Full Report
A new version of the CloudZ remote access tool (RAT) is deploying a previously unseen malicious plugin called Pheno that hijacks the Microsoft Phone Link connection to steal sensitive codes from mobile devices. [...]
Analysis Summary
# Tool/Technique: CloudZ RAT & Pheno Plugin
## Overview
CloudZ is a Remote Access Tool (RAT) that utilizes a multi-stage infection chain to gain control over Windows systems. Its most notable feature is the deployment of a specialized plugin named **Pheno**, which hijacks the legitimate Microsoft Phone Link application. By accessing local SQLite databases used by Phone Link, the malware can intercept SMS messages and One-Time Passwords (OTPs) from synced mobile devices (Android/iOS) without needing to compromise the mobile device itself.
## Technical Details
- **Type:** Malware Family (RAT) and Malicious Plugin
- **Platform:** Windows (Targeting Microsoft Phone Link for mobile data interception)
- **Capabilities:** Credential theft, SMS/OTP interception, screen recording, file management, and shell execution.
- **First Seen:** Active since at least January 2026 (Reported May 2026)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1566 - Phishing (Likely delivered via fake ScreenConnect updates)
- **TA0003 - Persistence**
  - T1053.005 - Scheduled Task/Job: Scheduled Task
- **TA0005 - Defense Evasion**
  - T1497.001 - Virtualization/Sandbox Evasion: System Checks
  - T1027 - Obfuscated Files or Information
  - T1036.004 - Masquerading: Masquerade Task or Service (Fake updates)
- **TA0009 - Collection**
  - T1113 - Screen Capture
  - T1133 - External Remote Services
  - T1646 - Data from Information Repositories (Accessing Phone Link SQLite DB)
## Functionality
### Core Capabilities
- **Information Gathering:** Profiles host systems and targets web browser data.
- **File Management:** Capability to delete, download, and write files to the victim's machine.
- **Remote Commands:** Executes shell commands and terminates its own processes upon request.
- **Screen Recording:** Initiates screen captures to monitor user activity.
### Advanced Features
- **Phone Link Hijacking (Pheno Plugin):** Monitors for active Microsoft Phone Link sessions and extracts data from the application's local SQLite database to steal SMS-based OTPs and authenticator notifications.
- **Anti-Analysis:** The .NET loader performs time-based sandbox evasion and scans for analysis tools (Wireshark, Fiddler, Procmon, Sysmon).
- **Network Evasion:** Rotates between three hardcoded user-agent strings and uses anti-caching headers to bypass proxy/CDN detection.
## Indicators of Compromise
- **File Hashes:**
  - *(Refer to the Cisco Talos report for the specific SHA256 hashes of the Rust-based loader and .NET components)*
- **File Names:** Fake ScreenConnect update files.
- **Network Indicators:**
  - C2 Domains: `hxxp[:]//[example-c2-domain].com` (Defanged)
  - Staging Servers: `hxxps[:]//[example-staging-server].io` (Defanged)
- **Behavioral Indicators:**
  - Creation of unexpected Scheduled Tasks.
  - Unexpected access to `%LOCALAPPDATA%\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache`.
  - Presence of processes scanning for analysis tools such as `procmon.exe` or `wireshark.exe`.
## Associated Threat Actors
- **Unknown:** Specific attribution has not been publicly linked to a known APT, though the sophistication of the Phone Link hijack suggests an actor motivated by cyber-espionage or financial gain.
## Detection Methods
- **Signature-based detection:** Update AV/EDR signatures to detect the Rust-based loader and the specific CloudZ .NET payload.
- **Behavioral detection:** Monitor for unauthorized processes accessing the Microsoft Phone Link (YourPhone) data directories.
- **Network Monitoring:** Alert on HTTP traffic containing anti-caching headers used in conjunction with non-standard user-agent rotations.
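The three detection ideas above (Phone Link cache access by a foreign process, unexpected scheduled-task creation, and anti-caching headers combined with user-agent rotation) can be expressed as simple correlation rules. The following Python script is an added example written for this summary, not code from the Talos report or from any detection product. It runs over constructed Sysmon-style file-access and process-creation events and constructed proxy log records; the process names in `PHONE_LINK_PROCESSES`, the sample paths, file names and IP addresses are assumptions chosen for illustration, and the `min_agents` threshold of three mirrors the report's note about three hardcoded user-agent strings.

```python
"""Added example: correlate constructed endpoint and proxy telemetry against
the CloudZ / Pheno behavioural and network indicators described in the report."""
from collections import defaultdict

# Phone Link local package cache, as listed in the report's behavioural indicators.
PHONE_LINK_CACHE = r"\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache"

# Assumption: processes that legitimately open the cache. Tune this allow-list
# from your own EDR baseline before deploying the rule.
PHONE_LINK_PROCESSES = {"phoneexperiencehost.exe", "yourphone.exe"}

# Request headers a client sets to defeat proxy/CDN caching.
ANTI_CACHE_HEADERS = {"cache-control", "pragma"}


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def phone_link_access_alerts(file_events):
    """file_events: dicts with 'image' (accessing process) and 'target' (file).
    Flag any process outside the allow-list that touches the Phone Link cache."""
    alerts = []
    for ev in file_events:
        proc = _basename(ev["image"])
        if PHONE_LINK_CACHE.lower() in ev["target"].lower() and proc not in PHONE_LINK_PROCESSES:
            alerts.append((proc, ev["target"]))
    return alerts


def scheduled_task_alerts(proc_events):
    """proc_events: dicts with 'image', 'parent_image', 'command_line'.
    Flag schtasks.exe invoked with /create and report the parent that spawned it,
    so an analyst can see whether a fake updater is registering persistence."""
    alerts = []
    for ev in proc_events:
        if _basename(ev["image"]) == "schtasks.exe" and "/create" in ev["command_line"].lower():
            alerts.append((_basename(ev["parent_image"]), ev["command_line"]))
    return alerts


def ua_rotation_alerts(requests, min_agents=3):
    """requests: dicts with 'client', 'host', 'user_agent', 'headers' (list of
    'Name: value' strings). Flag a (client, host) pair that uses at least
    min_agents distinct User-Agent values AND sends anti-caching request headers.
    Either signal alone is common on a normal network; the combination is not."""
    agents_seen = defaultdict(set)
    anti_cache_seen = defaultdict(bool)
    for req in requests:
        key = (req["client"], req["host"])
        agents_seen[key].add(req["user_agent"])
        names = {h.split(":", 1)[0].strip().lower() for h in req["headers"]}
        if names & ANTI_CACHE_HEADERS:
            anti_cache_seen[key] = True
    return sorted(k for k, agents in agents_seen.items()
                  if len(agents) >= min_agents and anti_cache_seen[k])


# Constructed sample telemetry (not real captures); paths and hosts are illustrative.
CACHE_DIR = r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache"
UPDATER = r"C:\Users\alice\AppData\Roaming\ScreenConnect-Update\update.exe"

SAMPLE_FILE_EVENTS = [
    {"image": r"C:\Program Files\WindowsApps\Microsoft.YourPhone_8wekyb3d8bbwe\PhoneExperienceHost.exe",
     "target": CACHE_DIR + r"\contacts.db"},
    {"image": UPDATER, "target": CACHE_DIR + r"\messages.db"},
    {"image": r"C:\Windows\explorer.exe", "target": r"C:\Users\alice\Documents\notes.txt"},
]

SAMPLE_PROC_EVENTS = [
    {"image": r"C:\Windows\System32\schtasks.exe", "parent_image": UPDATER,
     "command_line": 'schtasks /create /sc minute /mo 5 /tn "ScreenConnect Update" /tr "' + UPDATER + '"'},
    {"image": r"C:\Windows\System32\svchost.exe", "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": "svchost.exe -k netsvcs"},
]

SAMPLE_REQUESTS = [
    {"client": "10.0.0.5", "host": "example-c2-domain.com", "user_agent": "UA-1",
     "headers": ["Cache-Control: no-cache", "Pragma: no-cache"]},
    {"client": "10.0.0.5", "host": "example-c2-domain.com", "user_agent": "UA-2",
     "headers": ["Cache-Control: no-store"]},
    {"client": "10.0.0.5", "host": "example-c2-domain.com", "user_agent": "UA-3",
     "headers": ["Pragma: no-cache"]},
    {"client": "10.0.0.7", "host": "intranet.example", "user_agent": "UA-1",
     "headers": ["Accept: */*"]},
]

if __name__ == "__main__":
    print("Phone Link cache access:", phone_link_access_alerts(SAMPLE_FILE_EVENTS))
    print("Scheduled task creation:", scheduled_task_alerts(SAMPLE_PROC_EVENTS))
    print("UA rotation + anti-cache:", ua_rotation_alerts(SAMPLE_REQUESTS))
```

In production the `SAMPLE_*` lists would be replaced by a feed of Sysmon Event ID 11/1 records and proxy logs; the allow-list in `PHONE_LINK_PROCESSES` is the part most likely to need tuning, since any process that legitimately indexes or backs up the Phone Link cache will otherwise generate noise.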
## Mitigation Strategies
- **Multi-Factor Authentication Hardening:** Shift from SMS-based OTP or push notifications to phishing-resistant hardware security keys (e.g., YubiKey) or TOTP apps not synced to the desktop.
- **Software Management:** Block unauthorized or "fake" software update binaries; ensure ScreenConnect and other remote tools are updated only through official channels.
- **System Hardening:** Disable Microsoft Phone Link via Group Policy if it is not a requirement for business operations.
## Related Tools/Techniques
- **Remote Access Trojans (RATs):** Similar functionality to AgentTesla or NjRAT, but with the unique addition of mobile-sync exploitation.
- **Phone Hijacking:** Related to "SIM swapping" or "mirroring" techniques, but executed via local desktop database theft rather than network-level attacks.