CyberEye, also known as TelegramRAT, has emerged as a powerful and modular .NET-based remote access trojan (RAT) enabling widespread data theft, surveillance, and persistence on compromised systems. In a recent deep-dive report, cybersecurity firm CYFIRMA warns that the malware's streamlined builder, Telegram-based C2, and sophisticated anti-analysis capabilities are rapidly making it a go-to tool for cybercriminals.
The CyberEye malware comes with a GUI-based builder that allows attackers to generate tailored payloads in just a few clicks. This makes it highly accessible to even low-skilled threat actors.
"The builder framework allows adversaries to configure how the payload behaves once executed on a target machine."
Options include injecting credentials, enabling keyloggers, clipboard hijacking, and adding persistence mechanisms. Once compiled, the malware can be spread through phishing campaigns or malicious file downloads.

CyberEye is equipped with advanced anti-analysis and sandbox evasion features that allow it to detect and terminate itself in virtualized environments or when debugging tools are active.
"The malware's anti-analysis features are implemented within the persistence class... It checks for the presence of specific DLLs associated with sandbox environments and inspects system hardware identifiers such as 'VirtualBox' or 'VMware'."
The malware also includes a UAC bypass routine, attempting to relaunch itself with administrative privileges and silently disable Windows Defender using both PowerShell and registry manipulation:
"Disables real-time protection, behaviour monitoring, and on-access scanning... effectively making the system believe these are administrative decisions."
CyberEye's AutoStealer class orchestrates the data exfiltration process. It loads decryption libraries from GitHub and launches threads to collect data from browsers, communication apps, and file systems:
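Because the Defender tampering described above lands in the registry as policy values, a defender can audit for it offline. The following is an added example (not code from CYFIRMA's report or from the malware) that parses a `reg export` dump of the Defender policy hive and flags the values that turn off real-time protection, behaviour monitoring and on-access scanning. The key paths and value names are the real Defender Group Policy locations; the `.reg` text embedded below is a constructed sample standing in for an export taken from a host under review.

```python
import re

# Defender policy values that, when set to 1, switch off the protections the
# report says CyberEye disables. Key paths are the real policy locations.
TAMPER_VALUES = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender": {
        "DisableAntiSpyware",
    },
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection": {
        "DisableRealtimeMonitoring",      # real-time protection
        "DisableBehaviorMonitoring",      # behaviour monitoring
        "DisableOnAccessProtection",      # on-access scanning
        "DisableScanOnRealtimeEnable",
    },
}

# Constructed .reg export standing in for `reg export` output from a suspect host.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001
"DisableBehaviorMonitoring"=dword:00000001
"DisableOnAccessProtection"=dword:00000000
"DisableScanOnRealtimeEnable"=dword:00000001
"""

VALUE_RE = re.compile(r'^"([^"]+)"=(.+)$')


def parse_reg_export(text):
    """Parse a .reg export into {key_path_lowercased: {value_name: value}}.

    REG_DWORD (dword:xxxxxxxx) values become ints and quoted REG_SZ values
    become str; any other type is kept as its raw text so nothing is dropped.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()   # registry key names are case-insensitive
            keys.setdefault(current, {})
            continue
        match = VALUE_RE.match(line)
        if match and current is not None:
            name, value = match.group(1), match.group(2).strip()
            if value.lower().startswith("dword:"):
                keys[current][name] = int(value[len("dword:"):], 16)
            elif value.startswith('"') and value.endswith('"'):
                keys[current][name] = value[1:-1]
            else:
                keys[current][name] = value
    return keys


def find_defender_tampering(reg_text):
    """Return (key_path, value_name) pairs whose policy value is set to 1."""
    keys = parse_reg_export(reg_text)
    findings = []
    for key_path, names in TAMPER_VALUES.items():
        values = keys.get(key_path.lower(), {})
        for name in sorted(names):
            if values.get(name) == 1:
                findings.append((key_path, name))
    return findings


if __name__ == "__main__":
    for key_path, name in find_defender_tampering(SAMPLE_REG_EXPORT):
        print(f"TAMPERED: {key_path}\\{name} = 1")
```

On a live host the same values can be queried with `Get-MpPreference` or read directly from the policy hive; the point of the parser is that an exported hive from an image or a remote collection can be checked without running anything on the affected machine. Any hit under the `Policies` path on a host that is not domain-managed, or that your GPOs do not set, deserves a closer look at what wrote it.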
- Passwords, cookies, credit cards, and browser history from Chromium-based browsers
- Telegram and Discord session data
- FTP credentials from FileZilla
- Steam login configurations and saved files from Desktop
"The decryption engine is designed specifically to recover encrypted secrets... using AES-GCM or Windows DPAPI depending on browser version."
It even monitors the clipboard for cryptocurrency wallet addresses and replaces them with attacker-controlled values, hijacking transactions for Bitcoin, Ethereum, and Monero.
"A Telegram message is then sent containing the original and replaced values, giving the attacker a detailed audit of successful hijack attempts."
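The clipper behaviour described above has a distinctive signature from the victim's side: a wallet address in the clipboard is replaced by a different address of the same coin almost instantly, far faster than a person copies a second address. The following added example (not code from the report or from CyberEye) turns that observation into a detector over a clipboard history. The address patterns are syntactic checks for Bitcoin, Ethereum and Monero address shapes (no checksum validation), the two-second threshold is an assumed heuristic, and the clipboard snapshots and addresses are constructed placeholders.

```python
import re
from datetime import datetime

# Syntactic address shapes for the three coins the report names.
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "XMR": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}

# Constructed clipboard history as (ISO timestamp, clipboard text). The
# addresses are made-up placeholders, not real wallets.
SAMPLE_CLIPBOARD_EVENTS = [
    ("2025-06-01T10:00:00.000", "invoice #4411 due Friday"),
    ("2025-06-01T10:00:05.000", "0x" + "a" * 40),    # user copies a payee's ETH address
    ("2025-06-01T10:00:05.150", "0x" + "b" * 40),    # 150 ms later: a different ETH address
    ("2025-06-01T10:01:00.000", "bc1q" + "w" * 38),  # user copies a BTC address
    ("2025-06-01T10:01:30.000", "bc1q" + "x" * 38),  # 30 s later: plausibly the user's own action
    ("2025-06-01T10:02:00.000", "4" + "A" * 94),     # XMR address
    ("2025-06-01T10:02:00.900", "0x" + "c" * 40),    # quick change to a different coin: not a swap
]


def classify_address(text):
    """Return the coin name if text looks like a wallet address, else None."""
    candidate = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(candidate):
            return coin
    return None


def detect_clipboard_swaps(events, max_gap_s=2.0):
    """Flag consecutive snapshots where one address is replaced by a different
    address of the same coin within max_gap_s seconds (assumed heuristic)."""
    alerts = []
    previous = None   # (timestamp, text, coin) of the last snapshot seen
    for ts_text, text in events:
        ts = datetime.fromisoformat(ts_text)
        coin = classify_address(text)
        if previous is not None and coin is not None:
            prev_ts, prev_text, prev_coin = previous
            gap = (ts - prev_ts).total_seconds()
            if prev_coin == coin and prev_text.strip() != text.strip() and gap <= max_gap_s:
                alerts.append({
                    "coin": coin,
                    "original": prev_text.strip(),
                    "replacement": text.strip(),
                    "gap_s": gap,
                })
        previous = (ts, text, coin)
    return alerts


if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_CLIPBOARD_EVENTS):
        print(f"{alert['coin']} address swapped after {alert['gap_s']:.3f}s: "
              f"{alert['original'][:12]}... -> {alert['replacement'][:12]}...")
```

The history would come from an endpoint agent that records clipboard changes, or from a user-mode clipboard monitor during incident triage. A flagged swap is worth correlating with process activity around the same timestamp, since the replacing write comes from the malware's process rather than the application the user copied from.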
Unlike traditional malware that connects to attacker-controlled infrastructure, CyberEye uses the Telegram Bot API for all its command-and-control communications:
"The malware maintains a persistent background thread to poll Telegram messages, decode instructions, and pass them to the Commands module for execution."
This setup allows attackers to receive real-time updates and send instructions, such as activating keyloggers or stealing Wi-Fi credentials, without setting off typical C2 detection alerts.
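Telegram-based C2 blends in because the destination is a legitimate, widely used service, but the polling loop quoted above still leaves a regular pattern: repeated `getUpdates` calls to the Bot API from the same host. The following added example (not from the report or from CyberEye) hunts for that pattern in a web proxy log. It relies on the real Bot API URL shape `https://api.telegram.org/bot<token>/<method>`; the log line layout (`timestamp client verb url status`), the poll-count and interval thresholds, and the log contents with their placeholder bot tokens are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Matches the Bot API URL shape https://api.telegram.org/bot<token>/<method>
# inside an assumed "timestamp client verb url status" proxy log line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<verb>[A-Z]+)\s+"
    r"https?://api\.telegram\.org/bot(?P<token>[^/\s]+)/(?P<api>\w+)"
)

# Constructed proxy log. Both bot tokens are placeholders, not real tokens.
SAMPLE_PROXY_LOG = """\
2025-06-01T10:00:00Z 10.0.0.5 POST https://api.telegram.org/bot1234567890:PLACEHOLDERTOKEN/getUpdates 200
2025-06-01T10:00:03Z 10.0.0.5 POST https://api.telegram.org/bot1234567890:PLACEHOLDERTOKEN/getUpdates 200
2025-06-01T10:00:06Z 10.0.0.5 POST https://api.telegram.org/bot1234567890:PLACEHOLDERTOKEN/getUpdates 200
2025-06-01T10:00:07Z 10.0.0.5 POST https://api.telegram.org/bot1234567890:PLACEHOLDERTOKEN/sendDocument 200
2025-06-01T10:00:09Z 10.0.0.5 POST https://api.telegram.org/bot1234567890:PLACEHOLDERTOKEN/getUpdates 200
2025-06-01T10:00:12Z 10.0.0.5 POST https://api.telegram.org/bot1234567890:PLACEHOLDERTOKEN/getUpdates 200
2025-06-01T10:00:15Z 10.0.0.5 POST https://api.telegram.org/bot1234567890:PLACEHOLDERTOKEN/getUpdates 200
2025-06-01T10:00:01Z 10.0.0.9 POST https://api.telegram.org/bot9876543210:OTHERPLACEHOLDER/sendMessage 200
2025-06-01T10:05:00Z 10.0.0.9 POST https://api.telegram.org/bot9876543210:OTHERPLACEHOLDER/getUpdates 200
2025-06-01T10:00:02Z 10.0.0.7 GET https://example.test/index.html 200
"""


def parse_bot_api_calls(log_text):
    """Extract every Bot API call as {ts, client, token, api}; other lines are ignored."""
    calls = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
        calls.append({"ts": ts, "client": m.group("client"),
                      "token": m.group("token"), "api": m.group("api")})
    return calls


def redact_token(token):
    """Keep the numeric bot id (useful for correlating hosts) and mask the secret."""
    bot_id, sep, secret = token.partition(":")
    if not sep:
        return "*" * len(token)
    return bot_id + ":" + "*" * len(secret)


def find_polling_clients(log_text, min_polls=5, max_median_gap_s=10.0):
    """Report (client, bot) pairs that call getUpdates at least min_polls times
    with a median spacing of max_median_gap_s or less (assumed thresholds)."""
    stamps_by = defaultdict(list)
    for call in parse_bot_api_calls(log_text):
        if call["api"] == "getUpdates":
            stamps_by[(call["client"], call["token"])].append(call["ts"])
    alerts = []
    for (client, token), stamps in stamps_by.items():
        if len(stamps) < min_polls:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med <= max_median_gap_s:
            alerts.append({"client": client, "bot": redact_token(token),
                           "polls": len(stamps), "median_gap_s": med})
    return alerts


def upload_methods_for(log_text, client):
    """Non-polling Bot API methods a client used: sendDocument etc. point at exfiltration."""
    return sorted({c["api"] for c in parse_bot_api_calls(log_text)
                   if c["client"] == client and c["api"] != "getUpdates"})


if __name__ == "__main__":
    for alert in find_polling_clients(SAMPLE_PROXY_LOG):
        print(f"{alert['client']} polls bot {alert['bot']} every ~{alert['median_gap_s']:.0f}s "
              f"({alert['polls']} polls); other methods: {upload_methods_for(SAMPLE_PROXY_LOG, alert['client'])}")
```

Legitimate integrations also poll `getUpdates`, so the hit list is a triage queue rather than a verdict: an allow-list of known bot ids, the process that owns the connection, and a `sendDocument` burst following the polls (as in the constructed log for 10.0.0.5) are what separate a sanctioned bot from a RAT beacon.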
CyberEye has been openly shared on GitHub and Telegram by actors using aliases @cisamu123 and @CodQu:
"The GitHub project... includes fully working builder code, documentation, and contact information for support. These elements strongly indicate that the tool is intended not only for personal use but for distribution among a wider audience."
While a free version is available, discussions on Telegram hint at a premium build with expanded capabilities marketed in Russian-language channels.