Windows Defender Bypass Using PowerShell and Registry Edits in CyberEye RAT
A newly discovered remote access trojan (RAT) named CyberEye is making waves in the cybersecurity community for its sophisticated capabilities and its reliance on Telegram, the popular messaging platform, as its command-and-control (C2) infrastructure.
First detected in the wild in May 2025, CyberEye is distributed under various names, including TelegramRAT, and is rapidly gaining traction among cybercriminals due to its ease of use and powerful surveillance features.
Unlike traditional malware that requires attackers to set up and maintain their own servers, CyberEye uses Telegram’s Bot API to communicate, exfiltrate data, and receive commands.
Plug-and-Play Threat for Novice Hackers
This not only lowers the barrier for entry for less technical threat actors but also helps the malware evade detection by blending in with legitimate encrypted traffic on a widely trusted service.
CyberEye is distributed through a builder GUI, allowing attackers to customize payloads with features such as keyloggers, file grabbers, clipboard hijackers, and persistence mechanisms, as reported by Cyfirma.
The builder framework means that even those with minimal technical expertise can craft highly effective, targeted attacks.

The malware is engineered to remain hidden and resilient on infected systems. Upon execution, CyberEye performs several anti-analysis checks, including detecting sandbox environments, virtual machines, and debugging tools.
If such conditions are detected, the malware self-terminates to avoid scrutiny.
To ensure persistence, CyberEye installs itself as a hidden scheduled task, often masquerading as a legitimate process such as “Chrome Update”, and copies itself to concealed directories inside the user’s profile.
It aggressively disables Windows Defender protections by editing registry keys and executing PowerShell commands, turning off real-time monitoring and tamper protection. Note that tamper protection, when active, blocks exactly those registry and PowerShell changes and records each blocked attempt in the Defender operational log, so a host on which real-time monitoring has been switched off this way is one on which tamper protection was either absent or defeated first.
Comprehensive Data Theft Modules
Once embedded, CyberEye launches multiple threads to steal a wide array of sensitive information:
- Browser credentials, cookies, and credit card data: Extracted from the local stores of Chromium-based browsers and decrypted on the host before exfiltration.
- Session data from messaging and gaming apps: Including Telegram, Discord, and Steam, allowing attackers to hijack accounts or bypass two-factor authentication.
- FTP credentials: Harvested from applications like FileZilla.
- Clipboard monitoring: Specifically designed to hijack cryptocurrency transactions by replacing wallet addresses with attacker-controlled ones in real time.
- Desktop file theft: Scans for and uploads documents, images, and spreadsheets matching attacker-specified criteria.
All stolen data is compressed, encrypted, and sent directly to the attacker’s Telegram bot, further complicating detection and response efforts.
CyberEye’s code and builder are publicly available on GitHub, with support and updates coordinated via Telegram channels in Russian.
There are indications that a premium version with enhanced features is either available or in development, signaling continued evolution and proliferation of this threat.
Mitigations
Security experts warn that CyberEye exemplifies the convergence of commodity malware tooling and public communication infrastructure, making it a persistent threat to both consumers and enterprises.
Recommended defenses include strict endpoint policy enforcement, behavioral analysis, and proactive monitoring for unusual outbound traffic and suspicious scheduled tasks.
As CyberEye continues to evolve, organizations are urged to remain vigilant and update their security protocols to counter this new breed of Telegram-powered malware.
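The following read-only triage script is an added example, not CyberEye’s code and not from Cyfirma’s report. It checks the three things the article describes on a suspected host: Defender settings and policy registry values of the kind commodity malware flips, the Defender operational log (event 5001 = real-time protection disabled, 5007 = configuration changed, 5013 = tamper protection blocked a change), scheduled tasks that run out of user-writable directories or hide behind updater-style names, and recent DNS resolutions of Telegram from the local client cache. The task-name pattern, the directory list and the event selection are assumptions to tune for your own fleet; it must run in an elevated session and changes nothing.

```powershell
# Added example: Defender-tampering and persistence triage for one Windows host.
# Read-only. Not CyberEye's code; patterns below are assumptions to tune locally.
#Requires -RunAsAdministrator
$findings = New-Object System.Collections.Generic.List[string]

# 1. Defender state as Defender itself reports it.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
if (-not $status.RealTimeProtectionEnabled) { $findings.Add("Real-time protection is OFF") }
if (-not $status.IsTamperProtected)         { $findings.Add("Tamper protection is OFF") }
if (-not $status.BehaviorMonitorEnabled)    { $findings.Add("Behavior monitoring is OFF") }
if ($pref.DisableRealtimeMonitoring)        { $findings.Add("MpPreference DisableRealtimeMonitoring = true") }
if ($pref.DisableIOAVProtection)            { $findings.Add("MpPreference DisableIOAVProtection = true") }
foreach ($p in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
    if ($p) { $findings.Add("Defender exclusion present: $p") }
}

# 2. Policy registry values that switch Defender components off when set to 1.
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableBehaviorMonitoring' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableOnAccessProtection' }
)
foreach ($c in $policyChecks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($v -eq 1) { $findings.Add("Registry policy $($c.Path)\$($c.Name) = 1") }
}

# 3. Defender operational log: 5001 real-time protection disabled,
#    5007 configuration changed, 5013 tamper protection blocked a change.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5007, 5013
} -MaxEvents 50 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $firstLine = ($e.Message -split "`n")[0]
    $findings.Add("Defender event $($e.Id) at $($e.TimeCreated): $firstLine")
}

# 4. Scheduled tasks whose action runs from a user-writable directory, or that
#    are hidden and carry an updater-style name (assumed pattern; tune it).
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC, 'C:\Users\Public')
$namePattern  = 'update|chrome|google|edge|adobe'
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $exe = [string]$action.Execute
        if (-not $exe) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables($exe).Trim('"')
        $inUserDir = $false
        foreach ($d in $userWritable) {
            if ($d -and $exe.StartsWith($d, 'OrdinalIgnoreCase')) { $inUserDir = $true }
        }
        $hidden = [bool]$task.Settings.Hidden
        if ($inUserDir -or ($hidden -and $task.TaskName -match $namePattern)) {
            $findings.Add("Suspicious task '$($task.TaskPath)$($task.TaskName)' (hidden=$hidden) runs $exe $($action.Arguments)")
        }
    }
}

# 5. The C2 channel is the Telegram Bot API; the DNS client cache shows whether
#    any process on this host resolved a Telegram name recently.
foreach ($entry in Get-DnsClientCache -ErrorAction SilentlyContinue) {
    if ($entry.Entry -like '*telegram*') {
        $findings.Add("DNS cache: $($entry.Entry) -> $($entry.Data)")
    }
}

if ($findings.Count -eq 0) { "No tampering or persistence indicators found." }
else { $findings | ForEach-Object { "[!] $_" } }
```

A DNS-cache hit on Telegram is only a lead, since a user with the desktop client installed will produce one too; correlate it with the owning process on the outbound connection before acting on it. The registry and scheduled-task checks are the more reliable signals on a managed endpoint, because neither a policy value of 1 under the Defender policy key nor a hidden task executing from a profile directory has a routine benign explanation.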