Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Malware & Threats

Cuttlefish Malware Targets Routers, Harvests Cloud Authentication Data 

Cuttlefish malware platform roaming around enterprise SOHO routers capable of covertly harvesting public cloud authentication data from internet traffic.

Malware hunters at Lumen’s Black Lotus Labs have set eyes on a new malware platform roaming around enterprise-grade and small office/home office (SOHO) routers capable of covertly harvesting public cloud authentication data from internet traffic.

The platform, tagged as Cuttlefish, is designed to steal authentication material found in web requests that transit the router from the adjacent local area network (LAN) and  researchers warn that the attackers have the capability to hijack DNS and HTTP connections to private IP spaces, which are typically associated with communications within an internal network.

According to documentation from Black Lotus Labs, there are code overlaps between Cuttlefish and HiatusRat, a Chinese hacking group previously seen targeting US military networks and organizations in Europe.

“[The] targeting aligns with the interest of the People’s Republic of China. While there is code overlap between these two malware families, we have not observed shared victimology. We assess that these activity clusters are operating concurrently,” Black Lotus Lab said.

The research team said the Cuttlefish malware platform provides “a zero-click approach to capturing data from users and devices behind the targeted network’s edge.”

“Any data sent across network equipment infiltrated by this malware is potentially exposed. What makes this malware family so insidious is the ability to perform HTTP and DNS hijacking for connections to private IP addresses,” the researchers warn. 

“Cuttlefish lies in wait,  passively sniffing packets, acting only when triggered by a predefined ruleset. The packet sniffer used by Cuttlefish was designed to acquire authentication material, with an emphasis on public cloud-based services.”

Black Lotus Labs researchers found that the threat actor exfiltrated data by creating a proxy or VPN tunnel back through a compromised router, then using stolen credentials to access targeted resources. “By sending the request through the router, we suspect the actor can evade  anomalous sign-in based analytics by using the stolen authentication credentials,” the researchers said.

Advertisement. Scroll to continue reading.

According to data tracked by Lumen Technologies, the malware has been active since at least July 2023 with the latest campaign running from October 2023, through April 2024. 

The company found Cuttlefish infections at a pair of telecommunications providers in Turkey with a handful of non-Turkish victims associated with global satellite phone providers, and a potential US-based datacenter.  

Black Lotus Labs believes Cuttlefish represents the latest adaptation in networking equipment-based malware, as it combines multiple attributes. “It has the ability to perform route manipulation,  hijack connections, and employs passive sniffing capability. With the stolen key material, the  actor not only retrieves cloud resources associated with the targeted entity but gains a foothold into that cloud ecosystem.”

The company released indicators of compromise data and notes that the malware uses libpcap to create an extended Berkeley Packet Filter (eBPF) for eavesdropping and hijacking IP ranges. 

Cuttlefish is specifically programed to search for certain credential “markers” traversing the infected network that contain predefined strings like  “username,” “password” or “access_token,” while others were much more targeted like  “aws_secret_key” and “cloudflare_auth_key.” 

Many of the specific markers were associated with cloud-based services like Alicloud, AWS, Digital Ocean, CloudFlare and BitBucket. 

“Capturing credentials in transit could allow the threat actors to copy data from cloud resources that do not have the same type of logging or controls in place as traditional network perimeters,” the researchers warn..

Black Lotus Labs recommends that corporate network defenders hunt for attacks on weak credentials and suspicious login attempts, even when they originate from residential IP addresses which bypass geofencing and ASN-based blocking. 

Network admins should also inspect SOHO devices for abnormal files such as binaries  located in the /tmp directory or rogue iptables entries and implement certificate pinning when remotely connecting to high-value assets, such as cloud assets, to prevent threat actors from being able to hijack connections.  

Related: US Military Targeted in Recent HiatusRAT Attack

Related: Researchers Discover 40,000-Strong EOL Router, IoT Botnet 

Related: US Gov Disrupts Router Botnet Used by Chinese APT Volt Typhoon

Related: Chinese APT Volt Typhoon Linked to Unkillable SOHO Router Botnet

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights