Cyclops: A Potential Alternative to BellaCiao

Cyclops is a Go-based malware platform discovered in 2024, believed to be a successor to BellaCiao and attributed to Charming Kitten (APT35). It lets operators execute arbitrary commands and pivot within infected networks, and is controlled through an HTTP REST API that is exposed only through an SSH tunnel. #Cyclops #BellaCiao #CharmingKitten #APT35 #Lebanon #Afghanistan #SSH #Go

Keypoints

  • Cyclops is a Go-based malware platform discovered in 2024.
  • It enables command execution and network pivoting on infected systems.
  • Controlled via an HTTP REST API within an SSH tunnel.
  • Attributed to the Charming Kitten threat actor, linked to BellaCiao.
  • Only a handful of samples are known, suggesting the tool is still early in its lifecycle; its development was likely completed in December 2023.
  • Known targets are a Lebanese non-profit and an Afghan telecommunications company, indicating a regional rather than global targeting focus.

MITRE Techniques

  • [T1071.001] Application Layer Protocol: Web Protocols – Operators task the implant through an HTTP REST API protected by basic HTTP authentication (‘Utilizes HTTP REST API for command execution.’ ‘Uses basic HTTP authentication for API access.’)
  • [T1572] Protocol Tunneling – The REST API is not exposed directly; it is reached through an SSH tunnel, which also hides the C2 traffic from network inspection (‘Exposed via SSH tunnel for secure communication.’)
  • [T1059] Command and Scripting Interpreter – Operators run arbitrary commands on the compromised host (‘Allows execution of arbitrary commands on the target system.’)
  • [T1543] Create or Modify System Process – The implant can register itself as a system service for persistence (‘Can run as a service using the go-svc library.’)
  • [T1190] Exploit Public-Facing Application – Initial access is not confirmed, but deployment likely follows exploitation of an exposed vulnerable service, as with BellaCiao (‘Potentially deployed following exploitation of vulnerable services.’)

Indicators of Compromise

  • [SHA-256] Cyclops sample – fafa68e626f1b789261c4dd7fae692756cf71881c7273260af26ca051a094a69
  • [Domain] Cyclops validator – autoupdate[.]uk
  • [IP] Cyclops / validator nameserver – 88.80.145[.]126
  • [IP] Related infrastructure – 88.80.145[.]93
  • [URL] REST API endpoint – hxxps://127.0.0.1:55561/api/v3/update (loopback listener reached through the SSH tunnel; a host-based indicator, not one to hunt for in network telemetry)
  • [Domain] Possibly associated domain – mail-updateservice[.]info
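As an added example (not from the HarfangLab report or from this summary), the Python below refangs the IOCs listed above and matches them against constructed sample telemetry. It treats the loopback REST endpoint as a host indicator (a local listener on port 55561) rather than a network one, and uses boundary-aware patterns so near-miss values such as 188.80.145.126 or a lookalike domain do not produce false hits. All log lines, hostnames and timestamps are made up for the example.

```python
"""Refang the Cyclops IOCs listed above and match them against constructed
sample telemetry. The log lines below are made up for this example."""
import re

# IOCs copied from the list above, still in defanged form.
DEFANGED_IOCS = {
    "sha256": ["fafa68e626f1b789261c4dd7fae692756cf71881c7273260af26ca051a094a69"],
    "domain": ["autoupdate[.]uk", "mail-updateservice[.]info"],
    "ip": ["88.80.145[.]126", "88.80.145[.]93"],
    "url": ["hxxps://127.0.0.1:55561/api/v3/update"],
}

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1", "[::1]"}


def refang(value: str) -> str:
    """Undo common defanging so an IOC can be compared with raw telemetry."""
    return (value.replace("[.]", ".")
                 .replace("[:]", ":")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


def split_iocs(defanged):
    """Return (network_patterns, host_patterns) as (kind, value, regex) tuples.

    Loopback URLs are reduced to 'local listener on host:port': the 127.0.0.1
    endpoint is reached through the SSH tunnel, so it never shows up in
    DNS/proxy/firewall logs and must not be used as a network IOC.
    """
    network, host = [], []
    for domain in defanged["domain"]:
        d = refang(domain)
        # Allow subdomains; reject 'notautoupdate.uk' and 'autoupdate.uk.example'.
        network.append(("domain", d,
                        re.compile(rf"(?<![\w-]){re.escape(d)}(?![\w.-])", re.I)))
    for ip in defanged["ip"]:
        a = refang(ip)
        # Reject '188.80.145.126' and '88.80.145.1260'.
        network.append(("ip", a,
                        re.compile(rf"(?<![\d.]){re.escape(a)}(?![\d.])")))
    for h in defanged["sha256"]:
        network.append(("sha256", h.lower(), re.compile(rf"\b{h}\b", re.I)))
    for url in defanged["url"]:
        u = refang(url)
        m = re.match(r"https?://([^/:]+)(?::(\d+))?", u)
        if m and m.group(1) in LOOPBACK_HOSTS and m.group(2):
            endpoint = f"{m.group(1)}:{m.group(2)}"
            host.append(("local_listener", endpoint,
                         re.compile(rf"(?<![\d.]){re.escape(endpoint)}\b")))
        else:
            network.append(("url", u, re.compile(re.escape(u), re.I)))
    return network, host


def scan(lines, defanged=DEFANGED_IOCS):
    """Return [(line_index, kind, ioc_value)] for every IOC hit in `lines`."""
    network, host = split_iocs(defanged)
    hits = []
    for i, line in enumerate(lines):
        for kind, value, pattern in network + host:
            if pattern.search(line):
                hits.append((i, kind, value))
    return hits


# Constructed telemetry: hosts, times and paths are invented for this example.
SAMPLE_TELEMETRY = [
    "2024-05-02T10:14:03Z dns client=10.0.0.17 query=autoupdate.uk type=A answer=88.80.145.126",
    "2024-05-02T10:14:09Z proxy client=10.0.0.17 dst=cdn.autoupdate-mirror.example.com status=200",
    "2024-05-02T10:15:44Z fw src=10.0.0.17 dst=88.80.145.93 dport=443 action=allow",
    "2024-05-02T10:15:50Z fw src=10.0.0.17 dst=188.80.145.126 dport=443 action=allow",
    "2024-05-02T10:16:01Z edr host=WS17 event=file_create path=C:\\ProgramData\\svc.exe "
    "sha256=FAFA68E626F1B789261C4DD7FAE692756CF71881C7273260AF26CA051A094A69",
    "2024-05-02T10:16:30Z edr host=WS17 event=listen proto=tcp local=127.0.0.1:55561 pid=4120",
]

if __name__ == "__main__":
    for idx, kind, value in scan(SAMPLE_TELEMETRY):
        print(f"line {idx}: {kind} {value}")
```

Lines 1 and 3 of the sample set are deliberate near-misses (a lookalike domain and an IP that merely contains the indicator as a suffix) and produce no hits; the loopback listener hit on line 5 is the kind of evidence to look for on an endpoint, since it will never appear in perimeter logs.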

Read more: https://harfanglab.io/insidethelab/cyclops-replacement-bellaciao/