Malware Meets PowerShell: How CyberEYE RAT Disarms Windows Defender


A new and highly sophisticated Remote Access Trojan (RAT), CyberEYE, has surfaced as a growing threat to Windows environments. Written in .NET and built for modular deployment, this malware stands out for its ability to completely disable Windows Defender using a combination of PowerShell scripting and registry manipulations.



Command & Control via Telegram

CyberEYE’s communication infrastructure is built on Telegram’s Bot API, which allows threat actors to control infected systems without maintaining their own backend infrastructure. This use of a popular, encrypted messaging platform complicates detection and containment efforts.




Plug-and-Play Malware for the Masses

CyberEYE includes a user-friendly builder interface, allowing even low-skilled attackers to generate custom payloads without writing code. This ease of use, combined with its feature-rich design, is accelerating adoption across cybercriminal communities.

It is distributed via multiple channels including:

  • Public GitHub repositories

  • Private Telegram groups

Aliases linked to CyberEYE’s distribution include @cisamul23 and @CodQu.


Feature Set: Surveillance, Theft, and Persistence

According to Cyfirma researchers, CyberEYE offers a comprehensive toolkit that goes far beyond simple data theft. Key capabilities include:

  • Keylogging

  • Credential harvesting

  • Clipboard hijacking

  • File exfiltration

  • System persistence

  • Anti-analysis and obfuscation mechanisms



CyberEYE is capable of stealing:

  • Browser-stored passwords

  • Cryptocurrency wallet data

  • Gaming platform sessions

  • Wi-Fi credentials

All stolen data is exfiltrated through Telegram channels, avoiding traditional C2 infrastructure and making mitigation more difficult.


Disabling Windows Defender: A Dual Approach

What makes CyberEYE especially dangerous is its methodical takedown of Windows Defender, Microsoft’s built-in antivirus solution.

Registry Manipulation

The malware’s DisableDefenderFeatures() method modifies several critical registry keys:

  • Disables Tamper Protection

    HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = 0
  • Disables AntiSpyware Engine

    HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1
  • Disables Real-Time Protection features:

    HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\
      - DisableBehaviorMonitoring = 1
      - DisableOnAccessProtection = 1
      - DisableScanOnRealtimeEnable = 1

PowerShell-Based Defense Bypass

Using its CheckDefenderSettings() function, CyberEYE queries active Defender configurations with:


Get-MpPreference -verbose

It then selectively disables remaining security layers using:


Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableBehaviorMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableBlockAtFirstSeen $true
Set-MpPreference -DisablePrivacyMode $true

This ensures redundancy—if registry edits are blocked, PowerShell commands still achieve full Defender shutdown.
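The registry values and Set-MpPreference switches listed above double as a tamper checklist. The following audit script is an added example (not code from the Cyfirma report or from the malware) that reads each of them on a host and flags any that sit in the state CyberEYE writes; it assumes an elevated session and the Defender PowerShell module (Get-MpPreference) being present.

```powershell
# Added audit script: checks the registry values and MpPreference switches the
# article lists, from the defender's side. It only reads state; any hit is a
# candidate alert for the host. Assumes an elevated session and Get-MpPreference.

$findings = @()

# Registry values named in the article, paired with the value the RAT writes.
$tamperedRegistry = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'; Name = 'TamperProtection'; Tampered = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware'; Tampered = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableBehaviorMonitoring'; Tampered = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableOnAccessProtection'; Tampered = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableScanOnRealtimeEnable'; Tampered = 1 }
)

foreach ($entry in $tamperedRegistry) {
    # A missing policy value is the clean state, so a lookup failure is not a finding.
    $item = Get-ItemProperty -Path $entry.Path -Name $entry.Name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.($entry.Name) -eq $entry.Tampered) {
        $findings += "Registry: $($entry.Path)\$($entry.Name) = $($entry.Tampered)"
    }
}

# The Set-MpPreference switches from the article; each is $false on a healthy host.
$switches = 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring',
            'DisableIOAVProtection', 'DisableBlockAtFirstSeen', 'DisablePrivacyMode'
$prefs = Get-MpPreference
foreach ($switch in $switches) {
    if ($prefs.$switch -eq $true) {
        $findings += "MpPreference: $switch is True"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Defender tampering indicators from the CyberEYE report were found.'
} else {
    Write-Output 'Defender tampering indicators found (review this host):'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Because the script only reads state, it can be scheduled or pushed through endpoint tooling as a periodic check; a non-empty findings list is the condition to alert on.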


Why CyberEYE Is a Serious Threat

CyberEYE is not just another RAT. It represents an evolution in malware design—balancing ease of use with powerful capabilities and advanced evasion strategies. By weaponizing legitimate system tools like PowerShell and registry editors, it operates below the radar of conventional endpoint defenses.

Combined with Telegram C2 and modular extensibility, CyberEYE sets a new benchmark for plug-and-play cybercrime toolkits.

As CyberEYE continues to spread across underground forums and developer communities, defenders must pay close attention to its behavior and communication methods. Organizations should implement stricter PowerShell execution policies, monitor for unauthorized registry changes, and consider isolating or restricting outbound Telegram connections in sensitive environments.
