Draft:CyberEye RAT

Submission declined on 22 June 2025 by Rambley (talk).

This draft's references do not show that the subject qualifies for a Wikipedia article. In summary, the draft needs multiple published sources that are:

in-depth (not just passing mentions about the subject)
reliable
secondary
independent of the subject

Make sure you add references that meet these criteria before resubmitting. Learn about mistakes to avoid when addressing this issue. If no additional references exist, the subject is not suitable for Wikipedia.

If you would like to continue working on the submission, click on the "Edit" tab at the top of the window.
If you have not resolved the issues listed above, your draft will be declined again and potentially deleted.
If you need extra help, please ask us a question at the AfC Help Desk or get live help from experienced editors.
Please do not remove reviewer comments or this notice until the submission is accepted.

Where to get help

If you need help editing or submitting your draft, please ask us a question at the AfC Help Desk or get live help from experienced editors. These venues are only for help with editing and the submission process, not to get reviews.
If you need feedback on your draft, or if the review is taking a lot of time, you can try asking for help on the talk page of a relevant WikiProject. Some WikiProjects are more active than others so a speedy reply is not guaranteed.

How to improve a draft

Wikipedia:Contributing to Wikipedia – a basic overview on how to edit Wikipedia.
Help:Wikitext – how to use the markup
Help:Referencing for beginners – how to include references
Wikipedia:Article development – how to develop your article
Wikipedia:Writing better articles – how to improve your article
Wikipedia:Verifiability – make sure your article includes reliable third-party sources

You can also browse Wikipedia:Featured articles and Wikipedia:Good articles to find examples of Wikipedia's best writing on topics similar to your proposed article.

Improving your odds of a speedy review

To improve your odds of a faster review, tag your draft with relevant WikiProject tags using the button below. This will let reviewers know a new draft has been submitted in their area of interest. For instance, if you wrote about a female astronomer, you would want to add the Biography, Astronomy, and Women scientists tags.

Add tags to your draft

Editor resources

Easy tools: Citation bot (help) | Advanced: Fix bare URLs

Declined by Rambley 2 seconds ago. Last edited by Rambley 2 seconds ago. Reviewer: Inform author.

Resubmit

Please note that if the issues are not fixed, the draft will be declined again.

CyberEye is a modular remote access trojan (RAT) developed using the .NET framework. It is designed with a graphical user interface (GUI) builder that allows attackers to generate customized payloads. CyberEye uses the Telegram Bot API as its command-and-control (C2) mechanism and primarily targets Microsoft Windows systems. It is distributed via underground forums, Telegram channels, and public code repositories.

Overview

CyberEye enables cybercriminals to create tailored malicious payloads through a user-friendly builder interface. The malware supports a wide range of surveillance and data exfiltration functions, including keystroke logging, file theft, clipboard hijacking, and credential harvesting.

Features

The key capabilities of CyberEye include:

Keylogging — recording user keystrokes to capture sensitive input
Screenshot capture — periodic or triggered desktop screenshots
Clipboard hijacking — including replacement of cryptocurrency wallet addresses to divert funds
Credential and cookie theft — targeting popular browsers such as Google Chrome, Microsoft Edge, and Brave
Session data extraction — from messaging and gaming platforms like Telegram, Discord, and Steam
File collection — from user directories including Desktop and Downloads
Persistence mechanisms — via Windows Task Scheduler and Registry autorun entries
Anti-analysis features — detecting virtual machines and sandbox environments to evade detection
Windows Defender disabling — using PowerShell commands and registry modifications to avoid security tools

Command and Control

CyberEye leverages the Telegram Bot API to communicate with its operators. This approach removes the need for attackers to maintain their own command-and-control servers, enhancing stealth and making traditional network detection methods more difficult.

Distribution

The malware is typically spread disguised as software updates, cracked applications, or through malicious links shared on messaging platforms such as Telegram, underground forums, and open-source repositories on GitHub. The builder's ease of use allows less technically skilled actors to deploy customized malware payloads.

Attribution

Security researchers have linked the CyberEye builder to the Telegram aliases "cisamu123" and "CodQu." Publicly accessible versions of the builder and payloads have been discovered on platforms such as GitHub.^[1]^[2]

Technical Analysis

In June 2025, cybersecurity firm CYFIRMA published a detailed report outlining CyberEye's builder capabilities, modular architecture, and data exfiltration techniques.^[1] Additional threat intelligence and technical details have been provided by:

Ampcus Cyber,^[2]
Broadcom Japan,^[3]
SecurityOnline.info,^[4]
IBM X-Force Exchange.^[5]

MITRE ATT&CK Techniques

CyberEye employs several tactics and techniques described in the MITRE ATT&CK framework, including:

T1059.001 – PowerShell execution
T1056.001 – Input capture (keylogging)
T1113 – Screen capture
T1555 – Credentials from password stores
T1566 – Phishing via malicious executables
T1036 – Masquerading (e.g., using names like "chrome update.exe")

Mitigation and Defense

Security experts recommend the following measures to defend against CyberEye infections:

Blocking outbound traffic to Telegram domains using firewall rules or DNS filtering
Restricting PowerShell execution through Group Policy Objects (GPO)
Employing application control technologies such as AppLocker or Windows Defender Application Control (WDAC)
Utilizing behavior-based antivirus and Endpoint Detection and Response (EDR) solutions
Educating users about the risks of fake software updates and suspicious downloads

Attribution and Related Actors

Public security investigations have associated the CyberEye builder with the Telegram accounts "cisamu123" and "CodQu," based on analysis of code repositories and Telegram activity. However, these connections are based on open-source intelligence and have not been officially confirmed by law enforcement.

References

^ ^a ^b "Understanding CyberEye RAT: Builder Capabilities and Implications". CYFIRMA. 2025-06-10. Retrieved 2025-06-22.
^ ^a ^b "CyberEye: The Telegram-Based RAT Targeting Windows Users". Ampcus Cyber. Retrieved 2025-06-22.
^ "CyberEye: Telegram-Based RAT Malware Analysis". Broadcom Japan. Retrieved 2025-06-22.
^ "New TelegramRAT Variant: CyberEye". SecurityOnline.info. Retrieved 2025-06-22.
^ "X-Force Intelligence Alert: CyberEye Analysis". IBM X-Force Exchange. Retrieved 2025-06-22.