By Tara Aziz
For nearly eight years, a covert cyber-espionage campaign was quietly embedded inside the heart of Kurdish and Iraqi governance. On 5 June 2025, cybersecurity firm ESET revealed the operation: BladedFeline, an Iran-aligned threat actor that breached government systems, spied on senior officials, and exfiltrated sensitive data without detection.
The report confirms what many insiders long suspected: Kurdistan’s digital infrastructure is deeply vulnerable. Yet despite the scale and political implications of the breach, no local media outlets have reported on it. In a region surrounded by geopolitical tension, this silence is more than an oversight; it is part of the problem.
Who is BladedFeline?
BladedFeline is an advanced persistent threat (APT) actor linked to Iran, believed to be either a subdivision or close affiliate of the well-known OilRig (APT34) group. It has been active since at least September 2017, when it first established a foothold in the systems of the Kurdistan Regional Government (KRG). The group’s long-term presence and targeting strategy suggest a high level of operational discipline, planning, and regional knowledge.
ESET researchers attribute the campaign to Iran with medium confidence, based on malware similarities, infrastructure overlaps, and shared tools with other documented OilRig operations. This attribution aligns with Iran’s long-standing cyber operations aimed at regional influence and intelligence gathering.
Targets and Strategic Objectives
BladedFeline’s primary targets include:
• Diplomatic and governmental entities in Iraqi Kurdistan
• Federal Iraqi government systems
• A telecommunications provider in Uzbekistan
These targets reflect a clear strategic interest in institutions critical to political negotiations, oil sector governance, and international diplomacy. For Iran, such access enables surveillance of Kurdish officials’ communications, particularly those involving Western allies, and offers insight into Iraq’s internal political landscape.
Toolset and Techniques
BladedFeline employs a diverse and highly stealthy set of tools, many of which are previously unseen or evolved versions of known OilRig malware. Key components include:
1. Shahmaran: A simple but persistent backdoor, first seen in 2023, allowing attackers to execute commands, upload and download files, and browse directories remotely.
2. Whisper: A C# backdoor that exploits Microsoft Exchange webmail. It communicates via specially crafted email attachments and maintains access through legitimate user sessions.
3. PrimeCache: An implant embedded within Microsoft’s IIS (Internet Information Services) web server, designed to intercept and manipulate traffic. PrimeCache shares similarities with OilRig’s previously known RDAT backdoor, both in code and behavior.
4. Laret and Pinar: Reverse tunneling tools that create covert communication channels, ensuring persistence even when surface-level indicators are removed.
5. Supporting Tools:
   • VideoSRV: A reverse shell utility previously attributed to OilRig.
   • Spearal and Optimizer: DNS tunneling tools.
   • Slippery Snakelet: A Python-based implant.
   • Flog: A webshell for maintaining access.
The use of these tools underscores a strategy focused on stealth, long-term access, and multi-layered evasion. Their communications are encrypted, and many are embedded in legitimate services, making detection particularly difficult.
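The DNS tunneling tools named above (Spearal and Optimizer) carry data in DNS queries, so one defensive check is to look for domains receiving many distinct, long, high-entropy leftmost labels. The following is an added illustration and not code from ESET or the report; the log format, the thresholds, and the constructed sample lines are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample log, format "<time> <client> <qtype> <qname>" (assumed).
SAMPLE_LOG = """\
2025-06-05T10:00:01 10.0.0.12 A www.example.com
2025-06-05T10:00:02 10.0.0.12 A mail.example.com
2025-06-05T10:00:03 10.0.0.12 TXT 3a9f1c7e2b8d4f06a1b2c3d4e5f60718.cdn-upd.example.net
2025-06-05T10:00:04 10.0.0.12 TXT 9b2e4d6f8a0c1e3f5a7b9d1f3e5c7a90.cdn-upd.example.net
2025-06-05T10:00:05 10.0.0.12 TXT 0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f.cdn-upd.example.net
2025-06-05T10:00:06 10.0.0.12 TXT c7d8e9f0a1b2c3d4e5f60718293a4b5c.cdn-upd.example.net
2025-06-05T10:00:07 10.0.0.12 A www.example.com
"""

def shannon_entropy(s):
    """Bits per character over the string's symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_domain(qname):
    """Crude eTLD+1 (last two labels); a real deployment would use the PSL."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyse(log_text, min_queries=3, min_entropy=3.5, min_label_len=24):
    """Group queries by registrable domain; flag many distinct long, high-entropy labels."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than fail on them
        qname = parts[3].rstrip(".")
        per_domain[registrable_domain(qname)].append(qname.split(".")[0])
    report = {}
    for base, labels in per_domain.items():
        avg_len = sum(len(l) for l in labels) / len(labels)
        avg_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        unique = len(set(labels))
        suspicious = (len(labels) >= min_queries and unique == len(labels)
                      and avg_ent >= min_entropy and avg_len >= min_label_len)
        report[base] = {"queries": len(labels), "unique_labels": unique,
                        "avg_label_len": round(avg_len, 2),
                        "avg_entropy": round(avg_ent, 2), "suspicious": suspicious}
    return report
```

The thresholds are deliberately conservative; a production detector would also weigh query type, volume over time, and a proper public-suffix split.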
Geopolitical Context and Attribution
The campaign is consistent with Iran’s broader cyber strategy, which includes surveillance of neighboring states, influence operations, and espionage against Western-aligned entities. The targeting of Kurdish and Iraqi officials aligns with Tehran’s concerns about Kurdish autonomy, foreign diplomatic engagement, and energy control.
Attribution to OilRig is supported by multiple technical indicators:
• Code overlap between PrimeCache and RDAT
• Use of shared tools (e.g., VideoSRV, DNS tunnels)
• Victimology consistent with past OilRig campaigns
The Political Backdrop: Why Kurdistan?
To understand why Kurdish institutions were targeted, one must revisit the shifting geopolitical terrain of the past decade.
Since the fall of Saddam Hussein, the Kurdistan Region of Iraq (KRI) has enjoyed a degree of political and economic autonomy. Its oil exports, growing diplomatic ties with Western governments, and interest in digital transformation have made it a unique actor, often walking a tightrope between Iran, Turkey, Baghdad, and Washington.
Iran, deeply wary of Kurdish nationalism and Western influence on its borders, has long exercised pressure through both overt and covert channels. Cyberwarfare is just one of them. Unlike drones or militias, cyber tools leave few visible traces, making them a quiet yet powerful instrument of influence.
More Than an IT Problem
The implications of BladedFeline’s operation extend far beyond breached inboxes. This was surveillance at a diplomatic level, potentially shaping negotiations, exposing internal communications, and influencing decision-making across ministries.
It also highlights the urgent cybersecurity gaps in Iraqi and Kurdish institutions. Most ministries lack advanced endpoint detection systems. Few have cyber incident response protocols. And even fewer train their staff to recognize threats like phishing emails or suspicious logins.
What’s more concerning is the apparent lack of national dialogue around digital sovereignty. Who protects the servers of Kurdish diplomats? How are data breaches handled in court? Where is the legislative shield?
