CloudEyE MaaS Downloader and Cryptor Infects 100,000+ Users Worldwide


David kimber
January 6, 2026

A significant malware campaign has surfaced across Central and Eastern Europe, quickly drawing widespread concern within the cybersecurity community.

CloudEyE, a Malware-as-a-Service downloader and cryptor, has rapidly gained traction among threat actors seeking to distribute other harmful malware payloads.

In the second half of 2025, security researchers detected this threat at an alarming scale, marking a significant shift in how modern malware operates and spreads.

The emergence of CloudEyE represents a growing trend where cybercriminals rent out malware infrastructure rather than developing standalone threats.

This approach allows attackers to target a broader range of victims without needing extensive technical expertise. The malware serves as a delivery mechanism for other dangerous payloads such as Rescoms, Formbook, and Agent Tesla, each capable of stealing sensitive data or compromising entire systems.

What makes CloudEyE particularly troubling is its ability to conceal its true purpose while deploying multiple harmful components.

ESET Research analysts identified CloudEyE after detecting a massive surge in attack activity during the latter half of 2025.

The researchers observed a thirtyfold increase in CloudEyE detections within just six months, accumulating over 100,000 hits worldwide. This dramatic rise suggests the malware has become a preferred tool among cybercriminals operating across Europe and potentially beyond.

In H2 2025, #ESETresearch saw a thirtyfold increase in #CloudEyE detections, amounting to more than 100,000 hits over the course of six months. CloudEyE is a #MaaS downloader and cryptor used to conceal and deploy other malware, such as #Rescoms, #Formbook, and #Agent Tesla. 1/5 pic.twitter.com/iO5ZlkuNyb

— ESET Research (@ESETresearch) January 6, 2026

The infection mechanism behind CloudEyE reveals sophisticated multi-stage delivery tactics designed to avoid detection. The initial stage operates as a downloader that spreads through PowerShell scripts, JavaScript files, and NSIS executable installers.

Once installed on a victim’s computer, this first-stage component downloads the next phase of the attack, a cryptor component that encrypts and obfuscates the final payload before execution.

Every stage of CloudEyE is heavily obfuscated, making analysis and detection extremely challenging for security tools and researchers alike.

Delivery campaigns

The delivery campaigns weaponize social engineering and compromise legitimate channels to maximize infection rates.

Most CloudEyE attack attempts targeted businesses through email-based campaigns in Central and Eastern Europe during September and October 2025.

Attackers crafted convincing messages by using compromised legitimate business accounts and tailoring content to match the language and cultural context of targeted countries.

These emails typically posed as routine business inquiries, such as invoice payment requests, package tracking notifications, or purchase order confirmations, making them appear entirely legitimate to unsuspecting recipients.

Organizations worldwide should implement robust email filtering, maintain current security software, and train employees to recognize suspicious messages. Awareness of CloudEyE’s presence and tactics provides critical protection against this escalating threat.
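As an added example (not from ESET or the original article), the sketch below shows one way a mail gateway could triage messages for the three first-stage carrier types named above: PowerShell scripts, JavaScript files, and NSIS installers. The extension list, the English lure keywords, the addresses, and the sample messages are assumptions constructed for illustration; the NSIS check relies on the installer's first-header marker (0xDEADBEEF followed by "NullsoftInst").

```python
import email
from email import policy
from email.message import EmailMessage

# First-stage carrier types named in the article; the extension list is an assumption.
SCRIPT_EXTS = {".ps1": "powershell-script", ".js": "javascript-file"}
# NSIS installers carry 0xDEADBEEF followed by "NullsoftInst" in their first header.
NSIS_MARKER = b"\xef\xbe\xad\xde" + b"NullsoftInst"
# English stand-ins for the lure themes (assumption); the real campaigns were localized.
LURE_WORDS = ("invoice", "payment", "tracking", "purchase order")

def classify_attachment(filename, data):
    """Return a carrier label, or None if the attachment matches no carrier type."""
    name = (filename or "").lower()
    for ext, label in SCRIPT_EXTS.items():
        if name.endswith(ext):  # also catches double extensions such as .pdf.js
            return label
    if data[:2] == b"MZ" and NSIS_MARKER in data:  # judged by content, not file name
        return "nsis-installer"
    return None

def triage(raw_message):
    """Parse one raw e-mail message and decide whether to quarantine it."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").lower()
    carriers = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        label = classify_attachment(part.get_filename(), data)
        if label:
            carriers.append((part.get_filename(), label))
    return {"carriers": carriers,
            "lure_subject": any(w in subject for w in LURE_WORDS),
            "action": "quarantine" if carriers else "deliver"}

def build_sample(subject, filename, data):
    """Constructed test message; addresses and contents are made up."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "accounts@supplier.example", "ap@customer.example", subject
    m.set_content("Please see the attached document.")
    m.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    fake_nsis = b"MZ" + b"\x00" * 510 + b"\x00\x00\x00\x00" + NSIS_MARKER  # constructed stub
    for subj, fn, data in [("Invoice payment request", "invoice_0925.pdf.js", b"var a = 1;"),
                           ("Purchase order confirmation", "PO_4471.pdf", fake_nsis),
                           ("Team lunch", "menu.txt", b"soup")]:
        print(fn, triage(build_sample(subj, fn, data)))
```

The second sample shows why the installer check inspects content: an NSIS executable renamed to look like a PDF is still flagged.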
