CloudZ RAT Abuses Microsoft Phone Link to Steal SMS and OTPs via New 'Pheno' Plugin
A new variant of the **CloudZ** remote access tool (RAT) is actively deploying a malicious plugin dubbed 'Pheno' to hijack **Microsoft Phone Link** connections. This allows attackers to steal sensitive SMS messages and one-time passwords (OTPs) directly from a victim's computer without needing to compromise the mobile device itself.
A new version of the **CloudZ** remote access tool (RAT) is deploying a previously unseen malicious plugin called **Pheno** that hijacks the **Microsoft Phone Link** connection to steal sensitive codes from mobile devices.
The malware was discovered in an intrusion that has been active since at least January, and researchers believe the threat actor's purpose was to steal credentials and temporary passcodes.

**Microsoft Phone Link** comes pre-installed on Windows 10 and 11, enabling users to make calls, send texts, and view mobile notifications (Android and iOS) directly from their computer.
By abusing this application, attackers can intercept sensitive messages without directly compromising the target's mobile phone.
### Pheno Plugin Details
Researchers at **Cisco Talos** reported today that **Pheno** monitors for active **Phone Link** sessions and accesses its local SQLite database, which may contain SMS and one-time passwords (OTPs).
This provides attackers with access to sensitive information without needing to compromise the mobile device.
"With a confirmed Phone Link activity on the victim's machine, the attacker using the **CloudZ** RAT can potentially intercept the Phone Link application's SQLite database file on the victim's machine, potentially compromising SMS-based OTP messages and other authenticator application notification messages," **Cisco Talos** stated in their report.

*Pheno scanning for active phone links. Source: Cisco Talos*
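Because Pheno reads Phone Link's local SQLite store rather than touching the phone, a practical detection is to watch for any process other than the Phone Link host opening that store. The following is an added example for this article, not code from Cisco Talos or from the malware; it assumes (not stated in the report) that Phone Link runs as PhoneExperienceHost.exe and keeps its cache under the Microsoft.YourPhone package folder, and runs over constructed file-access events in a Sysmon-like shape.

```python
"""Flag file-access events where something other than the Phone Link host opens its SQLite store."""
from dataclasses import dataclass

# Assumptions (not from the Talos report): Phone Link's host process image name and the
# package folder under %LOCALAPPDATA%\Packages that holds its cache. Adjust to your telemetry.
PHONE_LINK_PROCESS = "phoneexperiencehost.exe"
PHONE_LINK_PACKAGE_DIR = "\\packages\\microsoft.yourphone_8wekyb3d8bbwe\\"
# SQLite main file plus its write-ahead-log and shared-memory side files, which also leak rows.
SQLITE_SUFFIXES = (".db", ".sqlite", ".db-wal", ".db-shm")


@dataclass
class FileEvent:
    ts: str
    process: str  # full image path of the process opening the file
    target: str   # path of the file being opened


def is_phone_link_store(path: str) -> bool:
    """True when the path is a SQLite file (or side file) inside the Phone Link package cache."""
    p = path.lower()
    return PHONE_LINK_PACKAGE_DIR in p and p.endswith(SQLITE_SUFFIXES)


def find_suspicious_access(events):
    """Return events where a non-Phone-Link process opened the Phone Link SQLite store."""
    hits = []
    for e in events:
        if not is_phone_link_store(e.target):
            continue
        image = e.process.lower().rsplit("\\", 1)[-1]  # compare by image name, case-insensitive
        if image != PHONE_LINK_PROCESS:
            hits.append(e)
    return hits


STORE = r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\example.db"
SAMPLE_EVENTS = [  # constructed sample telemetry; file and process names are placeholders
    FileEvent("10:01:02", r"C:\Program Files\WindowsApps\YourPhone\PhoneExperienceHost.exe", STORE),
    FileEvent("10:01:05", r"C:\Users\alice\AppData\Roaming\update.exe", STORE),
    FileEvent("10:01:06", r"C:\Users\alice\AppData\Roaming\update.exe", STORE + "-wal"),
    FileEvent("10:02:00", r"C:\Windows\System32\notepad.exe", r"C:\Users\alice\notes.db"),
]

if __name__ == "__main__":
    for hit in find_suspicious_access(SAMPLE_EVENTS):
        print(f"{hit.ts} {hit.process} opened {hit.target}")
```

In production, pair this with an alert on the store being copied or read by a process started from a user-writable directory, since the legitimate host is the only expected reader.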
### CloudZ RAT Capabilities
In addition to the **Pheno** plugin's capabilities, **CloudZ** can target data stored in web browsers, profile host systems, and execute commands for:
* File management (delete, download, and write)
* Shell command execution
* Screen recording
* Plugin management (load, remove, save to disk)
* Termination of the RAT process
**Cisco** reports that **CloudZ** rotates between three hardcoded user-agent strings to make HTTP traffic appear as legitimate browser requests. Each HTTP request includes anti-caching headers to prevent proxies/CDNs from caching C2 or staging-server details.
### Infection Chain
Researchers have not yet identified the initial access vector, but they discovered that the infection begins when the victim executes a fake **ScreenConnect** update, which drops a Rust-based loader. This is followed by the deployment of a .NET loader, which installs the **CloudZ** RAT and establishes persistence via a scheduled task.
The .NET loader also includes anti-analysis checks, such as time-based sandbox evasion steps, checks for analysis tools like **Wireshark**, **Fiddler**, **Procmon**, and **Sysmon**, and checks for VM- and sandbox-related strings.

*The loader's environment checks. Source: Cisco Talos*
### Mitigation
To defend against such attacks, users should avoid SMS-based OTP services and use authenticator apps that do not require push notifications that could be intercepted. For more sensitive information, it is recommended to switch to using phishing-resistant solutions such as hardware keys.
**Cisco Talos** has published a set of indicators of compromise (IOCs), including URLs, hashes for malicious components, domains, and IP addresses, which defenders can use to protect their environments.