Researchers uncovered a new CloudZ RAT plugin called Pheno that hijacks Microsoft Phone Link on Windows to steal SMS messages and one-time passcodes from a target's phone without compromising the phone itself: the codes are read from the Windows host, where Phone Link has already synced them. The intrusion chain uses a fake ScreenConnect update to deploy Rust and .NET loaders with anti-analysis checks, and Cisco Talos published IoCs and mitigation guidance. #CloudZ #Pheno #MicrosoftPhoneLink #CiscoTalos
Key points
- Pheno watches for an active Phone Link session and reads the local SQLite database in which Phone Link caches synced messages, extracting SMS content and OTPs at ordinary user privilege. No exploit against the phone is needed; the sync feature does the work.
- CloudZ RAT itself can steal browser-stored data, profile the host, manage files, execute shell commands, and record the screen.
- For C2, CloudZ rotates among three hardcoded user-agent strings and sets anti-caching headers. Rotating a fixed set of three strings still leaves a stable fingerprint, so the strings are usable as IoCs.
- The infection chain begins with a fake ScreenConnect update that drops a Rust loader, followed by a .NET loader that installs CloudZ and creates a scheduled task for persistence. Newly created scheduled tasks that launch binaries from user-writable paths are a useful hunting pivot for this stage.
- Defensive recommendations: stop relying on SMS-based OTPs, move to authenticator apps or phishing-resistant hardware keys, and use the Cisco Talos IoCs to hunt for and block the threat.