{
	"id": "719b15fd-7894-4f8f-aac2-81cd56e12a97",
	"created_at": "2026-04-06T00:08:28.473329Z",
	"updated_at": "2026-04-10T03:21:11.226708Z",
	"deleted_at": null,
	"sha1_hash": "205ea6b4be28e661184601fcc7db811b364a0956",
	"title": "Cyble - Under The Lens: Eagle Monitor RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1086330,
	"plain_text": "Cyble - Under The Lens: Eagle Monitor RAT\r\nPublished: 2022-04-18 · Archived: 2026-04-05 16:23:19 UTC\r\nCyble looks at the recently resurfaced Eagle Monitor RAT and the new TTPs encountered in this iteration of the\r\npopular RAT.\r\nA Remote Administration Tool is a type of software that gives the attacker full control over the victims’ device\r\nremotely. Using RATs, attackers can perform various tasks such as accessing files, cameras, and other resources\r\nremotely while conducting keylogging, system operations, etc.\r\nA developer named “Arsium” posted a new version of this open-source RAT – EagleMonitorRAT – on GitHub.\r\nAdditionally, the developer posted a link to the GitHub page of the EagleMonitorRAT to various underground dark\r\nweb markets. Figure 1 shows one such post by the developer.\r\nFigure 1 – Post by EagleMonitorRAT Developer\r\nWorld's Best AI-Native Threat Intelligence\r\nhttps://blog.cyble.com/2022/04/18/under-the-lens-eagle-monitor-rat/\r\nPage 1 of 12\n\nAccording to the developer, the EagleMonitorRAT is written in C# and upgraded from HorusEyesRat, which is\r\nVisual Basic .NET-based.\r\nCyble Research Labs has analyzed the RAT binary and panel to gain insights into the functionalities and impact of\r\nthe RAT.\r\nRAT Details\r\nWhile building the solution,  various executables and support plugins are compiled, including client builder plugins\r\nand an admin panel. Figure 2 shows the compiled binaries and other files.\r\nFigure 2 – Compiled Binaries for EagleMonitorRAT\r\nAdditionally, various Dynamic Link Library (DLL) files are also compiled to support operations such as file\r\nmanagement, keylogging, etc. 
Figure 3 shows the support DLL files.\r\nFigure 3 – List of DLL Files after compilation\r\nA client builder is used to compile the binary, which will be delivered to users to compromise a target machine.\r\nThe client binary may be delivered to users using various initial infection vectors such as spam email etc. The\r\nbuilder has an option to specify the IP address of the server, port, and key. Figure 4 shows the client builder.\r\nFigure 4 – EagleMonitorRAT Client Builder Panel\r\nEagleMonitorRAT has a server panel for managing victim devices. The panel shows country, hardware ID,\r\noperating system details, username, available RAM, privilege, region etc. Additionally, the panel has various\r\noptions for managing the infected device and performing several operations on it.\r\nThe Admin panel of EagleMonitorRAT includes operations such as:\r\nrecovery\r\ndesktop\r\nmiscellaneous panels\r\nmass tasks\r\nmemory execution\r\ninformation\r\nclient\r\nFigure 5 shows the administration panel of EagleMonitorRAT.\r\nFigure 5 – Administration Panel of EagleMonitorRAT\r\nIn the recovery option of EagleMonitorRAT, there are three different options – passwords, history, and autofill.\r\nThe Recovery option works as an information stealer which extracts usernames, passwords, and browser history.\r\nFigure 6 shows stolen information retrieved using the Recovery menu from the victim’s machine.\r\nFigure 6 – Recovery Data extracted from the Recovery Option\r\nThe Desktop menu option of EagleMonitorRAT has 5 different suboperations – file manager, process manager, live\r\nkeylogger, remote desktop, and remote webcam. 
Refer to Figure 7.\r\nFigure 7 – Desktop Option of EagleMonitorRAT\r\nThe File Manager menu option of EagleMonitorRAT gives TAs the functionality to manage files in the specific\r\ndirectory of the infected device, as shown below.\r\nFigure 8 – File Manager Option of the RAT\r\nThe Process Manager menu option shows the details of the running processes on the infected device, such as Icon,\r\nID, Name, Window Title, Window Handle, and Is64Bit. Figure 9 shows the Process Manager.\r\nFigure 9 – Process Manager of the EagleMonitorRAT\r\nThe shellcode injection menu option of the EagleMonitorRAT gives attackers an option to perform shellcode\r\ninjection remotely in the infected device. Refer to Figure 10.\r\nFigure 10 – Remote Shellcode Injection Option\r\nThe EagleMonitorRAT has a live keylogger functionality to remotely capture the victim system’s keystrokes.\r\nFigure 11 shows the keylogger menu operation of the RAT.\r\nFigure 11 – Live Keylogger\r\nThe Remote Desktop functionality captures screenshots of the victim system remotely at predefined intervals.\r\nFigure 12 shows the captured screen.\r\nFigure 12 – Screenshot Captured by the EagleMonitorRAT\r\nThis RAT has a menu option to remotely capture the webcam feed of the infected system as well. 
