEUM",
				"UNC1530"
			],
			"source_name": "MISPGALAXY:LYCEUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4632103e-8035-4a83-9ecb-c1e12e21288c",
			"created_at": "2022-10-25T16:07:23.542255Z",
			"updated_at": "2026-04-10T02:00:04.64888Z",
			"deleted_at": null,
			"main_name": "DNSpionage",
			"aliases": [],
			"source_name": "ETDA:DNSpionage",
			"tools": [
				"Agent Drable",
				"AgentDrable",
				"CACTUSPIPE",
				"DNSpionage",
				"DropperBackdoor",
				"Karkoff",
				"MailDropper",
				"OILYFACE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "386b1b0a-9217-46d4-a0d6-73d6286154e0",
			"created_at": "2025-08-07T02:03:24.760429Z",
			"updated_at": "2026-04-10T02:00:03.619131Z",
			"deleted_at": null,
			"main_name": "COBALT LYCEUM",
			"aliases": [
				"DEV-0133 ",
				"HEXANE ",
				"ScorchedEpoch "
			],
			"source_name": "Secureworks:COBALT LYCEUM",
			"tools": [
				"DanBot",
				"MilanRAT",
				"RGDoor",
				"SharkWork RAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434691,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e93801d881b30930f09b885a17eb3462d1d3f099.pdf",
		"text": "https://archive.orkl.eu/e93801d881b30930f09b885a17eb3462d1d3f099.txt",
		"img": "https://archive.orkl.eu/e93801d881b30930f09b885a17eb3462d1d3f099.jpg"
	}
}