Cyclops: Iranian APT 35 Hackers’ Latest Tool for Network Infiltration


Researchers have uncovered a new piece of malware named Cyclops, likely developed by the “Charming Kitten” group (APT 35). This malware first emerged in December 2023 and by 2024 had already begun targeting entities in the Middle East. Cyclops enables attackers to execute commands on infected devices and infiltrate networks for further attacks. The malware is controlled via an HTTP REST API, accessible through an SSH tunnel.
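The article says Cyclops is driven over an HTTP REST API that the operator reaches through an SSH tunnel. From a defender's side, that control channel has a visible shape on the host: a service bound only to loopback, with its only client being an SSH daemon process that in turn holds a remote session. The script below is an added hunting heuristic written for this post, not tooling from the researchers or from the malware; the socket listing, process names (`svchelper`, `sshd`, `postgres`), PIDs and addresses are all constructed, and the assumption that the API is exposed on a loopback port reached via SSH port forwarding is mine, since the article does not state the port or tunnel direction.

```python
"""Hunt heuristic: loopback-only listeners whose client is an SSH daemon.

Assumed model (an assumption, not a fact from the article): an implant exposes
its REST API on 127.0.0.1:<port> and the operator reaches it through SSH port
forwarding. On the host this shows up as (a) a LISTEN socket bound to loopback,
(b) an ESTAB loopback connection to that port owned by sshd, and (c) that same
sshd PID holding a non-loopback session to the operator's address.
"""
import re

# Constructed sample in the shape of `ss -tnpH` output. Names, PIDs and
# addresses are made up for the example; this is not Cyclops telemetry.
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:* users:(("svchelper",pid=4121,fd=3))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=900,fd=5))
ESTAB 0 0 127.0.0.1:51422 127.0.0.1:8080 users:(("sshd",pid=4230,fd=9))
ESTAB 0 0 127.0.0.1:8080 127.0.0.1:51422 users:(("svchelper",pid=4121,fd=7))
ESTAB 0 0 127.0.0.1:51500 127.0.0.1:5432 users:(("python3",pid=1200,fd=4))
ESTAB 0 0 10.0.0.5:22 203.0.113.9:40211 users:(("sshd",pid=4230,fd=4))
"""

# One socket per line; `ss` prints the owning process as users:(("name",pid=N,fd=M)).
LINE_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)\)'
)


def parse_ss(text):
    """Turn `ss -tnpH`-style lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["pid"] = int(row["pid"])
            rows.append(row)
    return rows


def is_loopback(addr):
    """True for 127.0.0.0/8 or the IPv6 loopback form ss prints."""
    return addr.startswith("127.") or addr.startswith("[::1]")


def find_tunneled_listeners(rows, ssh_procs=("sshd", "ssh")):
    """Return loopback listeners that have an established client owned by sshd.

    Each hit records the listener process, the sshd PID acting as client and,
    when present, the non-loopback peer of that same sshd PID (the remote end
    of the tunnel). Ordinary local services with local clients are not flagged.
    """
    listeners = {
        r["local"]: r
        for r in rows
        if r["state"] == "LISTEN" and is_loopback(r["local"])
    }
    # Remote (non-loopback) peers per sshd PID, to attribute the tunnel endpoint.
    remote_by_pid = {}
    for r in rows:
        if r["state"] == "ESTAB" and r["proc"] in ssh_procs and not is_loopback(r["peer"]):
            remote_by_pid.setdefault(r["pid"], r["peer"])

    hits = []
    for r in rows:
        if r["state"] != "ESTAB" or r["proc"] not in ssh_procs:
            continue
        listener = listeners.get(r["peer"])
        if listener is None:
            continue
        hits.append({
            "listener": listener["local"],
            "listener_proc": listener["proc"],
            "listener_pid": listener["pid"],
            "ssh_pid": r["pid"],
            "remote_peer": remote_by_pid.get(r["pid"]),
        })
    return hits


if __name__ == "__main__":
    for hit in find_tunneled_listeners(parse_ss(SAMPLE_SS)):
        print("suspicious loopback listener reached via SSH:", hit)
```

On a live host the constructed `SAMPLE_SS` would be replaced by the output of `ss -tnpH` run as root. The heuristic is deliberately narrow: a loopback listener alone (the PostgreSQL line) produces nothing, and an SSH session alone produces nothing; only the combination of a loopback service, an sshd-owned client connection to it, and that sshd PID's remote session is flagged, which keeps noise down on hosts where developers also use local port forwarding.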

Evidence suggests that Cyclops was designed as a replacement for the previously known BellaCiao malware. This is corroborated by the similarity in both their methods of operation and their targets. The primary capabilities of Cyclops include executing arbitrary commands, manipulating the file system, and using the compromised device to propagate the attack within the network.

Thus far, only a few instances of this malware have been detected, indicating its recent emergence and possibly limited distribution. It is believed that Cyclops has been used in attacks on organizations operating in Lebanon and Afghanistan.

Researchers note that development of Cyclops was completed in December 2023, shortly after use of BellaCiao ceased. This timing points to a direct connection between the two malicious programs and their creators.

Researchers believe that Cyclops may represent a new phase in the activities of “Charming Kitten,” a group notorious for its attacks on various targets, including attempts to interfere in U.S. elections. The analysis of Cyclops and its infrastructure provides deeper insight into the actions of this group and aids in countering their emerging threats.
