Charming Kitten Replaces Bellaciao Malware With Cyclops
The Charming Kitten threat group (APT35) was found using the Cyclops backdoor against targets in the Middle East in 2024. Cyclops, written in Go, enables the execution of arbitrary commands on a target's system and allows lateral movement within the network. The malware is controlled via an HTTP REST API accessed through an SSH tunnel. Cyclops appears to be a successor to the BellaCiao malware, sharing similar TTPs and targets. It uses the go-svc library to run as a service on Windows, likely for persistence.