"This report introduces Cyclops, a newly discovered and previously undocumented malware platform written in Go... Cyclops allows operators to execute arbitrary commands on the target’s file system, as well as pivot inside the infected network."
Cyclops
Cyclops is a newly discovered, previously undocumented Go-based malware platform assessed to have been developed no earlier than December 2023 and deployed against targets in the Middle East in 2024.
Profile source: Mallory opens in a new tabCyclops
Family profile
Cyclops is a newly discovered, previously undocumented Go-based malware platform assessed to have been developed no earlier than December 2023 and deployed against targets in the Middle East in 2024. It provides arbitrary command execution, file upload and download, filesystem manipulation, and SSH-based port forwarding to enable lateral movement and network pivoting inside victim environments. The malware is controlled through a local HTTPS REST API that is exposed to operators via an SSH tunnel. It uses an embedded AES-128-CBC-encrypted configuration, performs a DNS-based validation step by resolving random subdomains under lialb.autoupdate[.]uk and comparing the result against an expected address pattern, and if validation succeeds starts an internal HTTPS server on 127.0.0.1:55561 using bundled TLS material. Reported operator functionality includes commands such as review for command execution, upload, download, pf for port forwarding, storage for asynchronous job/result handling, and server for shutdown. The malware reportedly uses the go-svc library to run as a service, which may support persistence on Windows. Cyclops is assessed as likely a successor to BellaCiao based on infrastructure and behavioral overlaps, and is attributed with medium-to-high confidence to Charming Kitten (APT35). Reported targeting includes a non-profit supporting innovation and entrepreneurship in Lebanon and a telecommunications company in Afghanistan. Noted infrastructure and indicators include SSH host 88.80.145[.]126:443, forwarding addresses 127.0.0.1:9090 and 127.0.30.3:9090, the autoupdate[.]uk infrastructure cluster, and a poorly detected sample with SHA-256 fafa68e626f1b789261c4dd7fae692756cf71881c7273260af26ca051a094a69 and original filename "Microsoft SqlServer.exe".
Ransomware.live
Operational record
Reported operators
Threat actors
1 named in public reportingMITRE ATT&CK
Cyclops in ATT&CK
14 distinct techniquesTechniques
14 techniquesReporting
Research mentioning Cyclops
Cyclops: a likely replacement for BellaCiao - HarfangLab
"This report introduces Cyclops, a newly discovered and previously undocumented malware platform written in Go... Cyclops allows operators to execute arbitrary commands on the target’s file system, as well as pivot inside the infected network."
Sekoia.io mid-2023 Ransomware Threat Landscape
...newly launched RaaS programs such as Cyclops integrating a custom infostealer to the attack kit rented to affiliates.