A dangerous malware campaign has emerged across Central and Eastern Europe, causing widespread concern among cybersecurity professionals and organizations.
CloudEyE, a Malware-as-a-Service downloader and cryptor, has rapidly gained traction among threat actors seeking to distribute other harmful malware payloads.
In the second half of 2025, security researchers detected this threat at an alarming scale, marking a significant shift in how modern malware operates and spreads.
The emergence of CloudEyE represents a growing trend where cybercriminals rent out malware infrastructure rather than developing standalone threats.
This approach allows attackers to target a broader range of victims without needing extensive technical expertise. The malware serves as a delivery mechanism for other dangerous payloads such as Rescoms, Formbook, and Agent Tesla, each capable of stealing sensitive data or compromising entire systems.
What makes CloudEyE particularly troubling is its ability to conceal its true purpose while deploying multiple harmful components.
ESET Research analysts identified CloudEyE after detecting a massive surge in attack activity during the latter half of 2025.
The researchers observed a thirtyfold increase in CloudEyE detections within just six months, accumulating over 100,000 hits worldwide. This dramatic rise suggests the malware has become a preferred tool among cybercriminals operating across Europe and potentially beyond.
The infection mechanism behind CloudEyE reveals sophisticated multi-stage delivery tactics designed to avoid detection. The initial stage operates as a downloader that spreads through PowerShell scripts, JavaScript files, and NSIS executable installers.
Once installed on a victim’s computer, this first stage component downloads the next phase of the attack—a cryptor component that encrypts and obfuscates the final payload before execution.
Every stage of CloudEyE is heavily obfuscated, making analysis and detection extremely challenging for security tools and researchers alike.
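As an added illustration that is not from the article or ESET's report, the staged chain described above (an email-delivered script or installer that fetches a second stage and then runs it) can be reconstructed from endpoint process and network telemetry. The event schema, the sample events and the choice of script hosts and user-writable paths below are all constructed assumptions.

```python
from dataclasses import dataclass

# Script hosts the article names as first-stage carriers; NSIS installer names are
# unknown, so executables run from user-writable paths are also candidates (assumption).
FIRST_STAGE_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")

@dataclass
class Event:
    ts: int            # seconds since start of the sample
    kind: str          # "proc" = process creation, "net" = outbound connection
    pid: int
    ppid: int
    image: str         # full image path of the process
    detail: str = ""   # command line for "proc", destination for "net"

def is_first_stage_candidate(e):
    name = e.image.rsplit("\\", 1)[-1].lower()
    return name in FIRST_STAGE_HOSTS or any(d in e.image.lower() for d in USER_WRITABLE)

def find_staged_chains(events, window=600):
    """Return [stage1 image, stage2 image, download destination] for each process
    that is a first-stage candidate, made an outbound connection, and then spawned
    a child (the downloaded cryptor stage) within `window` seconds."""
    events = sorted(events, key=lambda e: e.ts)
    chains = []
    for s1 in events:
        if s1.kind != "proc" or not is_first_stage_candidate(s1):
            continue
        downloaded = [n for n in events if n.kind == "net" and n.pid == s1.pid
                      and s1.ts <= n.ts <= s1.ts + window]
        if not downloaded:
            continue
        for s2 in events:
            if (s2.kind == "proc" and s2.ppid == s1.pid
                    and downloaded[0].ts <= s2.ts <= s1.ts + window):
                chains.append([s1.image, s2.image, downloaded[0].detail])
    return chains

SAMPLE = [  # constructed telemetry mimicking the chain described in the text
    Event(0, "proc", 100, 1, r"C:\Program Files\Microsoft Office\OUTLOOK.EXE"),
    Event(10, "proc", 200, 100, r"C:\Windows\System32\wscript.exe", "Invoice_4471.js"),
    Event(12, "net", 200, 100, r"C:\Windows\System32\wscript.exe", "203.0.113.10:443"),
    Event(15, "proc", 300, 200, r"C:\Users\u\AppData\Local\Temp\stg2.exe"),
    # benign: an admin PowerShell session that connects out but spawns nothing
    Event(50, "proc", 400, 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Event(52, "net", 400, 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "198.51.100.5:443"),
]

if __name__ == "__main__":
    print(find_staged_chains(SAMPLE))
```

Only the wscript.exe process is reported, because the benign PowerShell session never spawns a second stage; in production the rule would be fed from EDR or Sysmon process-creation and network events rather than the constructed list.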
Delivery campaigns
The delivery campaigns weaponize social engineering and compromise legitimate channels to maximize infection rates.
Most CloudEyE attack attempts targeted businesses through email-based campaigns in Central and Eastern Europe during September and October 2025.
Attackers crafted convincing messages by using compromised legitimate business accounts and tailoring content to match the language and cultural context of targeted countries.
These emails typically posed as routine business inquiries, such as invoice payment requests, package tracking notifications, or purchase order confirmations, making them appear entirely legitimate to unsuspecting recipients.
Organizations worldwide should implement robust email filtering, maintain current security software, and train employees to recognize suspicious messages. Awareness of CloudEyE’s presence and tactics provides critical protection against this escalating threat.
