Cyclops: Iranian Hackers Poised for Large-Scale Cyber Attacks

Researchers have recently identified a new piece of malware known as Cyclops, suspected to have been developed by the infamous “Charming Kitten” group (APT 35). The malware first surfaced in December 2023 and has already been used in attacks against targets in the Middle East in 2024. Cyclops lets attackers execute commands on infected devices and move into networks for follow-on attacks. It is managed through an HTTP REST API, which the operators reach over an SSH tunnel.

Analysis indicates that Cyclops was likely designed as a successor to the previously known malicious software Bellaciao. This hypothesis is supported by the similarity in their operating methods and objectives. Key features of Cyclops include the ability to run arbitrary commands, manipulate the file system, and leverage infected devices to propagate attacks within networks.

While only a small number of instances of Cyclops have been detected so far, suggesting its recent emergence and potentially limited dissemination, it is believed that the software has been employed in attacks against organizations in Lebanon and Afghanistan.

Interestingly, the development of Cyclops ceased in December 2023, shortly after the discontinuation of Bellaciao’s usage. This timeline implies a direct link between the two malicious programs and their creators.

Researchers speculate that Cyclops represents a new phase in the activities of Charming Kitten, a group known for its diverse range of attacks, including efforts to interfere in US elections. By studying Cyclops and its underlying infrastructure, experts aim to deepen their understanding of the group’s tactics and strengthen defenses against its evolving threats.
