MalwareUsed by 2 actors

Spearal

Spearal is a .NET backdoor used by the Iran-aligned threat group BladedFeline, which ESET assesses with medium confidence to be a sub-cluster of OilRig (APT34). It has been reported in multi-stage intrusion campaigns targeting Kurdish and Iraqi government officials and entities, with broader BladedFeline targeting also including the Kurdistan Regional Government, Iraqi government networks, diplomatic officials, governmental organizations in Azerbaijan, and a regional telecommunications provider in Uzbekistan. Spearal is described as a bespoke backdoor that uses DNS tunneling for command-and-control communication. Reporting places it alongside other BladedFeline backdoors such as Whisper/Veaty and Optimizer, and the group’s toolkit is described as providing remote code execution and data exfiltration capabilities. The initial access vector for related KRG and Iraqi intrusions is unclear, though researchers suspected exploitation of an internet-facing application in some cases. No Spearal-specific indicators of compromise beyond its malware family name and its DNS-tunneling C2 mechanism are directly provided in the content.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

BladedFeline

Win_Updates.exe ... Spearal, a BladedFeline backdoor.

via eset welivesecurity blogwelivesecurity.com

OilRig

...the group intensified operations against Iraqi government entities through a multi-stage intrusion campaign deploying novel malware families, including the Veaty and Spearal backdoors...

via trellix blogtrellix.com

MITRE ATT&CK

Techniques & procedures

7 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique

T1566PhishingEvidence1

“Initial access continued to rely on spear phishing — delivering macro-enabled documents or malicious links …” / “Iranian-linked threat actors have commonly used phishing (T1566) as the primary vector for initial access …”

Execution

1 technique

T1204User ExecutionEvidence1

“…often leading to execution via user execution (T1204) of malicious files …”

Stealth

2 techniques

T1036MasqueradingEvidence1

Defense evasion has remained a critical phase, where threat actors employ multiple obfuscation techniques (T1140) and masquerading (T1036) to bypass security controls.

T1140Deobfuscate/Decode Files or InformationEvidence1

“Defense evasion … employ multiple obfuscation techniques (T1140) …” plus described obfuscation (polyglots, XOR, double extensions, packed payloads, layered encryption).

Command and Control

3 techniques

T1071Application Layer ProtocolEvidence1

Finally, for command and control and exfiltration, Iranian-linked groups most commonly rely on application layer protocols (T1071), such as HTTP

T1071.004DNSEvidence1

These backdoors relied on custom DNS tunneling and email-based command-and-control communications

T1572Protocol TunnelingEvidence1

“custom DNS tunneling … hallmark” / “proxy-chaining … protocol tunneling tools such as Ngrok and ZeroTier”

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

1 tracked

IPs, domains, and DNS infrastructure linked to this family.

TypeValueLatest sighting

ip.v4●●●●●●●●●●●●View more in app1 year ago

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app

trellix blogNews

Mar 2, 2026

The Iranian Cyber Capability 2026

APT34 backdoor using custom DNS tunneling and email-based C2, deployed against Iraqi government targets.

the hacker newsNews

Jun 9, 2025

⚡ Weekly Recap: Chrome 0-Day, Data Wipers, Misused Tools and Zero-Click iPhone Attacks

Backdoor used in targeted intrusions against Kurdish and Iraqi government officials.

sentinelone blogNews

Jun 6, 2025

The Good, the Bad and the Ugly in Cybersecurity – Week 23

Backdoor used by BladedFeline providing remote code execution and data exfiltration.

the hacker newsNews

Jun 5, 2025

Iran-Linked BladedFeline Hits Iraqi and Kurdish Targets with Whisper and Spearal Malware

.NET backdoor that uses DNS tunneling for command-and-control communications.

+1 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching1

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping7

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.