CyberEYE RAT Disables Windows Defender Using PowerShell and Registry Manipulations

A sophisticated new Remote Access Trojan known as CyberEYE has emerged as a significant threat to Windows systems, demonstrating advanced capabilities to completely disable Windows Defender through a combination of PowerShell commands and registry manipulations.

This modular, .NET-based malware leverages Telegram’s messaging platform as its command and control infrastructure, making detection and mitigation particularly challenging for traditional security solutions.

The malware operates through a user-friendly builder interface that allows even novice cybercriminals to customize payloads without requiring deep technical expertise.

CyberEYE builder (Source – Cyfirma)

CyberEYE is distributed through multiple channels, including public GitHub repositories and private Telegram channels, with threat actors behind the malware operating under aliases such as @cisamul23 and @CodQu.

The malware’s accessibility and plug-and-play nature have contributed to its rapid adoption among cybercriminal communities seeking surveillance and data theft capabilities.

Cyfirma analysts identified CyberEYE as a particularly dangerous threat due to its comprehensive feature set, which includes keylogging, credential harvesting, file exfiltration, and clipboard hijacking capabilities.


The research team noted that the malware’s use of Telegram for command and control eliminates the need for attackers to maintain their own infrastructure, making it both more evasive and accessible to a broader range of threat actors.

The malware’s impact extends far beyond typical data theft operations, incorporating advanced persistence mechanisms and anti-analysis features that allow it to maintain long-term access to compromised systems.

Data Exfiltration via Telegram API (Source – Cyfirma)

CyberEYE targets a wide range of sensitive information, including browser credentials, cryptocurrency wallet addresses, gaming platform sessions, and Wi-Fi passwords, all of which are exfiltrated through Telegram’s Bot API.

Advanced Windows Defender Evasion Techniques

CyberEYE employs a sophisticated dual-approach strategy to neutralize Windows Defender, combining direct registry modifications with PowerShell-based command execution to ensure complete protection bypass.

The malware’s DisableDefenderFeatures() method systematically targets critical registry keys that control Windows Defender’s core functionality, effectively rendering the security solution inoperative.

The registry manipulation component focuses on modifying specific keys under the Windows Defender policy structure.

The malware makes targeted registry edits: it disables tamper protection by setting the TamperProtection value under SOFTWARE\Microsoft\Windows Defender\Features to “0”, and disables anti-spyware functionality entirely by setting DisableAntiSpyware to “1” under SOFTWARE\Policies\Microsoft\Windows Defender.

Construct URL (Source – Cyfirma)

Additionally, the malware targets real-time protection capabilities by modifying SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection, setting DisableBehaviorMonitoring, DisableOnAccessProtection, and DisableScanOnRealtimeEnable all to “1”.

The PowerShell component operates through the CheckDefenderSettings() function, which first queries current Defender preferences using the command Get-MpPreference -verbose to assess which security features remain active.

The malware then parses this output and systematically disables any remaining protections using targeted Set-MpPreference commands.

For instance, if real-time monitoring is detected as active, the malware executes Set-MpPreference -DisableRealtimeMonitoring $true, while behavior monitoring is disabled through Set-MpPreference -DisableBehaviorMonitoring $true.

This comprehensive approach ensures that even if registry modifications fail due to system restrictions, the PowerShell commands provide an alternative pathway to achieve the same result.

The malware also targets advanced protection features including cloud-based scanning (DisableBlockAtFirstSeen), file and program activity monitoring (DisableIOAVProtection), and privacy mode restrictions (DisablePrivacyMode), creating a complete security vacuum that allows the malware to operate undetected.
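The following read-only audit script is an added example, not code from Cyfirma or from the malware: it checks a host for the registry values and Set-MpPreference switches described above, so a defender can spot the tampering the report attributes to DisableDefenderFeatures() and CheckDefenderSettings(). Run it elevated; the registry paths and flag names are the ones named in the text, and the numeric values are the ones the article says the malware writes.

```powershell
# Added example (not from the Cyfirma report): audit a host for the Defender
# registry and preference changes described in the article. Read-only.
# Registry values the article attributes to DisableDefenderFeatures(); 'Bad'
# is the value the malware writes, so an exact match is an indicator.
$RegistryChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features';                      Name = 'TamperProtection';            Bad = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware';          Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableBehaviorMonitoring';   Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableOnAccessProtection';   Bad = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableScanOnRealtimeEnable'; Bad = 1 }
)

function Test-DefenderRegistryTampering {
    foreach ($c in $RegistryChecks) {
        # An absent policy value is the normal state on an unmanaged host; only a
        # present value equal to what the malware writes is reported. Hosts that
        # set these keys by Group Policy will need an allow-list here.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($c.Name) -eq $c.Bad) {
            [pscustomobject]@{ Source = 'Registry'; Indicator = "$($c.Path)\$($c.Name)"; Value = $item.($c.Name) }
        }
    }
}

# Preference switches the article says CheckDefenderSettings() flips with Set-MpPreference.
$PreferenceFlags = 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring',
                   'DisableBlockAtFirstSeen', 'DisableIOAVProtection', 'DisablePrivacyMode'

function Test-DefenderPreferenceTampering {
    # Same query the malware runs, used here to confirm protections are still on.
    $pref = Get-MpPreference
    foreach ($flag in $PreferenceFlags) {
        if ($pref.$flag -eq $true) {
            [pscustomobject]@{ Source = 'MpPreference'; Indicator = $flag; Value = $true }
        }
    }
}

$findings = @(Test-DefenderRegistryTampering) + @(Test-DefenderPreferenceTampering)
if ($findings.Count -eq 0) {
    Write-Output 'No CyberEYE-style Defender tampering indicators found.'
} else {
    $findings | Format-Table -AutoSize
    exit 1   # non-zero exit so a scheduled task or EDR script runner can raise an alert
}
```

Because the article describes the PowerShell path as a fallback for when the registry edits fail, both checks are needed; a clean registry does not mean Get-MpPreference will also be clean.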

This systematic dismantling of Windows Defender represents a significant evolution in malware evasion techniques, demonstrating how modern threats can effectively neutralize endpoint protection through legitimate administrative tools and system modifications.


Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.