Advanced threat actors have been infiltrating Middle Eastern government networks for years using email-based malware and malicious web server modules, new research reveals.

Researchers at ESET have uncovered a cyberespionage campaign by BladedFeline, an Iranian-aligned advanced persistent threat (APT) group that has been targeting Kurdish and Iraqi government officials since at least 2017. Analysis of compromised systems shows the group initially went after officials within the Kurdistan Regional Government (KRG). Starting with basic reverse shells and progressing to more capable backdoors, it has maintained persistent access to victim networks across several countries, including Iraq, Kurdistan, and Uzbekistan. ESET ties BladedFeline to the OilRig group on the strength of code similarities between BladedFeline’s tools and known OilRig malware, particularly the RDAT backdoor, together with overlapping targeting patterns and technical infrastructure.

Two of the group’s tools stand out: Whisper, a backdoor that uses compromised Microsoft Exchange webmail accounts as its command-and-control channel, and PrimeCache, a malicious native Internet Information Services (IIS) module.

Rather than speaking a custom network protocol, Whisper logs into a compromised Exchange webmail account and talks to its operators through email attachments. It creates inbox rules so that command emails are filed automatically, decrypts and executes the commands they carry, and returns the output as encrypted email attachments. Whisper’s operational workflow runs through the following steps:

1. gaining access to compromised email accounts;
2. establishing inbox rules for command processing;
3. sending periodic check-in messages;
4. fetching encrypted operator commands from email attachments;
5. decrypting and executing these commands; and
6. returning results via encrypted email responses.

For defenders this means the signal is in the mailbox rather than on the wire: inbox rules the account owner did not create, periodic check-in mail, and attachment traffic on an otherwise quiet account are the artefacts to hunt for.
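The mailbox exchange described above, as an added example that is not part of the article or of ESET’s analysis and is not Whisper’s code: the operator mails an encrypted task as an attachment, an inbox rule files it into a task folder, the implant checks in, drains that folder, decrypts and runs each command, and mails back an encrypted result. The cipher (an HMAC-SHA256 keystream XOR) is a stand-in for whatever Whisper actually uses, and the shared key, the "task"/"status"/"result" subjects and the "Tasks" folder name are constructed for the demo.

```python
"""Simulation of a Whisper-style mailbox C2 loop: operator drops an encrypted
task attachment, an inbox rule files it, the implant decrypts and runs it and
mails back an encrypted result.  Added example, not ESET's or the malware's
code.  Assumptions: the cipher is a toy stand-in, and the key, subjects and
folder name are made up for the demo."""
import hashlib
import hmac
import os
import shlex
import subprocess
from email.message import EmailMessage

SHARED_KEY = b"constructed-demo-key"   # assumption: real key material is unknown
TASK_SUBJECT = "task"                  # hypothetical subject the inbox rule matches
TASK_FOLDER = "Tasks"                  # hypothetical folder the rule files tasks into


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy cipher, demo only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    stream = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


class Mailbox:
    """Toy mailbox: folders, an outbox, and subject-based inbox rules."""

    def __init__(self):
        self.folders = {"Inbox": [], TASK_FOLDER: []}
        self.outbox = []        # mail the implant "sends"
        self.rules = []         # (substring of Subject, destination folder)

    def add_rule(self, subject_contains: str, folder: str) -> None:
        self.rules.append((subject_contains, folder))
        self.folders.setdefault(folder, [])

    def deliver(self, msg: EmailMessage) -> str:
        """Apply inbox rules to incoming mail; return the folder it landed in."""
        for needle, folder in self.rules:
            if needle in msg.get("Subject", ""):
                self.folders[folder].append(msg)
                return folder
        self.folders["Inbox"].append(msg)
        return "Inbox"


def plain_mail(subject: str, body: str) -> EmailMessage:
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def mail_with_blob(subject: str, filename: str, blob: bytes) -> EmailMessage:
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.add_attachment(blob, maintype="application", subtype="octet-stream", filename=filename)
    return msg


def first_attachment(msg: EmailMessage) -> bytes:
    return next(msg.iter_attachments()).get_payload(decode=True)


def operator_task(command: str) -> EmailMessage:
    """Operator side: wrap an encrypted command in an attachment."""
    return mail_with_blob(TASK_SUBJECT, "task.bin", encrypt(SHARED_KEY, command.encode()))


def implant_process(mbox: Mailbox) -> int:
    """Implant side: check in, drain the rule-routed task folder, run each
    command and answer with an encrypted result.  Returns tasks handled."""
    mbox.outbox.append(plain_mail("status", "alive"))          # periodic check-in
    handled = 0
    while mbox.folders[TASK_FOLDER]:
        task = mbox.folders[TASK_FOLDER].pop(0)
        command = decrypt(SHARED_KEY, first_attachment(task)).decode()
        run = subprocess.run(shlex.split(command), capture_output=True, text=True)
        output = (run.stdout + run.stderr).encode()
        mbox.outbox.append(mail_with_blob("result", "result.bin", encrypt(SHARED_KEY, output)))
        handled += 1
    return handled


def operator_results(mbox: Mailbox) -> list:
    """Operator side: decrypt every result attachment the implant mailed back."""
    return [decrypt(SHARED_KEY, first_attachment(m)).decode()
            for m in mbox.outbox if m["Subject"] == "result"]


def demo(command: str = "echo hello") -> str:
    mbox = Mailbox()
    mbox.add_rule(TASK_SUBJECT, TASK_FOLDER)   # the implant's inbox rule
    mbox.deliver(operator_task(command))       # operator mails the task
    implant_process(mbox)                      # check-in, fetch, decrypt, run, reply
    return operator_results(mbox)[0]
```

Calling demo() runs one full round trip and returns the decrypted output of `echo hello`. Note that nothing in the loop ever opens a socket of its own; every step is a mailbox operation, which is why the hunting artefacts are the rule, the check-in mail and the attachments rather than a network indicator.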
PrimeCache is a passive backdoor implemented as a native IIS module, which gives the attackers persistent access to a compromised web server without any outbound beaconing of its own. The module inspects incoming HTTP requests and acts only on those carrying specific cookie headers that identify BladedFeline operators; every other request is left for the server to handle as normal. Because nothing calls out, hunting for it comes down to inventorying the native modules registered on the server and checking where their DLLs are loaded from.

ESET assesses with medium confidence that BladedFeline is a subgroup of OilRig, the well-known Iranian APT group also tracked as APT34 or Hazel Sandstorm.

The use of legitimate Microsoft Exchange infrastructure for command and control is a concerning evolution in APT tradecraft: at the network layer the implant’s traffic looks like a user reading webmail, which makes both detection and attribution harder for defenders.
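One check a defender can run for a PrimeCache-style native module, as an added example that is not ESET’s tooling: native IIS modules are registered in the `<globalModules>` section of applicationHost.config with an `image` attribute pointing at their DLL, so any entry loaded from somewhere other than the stock inetsrv or .NET Framework directories deserves a look. The configuration fragment below is constructed; the stock entries mirror a default install, while the "CacheHelperModule" name and its path under C:\inetpub are made up to show what a finding looks like.

```python
"""Flag native IIS modules registered outside the stock IIS/.NET directories.
Added example, not ESET's tooling.  SAMPLE_CONFIG is a constructed fragment of
applicationHost.config; 'CacheHelperModule' and its path are invented."""
import re
import sys
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="ManagedEngineV4.0_64bit" image="%windir%\\Microsoft.NET\\Framework64\\v4.0.30319\\webengine4.dll" preCondition="integratedMode,runtimeVersionv4.0,bitness64" />
      <add name="CacheHelperModule" image="C:\\inetpub\\wwwroot\\bin\\cachehelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""

# Directories a stock IIS install loads native modules from (expanded, lower-cased).
EXPECTED_ROOTS = (
    "c:\\windows\\system32\\inetsrv\\",
    "c:\\windows\\microsoft.net\\framework",      # covers Framework and Framework64
)


def normalize_image(image: str) -> str:
    """Expand %windir%/%SystemRoot% (assumed to be C:\\Windows) and lower-case the path."""
    expanded = re.sub(r"%(windir|systemroot)%", r"C:\\Windows", image, flags=re.IGNORECASE)
    return expanded.replace("/", "\\").lower()


def audit_global_modules(xml_text: str) -> list:
    """Return (name, image) for every native module loaded from an unexpected path."""
    root = ET.fromstring(xml_text)
    findings = []
    for section in root.iter("globalModules"):
        for entry in section.findall("add"):
            name, image = entry.get("name", "?"), entry.get("image", "")
            if not normalize_image(image).startswith(EXPECTED_ROOTS):
                findings.append((name, image))
    return findings


if __name__ == "__main__":
    # Usage: python audit_iis_modules.py [path\to\applicationHost.config]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for name, image in audit_global_modules(text):
        print(f"SUSPECT native module {name!r} loaded from {image}")
```

On a real server point it at %windir%\System32\inetsrv\config\applicationHost.config. A path outside the expected roots is a lead, not a verdict: third-party modules (URL rewriters, WAF agents) legitimately live elsewhere, so the next step is to confirm the DLL’s publisher signature and that it matches a known deployment.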
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 07 Jul 2025 14:15:20 +0000