MalwareUsed by 2 actors

Laret

Laret is a 32-bit .NET reverse tunneling tool used by the Iran-aligned threat group BladedFeline, which ESET assesses with medium confidence to be a subgroup or sub-cluster of OilRig (APT34/Hazel Sandstorm). It is used to maintain access to compromised networks as part of long-term cyberespionage operations. Reporting places its use against Kurdish and Iraqi government officials, Kurdistan Regional Government environments, and related regional targets; BladedFeline activity also affected a regional telecommunications provider in Uzbekistan. Laret uses SSH-based port forwarding and relies on an external configuration file for command-and-control parameters. Unlike the related tunneling tool Pinar, Laret does not include built-in persistence. It has been observed alongside other BladedFeline tooling including Whisper, PrimeCache, Shahmaran, Slippery Snakelet, Hawking Listener, Flog, P.S. Olala, and Sheep Tunneler.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

BladedFeline

We analyze two reverse tunnels (Laret and Pinar), a backdoor (Whisper), a malicious IIS module (PrimeCache), and various supplementary tools.

via eset welivesecurity blogwelivesecurity.com

OilRig

The threat group has also deployed newer implants like Slippery Snakelet and Hawking Listener, as well as tunneling tools Laret and Pinar for persistence.

via sentinelone blogsentinelone.com

MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique

T1583Acquire InfrastructureEvidence1

BladedFeline uses IPs for network infrastructure, including distributing malware and C&C servers.

Execution

1 technique

T1059.001PowerShellEvidence1

P.S. Olala is a 32-bit .NET binary named for its intended function (executing PowerShell scripts)... Essentially, P.S. Olala is an executor of the PowerShell script stored in %APPDATA%\Local\Microsoft\InputPersonalization\TrainedDataStore.ps1.

Stealth

2 techniques

T1070.006TimestompEvidence1

Both have timestomped PE compilation timestamps – a tactic that is common amongst Middle Eastern (and particularly Iran-nexus) threat groups... Both these versions of Whisper have timestomped compilation timestamps... BladedFeline routinely timestomps the compilation timestamps of malware that the group develops.

T1140Deobfuscate/Decode Files or InformationEvidence1

The config file... is in XML format with its key and value strings base64 encoded... Whisper decrypts the operator commands. It does so by first base64 decoding the string containing the command...

Command and Control

1 technique

T1105Ingress Tool TransferEvidence1

PrimeCache action... u AES-encrypted file content Local filename Creates a local file with the specified name and content... In the case where we do not have a location on disk for Laret... Laret was downloaded from http://178.209.51[.]61:8000/wincapsrv.exe via PowerShell.

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

1 tracked

IPs, domains, and DNS infrastructure linked to this family.

Other

1 tracked

Other indicator types observed in public reporting.

TypeValueLatest sighting

ip.v4●●●●●●●●●●●●View more in app1 year ago

uri●●●●●●●●●●●●View more in app1 year ago

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

sentinelone blogNews

Jun 6, 2025

The Good, the Bad and the Ugly in Cybersecurity – Week 23

Tunneling tool used by BladedFeline to support persistence (exact protocol/implementation not detailed in the content).

the hacker newsNews

Jun 5, 2025

Iran-Linked BladedFeline Hits Iraqi and Kurdish Targets with Whisper and Spearal Malware

Tunneling tool used to maintain access to target networks.

eset welivesecurity blogNews

Jun 5, 2025

BladedFeline: Whispering in the dark

A 32-bit .NET reverse tunnel that reads a local configuration file, establishes an SSH connection to a C2 server, enables port forwarding, and can optionally execute a specified file before tunneling.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching2

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping5

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.