Mallory: Malware family, used by 2 actors

Whisper

Whisper is a 32-bit C#/.NET backdoor used by the Iran-aligned threat group BladedFeline, which ESET assesses with medium confidence to be a subgroup of OilRig. It has been observed in cyberespionage operations targeting Kurdish and Iraqi government officials, including Kurdistan Regional Government entities, and a regional telecommunications provider in Uzbekistan. The malware is described as offering remote code execution and data exfiltration capabilities.

Whisper operates by logging into a compromised Microsoft Exchange webmail account and using that mailbox as its command-and-control channel, with tasking and results carried as email attachments. It creates, or verifies the presence of, an inbox rule named "MicosoftDefaultRules" (the misspelling is part of the reported rule name) that filters messages containing the string "PMO". Every 10 hours it sends a check-in email with the subject "Content" and a body containing a base64-encoded host identifier. Operator commands are base64-decoded and then AES-decrypted before execution. Reported capabilities include writing files, exfiltrating files, and executing PowerShell commands.
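The mailbox behavior above is what a defender can hunt for without a sample. The following is an added example (not ESET's or Mallory's code) that runs two checks over constructed telemetry: inbox-rule audit events whose rule name or filter string matches the reported Whisper rule, and senders whose "Content" mails recur on a roughly 10-hour cadence. The audit-record shape mimics Microsoft 365 unified audit log AuditData JSON; the message-trace rows, sample addresses, the 10% cadence tolerance and the three-message minimum are assumptions made for this example.

```python
"""Hunt for Whisper-style mailbox C2 in Exchange/Microsoft 365 telemetry.

Added example, not ESET's or Mallory's code. Record shapes, sample values
and thresholds are assumptions built for this example.
"""
import base64
import json
from datetime import datetime, timedelta
from statistics import mean

RULE_NAME = "MicosoftDefaultRules"   # rule name as reported (misspelling included)
RULE_KEYWORD = "PMO"                 # string the rule filters on
CHECKIN_SUBJECT = "Content"          # subject of the periodic check-in mail
CHECKIN_PERIOD = timedelta(hours=10)

# Constructed audit entries shaped like unified audit log AuditData JSON.
AUDIT_LOG = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "alice@example.gov",
                "Parameters": [{"Name": "Name", "Value": RULE_NAME},
                               {"Name": "SubjectContainsWords", "Value": "PMO"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "bob@example.gov",
                "Parameters": [{"Name": "Name", "Value": "Travel"},
                               {"Name": "FromAddressContainsWords", "Value": "airline"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "carol@example.gov",
                "Parameters": [{"Name": "Identity", "Value": "Filter"},
                               {"Name": "BodyContainsWords", "Value": "PMO"}]}),
]

# Constructed message-trace rows: (sender, subject, received time as ISO 8601).
MESSAGE_TRACE = [
    ("alice@example.gov", "Content", "2024-03-01T00:00:00"),
    ("alice@example.gov", "Content", "2024-03-01T10:00:00"),
    ("alice@example.gov", "Content", "2024-03-01T20:02:00"),
    ("alice@example.gov", "Content", "2024-03-02T05:58:00"),
    ("bob@example.gov", "Content", "2024-03-01T01:00:00"),
    ("bob@example.gov", "Content", "2024-03-01T03:00:00"),
    ("bob@example.gov", "Content", "2024-03-01T20:00:00"),
    ("dave@example.gov", "Report", "2024-03-01T09:00:00"),
]


def suspicious_inbox_rules(audit_lines):
    """Return (user, reason) for New-/Set-InboxRule events matching the reported rule."""
    hits = []
    for line in audit_lines:
        rec = json.loads(line)
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        reasons = []
        if RULE_NAME in (params.get("Name"), params.get("Identity")):
            reasons.append("rule name " + RULE_NAME)
        for key in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"):
            if RULE_KEYWORD in params.get(key, ""):
                reasons.append(f"{key} contains {RULE_KEYWORD}")
        if reasons:
            hits.append((rec["UserId"], "; ".join(reasons)))
    return hits


def looks_like_base64_id(body):
    """True if a mail body decodes cleanly to printable ASCII, as Whisper's host ID does."""
    try:
        text = base64.b64decode(body.strip(), validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return False
    return bool(text) and text.isprintable()


def periodic_checkins(rows, period=CHECKIN_PERIOD, tolerance=0.1, min_messages=3):
    """Map sender -> mean gap in hours for senders whose check-in mails recur on the period."""
    by_sender = {}
    for sender, subject, ts in rows:
        if subject == CHECKIN_SUBJECT:
            by_sender.setdefault(sender, []).append(datetime.fromisoformat(ts))
    flagged = {}
    target = period.total_seconds()
    for sender, stamps in by_sender.items():
        stamps.sort()
        if len(stamps) < min_messages:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if all(abs(g - target) <= target * tolerance for g in gaps):
            flagged[sender] = round(mean(gaps) / 3600, 2)
    return flagged


if __name__ == "__main__":
    for user, why in suspicious_inbox_rules(AUDIT_LOG):
        print(f"inbox rule: {user}: {why}")
    for sender, hours in periodic_checkins(MESSAGE_TRACE).items():
        print(f"check-in cadence: {sender} every ~{hours} h")
    print(looks_like_base64_id(base64.b64encode(b"WS-FINANCE-07").decode()))
```

In production the audit entries come from Search-UnifiedAuditLog (or the Exchange admin audit log) and the trace rows from Get-MessageTrace; the cadence check is deliberately loose because the real interval drifts with host uptime, and a legitimate user will rarely send the same subject at a fixed interval for days.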

The malware has also been referred to as Veaty in reporting. Behavioral details stated directly in the source reporting are its use of a compromised Exchange webmail account for covert communications, encrypted email attachments for tasking, and its role in BladedFeline's long-term espionage campaigns against government and regional targets.


THREAT ACTORS

Groups observed using it

Two distinct threat actors have been attributed by public researchers.
BladedFeline

Whisper is a backdoor that logs into a compromised webmail account on a Microsoft Exchange server and uses it to communicate with the attackers via email attachments.

Source: ESET WeLiveSecurity blog (welivesecurity.com)
OilRig

BladedFeline is known to employ a diverse malware toolkit, including backdoors like Shahmaran, Whisper, Spearal, and Optimizer, each offering remote code execution (RCE) and data exfiltration capabilities.

Source: SentinelOne blog (sentinelone.com)
MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1586.002 Email Accounts (evidence: 2)

BladedFeline uses compromised email accounts as C&C servers.

Initial Access

1 technique
T1078 Valid Accounts (evidence: 1)

Whisper uses the credentials from the config file... to attempt to log into compromised webmail accounts... BladedFeline uses legitimate accounts to exfiltrate data and bypass defenses, and as C&C servers.

Execution

1 technique
T1059.001 PowerShell (evidence: 1)

P.S. Olala is a 32-bit .NET binary named for its intended function (executing PowerShell scripts)... Essentially, P.S. Olala is an executor of the PowerShell script stored in %APPDATA%\Local\Microsoft\InputPersonalization\TrainedDataStore.ps1.

Persistence

1 technique
T1078 Valid Accounts (evidence: 1)

Whisper uses the credentials from the config file... to attempt to log into compromised webmail accounts... BladedFeline uses legitimate accounts to exfiltrate data and bypass defenses, and as C&C servers.

Privilege Escalation

2 techniques
T1055 Process Injection (evidence: 1)

Eset first observed it in 2023, when it planted a backdoor into systems used by government diplomats from the Kurdistan Regional Government.

The quoted evidence describes the backdoor being deployed, not Whisper injecting into another process; this page carries no injection-specific observation, so treat the T1055 mapping as weakly supported.

T1078 Valid Accounts (evidence: 1)

Whisper uses the credentials from the config file... to attempt to log into compromised webmail accounts... BladedFeline uses legitimate accounts to exfiltrate data and bypass defenses, and as C&C servers.

Defense Evasion

4 techniques
T1055 Process Injection (evidence: 1)

Eset first observed it in 2023, when it planted a backdoor into systems used by government diplomats from the Kurdistan Regional Government.

T1070.006 Timestomp (evidence: 1)

Both have timestomped PE compilation timestamps – a tactic that is common amongst Middle Eastern (and particularly Iran-nexus) threat groups... Both these versions of Whisper have timestomped compilation timestamps... BladedFeline routinely timestomps the compilation timestamps of malware that the group develops.
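Timestomped compilation timestamps are visible in the PE header itself. The following is an added example (not ESET's or Mallory's code) that reads the COFF TimeDateStamp from a PE image and classifies it against a plausibility window; the MZ/PE header bytes it checks are constructed in-code, and the year-2000 lower bound is an assumption.

```python
"""Read the COFF TimeDateStamp from a PE header and flag implausible values.

Added example, not ESET's or Mallory's code. The header bytes are constructed
in-code and the plausibility window is an assumption.
"""
import struct
from datetime import datetime, timezone


def coff_timestamp(data: bytes) -> int:
    """Return the 32-bit TimeDateStamp (seconds since the Unix epoch) from the COFF header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def timestamp_verdict(ts: int, earliest=datetime(2000, 1, 1, tzinfo=timezone.utc), now=None) -> str:
    """Classify a compile timestamp; 'earliest' is an assumed lower bound for a real build."""
    now = now or datetime.now(timezone.utc)
    if ts == 0:
        return "zeroed"
    when = datetime.fromtimestamp(ts, timezone.utc)
    if when < earliest:
        return "implausibly old"
    if when > now:
        return "in the future"
    return "plausible"


def build_pe_stub(timestamp: int) -> bytes:
    """Construct a minimal MZ + PE + COFF header carrying the given timestamp (not a loadable binary)."""
    e_lfanew = 0x80
    buf = bytearray(e_lfanew + 24)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # IMAGE_FILE_MACHINE_I386, three sections, then the timestamp under test
    struct.pack_into("<HHI", buf, e_lfanew + 4, 0x014C, 3, timestamp)
    return bytes(buf)


if __name__ == "__main__":
    fixed_now = datetime(2025, 1, 1, tzinfo=timezone.utc)  # pinned so the output is stable
    for label, ts in [("stomped-old", 0x2A2A2A2A), ("stomped-future", 4102444800),
                      ("normal", 1700000000), ("zeroed", 0)]:
        stamp = coff_timestamp(build_pe_stub(ts))
        print(label, stamp, timestamp_verdict(stamp, now=fixed_now))
```

One caveat before calling a value stomped: .NET compilers built with Roslyn's deterministic option write a content hash into TimeDateStamp rather than the build time, so a nonsensical date on a single .NET binary is not by itself proof of deliberate manipulation. Corroborate with other artifacts (debug directory, file system timestamps, version resources) and with the actor's known pattern, which is what the quoted reporting does.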

T1078 Valid Accounts (evidence: 1)

Whisper uses the credentials from the config file... to attempt to log into compromised webmail accounts... BladedFeline uses legitimate accounts to exfiltrate data and bypass defenses, and as C&C servers.

T1140 Deobfuscate/Decode Files or Information (evidence: 1)

The config file... is in XML format with its key and value strings base64 encoded... Whisper decrypts the operator commands. It does so by first base64 decoding the string containing the command...

Command and Control

3 techniques
T1071.003 Mail Protocols (evidence: 1)

BladedFeline used a backdoor its dubs Whisper which, when planted inside a target device, logged into a compromised webmail account on a Microsoft Exchange server and used it to communicate with the attackers through email attachments.

T1105 Ingress Tool Transfer (evidence: 1)

the Trojan checks if it is running on a virtual machine, collects information about the computer, downloads the payload from the server, and adds a scheduled task.

The quoted evidence describes a downloader fetching a payload from a server and does not name Whisper; Whisper's own transfer channel, per the reporting above, is email attachments in the compromised mailbox.

T1573.001 Symmetric Cryptography (evidence: 1)

Whisper decrypts the operator commands... using the .NET AES class... and attachment: output from the commands in Step 6, encrypted with the same encryption key...

Exfiltration

1 technique
T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol (evidence: 1)

The Whisper backdoor uses AES encryption and email inboxes to send and receive data between the malware and the C&C.

Because the mailbox is Whisper's C2 channel, sending command output back as an AES-encrypted attachment is closer to T1041 (Exfiltration Over C2 Channel) than to a non-C2 protocol; the quoted evidence supports the encrypted-mail behavior either way.

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups; its value is withheld on this public page.
Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type: hash.md5. Value: withheld on the public page. Latest sighting: 6 years ago.