CloudZ RAT and Pheno Plugin Team Up to Hijack Microsoft Phone Link for Credential Theft
Researchers have uncovered a sophisticated attack leveraging the **CloudZ** Remote Access Trojan (RAT) and a custom plugin called **Pheno** to steal credentials. The attack uniquely exploits the **Microsoft Phone Link** application, enabling attackers to intercept sensitive mobile data without directly compromising the phone itself.
Cybersecurity researchers at **Cisco Talos** have revealed details of an intrusion campaign employing the **CloudZ** remote access trojan (RAT) and a previously undocumented plugin named **Pheno** to facilitate credential theft.
"According to the functionalities of the CloudZ RAT and Pheno plugin, this was with the intention of stealing victims' credentials and potentially one-time passwords (OTPs)," **Cisco Talos** researchers Alex Karkins and Chetan Raghuprasad said in their analysis.

### Bypassing 2FA via Phone Link Hijacking
The novelty of this attack lies in **CloudZ**'s use of the custom **Pheno** plugin to hijack the established PC-to-phone bridge via the **Microsoft Phone Link** application. This allows the plugin to monitor active **Phone Link** processes and potentially intercept sensitive mobile data, such as SMS messages and one-time passwords (OTPs), without needing to deploy malware on the mobile device itself.
This finding highlights how legitimate cross-device syncing features can inadvertently create attack vectors for credential theft and two-factor authentication (2FA) bypass. Critically, the technique removes the need to compromise the mobile device itself.
### Campaign Details
According to **Cisco Talos**, the malware has been active since at least January 2026, though the activity has not yet been attributed to a known threat actor or group.
**Phone Link**, built into **Windows 10** and **Windows 11**, allows users to pair their computer with an Android or iPhone device over Wi-Fi and Bluetooth, enabling them to make calls, send messages, and manage notifications.
Attackers have been observed attempting to exploit this application using **CloudZ** RAT and **Pheno** to confirm **Phone Link** activity on a victim's system and then access the SQLite database file used by the program to store synchronized phone data.
### Attack Chain
The attack chain reportedly begins with an as-yet-undetermined initial access method to gain a foothold and drop a fake **ConnectWise ScreenConnect** executable. This executable is responsible for downloading and running a .NET loader. The initial dropper also employs an embedded PowerShell script to establish persistence by creating a scheduled task that runs the malicious .NET loader.
The intermediate loader performs hardware and environment checks to evade detection before deploying the modular **CloudZ** trojan. Once executed, the .NET-compiled trojan decrypts an embedded configuration, establishes an encrypted socket connection to the command-and-control (C2) server, and awaits Base64-encoded instructions to exfiltrate credentials and deploy additional plugins.
### CloudZ Command Set
Some of the commands supported by **CloudZ** include:
* pong: Send heartbeat responses
* PING!: Issue a heartbeat request
* CLOSE: Terminate the trojan process
* INFO: Collect system metadata
* RunShell: Execute a shell command
* BrowserSearch: Exfiltrate web browser data
* GetWidgetLog: Exfiltrate Phone Link recon logs and data
* plugin: Load a plugin
* savePlugin: Save a plugin to disk at the staging directory ("C:\ProgramData\Microsoft\whealth\")
* sendPlugin: Upload a plugin to the C2 server
* RemovePlugins: Remove all deployed plugin modules
* Recovery: Enable recovery or reconnection
* DW: Conduct download and file write operations
* FM: Conduct file management operations
* Msg: Send a message to the C2 server
* Error: Report errors to the C2 server
* rec: Record the screen
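As an added defender-side example (not code from the article or from Talos), the following Python script flags two behaviours described above: the PowerShell-created scheduled task used for persistence, and writes to the plugin staging directory named under the savePlugin command. The event lines, their key=value format, and file names such as Pheno.dll and loader.exe are constructed and hypothetical.

```python
import re
from typing import Dict, List, Tuple

# Staging directory the article names for CloudZ's savePlugin command.
STAGING_DIR = "C:\\ProgramData\\Microsoft\\whealth\\"

# Constructed sample telemetry in a simplified key=value form (hypothetical, not real Sysmon output).
SAMPLE_EVENTS = [
    r'event=FileCreate image=C:\Users\u\AppData\Local\Temp\ScreenConnect.exe target=C:\ProgramData\Microsoft\whealth\Pheno.dll',
    r'event=ProcessCreate image=C:\Windows\System32\schtasks.exe parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="schtasks /create /tn HealthUpdate /tr C:\ProgramData\Microsoft\whealth\loader.exe"',
    r'event=FileCreate image=C:\Windows\explorer.exe target=C:\Users\u\Documents\notes.txt',
    r'event=ProcessCreate image=C:\Windows\System32\schtasks.exe parent=C:\Windows\explorer.exe cmdline="schtasks /query"',
]

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line; quoted values may contain spaces."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in FIELD_RE.finditer(line)}


def under_staging(path: str) -> bool:
    return path.lower().startswith(STAGING_DIR.lower())


def detect(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, rule name) for events matching the two CloudZ behaviours."""
    alerts: List[Tuple[int, str]] = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        kind = ev.get("event")
        if kind == "FileCreate" and under_staging(ev.get("target", "")):
            # savePlugin drops plugins here, and Pheno writes its recon output to the same staging folder.
            alerts.append((idx, "write to CloudZ plugin staging directory"))
        elif kind == "ProcessCreate":
            image = ev.get("image", "").lower()
            parent = ev.get("parent", "").lower()
            cmd = ev.get("cmdline", "").lower()
            # Persistence step from the attack chain: PowerShell creates a scheduled task for the loader.
            if image.endswith("schtasks.exe") and parent.endswith("powershell.exe") and "/create" in cmd:
                rule = "PowerShell-spawned scheduled task"
                if STAGING_DIR.lower() in cmd:
                    rule += " running binary from staging directory"
                alerts.append((idx, rule))
    return alerts


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"line {idx}: {rule}")
```

On the constructed sample the benign explorer.exe events produce no alerts, while the staging-directory write and the PowerShell-spawned task creation are both flagged.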
### Pheno Plugin Functionality
"The attacker used a plugin called **Pheno** to perform reconnaissance of the **Windows Phone Link** application in the victim machine," **Talos** stated. "The plugin performs reconnaissance of the **Microsoft Phone Link** application on the victim machine and writes the reconnaissance data to an output file in a staging folder. CloudZ reads back the Phone Link application data from the staging folder and sends it to the C2 server."