Skip to content
Ransomware group

Cyclops

Cyclops is a newly discovered, previously undocumented Go-based malware platform assessed to have been developed no earlier than December 2023 and deployed against targets in the Middle East in 2024.

Profile source: Mallory opens in a new tab

Cyclops

Family profile

Cyclops is a newly discovered, previously undocumented Go-based malware platform assessed to have been developed no earlier than December 2023 and deployed against targets in the Middle East in 2024. It provides arbitrary command execution, file upload and download, filesystem manipulation, and SSH-based port forwarding to enable lateral movement and network pivoting inside victim environments. The malware is controlled through a local HTTPS REST API that is exposed to operators via an SSH tunnel. It uses an embedded AES-128-CBC-encrypted configuration, performs a DNS-based validation step by resolving random subdomains under lialb.autoupdate[.]uk and comparing the result against an expected address pattern, and if validation succeeds starts an internal HTTPS server on 127.0.0.1:55561 using bundled TLS material. Reported operator functionality includes commands such as review for command execution, upload, download, pf for port forwarding, storage for asynchronous job/result handling, and server for shutdown. The malware reportedly uses the go-svc library to run as a service, which may support persistence on Windows. Cyclops is assessed as likely a successor to BellaCiao based on infrastructure and behavioral overlaps, and is attributed with medium-to-high confidence to Charming Kitten (APT35). Reported targeting includes a non-profit supporting innovation and entrepreneurship in Lebanon and a telecommunications company in Afghanistan. Noted infrastructure and indicators include SSH host 88.80.145[.]126:443, forwarding addresses 127.0.0.1:9090 and 127.0.30.3:9090, the autoupdate[.]uk infrastructure cluster, and a poorly detected sample with SHA-256 fafa68e626f1b789261c4dd7fae692756cf71881c7273260af26ca051a094a69 and original filename "Microsoft SqlServer.exe".

Ransomware.live

Operational record

View group record ↗

Reported operators

Threat actors

1 named in public reporting
Magic Hound

"This report introduces Cyclops, a newly discovered and previously undocumented malware platform written in Go... Cyclops allows operators to execute arbitrary commands on the target’s file system, as well as pivot inside the infected network."

MITRE ATT&CK

Cyclops in ATT&CK

14 distinct techniques

Reporting

Research mentioning Cyclops

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.