A sophisticated intrusion campaign has been uncovered, active since at least January 2026, in which a threat actor deployed the CloudZ remote access trojan (RAT) alongside a previously undocumented plugin called “Pheno” to silently intercept one-time passwords (OTPs) and SMS messages, all without ever touching the victim’s mobile device.
CloudZ is a modular, .NET-compiled RAT obfuscated with ConfuserEx and designed to operate stealthily on Windows systems. What makes this campaign particularly alarming is the introduction of the Pheno plugin, a never-before-documented tool specifically engineered to abuse Microsoft’s Phone Link application.
This built-in Windows utility synchronizes Android and iPhone data, including SMS messages, call logs, and app notifications, directly to a user’s PC.
The Pheno plugin does not compromise the victim’s smartphone. Instead, it exploits the trusted PC-to-phone bridge that Phone Link creates, targeting the application’s local SQLite database files (e.g., PhoneExperiences-*.db) to harvest SMS-based OTPs and authenticator app notifications silently from the Windows machine.
CloudZ RAT Malware
With confirmed Phone Link activity on the victim’s machine, an attacker using the CloudZ RAT can read the Phone Link application’s SQLite database file on that machine, potentially compromising SMS-based OTP messages and other authenticator application notification messages.
The intrusion begins with an unknown initial access vector, followed by the deployment of a fake ScreenConnect application update executable on the victim machine. This malicious executable drops an intermediate .NET loader disguised as a text file (update.txt or msupdate.txt) into the directory C:\ProgramData\Microsoft\windosDoc\.
In some instances, the loader was pulled directly from an attacker-controlled Cloudflare Workers staging server using a curl command. A Rust-compiled 64-bit executable disguised as systemupdates.exe or Windows-interactive-update.exe and compiled on January 1, 2026, serves as the initial dropper.
The dropper embeds a PowerShell script that establishes persistence by creating a scheduled task named SystemWindowsApis under \Microsoft\Windows\.
The task is configured to run at system startup under the SYSTEM account with the highest privilege level, and it uses the legitimate LOLBin regasm.exe to execute the .NET loader, ensuring the malware survives reboots.
CloudZ’s Multi-Layer Evasion Techniques
CloudZ and its loader employ multiple layers of detection evasion, making this threat especially difficult to identify and neutralize. The .NET loader begins with a timing-based evasion check that measures the actual elapsed time from a sleep command to detect sandbox environments.
It then enumerates running processes and cross-references them against a blocklist of security tools, including Wireshark, Fiddler, Procmon, and Sysmon, immediately terminating execution if any are detected.
The loader further checks hardware characteristics, requiring at least 2 processor cores, and scans for strings such as “VIRTUAL” or “SANDBOX” in system paths, computer names, user domains, and usernames.
CloudZ itself queries the _ENABLE_PROFILING environment variable to detect attached .NET profilers or debuggers, and uses System.Reflection.Emit.DynamicMethod combined with ILGenerator to build executable functions dynamically in memory, making static analysis extremely difficult.
Once deployed, CloudZ decrypts its embedded configuration data and establishes an encrypted TCP socket connection to its command-and-control (C2) server at IP address 185[.]196[.]10[.]136 on port 8089. Secondary configuration data is fetched from attacker-controlled Cloudflare Workers URLs or Pastebin, where the attacker used the handle “HELLOHIALL.”
The RAT rotates between three hardcoded user-agent strings mimicking Firefox, Chrome, and mobile Safari to blend malicious traffic with legitimate browser activity and uses anti-caching HTTP headers to prevent proxies or CDN infrastructure from exposing C2 details.
CloudZ supports a broad command set using Base64-encoded identifiers, including browser credential exfiltration (BrowserSearch), Phone Link reconnaissance data retrieval (GetWidgetLog), shell command execution (RunShell), screen recording (rec), file management (FM), and plugin lifecycle management (plugin, savePlugin, sendPlugin, RemovePlugins).
The Pheno plugin is delivered via curl from a staging server and operates as a reconnaissance agent for the Phone Link application. It scans all active processes for keywords including “YourPhone,” “PhoneExperienceHost,” and “Link to Windows,” logging matching process IDs and file paths to files named phonelink-<COMPUTERNAME>.txt in staging directories under C:\programdata\Microsoft\feedback\cm and %TEMP%\Microsoft\feedback\cm.
Pheno also performs a secondary check by searching for the keyword “proxy” in its output files, since an active Phone Link session creates a local proxy relay between the PC and the mobile device.
When the proxy string is detected, the plugin logs “Maybe connected,” signaling CloudZ to begin harvesting OTP and SMS data from the Phone Link SQLite database. This novel technique effectively bypasses mobile-based security controls by attacking the desktop sync layer instead.
Detection
Cisco Talos has released ClamAV signatures to detect and block this threat, including Win.Trojan.CloudZRAT-10059935-0 and Win.Trojan.CloudZRAT-10059959-0.
Snort rules for both Snort 2 (SIDs 66408–66410) and Snort 3 (SIDs 301492, 66408) are also available. Indicators of compromise, including hashes, C2 IPs, and staging URLs, have been published to the GitHub repository.
Organizations are urged to disable Microsoft Phone Link if not required, monitor for scheduled tasks named SystemWindowsApis, and audit LOLBin usage, particularly regasm.exe, and implement behavioral detection rules for dynamic in-memory code execution.
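The following hunting script is an added example, not from the article or from Cisco Talos; it checks a single Windows host for the persistence and staging artifacts the article describes (the SystemWindowsApis task, regasm.exe task actions, the loader and Pheno file paths). It assumes it is run elevated, and the output layout is the author's own.

```powershell
# Added hunting script: looks for the CloudZ/Pheno artifacts named in the article.
# Task name, paths and file names come from the article; everything else is assumed.
$hits = @()

# 1. The persistence task the article names, under \Microsoft\Windows\
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\' -TaskName 'SystemWindowsApis' -ErrorAction SilentlyContinue
if ($task) {
    $hits += "Scheduled task found: $($task.TaskPath)$($task.TaskName) (principal: $($task.Principal.UserId))"
}

# 2. Any scheduled task whose action launches regasm.exe (LOLBin abuse), whatever its name
foreach ($t in Get-ScheduledTask) {
    foreach ($a in $t.Actions) {
        if ($a.Execute -and $a.Execute -match 'regasm(\.exe)?$') {
            $hits += "regasm.exe action in task $($t.TaskPath)$($t.TaskName): $($a.Execute) $($a.Arguments)"
        }
    }
}

# 3. Loader drop files disguised as text files
$loaderFiles = @(
    'C:\ProgramData\Microsoft\windosDoc\update.txt',
    'C:\ProgramData\Microsoft\windosDoc\msupdate.txt'
)
foreach ($f in $loaderFiles) {
    if (Test-Path -Path $f -PathType Leaf) { $hits += "Loader file present: $f" }
}

# 4. Pheno staging directories and its phonelink-<COMPUTERNAME>.txt output files
$stagingDirs = @(
    'C:\ProgramData\Microsoft\feedback\cm',
    (Join-Path $env:TEMP 'Microsoft\feedback\cm')
)
foreach ($d in $stagingDirs) {
    if (Test-Path -Path $d -PathType Container) {
        $hits += "Staging directory present: $d"
        Get-ChildItem -Path $d -Filter 'phonelink-*.txt' -File -ErrorAction SilentlyContinue |
            ForEach-Object { $hits += "Pheno output file: $($_.FullName)" }
    }
}

if ($hits.Count -eq 0) { 'No CloudZ/Pheno artifacts found on this host.' } else { $hits }
```

A hit on any item is a reason to pull the host's Phone Link database, scheduled-task history and regasm.exe process events for incident response; absence of hits does not clear a host, since the actor can rename these artifacts.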
Given the growing trend of identity-centric attacks targeting trusted application bridges rather than direct device compromise, the CloudZ/Pheno campaign represents a significant evolution in credential theft methodology.
FAQ
Q1: What is CloudZ RAT, and how does it steal OTPs?
CloudZ is a modular .NET RAT that uses its Pheno plugin to access Microsoft Phone Link’s SQLite database, intercepting SMS-based OTPs and authenticator notifications synced from a victim’s mobile device to their Windows PC without touching the phone itself.
Q2: Does CloudZ compromise the victim’s smartphone directly?
No. CloudZ bypasses mobile device compromise entirely by exploiting the PC-to-phone bridge created by Microsoft Phone Link, harvesting sensitive data from the Windows machine’s local sync database.
Q3: How does CloudZ avoid detection by security tools?
CloudZ uses timing-based sandbox checks, process enumeration against security tool blocklists, hardware fingerprinting for VM detection, and dynamically compiled executable functions to evade both static and behavioral analysis.
Q4: How can organizations protect themselves from CloudZ RAT?
Organizations should disable Microsoft Phone Link where unnecessary, monitor for suspicious scheduled tasks and LOLBin (regasm.exe) abuse, deploy the available ClamAV and Snort signatures from Cisco Talos, and review the published IOCs on the Talos GitHub repository.
Site: thecybrdef.com