Figure 13 shows\r\nthe webcam panel.\r\nFigure 13 – Webcam Panel of the EagleMonitorRAT\r\nThe EagleMonitorRAT has miscellaneous menu options to perform other remote operations such as hiding the\r\ntaskbar, changing wallpapers, sound management, etc., as shown below.\r\nFigure 14 – Miscellaneous Options of EagleMonitorRAT\r\nEagleMonitorRAT also has a menu option to discover the network connection and get the CPU information of the\r\ninfected system. Figure 15 shows the network connection and CPU information.\r\nFigure 15 – Network connection and CPU Monitoring\r\nThe RAT panel has a menu option to remotely shut down, reboot, log out, BSOD, lock the workstation, hibernate\r\nand suspend the victim’s system. Figure 16 showcases these options.\r\nFigure 16 – Remote Client Management Option\r\nConclusion\r\nRATs have steadily become stealthier and more efficient with new techniques in place. Various cybercriminals and\r\nAdvanced Persistent Threat Groups have leveraged RATs in the past.\r\nCyble has observed data breaches in high-profile organizations due to such threats. Since EagleMonitor is an open-source RAT, it is possible that threat actors could create and deploy custom variations for future attacks.\r\nOrganizations and individuals should thus continue to follow industry best cybersecurity practices.\r\nOur Recommendations: \r\nUse strong passwords and enforce multi-factor authentication wherever possible.  \r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices. \r\nUse a reputed anti-virus and internet security software package on your connected devices, including PC,\r\nlaptop, and mobile. 
\r\nRefrain from opening untrusted links and email attachments without first verifying their authenticity.\r\nEducate employees on protecting themselves from threats like phishing and untrusted URLs.\r\nBlock URLs that could be used to spread the malware, e.g., Torrent/Warez.\r\nMonitor the beacon on the network level to block data exfiltration by malware or TAs.\r\nEnable Data Loss Prevention (DLP) Solutions on the employees’ systems.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic  Technique ID  Technique Name\r\nExecution  T1204  User Execution\r\nPrivilege Escalation  T1543  Create or Modify System Process\r\nPrivilege Escalation  T1055  Process Injection\r\nCredential Access  T1555  Credentials from Password Stores\r\nCredential Access  T1539  Steal Web Session Cookie\r\nCredential Access  T1552  Unsecured Credentials\r\nCredential Access  T1528  Steal Application Access Token\r\nCollection  T1113  Screen Capture\r\nCollection  T1123  Audio Capture\r\nCollection  T1119  Automated Collection\r\nCollection  T1005  Data from Local System\r\nCollection  T1056  Input Capture\r\nDiscovery  T1518  Software Discovery\r\nDiscovery  T1124  System Time Discovery\r\nDiscovery  T1007  System Service Discovery\r\nDiscovery  T1083  File and Directory Discovery\r\nDiscovery  T1046  Network Service Scanning\r\nCommand and Control  T1071  Application Layer Protocol\r\nExfiltration  T1041  Exfiltration Over C2 Channel\r\nIndicators of Compromise (IoCs):\r\nEagle Monitor RAT Reborn (x32).exe\r\nEagle Monitor Builder.exe\r\nClient.exe\r\nSource: https://blog.cyble.com/2022/04/18/under-the-lens-eagle-monitor-rat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2022/04/18/under-the-lens-eagle-monitor-rat/"
	],
	"report_names": [
		"under-the-lens-eagle-monitor-rat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434108,
	"ts_updated_at": 1775791271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/205ea6b4be28e661184601fcc7db811b364a0956.pdf",
		"text": "https://archive.orkl.eu/205ea6b4be28e661184601fcc7db811b364a0956.txt",
		"img": "https://archive.orkl.eu/205ea6b4be28e661184601fcc7db811b364a0956.jpg"
	}
}