Cisco Talos discovered an intrusion, active since at least January 2026, where an unknown attacker implanted a CloudZ remote access tool (RAT) and a previously undocumented plugin called “Pheno.”
# Tool/Technique: CloudZ RAT & Pheno Plugin
## Overview
CloudZ is a modular Remote Access Tool (RAT) used to exfiltrate browser credentials and deploy additional malicious modules. In recent campaigns, it has been observed deploying a specialized plugin named **Pheno**, designed to exploit the Microsoft Phone Link application. The primary goal is to intercept SMS messages and One-Time Passwords (OTPs) by abusing the PC-to-phone synchronization bridge.
## Technical Details
- **Type:** Malware Family (RAT) and specialized Plugin
- **Platform:** Windows (Targeting interactions with Android/iOS via Phone Link)
- **Capabilities:** Credential theft, arbitrary command execution, SMS/OTP interception, sandbox/debugger evasion.
- **First Seen:** January 2026
## MITRE ATT&CK Mapping
- **[TA0002 - Execution]**
  - [T1059.001 - Command and Scripting Interpreter: PowerShell]
  - [T1053.005 - Scheduled Task/Job: Scheduled Task]
- **[TA0003 - Persistence]**
  - [T1053.005 - Scheduled Task/Job: Scheduled Task]
- **[TA0005 - Defense Evasion]**
  - [T1027 - Obfuscated Files or Information]
  - [T1497 - Virtualization/Sandbox Evasion]
  - [T1055 - Process Injection]
- **[TA0007 - Discovery]**
  - [T1057 - Process Discovery]
- **[TA0006 - Credential Access]**
  - [T1555.003 - Credentials from Password Stores: Credentials from Web Browsers]
- **[TA0009 - Collection]**
  - [T1119 - Automated Collection]
## Functionality
### Core Capabilities
- **Modular Architecture:** CloudZ can dynamically download and load plugins into memory.
- **Credential Theft:** Extracts sensitive data and stored passwords from major web browsers.
- **Command Dispatcher:** Establishes an encrypted socket connection to a C2 server to receive and execute remote instructions.
- **Evasion:** Performs environment checks for debuggers and sandboxes; executes malicious code in system memory to avoid disk-based detection.
### Advanced Features
- **Phone Link Exploitation (Pheno):** Scans for the `PhoneExperienceHost.exe` process and checks for active proxy connections (indicating an active PC-to-phone bridge).
- **SQLite Database Interception:** Targets the Phone Link database (e.g., `PhoneExperiences-*.db`) to read synchronized SMS logs, call history, and notifications.
- **OTP Stealing:** Because Phone Link mirrors the phone's activity on the PC, Pheno lets attackers capture SMS-based OTPs in real time and bypass Multi-Factor Authentication (MFA).
## Indicators of Compromise
- **File Names:**
  - `systemupdates.exe`, `Windows-interactive-update.exe` (Rust loader)
  - `update.txt`, `msupdate.txt` (.NET loader)
  - `PhoneExperiences-*.db` (targeted database)
- **Registry Keys:** N/A (persistence is primarily via Scheduled Tasks)
- **Network Indicators:**
  - `hxxps[://]calm-wildflower-1349[.]hellohiall[.]workers[.]dev`
- **Behavioral Indicators:**
  - Repeated `Get-CimInstance Win32_Process` queries filtering for `regasm.exe`.
  - Creation of a scheduled task named `SystemWindowsApis` in `\Microsoft\Windows\`.
  - Metadata file creation in `C:\programdata\Microsoft\feedback\cm`.
## Associated Threat Actors
- **Unknown:** Currently attributed to an unclassified threat actor active since early 2026.
## Detection Methods
- **Signature-based detection:**
  - ClamAV: `Win.Trojan.CloudZRAT-10059935-0`, `Win.Packed.Msilheracles-10030690-0`.
  - Snort SIDs: `66408`, `66409`, `66410`, `301492`.
- **Behavioral detection:** Monitoring for unexpected access to the `%LOCALAPPDATA%\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\` directory or frequent SQLite queries to Phone Link databases by unsigned processes.
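The behavioral indicators above, turned into hunting logic over endpoint telemetry, as an added example (not Talos code or a Talos detection): it assumes a constructed EDR-style event shape (`type`, `image`, `signed`, plus `target`, `task` or `cmdline`), and the `CIM_THRESHOLD` cut-off for "excessive" `regasm.exe` lookups is an assumption.

```python
import re
from collections import Counter

# Indicator fragments from the report, lower-cased for case-insensitive matching.
PHONE_LINK_PKG = r"\packages\microsoft.yourphone_8wekyb3d8bbwe"
PHONE_LINK_DB = re.compile(r"phoneexperiences-[^\\]*\.db(?:-wal|-journal)?$")  # also SQLite side files
TASK_NAME = r"\microsoft\windows\systemwindowsapis"
METADATA_DIR = r"c:\programdata\microsoft\feedback\cm" + "\\"
CIM_QUERY = re.compile(r"get-ciminstance\s+win32_process", re.I)
CIM_THRESHOLD = 3  # assumed cut-off for "excessive" regasm.exe lookups by one image

def evaluate(events):
    """Return (rule, image) findings for EDR-style event dicts (constructed shape:
    'type', 'image', 'signed', plus 'target', 'task' or 'cmdline')."""
    findings, cim_counts = [], Counter()
    for ev in events:
        kind, image = ev.get("type"), ev.get("image", "")
        target = ev.get("target", "").lower()
        if kind == "file_access":
            # Signed Phone Link components read this data legitimately; unsigned readers do not.
            if (PHONE_LINK_PKG in target or PHONE_LINK_DB.search(target)) and not ev.get("signed", False):
                findings.append(("unsigned_phone_link_access", image))
        elif kind == "file_create" and target.startswith(METADATA_DIR):
            findings.append(("feedback_cm_metadata", image))
        elif kind == "task_create" and ev.get("task", "").lower() == TASK_NAME:
            findings.append(("systemwindowsapis_task", image))
        elif kind == "process_create":
            cmd = ev.get("cmdline", "")
            if CIM_QUERY.search(cmd) and "regasm" in cmd.lower():
                cim_counts[image] += 1
                if cim_counts[image] == CIM_THRESHOLD:  # alert once, when the threshold is crossed
                    findings.append(("regasm_process_hunting", image))
    return findings

# Constructed sample telemetry: one benign Phone Link read, four malicious behaviours.
DB_PATH = r"C:\Users\u\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\PhoneExperiences-1.db"
SAMPLE_EVENTS = [
    {"type": "file_access", "image": r"C:\ProgramData\systemupdates.exe", "signed": False, "target": DB_PATH},
    {"type": "file_access", "image": r"C:\Program Files\WindowsApps\PhoneExperienceHost.exe", "signed": True, "target": DB_PATH},
    {"type": "task_create", "image": r"C:\Windows\System32\schtasks.exe", "task": r"\Microsoft\Windows\SystemWindowsApis"},
    {"type": "file_create", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe",
     "target": r"C:\programdata\Microsoft\feedback\cm\state.txt"},
] + [
    {"type": "process_create", "image": "powershell.exe",
     "cmdline": "powershell -c Get-CimInstance Win32_Process | Where-Object Name -eq regasm.exe"}
    for _ in range(3)
]

if __name__ == "__main__":
    for rule, image in evaluate(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```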
## Mitigation Strategies
- **Attack Surface Reduction:** Disable the "Phone Link" (Your Phone) application via Group Policy if it is not required for business operations.
- **Endpoint Protection:** Use EDR solutions to monitor for process injection into `regasm.exe` or `cvtres.exe`.
- **MFA Hardening:** Transition from SMS-based OTPs to more secure methods like hardware security keys (FIDO2) or app-based push notifications that do not mirror content to the OS notification center.
## Related Tools/Techniques
- **ScreenConnect (Abuse):** Used as a lure for the initial infection vector.
- **Regasm.exe / PowerShell:** Classic Living-off-the-Land (LotL) techniques for loading and persistence.