Full Report
Cybersecurity researchers have disclosed details of an intrusion that involved the use of the CloudZ remote access tool (RAT) and a previously undocumented plugin dubbed Pheno, with the aim of facilitating credential theft. "According to the functionalities of the CloudZ RAT and Pheno plugin, this was with the intention of stealing victims' credentials and potentially one-time passwords (OTPs),"
Analysis Summary
# Tool/Technique: CloudZ RAT & Pheno Plugin
## Overview
CloudZ is a modular .NET-based Remote Access Tool (RAT) used for credential theft and system surveillance. Its primary innovation is the use of a specialized plugin called **Pheno**, which targets the legitimate Microsoft Phone Link application. By abusing the synchronization bridge between a Windows PC and a mobile device (Android/iOS), the malware can intercept SMS messages and One-Time Passwords (OTPs) without actually infecting the mobile device.
## Technical Details
- **Type:** Malware Family (RAT) / Infostealer Plugin
- **Platform:** Windows 10, Windows 11 (leveraging Microsoft Phone Link)
- **Capabilities:** Credential exfiltration, SMS/OTP interception via SQLite database access, screen recording, shell execution, and browser data theft.
- **First Seen:** January 2026
## MITRE ATT&CK Mapping
- **[TA0003 - Persistence]**
  - [T1053.005 - Scheduled Task/Job: Scheduled Task]
- **[TA0005 - Defense Evasion]**
  - [T1140 - Deobfuscate/Decode Files or Information]
  - [T1497 - Virtualization/Sandbox Evasion]
- **[TA0006 - Credential Access]**
  - [T1555.003 - Credentials from Web Browsers]
  - [T1539 - Steal Web Session Cookie]
- **[TA0007 - Discovery]**
  - [T1082 - System Information Discovery]
- **[TA0009 - Collection]**
  - [T1113 - Screen Capture]
  - [T1647 - Software Artifacts (Interception of Phone Link SQLite DB)]
## Functionality
### Core Capabilities
- **Modular Architecture:** Uses a .NET loader to deploy the core RAT and subsequent plugins.
- **C2 Communication:** Establishes encrypted socket sessions using Base64-encoded commands.
- **Browser Stealing:** Features a `BrowserSearch` command to exfiltrate passwords and history.
- **File Management:** Supports full download (`DW`), file management (`FM`), and command-line execution (`RunShell`).
### Advanced Features
- **Phone Link Hijacking (Pheno Plugin):** Monitors for `YourPhone.exe` processes and accesses local SQLite databases where Phone Link stores synchronized SMS and notification data.
- **OTP Interception:** By reading synced SMS data, it bypasses Two-Factor Authentication (2FA) by capturing OTPs sent to the user's phone.
- **Evasion suite:** The .NET loader performs environment and hardware checks to detect if it is running in a sandbox or virtual machine.
## Indicators of Compromise
- **File Names:**
  - `ConnectWise ScreenConnect.exe` (malicious executable posing as the legitimate remote-management client)
- **Staging Directory:**
  - `C:\ProgramData\Microsoft\whealth\`
- **Network Indicators:**
  - C2 communication over encrypted socket sessions (no specific IPs or domains are given in the report; record any that are identified in defanged form, e.g. `example[.]com`).
- **Behavioral Indicators:**
  - Creation of scheduled tasks for persistence.
  - Unexpected process access to `%LocalAppData%\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache`.
## Associated Threat Actors
- **Unknown:** No current attribution to a named APT or cybercrime group at this time.
## Detection Methods
- **Signature-based:** Detect the specific .NET loader and the "Pheno" plugin DLLs.
- **Behavioral:**
  - Monitor for unauthorized access to the Microsoft Phone Link application data folders.
  - Alert on suspicious processes spawning PowerShell scripts to create scheduled tasks.
- **Process Monitoring:** Monitor for unexpected network connections originating from the `whealth` directory in `ProgramData`.
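The three behavioral detections above, expressed as rules over simplified Sysmon-style event records. This is an added illustration, not code from the report or from any vendor; the event shape, the sample events and the allowlist of Phone Link host processes (`YourPhone.exe` is named in the report, `PhoneExperienceHost.exe` is assumed) are constructed here.

```python
import re
from typing import Dict, List

# Paths taken from the report's indicators of compromise.
PHONELINK_CACHE = re.compile(
    r"\\Packages\\Microsoft\.YourPhone_8wekyb3d8bbwe\\LocalCache", re.IGNORECASE)
STAGING_DIR = re.compile(r"^C:\\ProgramData\\Microsoft\\whealth\\", re.IGNORECASE)
# Processes expected to touch the Phone Link cache (assumption: the Phone Link
# host binaries; anything else reading this folder is worth an alert).
PHONELINK_PROCS = {"yourphone.exe", "phoneexperiencehost.exe"}
# Command-line markers for scheduled-task creation from PowerShell.
SCHTASK_MARKERS = re.compile(r"schtasks|register-scheduledtask", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the detections that fire for a single event."""
    hits: List[str] = []
    kind, image = event.get("kind", ""), event.get("image", "")
    if (kind == "file_access" and PHONELINK_CACHE.search(event.get("target", ""))
            and basename(image) not in PHONELINK_PROCS):
        hits.append("phonelink_cache_access_by_foreign_process")
    if kind == "network" and STAGING_DIR.match(image):
        hits.append("network_from_whealth_staging_dir")
    if (kind == "process_create" and basename(image) == "powershell.exe"
            and SCHTASK_MARKERS.search(event.get("cmdline", ""))):
        hits.append("powershell_scheduled_task_creation")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map event id -> detections, keeping only events that fired at least one rule."""
    return {e["id"]: h for e in events if (h := evaluate(e))}


# Constructed sample events (not from the report); e1 and e5 are benign controls.
CACHE_DB = r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\msgs.db"
FAKE_SC = r"C:\ProgramData\Microsoft\whealth\ConnectWise ScreenConnect.exe"
SAMPLE_EVENTS = [
    {"id": "e1", "kind": "file_access", "target": CACHE_DB,
     "image": r"C:\Program Files\WindowsApps\Microsoft.YourPhone_8wekyb3d8bbwe\YourPhone.exe"},
    {"id": "e2", "kind": "file_access", "target": CACHE_DB, "image": FAKE_SC},
    {"id": "e3", "kind": "network", "image": FAKE_SC, "dest": "203.0.113.5:443"},
    {"id": "e4", "kind": "process_create", "cmdline": "powershell -w hidden Register-ScheduledTask -TaskName WHealth",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": "e5", "kind": "process_create", "cmdline": "notepad.exe", "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for eid, hits in scan(SAMPLE_EVENTS).items():
        print(eid, hits)
```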
## Mitigation Strategies
- **Application Control:** Restrict the use of Microsoft Phone Link in corporate environments if not strictly required for business.
- **Least Privilege:** Ensure users do not have administrative rights, preventing the installation of scheduled tasks and access to `C:\ProgramData`.
- **Phishing Protection:** Implement robust email filtering to prevent the initial delivery of the fake ScreenConnect dropper.
- **Hardening:** Disable or limit PowerShell execution for standard users.
## Related Tools/Techniques
- **Phone Link Abuse:** A novel technique for bypassing 2FA without mobile-side malware.
- **ConnectWise ScreenConnect Spoofing:** Using trusted remote management software names to mask malicious activity.