
Draft:CyberEye RAT

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Cisamu (talk | contribs) at 09:01, 22 June 2025 (-- Draft creation using the WP:Article wizard --). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

CyberEye is a modular remote access trojan (RAT) written for the .NET Framework. It ships with a graphical user interface (GUI) builder that lets an operator generate customized payloads without writing code. CyberEye uses the Telegram Bot API as its command-and-control (C2) channel and targets Microsoft Windows systems. It is distributed via underground forums, Telegram channels, and public code repositories.

Overview

CyberEye enables cybercriminals to create tailored malicious payloads through a user-friendly builder interface. The malware supports a wide range of surveillance and data exfiltration functions, including keystroke logging, file theft, clipboard hijacking, and credential harvesting.

Features

The key capabilities of CyberEye include:

  • Keylogging — recording user keystrokes to capture sensitive input
  • Screenshot capture — periodic or triggered desktop screenshots
  • Clipboard hijacking — including replacement of cryptocurrency wallet addresses to divert funds
  • Credential and cookie theft — targeting popular browsers such as Google Chrome, Microsoft Edge, and Brave
  • Session data extraction — from messaging and gaming platforms like Telegram, Discord, and Steam
  • File collection — from user directories including Desktop and Downloads
  • Persistence mechanisms — via Windows Task Scheduler and Registry autorun entries
  • Anti-analysis features — detecting virtual machines and sandbox environments so that automated analysis does not observe the malicious behaviour
  • Windows Defender disabling — using PowerShell commands and registry modifications to turn off or weaken Microsoft Defender before the payload runs
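The persistence and Defender-tampering behaviour listed above is the part of the feature set that leaves the clearest host-side trace: when PowerShell script block logging is enabled, each command the payload runs is written to the Microsoft-Windows-PowerShell/Operational log as Event ID 4104. The following triage script is an added example and is not code from CyberEye, its builder, or any of the cited reports. The script block texts it scans are constructed to resemble what such an event would contain, and the rule set is an assumption about what CyberEye-style tampering looks like, mapped to the ATT&CK IDs for Defender impairment (T1562.001), scheduled task persistence (T1053.005) and Run key persistence (T1547.001).

```python
"""Triage PowerShell script block log entries (Event ID 4104) for the kind of
Defender tampering and persistence a Telegram-based RAT dropper performs.

Added example; not code from CyberEye or the reports cited on this page.
SAMPLE_SCRIPT_BLOCKS is constructed to mimic ScriptBlockText fields, and the
rules are assumptions about what the tampering looks like, not signatures
taken from a vendor analysis.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str  # MITRE ATT&CK technique ID
    pattern: re.Pattern


RULES: list[Rule] = [
    Rule("Defender real-time protection switched off", "T1562.001",
         re.compile(r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|IOAVProtection|BehaviorMonitoring)\s+(\$true|1)", re.I)),
    Rule("Defender exclusion added", "T1562.001",
         re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)),
    Rule("Defender disabled via policy registry key", "T1562.001",
         re.compile(r"Policies\\Microsoft\\Windows Defender.*DisableAntiSpyware", re.I)),
    Rule("Scheduled task persistence", "T1053.005",
         re.compile(r"(schtasks(\.exe)?\s+/create|Register-ScheduledTask\b)", re.I)),
    Rule("Registry Run key persistence", "T1547.001",
         re.compile(r"CurrentVersion\\Run\b", re.I)),
]


@dataclass(frozen=True)
class Hit:
    record_id: int
    technique: str
    rule: str


# Constructed 4104-style records (RecordId, ScriptBlockText); not real telemetry.
SAMPLE_SCRIPT_BLOCKS = [
    {"RecordId": 1001, "ScriptBlockText":
        'Set-MpPreference -DisableRealtimeMonitoring $true; Add-MpPreference -ExclusionPath "$env:APPDATA"'},
    {"RecordId": 1002, "ScriptBlockText":
        'Set-ItemProperty -Path "HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" -Name DisableAntiSpyware -Value 1'},
    {"RecordId": 1003, "ScriptBlockText":
        'schtasks /create /sc onlogon /tn "ChromeUpdate" /tr "$env:TEMP\\chrome update.exe" /f'},
    {"RecordId": 1004, "ScriptBlockText":
        'Set-ItemProperty -Path "HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" -Name ChromeUpdate -Value "$env:TEMP\\chrome update.exe"'},
    {"RecordId": 1005, "ScriptBlockText": "Get-MpPreference | Select-Object ExclusionPath"},   # benign read
    {"RecordId": 1006, "ScriptBlockText": "Get-ChildItem -Path $env:TEMP | Remove-Item -Force"},  # benign cleanup
]


def triage_script_blocks(events: list[dict]) -> list[Hit]:
    """Return one Hit per (record, rule) match; a block may trigger several rules."""
    hits: list[Hit] = []
    for ev in events:
        text = ev.get("ScriptBlockText", "")
        for rule in RULES:
            if rule.pattern.search(text):
                hits.append(Hit(int(ev["RecordId"]), rule.technique, rule.name))
    return hits


def techniques_seen(events: list[dict]) -> set[str]:
    """Distinct ATT&CK technique IDs observed across the given events."""
    return {h.technique for h in triage_script_blocks(events)}


if __name__ == "__main__":
    for hit in triage_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"record {hit.record_id}: {hit.technique} {hit.rule}")
```

Script block logging records a block when it is compiled, so a payload that wraps these commands in an `-EncodedCommand` or `Invoke-Expression` layer still produces a 4104 event carrying the decoded text; the rules above therefore run on the inner command rather than on the Base64 wrapper. The benign records (1005 and 1006) are included to show that reading Defender preferences or cleaning a temp directory does not trigger any rule.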

Command and Control

CyberEye uses the Telegram Bot API to communicate with its operators: the payload polls a bot for commands and posts stolen data back through the same API. This removes the need for attackers to host their own command-and-control servers. Because the Bot API is reached over HTTPS at api.telegram.org, a legitimate and widely used service, the C2 traffic is encrypted and blends with normal traffic, so IP- or domain-reputation blocking alone does not flag it; detection has to rely on which process is talking to the API and what else that process does.

Distribution

The malware is typically spread disguised as software updates or cracked applications, or through malicious links shared on messaging platforms such as Telegram, on underground forums, and in public repositories on GitHub. The builder's ease of use allows less technically skilled actors to deploy customized payloads.

Attribution

Security researchers have linked the CyberEye builder to the Telegram aliases "cisamu123" and "CodQu," based on analysis of code repositories and Telegram activity. Publicly accessible versions of the builder and payloads have been discovered on platforms such as GitHub.[1][2] These connections rest on open-source intelligence and have not been confirmed by law enforcement.

Technical Analysis

In April 2024, cybersecurity firm CYFIRMA published a detailed report outlining CyberEye's builder capabilities, modular architecture, and data exfiltration techniques.[1] Additional threat intelligence and technical details have been provided by:

  • Ampcus Cyber,[2]
  • Broadcom Japan,[3]
  • SecurityOnline.info,[4]
  • IBM X-Force Exchange.[5]

MITRE ATT&CK Techniques

CyberEye employs several tactics and techniques described in the MITRE ATT&CK framework, including:

  • T1059.001 – Command and Scripting Interpreter: PowerShell
  • T1056.001 – Input Capture: Keylogging
  • T1113 – Screen Capture
  • T1115 – Clipboard Data
  • T1555 – Credentials from Password Stores
  • T1053.005 – Scheduled Task/Job: Scheduled Task
  • T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1562.001 – Impair Defenses: Disable or Modify Tools (Windows Defender)
  • T1497 – Virtualization/Sandbox Evasion
  • T1566 – Phishing (malicious executables delivered as fake updates or cracked software)
  • T1036 – Masquerading (e.g., using names like "chrome update.exe")

Mitigation and Defense

Security experts recommend the following measures to defend against CyberEye infections:

  • Blocking outbound traffic to api.telegram.org at the proxy or DNS layer where Telegram bots are not a business need; where they are, restricting the Bot API to the specific hosts that use it
  • Restricting PowerShell through Group Policy (Constrained Language Mode, execution policy) and enabling script block logging so that Defender-tampering and persistence commands are recorded
  • Employing application control such as AppLocker or Windows Defender Application Control (WDAC) to prevent unsigned executables from running out of user-writable directories
  • Utilizing behaviour-based antivirus and Endpoint Detection and Response (EDR) solutions, and enabling Defender tamper protection so the malware's own disable commands fail
  • Educating users about the risks of fake software updates, cracked applications, and suspicious downloads


See also

References

  1. ^ a b "Understanding CyberEye RAT: Builder Capabilities and Implications". CYFIRMA. 2024-04-12. Retrieved 2025-06-22.
  2. ^ a b "CyberEye: The Telegram-Based RAT Targeting Windows Users". Ampcus Cyber. Retrieved 2025-06-22.
  3. ^ "CyberEye: Telegram-Based RAT Malware Analysis". Broadcom Japan. Retrieved 2025-06-22.
  4. ^ "New TelegramRAT Variant: CyberEye". SecurityOnline.info. Retrieved 2025-06-22.
  5. ^ "X-Force Intelligence Alert: CyberEye Analysis". IBM X-Force Exchange. Retrieved 2025-06-22.
