
Cuttlefish Targeting SOHO Routers

Written by The Hivemind | May 10, 2024 6:07:32 PM

Related Families: HiatusRat
Targeted Verticals: Telecommunications, Various

Executive Summary

Cuttlefish is a recently discovered modular malware platform observed targeting networking equipment, including enterprise-grade SOHO routers.

Key Takeaways

  • Cuttlefish is a recently discovered modular malware platform observed targeting networking equipment, including enterprise-grade SOHO routers.
  • Cuttlefish has been active in the wild since at least July 2023; the most recent known campaign ran from October 2023 to April 2024.
  • Cuttlefish lets threat actors monitor traffic passing through the router from the LAN and steal authentication material from web requests, with no user interaction required (a zero-click approach).
  • Cuttlefish can also hijack both DNS and HTTP requests destined for private IP space.

What is Cuttlefish?

Cuttlefish is a recently discovered modular malware platform observed targeting networking equipment, including enterprise-grade SOHO routers. Activity associated with Cuttlefish began as early as July 2023. Most infections affected entities in Turkey, with telecommunications the only vertical specifically identified. The most recent known campaign ran from October 2023 to April 2024. Lumen recently reported on Cuttlefish.

Cuttlefish has two core functions: a sniffer and a hijacker. The sniffer lets threat actors monitor traffic passing through the router from the LAN and steal authentication material from web requests, with no user interaction required. According to Lumen, what makes Cuttlefish particularly insidious is that it can also hijack both DNS and HTTP requests destined for private IP space. It can interact with other devices on the LAN to move data or introduce new agents.

The initial access vector is unknown. Once threat actors gain a foothold in the victim network, they deploy a bash script that gathers host data and exfiltrates it to the C2. The script then downloads and executes the Cuttlefish payload built for the router's CPU architecture.

Cuttlefish passively sniffs network packets, using an extended Berkeley Packet Filter (eBPF) to look for authentication data associated with cloud-based services, including Alicloud, Amazon Web Services (AWS), DigitalOcean, Cloudflare, and Bitbucket. Cuttlefish also acts as a proxy and a VPN, routing traffic through the victim router, so the threat actors can use the stolen credentials over that path.
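To make concrete what such a sniffer is looking for, and to give defenders a way to check whether their own LAN traffic offers anything to harvest, here is an added example (not PolySwarm's code and not Cuttlefish's): a small Python audit script that parses a raw cleartext HTTP request and reports authentication material for the services named above. The header formats (AWS Signature V4 `Credential=` scope, Cloudflare's legacy `X-Auth-Key`, Bearer and Basic authorization, Alibaba Cloud OSS's `OSS AccessKeyId:Signature` scheme) and the API hostnames are the ones those services use; the requests themselves are constructed samples, and the AWS key ID is the placeholder from AWS's own documentation. A passive router-side sniffer sees only traffic that crosses it in the clear, so a hit from this script on captured LAN traffic means the same credential was available to anything sitting on the router.

```python
"""Audit: what a router-resident credential sniffer could harvest from cleartext HTTP.
Added example for this post; not PolySwarm's or Cuttlefish's code."""
import base64
import re

# API host suffixes of the services named in the report (real hostnames), used to
# attribute a generic Bearer/Basic Authorization header to a service.
SERVICE_HOSTS = {
    "amazonaws.com": "aws",
    "aliyuncs.com": "alibaba_cloud",
    "digitalocean.com": "digitalocean",
    "cloudflare.com": "cloudflare",
    "bitbucket.org": "bitbucket",
}

# AWS access key IDs have a fixed 20-character shape, so they can be spotted anywhere
# in a request (JSON body, form field, custom header), not only in a signed header.
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# SigV4 scope: Credential=<AccessKeyId>/<date>/<region>/<service>/aws4_request
SIGV4_CRED = re.compile(r"Credential=([A-Z0-9]+)/")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (start line, {lower-cased header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate a malformed line rather than abort the scan
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("latin-1")


def service_for_host(host: str) -> str:
    """Map a Host header to one of the services above, or 'unknown'."""
    host = host.lower().split(":")[0]
    for suffix, service in SERVICE_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            return service
    return "unknown"


def find_credentials(raw: bytes) -> list:
    """Return [{'service', 'kind', 'value'}] for every credential visible in the request."""
    _, headers, body = parse_request(raw)
    findings, seen = [], set()

    def add(service, kind, value):
        if value not in seen:  # the same key ID often appears twice (scope and body)
            seen.add(value)
            findings.append({"service": service, "kind": kind, "value": value})

    host_service = service_for_host(headers.get("host", ""))
    scheme, _, param = headers.get("authorization", "").partition(" ")
    scheme, param = scheme.lower(), param.strip()

    if scheme == "aws4-hmac-sha256":           # AWS SigV4: the key ID is in the scope
        m = SIGV4_CRED.search(param)
        if m:
            add("aws", "sigv4_access_key_id", m.group(1))
    elif scheme == "oss":                      # Alibaba Cloud OSS: "OSS <AccessKeyId>:<Signature>"
        add("alibaba_cloud", "oss_access_key_id", param.split(":", 1)[0])
    elif scheme == "bearer":                   # DigitalOcean, Bitbucket, Cloudflare API tokens
        add(host_service, "bearer_token", param)
    elif scheme == "basic":                    # e.g. Bitbucket app passwords
        try:
            decoded = base64.b64decode(param, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            decoded = ""
        if ":" in decoded:
            add(host_service, "basic_auth", decoded)

    if "x-auth-key" in headers:                # Cloudflare legacy global API key
        add("cloudflare", "legacy_api_key", headers["x-auth-key"])

    for m in AWS_KEY_ID.finditer("\n".join(headers.values()) + "\n" + body):
        add("aws", "access_key_id", m.group(0))
    return findings


def redact(value: str) -> str:
    """Show enough to recognise a secret in a report, never enough to reuse it."""
    return value if len(value) <= 8 else value[:4] + "..." + value[-4:]


# Constructed sample requests (not real captures); the key ID is AWS's documentation placeholder.
SAMPLES = {
    "aws_s3_list": (
        b"GET /?list-type=2 HTTP/1.1\r\nHost: examplebucket.s3.amazonaws.com\r\n"
        b"Authorization: AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request, "
        b"SignedHeaders=host;x-amz-date, Signature=deadbeef\r\nX-Amz-Date: 20130524T000000Z\r\n\r\n"
    ),
    "cloudflare_zones": (
        b"GET /client/v4/zones HTTP/1.1\r\nHost: api.cloudflare.com\r\nX-Auth-Email: admin@example.com\r\n"
        b"X-Auth-Key: 0123456789abcdef0123456789abcdef01234\r\n\r\n"
    ),
    "digitalocean_droplets": (
        b"GET /v2/droplets HTTP/1.1\r\nHost: api.digitalocean.com\r\n"
        b"Authorization: Bearer dop_v1_constructedtokenvalue\r\n\r\n"
    ),
    "bitbucket_repos": (
        b"GET /2.0/repositories HTTP/1.1\r\nHost: api.bitbucket.org\r\nAuthorization: Basic "
        + base64.b64encode(b"alice:s3cret-app-password") + b"\r\n\r\n"
    ),
    # No Authorization header at all: a key pasted into a JSON body sent to an internal CI host.
    "internal_deploy_post": (
        b"POST /deploy HTTP/1.1\r\nHost: ci.corp.example\r\nContent-Type: application/json\r\n\r\n"
        b'{"aws_access_key_id": "AKIAIOSFODNN7EXAMPLE", "aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}'
    ),
    "plain_intranet": b"GET /status HTTP/1.1\r\nHost: intranet.corp.example\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        hits = find_credentials(raw)
        print(f"{name}: " + (", ".join(f"{h['service']}/{h['kind']}={redact(h['value'])}" for h in hits)
                             or "nothing exposed"))
```

Feed it requests reassembled from a packet capture of the router's LAN side; every finding is a credential a router-resident sniffer could have copied and is a candidate for rotation and for moving that client to TLS. The last constructed sample matters most in practice: an access key posted in a JSON body to an internal host carries no Authorization header at all and is caught only by the key-ID shape, which is why the scan covers bodies and every header, not just `Authorization`.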

Lumen noted apparent code overlap between Cuttlefish and HiatusRat, a router-targeting malware used for espionage that researchers have linked to unnamed China-nexus threat actors. While Cuttlefish and HiatusRat do not appear to share victimology, they have been active concurrently.

PolySwarm has multiple samples of Cuttlefish.

You can use the following CLI command to search for all Cuttlefish samples in our portal:

$ polyswarm link list -f Cuttlefish


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.
