Pulse Detail — Threat Intelligence

PULSE NAME

Whispering in the dark

WHITE BladedFeline AlienVault 2025-06-10 Modified: 2025-07-10

IOCs

MEDIUM VOLUME

ESET researchers uncovered a cyberespionage campaign by BladedFeline, an Iran-aligned APT group likely tied to OilRig. The group has targeted Kurdish and Iraqi government officials since at least 2017, using various malicious tools including the Whisper backdoor, PrimeCache IIS module, and reverse tunnels. BladedFeline maintains persistent access to high-ranking officials in both the Kurdistan Regional Government and Iraqi government, likely for espionage purposes. The group's toolset includes sophisticated backdoors, webshells, and custom tunneling applications. ESET assesses with medium confidence that BladedFeline is a subgroup of OilRig, based on shared code, targets, and tactics. The campaign also extended to a telecommunications provider in Uzbekistan.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1583 T1132.001 T1059.007 T1573.001 T1140 T1586.002 T1190 T1583.001 T1070.006 T1595.002 T1003.001 T1048.001 T1583.003 T1041 T1059.001 T1547.001 T1559 T1078 T1546 T1573.002 T1059.006 T1059.003 T1070.004 T1071.001 T1105 T1569.002

MALWARE FAMILIES

WhisperGate - S0689 PrimeCache Shahmaran Slippery Snakelet Laret Pinar Flog RDAT - S0495

Indicators of Compromise (33)

All FileHash-MD5 URL FileHash-SHA1 FileHash-SHA256

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	6cc148363200798a12091b97a17181a1	—	2025-06-10
URL	http://178.209.51.61:8000/wincapsrv.exe	—	2025-06-10
URL	https://zaincell.store/request/	—	2025-06-10
FileHash-MD5	1f1aaaf32be03ae7beb9d49f02de7669	MD5 of 6973d3ff8852a3292380b07858d43d0b80c0616e	2025-06-10
FileHash-MD5	66126dc088be2699fd55ae7eff5e6e15	MD5 of f28d8c5c2283019e6ed788d20240abc8554cadb5	2025-06-10
FileHash-MD5	6cc148363200798a12091b97a17181a1	MD5 of be0ad25b7b48347984908175404996531cfd74b7	2025-06-10
FileHash-MD5	7b62b055285b1c08e11ac98b3d3954bc	MD5 of 1c757accbc2755e83e530dda11b3f81007325e67	2025-06-10
FileHash-MD5	a79e4424116dc0a76a179507ac914578	MD5 of 66bd8db40f4169c7f0fca3d5d15c978efe143cf8	2025-06-10
FileHash-MD5	b5de3c4c582db7c2d2ce31c67cba0510	MD5 of 272cf34e8db2078a3170cf0e54255d89785e3c50	2025-06-10
FileHash-MD5	b817309621e43004b9f32c96d52dc2a0	MD5 of 01b99ff47ec6394753f9ccdd2d43b3e804f9ee36	2025-06-10
FileHash-MD5	d56b5fd6b8976c91d2537d155926afff	MD5 of bb4ffcdbfad40125080c13fa4917a1e836a8d101	2025-06-10
FileHash-MD5	fb164cdf119b0d4427bdcb51b45075b1	MD5 of 37859e94086ec47b3665328e9c9baf665cb869f6	2025-06-10
FileHash-SHA1	01b99ff47ec6394753f9ccdd2d43b3e804f9ee36	—	2025-06-10
FileHash-SHA1	1c757accbc2755e83e530dda11b3f81007325e67	—	2025-06-10
FileHash-SHA1	272cf34e8db2078a3170cf0e54255d89785e3c50	—	2025-06-10
FileHash-SHA1	37859e94086ec47b3665328e9c9baf665cb869f6	—	2025-06-10
FileHash-SHA1	3d21e1c9dfba38ec6997ae6e426df9291f89762a	—	2025-06-10
FileHash-SHA1	4954e8ace23b48ec55f1ff3a47033351e9fa2d6c	—	2025-06-10
FileHash-SHA1	66bd8db40f4169c7f0fca3d5d15c978efe143cf8	—	2025-06-10
FileHash-SHA1	6973d3ff8852a3292380b07858d43d0b80c0616e	—	2025-06-10
FileHash-SHA1	73d0faa475c6e489b2c5c95bb51dede4719d199e	—	2025-06-10
FileHash-SHA1	b8afc21ef2aa854896b97f1c81b376dcdde2466d	—	2025-06-10
FileHash-SHA1	bb4ffcdbfad40125080c13fa4917a1e836a8d101	—	2025-06-10
FileHash-SHA1	e8e6e6afef3f574c1f5228bdb28abb34f8a0d09a	—	2025-06-10
FileHash-SHA1	f28d8c5c2283019e6ed788d20240abc8554cadb5	—	2025-06-10
FileHash-SHA256	068f5adf9c87d0b3fa8a37056042e76139bb230a9fd559028eb13cdf360ebbaa	SHA256 of 6973d3ff8852a3292380b07858d43d0b80c0616e	2025-06-10
FileHash-SHA256	0b3a08a1d90bf52dbf5379c72b8e2b6e76aa1fbf2c2e6c2d32af99c4707598a7	SHA256 of f28d8c5c2283019e6ed788d20240abc8554cadb5	2025-06-10
FileHash-SHA256	1388f124c6af24eefe5483a5a50ab186abdf51a89875036f7383ea51139ab4b4	SHA256 of 37859e94086ec47b3665328e9c9baf665cb869f6	2025-06-10
FileHash-SHA256	3ab29bc71ddd272f33f17c5108c044a570610c06ccba16cde1a4aa67b1524a8b	SHA256 of 66bd8db40f4169c7f0fca3d5d15c978efe143cf8	2025-06-10
FileHash-SHA256	42acdf5051bc636dbbb56483fbca925238f1c5422497e2dda73f07b0653e56f2	SHA256 of bb4ffcdbfad40125080c13fa4917a1e836a8d101	2025-06-10
FileHash-SHA256	b85ffc8af90d4312aca9a81e0da00aabe6278fd9c92e933aec7e2da80c2c1f7e	SHA256 of 272cf34e8db2078a3170cf0e54255d89785e3c50	2025-06-10
FileHash-SHA256	dcdaa9da5ee4750b1084f7dd99faeed2c713595bb156ac6491b29c2f9e0a1ade	SHA256 of 01b99ff47ec6394753f9ccdd2d43b3e804f9ee36	2025-06-10
FileHash-SHA256	ec929123c9a7e9c60868381ba479f7567f0177d09b412e0a1bd4cecc448ba10d	SHA256 of 1c757accbc2755e83e530dda11b3f81007325e67	2025-06-10

References (1)

↗ https://www.welivesecurity.com/en/eset-research/bladedfeline-whispering-dark/