CloudEyE MaaS Downloader and Cryptor Infects 100,000+ Users Worldwide

What happened

The CloudEyE MaaS downloader and cryptor infected over 100,000 users worldwide by deploying multi-stage malware campaigns across Central and Eastern Europe in late 2025. Researchers at ESET detected a thirtyfold increase in CloudEyE detections over six months. CloudEyE operates as a Malware-as-a-Service platform, enabling threat actors to distribute secondary malware, including Rescoms, Formbook, and Agent Tesla. Initial infection vectors include PowerShell scripts, JavaScript files, and NSIS executable installers, often delivered via socially engineered emails sent from compromised legitimate business accounts. Once installed, the downloader fetches a cryptor component that encrypts and obfuscates payloads to evade detection. Targeted campaigns mimicked invoice requests, purchase orders, or package tracking messages, increasing the likelihood of user interaction and malware deployment.

Who is affected

Businesses in Central and Eastern Europe experienced direct exposure to CloudEyE campaigns, while organizations worldwide faced indirect risk because of the malware’s ability to propagate and serve as a delivery platform for other threats.

Why CISOs should care

CloudEyE demonstrates the operational impact of Malware-as-a-Service models, increasing supply chain and lateral movement risks. Its multi-stage delivery and obfuscation techniques heighten the likelihood of undetected breaches, while widespread email targeting amplifies reputational and compliance exposure.

3 practical actions

Patch and harden endpoints: Ensure all systems have updated security software and enforce restrictive script execution policies.

Enhance email defenses: Implement robust filtering, phishing detection, and user awareness training to reduce successful delivery.

Monitor for multi-stage threats: Track unusual PowerShell, JavaScript, and NSIS installer activity to detect early signs of CloudEyE infections.
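The third action can be turned into a concrete triage rule. The Python below is an added example, not code from ESET or from this brief: it scores constructed Windows process-creation events for the launch pattern the brief describes (a script host or installer started from a mail client, a script or executable run out of a download/temp folder, or an encoded PowerShell command line). The event field names, the process-name lists, the folder patterns and the sample events are all assumptions to be tuned to your own telemetry.

```python
import re
from dataclasses import dataclass

# Heuristic lists (assumptions; extend with the mail clients and hosts in your estate).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".ps1", ".js", ".jse", ".vbs")
# User-writable folders where mailed attachments and downloads typically land.
DROP_DIR = re.compile(r"\\(downloads|appdata\\local\\temp|temp)\\", re.IGNORECASE)
# -EncodedCommand and the unambiguous prefixes PowerShell accepts (-e, -ec, -enc, ...).
ENCODED = re.compile(r"(?:^|\s)-e(?:c|nc[a-z]*)?\s", re.IGNORECASE)
# Command-line tokens: quoted strings or runs of non-whitespace.
TOKEN = re.compile(r'"[^"]*"|\S+')


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (field names are an assumption, not a product schema)."""
    parent_image: str   # full path of the parent process
    image: str          # full path of the newly created process
    command_line: str


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(ev: ProcessEvent) -> list[str]:
    """Return the reasons an event matches the staged-loader launch pattern; [] if none."""
    parent, image = _name(ev.parent_image), _name(ev.image)
    tokens = [t.strip('"') for t in TOKEN.findall(ev.command_line)]
    reasons = []
    if parent in MAIL_CLIENTS and image in SCRIPT_HOSTS:
        reasons.append(f"{image} spawned directly by mail client {parent}")
    if image in SCRIPT_HOSTS and ENCODED.search(ev.command_line):
        reasons.append("encoded command line passed to PowerShell")
    if image in SCRIPT_HOSTS and any(
        t.lower().endswith(SCRIPT_EXTS) and DROP_DIR.search(t) for t in tokens
    ):
        reasons.append("script file executed from a download/temp folder")
    if (image.endswith(".exe") and image not in SCRIPT_HOSTS
            and DROP_DIR.search(ev.image) and parent in MAIL_CLIENTS | SCRIPT_HOSTS):
        reasons.append(f"executable in a user-writable folder launched by {parent}")
    return reasons


def triage(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, list[str]]]:
    """Keep only the events that produced at least one reason."""
    return [(ev, r) for ev in events if (r := assess(ev))]


# Constructed sample events: three that should fire, two benign ones that should not.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\jdoe\AppData\Local\Temp\Invoice_4471.js"'),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 # base64 blob is constructed; it decodes to the word "Placeholder"
                 "powershell.exe -NoProfile -w hidden -EncodedCommand UABsAGEAYwBlAGgAbwBsAGQAZQByAA=="),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Users\jdoe\Downloads\PurchaseOrder_2025.exe",
                 r"C:\Users\jdoe\Downloads\PurchaseOrder_2025.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\7-Zip\7zFM.exe",
                 r'"C:\Program Files\7-Zip\7zFM.exe"'),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(_name(ev.parent_image), "->", _name(ev.image))
        for r in reasons:
            print("   ", r)
```

The last sample event is deliberately a routine administrative PowerShell run from a non-user-writable path: the rules are keyed on where the script or binary came from and who launched it, not on the mere presence of PowerShell, which keeps the alert volume manageable while still catching the mail-client-to-script-host chain the campaign relies on. Feed it events from your EDR or Sysmon (event ID 1) export after mapping the field names.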