CloudZ RAT potentially steals OTP messages using Pheno plugin
Cisco Talos uncovered an intrusion, active since January 2026, in which attackers deployed the CloudZ remote access tool together with a previously undocumented plugin called Pheno to steal credentials and one-time passwords. The attack abuses the Microsoft Phone Link application, intercepting synchronized mobile data, including SMS messages and OTPs, without any infection of the phone itself. CloudZ evades detection through dynamic in-memory execution and anti-analysis checks. The infection chain begins with a fake ScreenConnect update executable, which leads to a Rust-compiled dropper that deploys a .NET loader, which in turn establishes the modular CloudZ RAT. The Pheno plugin monitors Phone Link processes and intercepts the SQLite database files that hold the synchronized phone data. CloudZ is obfuscated with ConfuserEx, uses multiple configuration layers, supports commands including browser data exfiltration, shell execution, and plugin management, and maintains persistence through scheduled tasks.
AI Analysis
Technical Summary
CloudZ RAT is a modular remote access tool, deployed since early 2026, that uses a multi-stage infection chain beginning with a fake ScreenConnect update executable. That executable runs a Rust dropper, which deploys a .NET loader that establishes the RAT on the victim system. The RAT includes a previously undocumented plugin called Pheno, which targets the Microsoft Phone Link application and intercepts synchronized mobile data, including SMS and OTP messages, without requiring infection of the mobile device. CloudZ employs ConfuserEx obfuscation and multiple configuration layers to evade detection, and supports commands for browser data exfiltration, shell execution, and plugin management. Persistence is maintained through scheduled tasks. The malware also relies on dynamic in-memory execution and anti-analysis techniques. Published indicators include multiple file hashes and an IP address. There is no known patch or official fix at this time.
Potential Impact
CloudZ RAT with the Pheno plugin can steal credentials and intercept one-time passwords by reading the mobile data that Microsoft Phone Link synchronizes onto an infected Windows host. Because the interception happens on the PC, the attacker never needs to compromise the phone, yet can still defeat accounts protected by OTP-based two-factor authentication. The malware also supports browser data theft, shell command execution, and plugin management, widening the scope of data exfiltration and system control. The multi-stage infection chain and obfuscation complicate detection and removal.
Mitigation Recommendations
No official patch or remediation is currently available for this threat. Organizations should monitor for the indicators of compromise published with this report (file hashes and an IP address). Because the malware abuses the Microsoft Phone Link application to read synchronized data, restricting or monitoring the use of this application, and alerting on unexpected processes that access its SQLite database files, may reduce risk. Employ endpoint detection solutions capable of identifying behaviours such as dynamic in-memory execution and scheduled task creation used for persistence, and treat ScreenConnect "update" executables that do not come from the vendor as suspect. Follow vendor advisories for updates and remediation guidance as they become available.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://blog.talosintelligence.com/cloudz-pheno-infostealer/
- Adversary: null
- Pulse Id: 69f9f99cd352da334850ef13
- Threat Score: null
Threat ID: 69fa157fcbff5d86100ead00
Added to database: 5/5/2026, 4:06:23 PM
Last enriched: 5/5/2026, 4:21:23 PM
Last updated: 5/6/2026, 3:54:34 AM