Researchers have uncovered a new and previously undocumented malware platform named “Cyclops.” Written in the Go programming language, Cyclops has been linked to the notorious hacking group Charming Kitten, also known as APT35.
This malware platform enables operators to execute arbitrary commands on targeted systems, posing a severe threat to cybersecurity in the Middle East and potentially beyond.
Cyclops first emerged in July 2024, when researchers identified a poorly detected binary associated with the BellaCiao malware, which had previously been linked to Charming Kitten.
The discovery suggests Cyclops may be a successor to BellaCiao, with development likely completed in December 2023. The malware platform is controlled through an HTTP REST API, exposed via an SSH tunnel, allowing operators to manipulate the target’s file system and pivot within the infected network.
Poor detection of the identified binary on a public online multiscanner service, as of July 30, 2024
Infection Chain
According to HarfangLab’s report, the exact method of Cyclops deployment remains unclear. However, based on past incidents involving BellaCiao, researchers believe Cyclops could be deployed on servers through the exploitation of vulnerable services, such as ASP.NET webshells or Exchange web server vulnerabilities.
The malware’s filename, “Microsoft SqlServer.exe,” suggests an attempt to impersonate legitimate server processes.
| Property | Value |
|---|---|
| Filename | Microsoft SqlServer.exe |
| Compiler | Go 1.22.4 |
| Hash (SHA-256) | fafa68e626f1b789261c4dd7fae692756cf71881c7273260af26ca051a094a69 |
Malware Composition
Cyclops is a sophisticated malware platform written in Go, utilizing the go-svc library to run as a service on Windows systems. It allows operators to execute arbitrary commands, manipulate the file system, and use the infected machine to pivot into the network.
The binary’s dependencies indicate that development concluded in December 2023, while the Go compiler version used to build it, 1.22.4, was released in June 2024.
SSH Tunneling and HTTPS Server
Upon startup, Cyclops loads an AES-128 CBC encrypted configuration, which includes details about its command and control (C2) server.
The malware uses SSH tunneling to forward ports to the C2 server, and it starts a built-in HTTPS server to handle incoming requests. The server employs a modified version of the gorilla/mux package for handling HTTPS requests, with basic HTTP authentication implemented manually.
```json
{
  "StartDelay": 5000,
  "SonarConfigs": {
    "Cycle": 1800000,
    "HostName": "lialb.autoupdate[.]uk",
    "HostNameFormat": "%s.%s",
    "ExpectedAddress": [REDACTED]
  },
  "BeamConfigs": {
    "BeamAgent": "SSH-2.2-OpenSSH_for_Windows_8.1",
    "UserName": [REDACTED],
    "Password": [REDACTED],
    "Host": "88.80.145[.]126:443",
    "LocalAddress": "127.0.0.1:9090",
    "RemoteAddress": "127.0.30.3:9090",
    "Retry": 10
  }
}
```
REST API Control Channel
Cyclops’s REST API control channel is a critical component, allowing operators to send commands through a single endpoint. The API accepts only POST requests, with payloads required to be in a multipart file format. Commands include arbitrary command execution, file upload and download, and port forwarding via SSH tunnels.
| Size (bytes) | Name (ours) | Description |
|---|---|---|
| 36 | Unused | |
| 4 | command_description_size | Size of the next field (network byte order) |
| command_description_size | command_description | The requested command, passed as a JSON object |
| Until the end of the packet | command_arguments | The parameters to give to the command, also a JSON object |
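A decoder for that packet layout, added here as an example that is not code from the HarfangLab report or from the malware itself: it lets an analyst parse captured request bodies into their command and argument objects, rejecting truncated or oversized length fields instead of panicking. The JSON key names in the constructed sample are assumptions, since the report does not list the real ones.

```go
package main

import (
	"encoding/binary"
	"encoding/json"
	"fmt"
)

const headerLen = 36 + 4 // 36 unused bytes + 4-byte command_description_size
// Packet holds the decoded fields of one Cyclops control-channel payload.
type Packet struct {
	Command   map[string]interface{} // command_description (JSON object)
	Arguments map[string]interface{} // command_arguments (JSON object)
}

// ParseCyclopsPacket decodes the layout in the table above. The length field
// is bounds-checked before slicing, so a truncated capture errors, not panics.
func ParseCyclopsPacket(b []byte) (*Packet, error) {
	if len(b) < headerLen {
		return nil, fmt.Errorf("payload %d bytes, shorter than fixed header", len(b))
	}
	n := int(binary.BigEndian.Uint32(b[36:headerLen])) // network byte order
	if n < 0 || n > len(b)-headerLen {
		return nil, fmt.Errorf("command_description_size %d exceeds payload", n)
	}
	p := &Packet{}
	if err := json.Unmarshal(b[headerLen:headerLen+n], &p.Command); err != nil {
		return nil, fmt.Errorf("command_description: %w", err)
	}
	if rest := b[headerLen+n:]; len(rest) > 0 { // arguments run to end of packet
		if err := json.Unmarshal(rest, &p.Arguments); err != nil {
			return nil, fmt.Errorf("command_arguments: %w", err)
		}
	}
	return p, nil
}

// BuildSamplePacket assembles a payload in the same layout so the parser can
// be exercised offline. The JSON keys are hypothetical; the report names none.
func BuildSamplePacket(cmdJSON, argsJSON string) []byte {
	buf := make([]byte, headerLen)
	binary.BigEndian.PutUint32(buf[36:], uint32(len(cmdJSON)))
	buf = append(buf, cmdJSON...)
	return append(buf, argsJSON...)
}

func main() {
	pkt := BuildSamplePacket(`{"type":"download"}`, `{"path":"C:\\temp\\x.txt"}`) // constructed
	fmt.Println(ParseCyclopsPacket(pkt))
}
```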
Command Structure
Cyclops supports various command types, each with specific functionalities:
- Review: Executes arbitrary commands using Go’s os/exec package.
- Upload/Download: Facilitates file transfer between the infected machine and the C2 server.
- Port Forwarding: Sets up SSH tunnels for port forwarding.
- Server Management: Controls the internal HTTPS server, including shutdown operations.
Infrastructure and Attribution
Cyclops’s infrastructure relies on domain name resolutions for operation, similar to BellaCiao. The malware’s operators control DNS resolutions through operator-owned name servers, allowing them to manage the execution flow.
The infrastructure analysis links Cyclops to Charming Kitten, a group associated with Iran’s Islamic Revolutionary Guard Corps (IRGC). However, more evidence is needed to confirm definitive attribution.
While information about Cyclops’s targets is limited, researchers have identified a non-profit organization in Lebanon and a telecommunications company in Afghanistan as potential victims.
The malware’s limited prevalence suggests it is still in its early stages, but the discovery highlights Charming Kitten’s evolving capabilities and the ongoing threat to cybersecurity in the region.
The discovery of Cyclops underscores the persistent threat posed by advanced persistent threat (APT) groups like Charming Kitten. The malware’s sophisticated design and use of the Go programming language reflect increased proficiency and adaptability among threat actors.
By sharing this research, cybersecurity experts hope to enhance detection and mitigation efforts, curbing the spread of Cyclops and protecting potential targets from future attacks.
This comprehensive analysis of Cyclops provides valuable insights into the malware’s capabilities, infrastructure, and potential impact. As cybersecurity threats evolve, staying informed and vigilant remains crucial in defending against such sophisticated attacks.
Indicators of compromise (IOCs)
| Type | Indicator | Description |
|---|---|---|
| Hash (SHA-256) | fafa68e626f1b789261c4dd7fae692756cf71881c7273260af26ca051a094a69 | Cyclops |
| Domain | autoupdate[.]uk | Cyclops validator |
| IP address | 88.80.145[.]126 | Cyclops SSH C2 and validator NS |