{
	"id": "b3703cc5-d4b5-4f86-a634-4d7ee40a5988",
	"created_at": "2026-04-06T01:32:16.773629Z",
	"updated_at": "2026-04-10T03:34:00.388541Z",
	"deleted_at": null,
	"sha1_hash": "f35ea0e8da49ede774e4d5ae935001edbeb412f1",
	"title": "Cyclops: a likely replacement for BellaCiao",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 498243,
	"plain_text": "Cyclops: a likely replacement for BellaCiao\r\nBy Cyber Threat Research Team\r\nPublished: 2024-08-14 · Archived: 2026-04-06 01:27:15 UTC\r\nPublished on 14 August, 2024 19min\r\nIdentifier: TRR240801.\r\nSummary\r\nThis report introduces Cyclops, a newly discovered and previously undocumented malware platform written in Go\r\nwhich dates back to December 2023, and that we believe has been deployed against targets in the Middle-East in\r\n2024. Cyclops allows operators to execute arbitrary commands on the target’s file system, as well as pivot inside\r\nhttps://harfanglab.io/insidethelab/cyclops-replacement-bellaciao/\r\nPage 1 of 15\n\nthe infected network. Notably, Cyclops is controlled through a HTTP REST API which is exposed to operators\r\nwithin an SSH tunnel.\r\nBased on our research, we assess that Cyclops was likely developed as a sucessor to the BellaCiao1 malware. We\r\nattribute this new platform to “Charming Kitten” (also known as APT 35) due to significant overlaps in TTPs and\r\ntargeting. Charming Kitten recently made the headlines due to accusations of attempting to interfere with the US\r\nelections2,.\r\nAs far as we know, there are only a limited number of samples of this family, with evidence suggesting its\r\ndevelopment was completed in December 2023. This recent emergence and limited prevalence indicate that\r\nCyclops may still be in its early stages, and hope that this report allows the community to further detect, analyze\r\nand potentially curb its spread.\r\nBackground\r\nWhile hunting for in-the-wild malicious implants in late July 2024, we identified a poorly detected binary (SHA-256 fafa68e626f1b789261c4dd7fae692756cf71881c7273260af26ca051a094a69 , see Fig. 
1) that requested the\r\nresolution of a hostname we could associate with the BellaCiao implant1.\r\nFigure 1 – Poor detection of the identified binary on a public online multiscanner service, as of July\r\n30, 2024\r\nFurther analysing the suspicious binary (see the “Cyclops” title below) and pivoting from related data unveiled\r\nmore ties with BellaCiao and Charming Kitten4-associated activities.\r\nInfection chain\r\nWe miss information about the context under which the identified binary has been deployed.\r\nHowever, from previous reporting1, original name of the identified binary ( Microsoft SqlServer.exe ) as well as\r\nour own experience investigating BellaCiao incidents, we believe with medium confidence that Cyclops could be\r\ndeployed on servers following an exploitation of vulnerable services.\r\nIn particular, we previously analysed infection cases where BellaCiao samples were deployed from ASP .NET\r\nwebshells, following the exploitation of Exchange Web servers vulnerabilities.\r\nAdditionally, because we believe with medium to high confidence that Cyclops is a replacement for BellaCiao, we\r\nalso believe with medium confidence that Cyclops could be deployed from previous BellaCiao infections.\r\nCyclops\r\nhttps://harfanglab.io/insidethelab/cyclops-replacement-bellaciao/\r\nPage 2 of 15\n\nFilename Microsoft SqlServer.exe\r\nCompiler Go 1.22.4\r\nHash (SHA256) fafa68e626f1b789261c4dd7fae692756cf71881c7273260af26ca051a094a69\r\nCyclops, as seemingly named by its authors, is a complex malware platform written in Go language. It aims at\r\nreverse-tunelling a REST API to its command and control (C2) server for the purposes of controlling targeted\r\nmachines. 
It uses the go-svc library to run as a service if needed, which could be its preferred persistence method on Windows. It allows operators to run arbitrary commands, manipulate the target’s filesystem, and use the infected machine to pivot into the network.\r\nSince library dependencies and their versions are embedded in Go binaries at compilation time, one can determine that the newest external dependency of the sample (google/uuid v1.5.0) was released on December 12, 2023. This indicates that development of this exact sample ended in December 2023 at the earliest. Additionally, the Go compiler version recorded in the sample is 1.22.4, which according to the official Go repository was released on June 4, 2024. The sample we analysed was therefore compiled no earlier than June 2024, and could not have been deployed before then.\r\nSSH tunneling\r\nOn startup, the program loads an embedded configuration (encrypted with AES-128-CBC) which contains information about its C2 server and initial connection:\r\n{\r\n \"StartDelay\": 5000,\r\n \"SonarConfigs\": {\r\n  \"Cycle\": 1800000,\r\n  \"HostName\": \"lialb.autoupdate[.]uk\",\r\n  \"HostNameFormat\": \"%s.%s\",\r\n  \"ExpectedAddress\": [REDACTED]\r\n },\r\n \"BeamConfigs\": {\r\n  \"BeamAgent\": \"SSH-2.2-OpenSSH_for_Windows_8.1\",\r\n  \"UserName\": [REDACTED],\r\n  \"Password\": [REDACTED],\r\n  \"Host\": \"88.80.145[.]126:443\",\r\n  \"LocalAddress\": \"127.0.0.1:9090\",\r\n  \"RemoteAddress\": \"127.0.30.3:9090\",\r\n  \"Retry\": 10\r\n }\r\n}\r\nThe BeamAgent value is the client identification string sent on the SSH leg (to port 443 of the C2). It imitates OpenSSH for Windows, but genuine OpenSSH clients announce protocol version 2.0 (SSH-2.0-…); as configured here, the 2.2 banner is itself a weak but usable network indicator.\r\nAs a possible anti-analysis measure, Cyclops starts by resolving a random “validation” hostname within the subdomain of the HostName configuration field (e.g., iuxyf.lialb.autoupdate[.]uk, built with the HostNameFormat pattern). 
If the hostname doesn’t exist, or doesn’t resolve to an IP address matched by the regular expression contained in the ExpectedAddress field, the malware enters a sleep cycle and tries again later. Otherwise, the malware starts its built-in HTTPS server and forwards the corresponding port to the C2 server via the SSH connection (LocalAddress parameter of the configuration). In practice, an analyst running the sample without control over DNS will only ever observe the sleep loop, unless the validation lookup is made to return an address matching ExpectedAddress.\r\nLocal HTTPS server\r\nAs part of its startup phase, Cyclops loads a second AES-128-encrypted configuration blob which controls the behavior of its internal HTTPS server:\r\n{\r\n \"BindAddress\": \"127.0.0.1:55561\",\r\n \"TLS\": {\r\n  \"CertPEMBlock\": [base64-encoded certificate],\r\n  \"KeyPEMBlock\": [base64-encoded key]\r\n },\r\n \"Users\": {\r\n  \"[REDACTED username]\": \"[REDACTED SHA-256 hash]\"\r\n }\r\n}\r\nThe developers use a modified version of the gorilla/mux package to handle incoming HTTPS requests served by Go’s built-in net/http web server. The server starts listening on the BindAddress using the TLS certificate and key provided in the configuration.\r\nOne of the main changes made to gorilla/mux was adding support for HTTP Basic authentication. This feature was implemented by hand so that only requests carrying the credentials listed in the Users section of the configuration are accepted (the Users map holds a SHA-256 hash rather than a clear-text secret). It is worth noting that their implementation is not RFC-compliant, as the credentials are not base64-encoded. 
The header expected by Cyclops looks like:\r\nAuthorization: Basic username:cleartextpassword\r\n…instead of:\r\nAuthorization: Basic dXNlcm5hbWU6Y2xlYXJ0ZXh0cGFzc3dvcmQ=\r\nThe (self-signed) TLS certificate bundled with this implant has the following characteristics, confirming a likely end of development in December 2023:\r\nSerial Number: 9e:22:f8:bb:63:88:5e:d0:71:8f:f6:61:7c:17:ec:e5\r\nSignature Algorithm: sha256WithRSAEncryption\r\nIssuer: O=mkcert development CA, OU=deathpact@fedora (DeathPact), CN=mkcert deathpact@fedora (DeathPact)\r\n...\r\nValidity\r\n Not Before: Dec 20 09:22:46 2023 GMT\r\n Not After : Mar 20 08:22:46 2026 GMT\r\nThe issuer fields follow mkcert’s defaults (user@hostname plus the account’s full name), so the certificate was generated with mkcert by a user named deathpact on a host called fedora.\r\nREST API control channel\r\nFinally, once the HTTPS service becomes reachable through the SSH tunnel, it may start receiving orders from the operators on a single endpoint: /api/v3/update. Only POST requests are accepted and the payload must be placed in a multipart file named resume. Cyclops relies on a custom framing which can be broken down like so:\r\nSize (bytes) | Name (ours) | Description\r\n36 | (unused) | Ignored by the implant\r\n4 | command_description_size | Size of the next field (network byte order)\r\ncommand_description_size | command_description | The requested command, passed as a JSON object\r\nuntil the end of the packet | command_arguments | The parameters to give to the command, also as a JSON object\r\nThe command_description field is a simple object of the following format:\r\n{\r\n \"type\": \"test\"|\"review\"|\"storage\"|\"upload\"|\"download\"|\"pf\"|\"server\",\r\n \"syncresult\": true|false\r\n}\r\nWhen Cyclops receives such a request, it uses type as a key in a map of all available command handlers. For instance, the type download will cause an instance of APIDownload to be created, and its method Update to be invoked with command_arguments as an argument. The second parameter, syncresult, controls whether the client expects a synchronous or asynchronous response; for more details about this feature, see the description of the storage command below.\r\nA high-level description of the available commands follows:\r\nType | Description\r\ntest | Does nothing, and in fact crashes the worker because the developers failed to initialize the object containing the response, leading to a nil dereference.\r\nreview | Arbitrary command execution with Go’s os/exec package.\r\nstorage | Controls the in-memory store containing the results of asynchronous commands.\r\nupload | Sends a file to the targeted machine.\r\ndownload | Retrieves a file from the targeted machine.\r\npf | Sets up port forwarding via SSH tunnels. Should be run asynchronously, otherwise it hangs the worker.\r\nserver | Waits 5 seconds and shuts the HTTPS server down.\r\nAfter executing a command, Cyclops returns two objects in JSON format. The first one represents the API result (whether the command failed, start and end time, response size, etc.); the second is a command-specific result object containing the actual response. An example API result would be:\r\n{\r\n \"ISerialize\":null,\r\n \"uuid\":\"650ee54f-558e-11ef-8ddb-000c29fbee52\",\r\n \"isDeferred\":true,\r\n \"status\":0,\r\n \"fileSize\":148,\r\n \"currentSize\":148,\r\n \"hasError\":false,\r\n \"error\":\"%!s(\\u003cnil\\u003e)\",\r\n \"type\":\"review\",\r\n \"startDate\":\"2024-08-08T13:59:17.3233476Z\",\r\n \"doneDate\":\"2024-08-08T13:59:17.4461401Z\",\r\n \"done\":true\r\n}\r\nMost fields are either self-explanatory or irrelevant. The UUID is not a target identifier but a GUID generated for each request using the google/uuid package, used to retrieve asynchronous command results. 
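Added example (written for this edition; it is neither HarfangLab’s appendix script nor code from the implant): a Python codec for the request framing just described, covering also the response layout and the upload variant detailed in the Download and Upload sections that follow, together with a validator for the clear-text Basic authentication header the implant expects. Function names, the constructed sample command and the forward-slash Windows paths are illustrative assumptions, not values recovered from the sample.

```python
# Added example, not code from HarfangLab or from the Cyclops authors: a codec for
# the framing this report describes, plus a check for the implant's clear-text Basic
# auth header. Field names are the report's own unofficial ones; sample values are
# constructed for illustration (Windows paths use forward slashes for simplicity).
import base64
import binascii
import json
import struct

UNUSED_HEADER = 36            # leading bytes the implant ignores
ENDPOINT = '/api/v3/update'   # the single REST endpoint
MULTIPART_FIELD = 'resume'    # multipart file name that carries the frame


def _u32(buf, off):
    # network byte order length field
    return struct.unpack('>I', buf[off:off + 4])[0]


def build_frame(cmd_type, args, payload=None, syncresult=True):
    '''Body of the multipart file. Without payload: generic layout, arguments run to
    the end of the packet. With payload: upload layout, arguments are length-prefixed
    and the raw file data follows them.'''
    desc = json.dumps({'type': cmd_type, 'syncresult': syncresult}).encode()
    argb = json.dumps(args).encode()
    frame = bytes(UNUSED_HEADER) + struct.pack('>I', len(desc)) + desc
    if payload is None:
        return frame + argb
    return frame + struct.pack('>I', len(argb)) + argb + payload


def parse_frame(data, upload=False):
    '''Inverse of build_frame: (command_description, command_arguments, payload).'''
    off = UNUSED_HEADER
    dlen = _u32(data, off)
    off += 4
    desc = json.loads(data[off:off + dlen])
    off += dlen
    if not upload:
        return desc, json.loads(data[off:]), b''
    alen = _u32(data, off)
    off += 4
    args = json.loads(data[off:off + alen])
    off += alen
    return desc, args, data[off:]


def build_response(api_result, command_result, file_data=None):
    '''Implant side: 4-byte api_result_size, API result JSON, command result JSON.
    Only download inserts a command_result_size and appends the raw file bytes.'''
    api = json.dumps(api_result).encode()
    cmd = json.dumps(command_result).encode()
    body = struct.pack('>I', len(api)) + api
    if file_data is None:
        return body + cmd
    return body + struct.pack('>I', len(cmd)) + cmd + file_data


def parse_response(body, download=False):
    '''Operator side: (api_result, command_result, file_data).'''
    alen = _u32(body, 0)
    off = 4
    api = json.loads(body[off:off + alen])
    off += alen
    if not download:
        return api, json.loads(body[off:]), b''
    clen = _u32(body, off)
    off += 4
    cmd = json.loads(body[off:off + clen])
    off += clen
    return api, cmd, body[off:]


def is_rfc7617_basic(value):
    '''True for a well-formed header, i.e. base64(user:pass) after the scheme.
    The implant's clear-text user:pass form fails the base64 validation.'''
    scheme, _, token = value.strip().partition(' ')
    if scheme.lower() != 'basic' or not token:
        return False
    try:
        decoded = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False
    return b':' in decoded


def inspect_request(raw):
    '''Reasons a decoded HTTP request head looks like Cyclops API traffic.'''
    lines = raw.splitlines()
    request_line = lines[0] if lines else ''
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, val = line.partition(':')
        headers[name.strip().lower()] = val.strip()
    reasons = []
    if request_line.startswith('POST ') and ENDPOINT in request_line:
        reasons.append('POST to ' + ENDPOINT)
    auth = headers.get('authorization', '')
    if auth.lower().startswith('basic ') and not is_rfc7617_basic(auth):
        reasons.append('Basic credentials sent in clear (not RFC 7617)')
    if headers.get('content-type', '').startswith('multipart/form-data'):
        reasons.append('multipart body (frame expected in file ' + MULTIPART_FIELD + ')')
    return reasons
```

The RFC 7617 check is the condition the Suricata rule in the appendix expresses: a Basic token that fails base64 validation never comes from a compliant client. Keep in mind that on the wire this traffic is HTTPS carried inside an SSH tunnel, so the check applies wherever decrypted HTTP is visible (a TLS-inspecting proxy, a host-side capture, an emulated operator endpoint), not to the raw tunnel itself.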
A sample Python script which can be used to interact with a running instance of Cyclops is provided in the Appendix.\r\nReview command\r\nThe review command, providing command execution, expects the following parameters:\r\nName | Description\r\ndir | The directory containing the program to execute\r\nfile | The name of the executable to run\r\ntimeout | Maximum time to wait for the program’s termination\r\nargs | A list of strings to be used as arguments for the program\r\nenvs | A dictionary of environment variables to provide to the program\r\nResults are returned in the following format:\r\nName | Description\r\ncode | Exit code of the program\r\nout | A list containing the output of the program executed. Each entry represents a single line and is a dictionary with two keys: time (timestamp at which the line was captured) and content (the corresponding data). See example below.\r\nerr | An error that occurred, or null\r\npid | The PID of the program that was executed\r\nisDone | Whether the program is finished running\r\nTo clarify the structure of the out value, sample output for the execution of cmd.exe is reproduced here:\r\n{\r\n // [...]\r\n \"out\": [\r\n  {\r\n   \"time\":\"2024-08-08T13:59:17.4345436Z\",\r\n   \"content\":\"Microsoft Windows [Version 10.0.19044.2251]\"\r\n  },\r\n  {\r\n   \"time\":\"2024-08-08T13:59:17.4345436Z\",\r\n   \"content\":\"(c) Microsoft Corporation. All rights reserved.\"\r\n  }\r\n  // ...\r\n ]\r\n // [...]\r\n}\r\nDownload command\r\nA command used to send a file from the infected machine to the C2 server. This command only requires a simple argument in the form of:\r\n{\r\n \"path\": \"[Local file to send to the C2]\"\r\n}\r\nThe response contains the two usual JSON objects (API response and command response), which do not contain any information of particular interest. The raw bytes of the requested file are placed right after them:\r\nSize (bytes) | Name (ours) | Description\r\n4 | api_result_size | Size of the API response in bytes, network order\r\napi_result_size | api_response | JSON object representing the status of the API request (see above)\r\n4 | command_result_size | Size of the command response in bytes, network order. This field is omitted in all other commands.\r\ncommand_result_size | command_result | JSON object representing the command result: whether it was successful, the path of the requested file, etc.\r\nuntil the end of the file data | (file contents) | Raw bytes of the requested file. This field is omitted in all other commands.\r\nUpload command\r\nWrites an arbitrary file on the infected machine’s filesystem. The expected command argument is:\r\n{\r\n \"path\": \"[Path to where the file should be written]\"\r\n}\r\nSince this command needs to receive arbitrary data to write into the file, it expects a slightly different command description format that allows it to find the offset of the file data:\r\nSize (bytes) | Name (ours) | Description\r\n36 | (unused) | Ignored by the implant\r\n4 | command_description_size | Size of the next field (network byte order)\r\ncommand_description_size | command_description | The requested command, passed as a JSON object\r\n4 | optional_command_args_size | Size of the next field (network byte order)\r\noptional_command_args_size | optional_command_args | The parameters to give to the command, also as a JSON object\r\nuntil the end of the packet | payload | Raw bytes of the file to write\r\nThe responses produced by this command do not contain any particularly noteworthy information.\r\nStorage command\r\nCommands submitted to Cyclops can either be synchronous (the client waits until a result is returned) or asynchronous (the client receives a GUID corresponding to the request and polls until a result becomes available). Asynchronous jobs are tracked in an in-memory registry which keeps a record of the ongoing jobs based on their UUID and their status. A worker checks every 5 seconds whether a finished job is more than 5 minutes old, and if so, deletes it from the registry; results of asynchronous jobs therefore have to be collected within five minutes of completion.\r\nThe command allows operators to check the contents of the registry and obtain results for finished commands. 
Its parameters are:\r\n{\r\n \"type\": \"[Subcommand type]\",\r\n \"args\": \"\"\r\n}\r\nThe list subcommand doesn’t require any arguments and simply returns the contents of the registry in a response object such as:\r\n{\r\n \"ISerialize\":null,\r\n \"items\": [\r\n  {\r\n   \"ISerialize\":null,\r\n   \"uuid\":\"3966c1ea-568c-11ef-b418-000c29fbee52\",\r\n   \"isDeferred\":true,\r\n   \"status\":0,\r\n   \"fileSize\":149,\r\n   \"currentSize\":149,\r\n   \"hasError\":false,\r\n   \"error\":\"%!s(\\u003cnil\\u003e)\",\r\n   \"type\":\"review\",\r\n   \"startDate\":\"2024-08-09T20:16:15.3046826Z\",\r\n   \"doneDate\":\"2024-08-09T20:16:15.3933832Z\",\r\n   \"done\":true\r\n  },\r\n  // ...\r\n ]\r\n}\r\nThe update subcommand returns the result associated with a given UUID; args should be a JSON object like {\"id\": \"UUID\"}. If the corresponding UUID is found in the store, Cyclops returns the result of that asynchronous command. Finally, the kill subcommand terminates a worker that still hasn’t produced a result.\r\nPf (port-forwarding) command\r\nA command to forward TCP ports via SSH tunnels, matching the semantics of the -R or -L options of SSH.\r\n{\r\n \"serverAddr\": \"[The server to connect to, in the form IP:port]\",\r\n \"direction\": \"L\"|\"R\", // For local or remote forwarding.\r\n \"userName\": \"[The username used to log into the server]\",\r\n \"password\": \"[The password used to log into the server]\",\r\n \"localAddr\": \"[The address to use on the infected machine]\",\r\n \"remoteAddr\": \"[The address to use on the C2]\"\r\n}\r\nFor instance, the arguments:\r\n{\r\n // [...]\r\n \"direction\": \"L\",\r\n \"localAddr\": \"127.0.0.1:9091\",\r\n \"remoteAddr\": \"127.0.0.1:9092\"\r\n}\r\n…would allow the infected machine to connect to any service listening on the remote host’s port 9092 by connecting to 127.0.0.1:9091. Since the SSH server and credentials are supplied with each request, tunnels are not limited to the C2 configured in BeamConfigs, which is worth keeping in mind when scoping an incident.\r\nServer command\r\nThis command doesn’t take any arguments (despite traces in the code of receiving type and args like storage) and simply shuts the HTTPS server down after 5 seconds. We were not able to identify any way to restart it afterwards, the command and control channel becoming unavailable at the same time as the web server. We speculate this is a broader reconfiguration command for the web server that is still under implementation.\r\nInfrastructure\r\nThe identified Cyclops sample caught our attention because it requires the resolution of a hostname (\u003crandom letters\u003e.lialb.autoupdate[.]uk) from the autoupdate[.]uk domain, which in turn uses the glued 88.80.145[.]126 IP as authoritative name server (NS) since mid-May 2023. 
This last IP was also associated with the NS of a publicly documented1 BellaCiao C2 domain (mail-updateservice[.]info).\r\nWe particularly looked at NS records and associated IP addresses, given that both Cyclops and BellaCiao rely on DNS resolutions as a validation flag to continue running. This implies operators must control DNS resolutions for the associated domains, which is easily done with operator-owned NS servers.\r\nDomain | Registration | NS\r\nautoupdate[.]uk (Cyclops validator) | NameSilo (2023-04-26) | ns1 and ns2.autoupdate[.]uk, resolving to 88.80.145[.]126 (ASN 44901 – Belcloud) since 2023-05-19.\r\nmail-updateservice[.]info (publicly known BellaCiao C2) | NameSilo (2022-12-24) | ns1 and ns2.mail-updateservice[.]info, resolved to 88.80.145[.]126 (ASN 44901 – Belcloud) from 2023-08-28 to 2023-12-23.\r\nPivoting from 88.80.145[.]126, we identified additional and possibly linked IP addresses and domains.\r\nDomain/IP | Details\r\n88.80.145[.]93 | ASN 44901 – Belcloud. Same (self-signed) TLS certificate as 88.80.145[.]126 for the RDP service.\r\n88.80.145[.]122 | ASN 44901 – Belcloud. Same services on the same unusual ports as 88.80.145[.]126. Resolution for NS of known BellaCiao validator domains (such as maill-support[.]com, twittsupport[.]com and msn-service[.]co), starting 2022-11-25.\r\n88.80.145[.]137 | ASN 44901 – Belcloud. Resolution for ns1 and ns2.freeheadlines[.]top, between 2024-02-01 and 2024-03-14.\r\n88.80.145[.]132 | ASN 44901 – Belcloud. Resolution for ns1 and ns2.servicechecker[.]top, between 2023-06-07 and 2024-03-06.\r\nservicechecker[.]top | Registered at NameSilo (2023-06-07), also using IP 88.80.145[.]126 as NS (starting 2024-03-09).\r\nservicesupdate[.]info | Registered at NameSilo (2023-04-26), also using IP 88.80.145[.]126 as NS (from 2023-05-15 to 2024-04-18). Domain name looks like a known BellaCiao validator (mail-updateservice[.]info).\r\nmail-update[.]info | Registered at NameSilo (2022-12-24), also using IP 88.80.145[.]126 as NS (from 2023-08-28 to 2023-12-23). Domain name looks like a known BellaCiao validator (mailupdate[.]info).\r\nfreeheadlines[.]top | Registered at NameSilo (2024-02-01), using IP 88.80.145[.]122 as NS (from 2024-03-16 to 2024-07-26).\r\nservicepackupdate[.]info | Registered at NameSilo (2023-05-22), using IP 88.80.145[.]122 as NS (from 2023-05-23 to 2024-05-20).\r\nsystemupdate[.]info | Registered at NameSilo (2023-05-22), using IP 88.80.145[.]122 as NS (from 2023-05-22 to 2024-04-25).\r\nTargets\r\nAs we initially identified a single sample of the Cyclops implant from an online multiscanner service, we have very limited information about Cyclops targets.\r\nWe noticed that publicly available and documented BellaCiao samples or associated C2 infrastructure always contained information about associated targets (such as names, domain names or IP addresses).\r\nAnalyzing Cyclops and associated infrastructure while considering that the operators and developers may have followed the same practice, we determined with medium to high confidence that Cyclops targeted a non-profit organization which supports innovation and entrepreneurship in Lebanon, as well as a telecommunication company in Afghanistan.\r\nAttribution\r\nWe first decided to focus on the Cyclops sample because the associated domain could be linked with known BellaCiao infrastructure, as we demonstrated in a previous section.\r\nWhile analyzing Cyclops, we noticed other similarities with publicly documented BellaCiao samples and related activities:\r\n- Both Cyclops and BellaCiao use a hostname resolution result to control implant execution flow, and both implants generate hostnames containing 
random characters and a target-specific explicit identifier;\r\n- Both implants aim at starting a malicious HTTP service for the operators to send commands (dropped webshell or PowerShell payload for BellaCiao, embedded service for Cyclops). The HTTP services are additionally exposed on unusual high port numbers, and executing commands through such services is password-protected;\r\n- Implant filenames (poorly) impersonate server or update services (such as Exchange Agent Diagnostic Services.exe for BellaCiao, Microsoft SqlServer.exe for Cyclops);\r\n- Both implants’ operators rely on SSH tunnels (embedded feature for Cyclops, additional tools such as Plink required for BellaCiao) to access the created HTTP services on targeted computers;\r\n- Last but not least, both implants’ operators use the same usernames and/or passwords as part of their HTTP or SSH services access control.\r\nAdditionally, we determined that the development of the Cyclops sample that we identified likely ended in late 2023, while to the best of our knowledge, BellaCiao usage seemingly stopped between late June 2023 and December 2023. As a result, we believe with medium to high confidence that Cyclops is a replacement for BellaCiao, and is likely developed and/or operated by the same threat actor.\r\nBellaCiao has been publicly associated with Charming Kitten1,5. We notice that both BellaCiao and Cyclops operators indeed rely on practices which are leveraged by other threat actors in the “Kitten” family, and that the Cyclops targets we know of could match Islamic Revolutionary Guard Corps’ (IRGC) interests: extending Iran’s influence across the Middle East (and beyond), including in Lebanon, where Hezbollah, Iran’s close ally, operates from.\r\nHowever, related practices (such as network communication tunneling, custom implants, and HTTP services usage) are quite common for many threat actors. While these align with known tactics of the “Kitten” family of threat actors, they are not unique to this group. Furthermore, the two targets we identified are not enough to establish any clear victimology focus or definitively attribute these actions to the IRGC. More data and evidence would be needed to draw firmer conclusions about the threat actor’s identity and motivations.\r\nConclusion\r\nThis research shows an increase in proficiency for Charming Kitten, with the discovery of a new and well-designed malware platform. Following publications on BellaCiao, we believe the threat actor took action and started developing new malware to replace their burnt tools, thus confirming the impact of threat intelligence on adversary operations.\r\nThe choice of Go for the Cyclops malware has a few implications. Firstly, it confirms the popularity of this language among malware developers. Secondly, the initially low number of detections for this sample indicates that Go programs may still represent a challenge for security solutions. And finally, it is possible that macOS and Linux variants of Cyclops were also created from the same codebase and that we have yet to find them.\r\nOverall, based on our investigations, the prevalence of Cyclops appears to be highly limited at present. By releasing this research, we aim to enable the broader community to identify additional samples and potentially discover more about the scope of Charming Kitten’s recent operations.\r\nAppendix\r\nIndicators of compromise (IOCs)\r\nAssociated IOCs are also available on our GitHub repository.\r\nHashes (SHA-256)\r\nfafa68e626f1b789261c4dd7fae692756cf71881c7273260af26ca051a094a69|Cyclops\r\nDomains\r\nautoupdate[.]uk|Cyclops validator\r\nIP Addresses\r\n88.80.145[.]126|Cyclops SSH C2 and validator NS\r\nURLs\r\nhxxps://127.0.0.1:55561/api/v3/update|Cyclops REST API endpoint (bound to the implant’s loopback interface, reachable only through the SSH tunnel)\r\nPossibly associated domains\r\nservicechecker[.]top|Possible BellaCiao or Cyclops validator\r\nservicesupdate[.]info|Possible former BellaCiao or Cyclops validator\r\nmail-update[.]info|Possible former BellaCiao or Cyclops validator\r\nfreeheadlines[.]top|Possible former BellaCiao or Cyclops validator\r\nservicepackupdate[.]info|Possible former BellaCiao or Cyclops validator\r\nsystemupdate[.]info|Possible former BellaCiao or Cyclops validator\r\nPossibly associated IP Addresses\r\n88.80.145[.]93|Possible BellaCiao or Cyclops infrastructure\r\n88.80.145[.]122|Possible BellaCiao or Cyclops infrastructure\r\n88.80.145[.]137|Possible former BellaCiao or Cyclops infrastructure\r\n88.80.145[.]132|Possible former BellaCiao or Cyclops infrastructure\r\nYara rules\r\nrule charmingkitten_cyclops\r\n{\r\n    meta:\r\n        description = \"Detects Cyclops Golang Malware\"\r\n        references = \"TRR240801\"\r\n        hash = \"fafa68e626f1b789261c4dd7fae692756cf71881c7273260af26ca051a094a69\"\r\n        date = \"2024-08-05\"\r\n        author = \"HarfangLab\"\r\n        context = \"file\"\r\n    strings:\r\n        $go = \" Go build ID: \\\"\" ascii\r\n        $a1 = \"dep\\tback-service\\t(devel)\" ascii fullword\r\n        $a2 = \"/brain-loader-enc.go\\x00\" ascii\r\n        $a3 = \"back-service/go-mux/api\" ascii\r\n        $a4 = \"/JD-M42KItJncJfqb38qh/\" ascii\r\n    condition:\r\n        filesize \u003e 2MB and filesize \u003c 20MB\r\n        and (uint16(0) == 0x5A4D)\r\n        and $go\r\n        and (2 of ($a*))\r\n}\r\nSuricata rules\r\nalert tcp $EXTERNAL_NET any -\u003e $HOME_NET [80,443,1024:] (msg:\"Invalid RFC7617 Basic Auth in HTTP POST\"; flow:es\r\nalert tcp $EXTERNAL_NET any -\u003e $HOME_NET [80,443,1024:] (msg:\"Cyclops HTTP API Request\"; flow:established,to_ser\r\nPython script to interact with Cyclops\r\nThe associated Python code snippet is available on our GitHub repository.\r\n1. https://www.bitdefender.com/blog/businessinsights/unpacking-bellaciao-a-closer-look-at-irans-latest-malware/\r\n2. https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/5bc57431-a7a9-49ad-944d-b93b7d35d0fc.pdf\r\n3. https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/\r\n4. https://securelist.com/apt-trends-report-q3-2023/110752/\r\nSource: https://harfanglab.io/insidethelab/cyclops-replacement-bellaciao/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://harfanglab.io/insidethelab/cyclops-replacement-bellaciao/"
	],
	"report_names": [
		"cyclops-replacement-bellaciao"
	],
	"threat_actors": [
		{
			"id": "82b92285-4588-48c9-8578-bb39f903cf62",
			"created_at": "2022-10-25T15:50:23.850506Z",
			"updated_at": "2026-04-10T02:00:05.418577Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"Charming Kitten"
			],
			"source_name": "MITRE:Charming Kitten",
			"tools": [
				"DownPaper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "029625d2-9734-44f9-9e10-b894b4f57f08",
			"created_at": "2023-01-06T13:46:38.364105Z",
			"updated_at": "2026-04-10T02:00:02.944092Z",
			"deleted_at": null,
			"main_name": "Charming Kitten",
			"aliases": [
				"iKittens",
				"Group 83",
				"NewsBeef",
				"G0058",
				"CharmingCypress",
				"Mint Sandstorm",
				"Parastoo"
			],
			"source_name": "MISPGALAXY:Charming Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f87ef0bf-0574-492f-aebc-63e5953938e2",
			"created_at": "2024-11-23T02:00:04.116692Z",
			"updated_at": "2026-04-10T02:00:03.779803Z",
			"deleted_at": null,
			"main_name": "Gorilla",
			"aliases": [],
			"source_name": "MISPGALAXY:Gorilla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439136,
	"ts_updated_at": 1775792040,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f35ea0e8da49ede774e4d5ae935001edbeb412f1.pdf",
		"text": "https://archive.orkl.eu/f35ea0e8da49ede774e4d5ae935001edbeb412f1.txt",
		"img": "https://archive.orkl.eu/f35ea0e8da49ede774e4d5ae935001edbeb412f1.jpg"
	}
}