
CyberEye, also known as TelegramRAT, has emerged as a powerful and modular .NET-based remote access trojan (RAT) enabling widespread data theft, surveillance, and persistence on compromised systems. In a recent deep-dive report, cybersecurity firm CYFIRMA warns that the malware’s streamlined builder, Telegram-based C2, and sophisticated anti-analysis capabilities are rapidly making it a go-to tool for cybercriminals.
The CyberEye malware comes with a GUI-based builder that allows attackers to generate tailored payloads in just a few clicks. This makes it highly accessible to even low-skilled threat actors.
“The builder framework allows adversaries to configure how the payload behaves once executed on a target machine.”
Options include injecting credentials, enabling keyloggers, clipboard hijacking, and adding persistence mechanisms. Once compiled, the malware can be spread through phishing campaigns or malicious file downloads.

CyberEye is equipped with advanced anti-analysis and sandbox evasion features that allow it to detect and terminate itself in virtualized environments or when debugging tools are active.
“The malware’s anti-analysis features are implemented within the persistence class… It checks for the presence of specific DLLs associated with sandbox environments and inspects system hardware identifiers such as ‘VirtualBox’ or ‘VMware’.”
The malware also includes a UAC bypass routine, attempting to relaunch itself with administrative privileges and silently disable Windows Defender using both PowerShell and registry manipulation:
“Disables real-time protection, behaviour monitoring, and on-access scanning… effectively making the system believe these are administrative decisions.”
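As an added defensive check (not code from the CYFIRMA report or from the malware), the following PowerShell script audits the Defender settings that a routine like the one described above would flip: the Group Policy registry values that make the change look like an administrative decision, the effective configuration reported by Get-MpPreference, and the Defender operational event log. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run from an elevated prompt; the registry paths, cmdlets and event IDs used are standard Windows ones.

```powershell
# Added example: audit Windows Defender for the kind of tampering described above.
# Not taken from the CYFIRMA report; assumes an elevated Windows PowerShell session.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$RtpPath    = Join-Path $PolicyPath 'Real-Time Protection'

# Policy registry values that, when set to 1, switch a protection component off.
$WatchedValues = @(
    @{ Path = $PolicyPath; Name = 'DisableAntiSpyware' }
    @{ Path = $RtpPath;    Name = 'DisableRealtimeMonitoring' }
    @{ Path = $RtpPath;    Name = 'DisableBehaviorMonitoring' }
    @{ Path = $RtpPath;    Name = 'DisableOnAccessProtection' }
    @{ Path = $RtpPath;    Name = 'DisableIOAVProtection' }
)

function Get-DefenderPolicyTampering {
    # Registry-side check: writing these policy keys makes the change appear to
    # come from Group Policy rather than from a local process.
    foreach ($v in $WatchedValues) {
        $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($v.Name) -eq 1) {
            [pscustomobject]@{ Source = 'Registry'; Item = $v.Name; Detail = $v.Path }
        }
    }
}

function Get-DefenderPreferenceTampering {
    # Effective-configuration check: a change made through
    # Set-MpPreference -DisableRealtimeMonitoring $true shows up here even when
    # no policy key was written.
    try { $pref = Get-MpPreference } catch { Write-Warning "Get-MpPreference unavailable: $_"; return }
    foreach ($name in 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring',
                      'DisableIOAVProtection', 'DisableScriptScanning') {
        if ($pref.$name -eq $true) {
            [pscustomobject]@{ Source = 'MpPreference'; Item = $name; Detail = 'effective setting is True' }
        }
    }
}

function Get-DefenderDisableEvents {
    param([int]$Hours = 24)
    # Event 5001 = real-time protection disabled; 5007 = configuration changed.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001, 5007
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Source = "Event $($_.Id)"
                Item   = $_.TimeCreated
                Detail = ($_.Message -split "`n")[0]   # first line of the message only
            }
        }
}

$findings = @(Get-DefenderPolicyTampering) + @(Get-DefenderPreferenceTampering) + @(Get-DefenderDisableEvents)
if ($findings.Count -eq 0) {
    'No Defender tampering indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit in the Registry column on a machine that is not domain-managed is the strongest signal, because no legitimate Group Policy should have written those values there. Remediation after triage is the inverse of the tampering: remove the policy values and run Set-MpPreference with the corresponding -Disable... switches set to $false, then confirm that Tamper Protection is enabled so the settings cannot be flipped again without elevation through the Security Center.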
CyberEye’s AutoStealer class orchestrates the data exfiltration process. It loads decryption libraries from GitHub and launches threads to collect data from browsers, communication apps, and file systems:
- Passwords, cookies, credit cards, and browser history from Chromium-based browsers
- Telegram and Discord session data
- FTP credentials from FileZilla
- Steam login configurations and saved files from Desktop
“The decryption engine is designed specifically to recover encrypted secrets… using AES-GCM or Windows DPAPI depending on browser version.”
It even monitors the clipboard for cryptocurrency wallet addresses and replaces them with attacker-controlled values, hijacking transactions for Bitcoin, Ethereum, and Monero.
“A Telegram message is then sent containing the original and replaced values, giving the attacker a detailed audit of successful hijack attempts.”
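The following PowerShell watchdog is an added example, not code from the report or the malware, that flags the replace-on-copy behaviour described above. It polls the clipboard, classifies wallet addresses with regular expressions (Bitcoin, Ethereum and Monero, the three coins the article names), and raises a warning when one address is replaced by a different address of the same coin type within a short window. It assumes Windows PowerShell 5.1 or later for Get-Clipboard; the two-second window and the address patterns are the example's own choices.

```powershell
# Added example: detect clipboard wallet-address swaps like the one described above.
# Not from the CYFIRMA report; assumes Windows PowerShell 5.1+ (Get-Clipboard).

# Address shapes for the coins named in the report. Base58 is case-sensitive, so
# the matching below uses -cmatch rather than the case-insensitive -match.
$AddressPatterns = [ordered]@{
    Bitcoin  = '^(bc1[ac-hj-np-z02-9]{39,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$'
    Ethereum = '^0x[0-9a-fA-F]{40}$'
    Monero   = '^[48][1-9A-HJ-NP-Za-km-z]{94}$'
}

function Get-WalletAddressType {
    param([string]$Text)
    $t = $Text.Trim()
    foreach ($name in $AddressPatterns.Keys) {
        if ($t -cmatch $AddressPatterns[$name]) { return $name }
    }
    return $null
}

function Test-AddressSwap {
    # A swap is: the clipboard held wallet address A, and within $WindowSeconds it
    # holds a different address B of the same coin type. A hijacker overwrites the
    # clipboard almost instantly; a user rarely copies two same-coin addresses
    # back to back that fast.
    param(
        [string]$Previous,
        [string]$Current,
        [double]$ElapsedSeconds,
        [double]$WindowSeconds = 2.0
    )
    if ($Previous -eq $Current) { return $false }
    $prevType = Get-WalletAddressType $Previous
    $curType  = Get-WalletAddressType $Current
    return ($null -ne $prevType) -and ($prevType -eq $curType) -and ($ElapsedSeconds -le $WindowSeconds)
}

function Watch-Clipboard {
    param([int]$PollMs = 250)
    $last = ''
    $lastChange = Get-Date
    while ($true) {
        $now  = Get-Date
        $text = Get-Clipboard -Raw -ErrorAction SilentlyContinue
        if ($null -eq $text) { $text = '' }
        if ($text -ne $last) {
            $elapsed = ($now - $lastChange).TotalSeconds
            if (Test-AddressSwap -Previous $last -Current $text -ElapsedSeconds $elapsed) {
                Write-Warning ("Possible clipboard hijack: {0} address replaced after {1:N2}s`n  was: {2}`n  now: {3}" -f
                    (Get-WalletAddressType $last), $elapsed, $last, $text)
            }
            $last = $text
            $lastChange = $now
        }
        Start-Sleep -Milliseconds $PollMs
    }
}

Watch-Clipboard
```

Run it in a separate console while working with a wallet; Test-AddressSwap is kept as its own function so the decision logic can be exercised with constructed address pairs without touching the real clipboard. For fleet-wide monitoring, the same logic belongs in an EDR rule keyed on processes that call the clipboard APIs far more often than any interactive application would.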
Unlike traditional malware that connects to attacker-controlled infrastructure, CyberEye uses the Telegram Bot API for all its command-and-control communications:
“The malware maintains a persistent background thread to poll Telegram messages, decode instructions, and pass them to the Commands module for execution.”
This setup allows attackers to receive real-time updates and send instructions—such as activating keyloggers or stealing Wi-Fi credentials—without triggering the alerts that bespoke C2 infrastructure typically would, because the traffic goes over HTTPS to a legitimate, widely used service rather than to a suspicious domain or IP address.
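Because the beacon is ordinary HTTPS to api.telegram.org, the useful detection signal is the shape of the traffic rather than its destination: a bot token embedded in the URL path, a regular getUpdates polling cadence from an endpoint, and upload calls (sendDocument, sendMessage) from the same host. The following PowerShell script is an added example, not code from the report, that scores web-proxy log lines on exactly those features. The log format, client addresses and bot tokens are constructed for illustration; the line regex would need adapting to a real proxy's format, and the allow list of known automation hosts is an assumed input.

```powershell
# Added example: find Telegram Bot API polling in proxy logs. Not from the CYFIRMA
# report. Log lines below are constructed: "<ISO timestamp> <client> <verb> <url> "<user-agent>"".
# The bot tokens are obviously fake placeholders, not real credentials.
$SampleLog = @'
2025-05-01T10:00:00Z 10.0.0.5 GET https://api.telegram.org/bot123456789:AAExampleTokenExampleTokenExampleTok/getUpdates?offset=1 "Mozilla/4.0"
2025-05-01T10:00:05Z 10.0.0.5 GET https://api.telegram.org/bot123456789:AAExampleTokenExampleTokenExampleTok/getUpdates?offset=1 "Mozilla/4.0"
2025-05-01T10:00:10Z 10.0.0.5 GET https://api.telegram.org/bot123456789:AAExampleTokenExampleTokenExampleTok/getUpdates?offset=2 "Mozilla/4.0"
2025-05-01T10:00:12Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAExampleTokenExampleTokenExampleTok/sendDocument "Mozilla/4.0"
2025-05-01T10:00:15Z 10.0.0.5 GET https://api.telegram.org/bot123456789:AAExampleTokenExampleTokenExampleTok/getUpdates?offset=3 "Mozilla/4.0"
2025-05-01T10:00:20Z 10.0.0.5 GET https://api.telegram.org/bot123456789:AAExampleTokenExampleTokenExampleTok/getUpdates?offset=3 "Mozilla/4.0"
2025-05-01T10:01:00Z 10.0.0.9 GET https://api.telegram.org/bot987654321:BBAnotherConstructedTokenValue000000/getUpdates "monitoring-script/1.0"
2025-05-01T10:02:00Z 10.0.0.7 GET https://example.com/index.html "Mozilla/5.0"
'@

$LineRegex = '^(?<ts>\S+) (?<ip>\S+) (?<verb>\S+) (?<url>\S+) "(?<ua>[^"]*)"$'
# Bot API URLs carry the token as bot<numeric id>:<secret>; the secret is never emitted below.
$BotRegex  = 'api\.telegram\.org/bot(?<botid>\d+):(?<secret>[A-Za-z0-9_-]{30,})/(?<api>[A-Za-z]+)'

function ConvertFrom-ProxyLog {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -notmatch $LineRegex) { continue }
        # Copy the captures before the second -match overwrites $Matches.
        $ts, $ip, $verb, $url, $ua = $Matches.ts, $Matches.ip, $Matches.verb, $Matches.url, $Matches.ua
        if ($url -notmatch $BotRegex) { continue }
        [pscustomobject]@{
            Time      = [datetime]::Parse($ts, [cultureinfo]::InvariantCulture).ToUniversalTime()
            Client    = $ip
            BotId     = $Matches.botid
            Api       = $Matches.api
            Verb      = $verb
            UserAgent = $ua
        }
    }
}

function Find-TelegramBotC2 {
    param(
        [string[]]$Lines,
        [string[]]$KnownBotClients = @(),   # hosts that legitimately run Telegram bots
        [int]$MinPolls = 3,
        [double]$MaxJitterSeconds = 1.0
    )
    $events = ConvertFrom-ProxyLog -Lines $Lines
    foreach ($group in ($events | Group-Object Client, BotId)) {
        $client = $group.Group[0].Client
        if ($KnownBotClients -contains $client) { continue }
        $polls = @($group.Group | Where-Object Api -eq 'getUpdates' | Sort-Object Time)
        if ($polls.Count -lt $MinPolls) { continue }
        # Gaps between consecutive polls; a sleep-loop beacon produces near-constant gaps.
        $gaps   = for ($i = 1; $i -lt $polls.Count; $i++) { ($polls[$i].Time - $polls[$i - 1].Time).TotalSeconds }
        $mean   = ($gaps | Measure-Object -Average).Average
        $jitter = ($gaps | ForEach-Object { [math]::Abs($_ - $mean) } | Measure-Object -Maximum).Maximum
        $uploads = @($group.Group | Where-Object { $_.Api -in 'sendDocument', 'sendMessage', 'sendPhoto' })
        $verdict = if ($jitter -le $MaxJitterSeconds) { 'regular polling: likely automated C2' } else { 'irregular polling: review' }
        [pscustomobject]@{
            Client        = $client
            BotId         = $group.Group[0].BotId
            PollCount     = $polls.Count
            MeanIntervalS = [math]::Round($mean, 2)
            MaxJitterS    = [math]::Round($jitter, 2)
            Uploads       = $uploads.Count
            UserAgents    = ($group.Group.UserAgent | Sort-Object -Unique) -join ', '
            Verdict       = $verdict
        }
    }
}

Find-TelegramBotC2 -Lines ($SampleLog -split "`r?`n") -KnownBotClients @('10.0.0.9') | Format-List
```

On the constructed sample, host 10.0.0.5 polls every five seconds with zero jitter and uploads a document in between, so it is reported as likely automated C2, while 10.0.0.9 is skipped through the allow list and 10.0.0.7 never matches the Bot API pattern. The bot id is reported but the token secret is not, so the output can be shared in a ticket without leaking a credential; if the token is needed for takedown requests it can be pulled from the raw log by the analyst handling the case.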
CyberEye has been openly shared on GitHub and Telegram by actors using aliases @cisamu123 and @CodQu:
“The GitHub project… includes fully working builder code, documentation, and contact information for support. These elements strongly indicate that the tool is intended not only for personal use but for distribution among a wider audience.”
While a free version is available, discussions on Telegram hint at a premium build with expanded capabilities marketed in Russian-language channels.