
Cybersecurity researchers have detailed an intrusion that involved the use of the CloudZ remote access tool (RAT) and a previously undocumented plugin called Pheno to facilitate credential theft.
“Based on the functionality of the CloudZ RAT and Pheno plugin, it was intended to steal victims’ credentials and potentially one-time passwords (OTPs),” Cisco Talos researchers Alex Karkins and Chetan Raghuprasad said in an analysis on Tuesday.
What makes this attack novel is that CloudZ uses a custom plugin, Pheno, to hijack the PC-to-phone bridge that the Microsoft Phone Link application establishes, abusing the application so that the plugin can monitor active Phone Link processes and potentially intercept sensitive mobile data such as SMS messages and one-time passwords (OTPs) without placing any malware on the phone.
Our findings demonstrate how legitimate cross-device synchronization capabilities can expose unintended attack vectors for credential theft and two-factor authentication bypass. Additionally, this eliminates the need to compromise the mobile device itself.
The malware has been used as part of an intrusion that has been active since at least January 2026, according to the cybersecurity firm. This activity is not attributed to any known attacker or group.
Built into Windows 10 and Windows 11, Phone Link provides a way for users to pair their computer with an Android device or iPhone over Wi-Fi and Bluetooth, allowing users to make and receive calls, send messages, dismiss notifications, and more.
An unknown attacker has been observed using the CloudZ RAT and Pheno to view Phone Link activity in the victim environment and attempt to access the SQLite database files the application uses to store synchronized phone data.
This attack chain allegedly gained a foothold using a yet-to-be-determined initial access method and dropped a fake ConnectWise ScreenConnect executable that was responsible for downloading and running a .NET loader. The first dropper also uses an embedded PowerShell script to establish persistence by creating a scheduled task that runs the malicious .NET loader.
The intermediate loader performs hardware and environment checks to evade detection and then deploys the modular CloudZ Trojan onto the machine. When executed, the .NET-compiled Trojan waits for Base64-encoded instructions that allow it to decrypt embedded configurations, establish an encrypted socket connection to a command-and-control (C2) server, steal credentials, and load additional plugins.
Commands supported by CloudZ include:
- pong: send a heartbeat response
- PING!: issue a heartbeat request
- CLOSE: terminate the Trojan process
- INFO: collect system metadata
- RunShell: execute a shell command
- BrowserSearch: extract web browser data
- GetWidgetLog: extract Phone Link reconnaissance logs and data
- plugin: load plugins
- savePlugin: save the plugin to disk in the staging directory ("C:\ProgramData\Microsoft\whealth\")
- sendPlugin: upload the plugin to the C2 server
- RemovePlugins: remove all deployed plugin modules
- Recovery: enable recovery or reconnection
- DW: perform download and file write operations
- FM: perform file management operations
- Msg: send a message to the C2 server
- Error: report an error to the C2 server
- rec: record the screen
“The attackers used a plugin called Pheno to spy on the Windows Phone Link application on the victim machine,” Talos said. “The plugin performs reconnaissance of the Microsoft Phone Link application on the victim machine and writes the reconnaissance data to an output file in the staging folder. CloudZ reads back the Phone Link application data from the staging folder and sends it to the C2 server.”
