
Whispering in the dark

Severity: Medium
Published: Tue Jun 10 2025 (06/10/2025, 18:09:11 UTC)
Source: AlienVault OTX General

Description

ESET researchers uncovered a cyberespionage campaign by BladedFeline, an Iran-aligned APT group likely tied to OilRig. The group has targeted Kurdish and Iraqi government officials since at least 2017, using various malicious tools including the Whisper backdoor, PrimeCache IIS module, and reverse tunnels. BladedFeline maintains persistent access to high-ranking officials in both the Kurdistan Regional Government and Iraqi government, likely for espionage purposes. The group's toolset includes sophisticated backdoors, webshells, and custom tunneling applications. ESET assesses with medium confidence that BladedFeline is a subgroup of OilRig, based on shared code, targets, and tactics. The campaign also extended to a telecommunications provider in Uzbekistan.

AI-Powered Analysis

Last updated: 07/10/2025, 21:04:14 UTC

Technical Analysis

The 'Whispering in the dark' campaign is a cyberespionage operation attributed to BladedFeline, an Iran-aligned advanced persistent threat (APT) group likely linked to the OilRig threat actor. Active since at least 2017, BladedFeline has targeted high-ranking officials within the Kurdistan Regional Government and the Iraqi government, as well as a telecommunications provider in Uzbekistan. The group employs a sophisticated and diverse toolset including the Whisper backdoor, PrimeCache IIS module, custom reverse tunneling applications, webshells, and other malware components. These tools enable persistent access, stealthy lateral movement, and data exfiltration. The use of IIS modules and reverse tunnels suggests exploitation of web infrastructure to maintain covert communication channels. ESET researchers have identified shared code, tactics, and targeting patterns linking BladedFeline to OilRig, reinforcing the attribution. The campaign's focus on government officials and critical infrastructure indicates a strategic espionage objective, likely to gather sensitive political, military, or economic intelligence. The technical sophistication and persistence of the group demonstrate a well-resourced adversary capable of evading detection and maintaining long-term access to high-value targets.

Potential Impact

For European organizations, the direct impact of this campaign may be limited given the primary targeting of Middle Eastern government entities and a Central Asian telecom provider. However, European entities with diplomatic, economic, or intelligence ties to the Kurdistan Regional Government, Iraqi government, or regional telecom sectors could be at risk of collateral targeting or secondary compromise. The espionage tools used by BladedFeline could be adapted or redeployed against European government agencies, critical infrastructure, or private sector organizations involved in Middle Eastern affairs. The presence of reverse tunnels and webshells indicates potential for covert data exfiltration and lateral movement, which could compromise confidentiality and integrity of sensitive information. Additionally, the campaign highlights the ongoing threat posed by Iran-aligned APTs to geopolitical adversaries and partners, underscoring the need for vigilance in European intelligence and security communities. The campaign's medium severity reflects moderate risk but with potential for escalation or broader targeting.

Mitigation Recommendations

European organizations should implement targeted defenses against advanced persistent threats with espionage capabilities. Specific recommendations include:

1) Conducting thorough security audits of IIS web servers and associated modules to detect unauthorized or malicious components like PrimeCache;
2) Monitoring network traffic for anomalous reverse tunneling or covert communication channels, especially outbound connections to suspicious or foreign IP addresses;
3) Deploying endpoint detection and response (EDR) solutions capable of identifying stealthy backdoors such as Whisper and related malware behaviors;
4) Applying strict access controls and multi-factor authentication for administrative accounts to prevent unauthorized persistence;
5) Enhancing threat hunting capabilities focused on detecting webshells and lateral movement techniques;
6) Sharing threat intelligence related to BladedFeline indicators and tactics with national cybersecurity centers and relevant European CERTs;
7) Conducting regular user awareness training to recognize spear-phishing or social engineering attempts that could facilitate initial compromise;
8) Ensuring timely patching of web infrastructure and related software to reduce exploitation surfaces;
9) Collaborating with international partners to track and respond to Iran-aligned APT activities.


Technical Details

Author: AlienVault
TLP: white
References: https://www.welivesecurity.com/en/eset-research/bladedfeline-whispering-dark/
Adversary: BladedFeline
Pulse Id: 684874c7cbe4dbef4d0ff749
Threat Score: null

Indicators of Compromise


Url

http://178.209.51.61:8000/wincapsrv.exe
https://zaincell.store/request/

Ip

178.209.51.61
185.76.78.177

Threat ID: 684888e75669e5710431eebc

Added to database: 6/10/2025, 7:35:03 PM

Last enriched: 7/10/2025, 9:04:14 PM

Last updated: 8/4/2025, 2:12:14 PM
