
BladedFeline: Whispering in the dark

Medium
Published: Fri Jun 06 2025 (06/06/2025, 11:02:56 UTC)
Source: AlienVault OTX General

Description

ESET researchers have uncovered a cyberespionage campaign conducted by BladedFeline, an Iran-aligned APT group likely tied to OilRig. The group has been targeting Kurdish and Iraqi government officials since at least 2017, using various malicious tools including reverse tunnels, backdoors, and a malicious IIS module. Key malware includes the Whisper backdoor, which communicates via compromised email accounts, and PrimeCache, a malicious IIS module with similarities to OilRig's RDAT backdoor. The campaign also targeted a telecommunications provider in Uzbekistan. BladedFeline's sophisticated tactics and tools indicate a focus on maintaining strategic access to high-ranking officials for espionage purposes.

AI-Powered Analysis

Last updated: 07/09/2025, 11:10:17 UTC

Technical Analysis

BladedFeline is an advanced persistent threat (APT) group aligned with Iranian interests and likely connected to the OilRig threat actor. The group has been conducting a cyberespionage campaign since at least 2017, primarily targeting Kurdish and Iraqi government officials, as well as a telecommunications provider in Uzbekistan. Its toolkit includes reverse tunnels, backdoors, and a malicious IIS (Internet Information Services) module named PrimeCache. PrimeCache shares code similarities with OilRig's RDAT backdoor, indicating possible shared development or code reuse among Iran-aligned groups.

A key component is the Whisper backdoor, which communicates through compromised email accounts, giving the operators a covert command and control (C2) channel that blends into legitimate mail traffic and evades traditional network monitoring. The campaign leverages multiple MITRE ATT&CK techniques, including credential dumping (T1003.001), command execution via PowerShell and other scripting languages (T1059.001, T1059.007), exploitation of IIS vulnerabilities (T1190), and persistence mechanisms (T1547.001, T1546). A malicious IIS module lets the attackers keep a foothold on web servers, intercept or manipulate web traffic, and pivot within victim networks.

The campaign’s focus on high-ranking officials and critical infrastructure points to strategic espionage rather than financial gain. Indicators of compromise include specific malware hashes and suspicious domains used for C2 communications. Although no public exploits are currently reported, the campaign’s longevity and tooling demonstrate a well-resourced adversary capable of stealthy, persistent access, evading detection through modular malware and covert communication channels.

Potential Impact

For European organizations, the direct impact of BladedFeline is currently limited because of its regional focus on Middle Eastern government and telecommunications sectors. However, European entities with strategic partnerships, diplomatic ties, or business interests in the Middle East, especially in energy, telecommunications, or government affairs, may face collateral risks such as supply chain compromises or indirect targeting. Organizations operating IIS web servers or managing email infrastructure could be exposed to stealthy backdoors and covert C2 channels of the kind used by BladedFeline. If the group widens its targeting, or if other threat actors adopt similar tactics, European organizations could face espionage risks including sensitive data exfiltration, credential theft, and long-term network persistence. The campaign’s use of reverse tunnels and modular malware complicates detection and incident response, increasing the risk of prolonged undetected intrusions. The primary concern is a confidentiality breach of sensitive government or corporate information, with potential secondary impacts on data integrity and availability should the attackers choose to disrupt or manipulate services.

Mitigation Recommendations

European organizations should implement targeted defenses beyond generic best practices. Entities running IIS web servers must audit and continuously monitor for unauthorized or suspicious IIS modules, using file integrity monitoring and anomaly detection to identify malicious components like PrimeCache. Email infrastructure should be hardened by enforcing multi-factor authentication (MFA), monitoring for unusual login patterns, and deploying advanced threat protection to detect compromised accounts being used for covert C2 communications.

Network segmentation should isolate critical web and email servers, limiting lateral movement opportunities for attackers. Network traffic analysis capable of detecting covert channels, such as anomalous email traffic or reverse tunnels, will improve early detection. Regular threat hunting focused on the TTPs associated with BladedFeline (credential dumping, persistence, and command execution techniques) will improve incident response readiness. Patch management should prioritize known IIS vulnerabilities to reduce the attack surface, even though no specific exploits are currently reported. Finally, active sharing of threat intelligence with regional and sector-specific Information Sharing and Analysis Centers (ISACs) will strengthen collective defense against evolving espionage campaigns.
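The IIS module audit recommended above can be scripted offline against a copy of a server's applicationHost.config, comparing every native module in `<globalModules>` with a known-good baseline and with the IIS install directory. The following is an added example and not code from ESET or the OTX pulse; the baseline set, the sample configuration and the `CacheHelper` module in it are constructed for illustration and are not the real PrimeCache artefacts.

```python
"""Audit the <globalModules> section of an IIS applicationHost.config against a
baseline. Added example; the module names, paths and baseline are constructed."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Native modules shipped with IIS are loaded from this directory; a module image
# living anywhere else (e.g. under a web root or temp folder) deserves a closer look.
TRUSTED_DIR = PureWindowsPath(r"C:\Windows\System32\inetsrv")

# Constructed baseline: the module names you expect on this server class.
BASELINE = {"StaticFileModule", "DefaultDocumentModule", "HttpCacheModule"}

# Constructed sample config: three expected modules plus one that is not expected.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\\System32\\inetsrv\\defdoc.dll" />
      <add name="HttpCacheModule" image="%windir%\\System32\\inetsrv\\cachhttp.dll" />
      <add name="CacheHelper" image="C:\\inetpub\\temp\\cachehelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""

def expand(image: str) -> PureWindowsPath:
    """IIS stores %windir% literally in the image attribute; expand it as the server would."""
    return PureWindowsPath(image.replace("%windir%", r"C:\Windows"))

def audit_global_modules(config_xml: str, baseline: set[str]) -> list[dict]:
    """Return one finding per native module that is absent from the baseline
    and/or loaded from outside the IIS install directory."""
    root = ET.fromstring(config_xml)
    findings = []
    for gm in root.iter("globalModules"):          # avoids the dotted system.webServer tag in a path
        for mod in gm.findall("add"):
            name, image = mod.get("name"), mod.get("image", "")
            path = expand(image)
            reasons = []
            if name not in baseline:
                reasons.append("not in baseline")
            if TRUSTED_DIR not in path.parents:     # PureWindowsPath compares case-insensitively
                reasons.append(f"loaded from {path.parent}")
            if reasons:
                findings.append({"name": name, "image": image, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_global_modules(SAMPLE_CONFIG, BASELINE):
        print(f"{f['name']}: {'; '.join(f['reasons'])} ({f['image']})")
```

Run it against configs collected from each IIS host and feed the findings into the same pipeline as your file integrity alerts; the `<modules>` section, where per-site managed modules are registered, can be checked the same way.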


Technical Details

Author
AlienVault
Tlp
white
References
https://www.welivesecurity.com/en/eset-research/bladedfeline-whispering-dark/#iocs
Adversary
BladedFeline
Pulse Id
6842cae058bebf5552345481
Threat Score
null

Indicators of Compromise

Hash

4cc88ce123b0da8d75c0fe66a39339f6
562e1678ec8fdc1d83a3f73eb511a6dda08f3b3d
be0ad25b7b48347984908175404996531cfd74b7

Domain

domain.computer
olinpa.com
zaincell.store
dropper.agent.gi

Threat ID: 6846bdb07b622a9fdf66b737

Added to database: 6/9/2025, 10:55:44 AM

Last enriched: 7/9/2025, 11:10:17 AM

Last updated: 7/30/2025, 4:13:29 PM
