Cyclops is a newly discovered, previously undocumented Go-based malware platform assessed to have been developed no earlier than December 2023 and deployed against targets in the Middle East in 2024. It provides arbitrary command execution, file upload and download, filesystem manipulation, and SSH-based port forwarding to enable lateral movement and network pivoting inside victim environments. The malware is controlled through a local HTTPS REST API that is exposed to operators via an SSH tunnel. It uses an embedded AES-128-CBC-encrypted configuration, performs a DNS-based validation step by resolving random subdomains under lialb.autoupdate[.]uk and comparing the result against an expected address pattern, and if validation succeeds starts an internal HTTPS server on 127.0.0.1:55561 using bundled TLS material. Reported operator functionality includes commands such as review for command execution, upload, download, pf for port forwarding, storage for asynchronous job/result handling, and server for shutdown. The malware reportedly uses the go-svc library to run as a service, which may support persistence on Windows. Cyclops is assessed as likely a successor to BellaCiao based on infrastructure and behavioral overlaps, and is attributed with medium-to-high confidence to Charming Kitten (APT35). Reported targeting includes a non-profit supporting innovation and entrepreneurship in Lebanon and a telecommunications company in Afghanistan. Noted infrastructure and indicators include SSH host 88.80.145[.]126:443, forwarding addresses 127.0.0.1:9090 and 127.0.30.3:9090, the autoupdate[.]uk infrastructure cluster, and a poorly detected sample with SHA-256 fafa68e626f1b789261c4dd7fae692756cf71881c7273260af26ca051a094a69 and original filename "Microsoft SqlServer.exe".
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
"This report introduces Cyclops, a newly discovered and previously undocumented malware platform written in Go... Cyclops allows operators to execute arbitrary commands on the target’s file system, as well as pivot inside the infected network."
14 distinct techniques documented for this family, organized by ATT&CK tactic.
"Cyclops is controlled through a HTTP REST API" and endpoint "/api/v3/update" over HTTPS with custom multipart payloads.
"upload Writes an arbitrary file on the infected machines’s filesystem."
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Go-based malware platform that establishes an SSH tunnel to expose a local HTTPS REST API for operator control. Supports arbitrary command execution, file upload/download, port-forwarding, and can run as a Windows service for persistence.
RaaS program referenced as bundling a custom infostealer within the affiliate kit to support ransomware operations (as described).
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.