CloudZ RAT Exploits Microsoft Phone Link to Steal OTPs

Overview

Researchers have uncovered a new variant of the CloudZ remote access tool (RAT) that deploys a malicious plugin called Pheno. This plugin hijacks the Microsoft Phone Link application on Windows 10 and 11 to steal SMS messages and one‑time passcodes (OTPs), giving attackers access to sensitive authentication data without directly compromising the mobile device.

Attack Chain

  • Initial Access: Victims are tricked into executing a fake ScreenConnect update.
  • Loader Deployment:
    • Rust‑based loader drops a .NET loader.
    • The .NET loader installs CloudZ RAT and establishes persistence via scheduled tasks.
    • Loader includes anti‑analysis checks (sandbox evasion, detection of tools like Wireshark, Fiddler, Procmon, Sysmon).
  • Pheno Plugin:
    • Monitors active Phone Link sessions.
    • Accesses local SQLite database storing SMS and OTPs.
    • Enables attackers to intercept authentication codes without touching the mobile device.

Capabilities of CloudZ RAT

  • File operations (delete, download, write).
  • Shell command execution.
  • Screen recording.
  • Plugin management (load, remove, save).
  • Process termination.
  • HTTP traffic disguised with rotating user‑agent strings and anti‑caching headers to evade detection.

Defensive Guidance

  • Avoid SMS‑based OTPs: Switch to authenticator apps, which are not exposed to SMS interception, or preferably to FIDO2/WebAuthn hardware keys, which also resist phishing.
  • Verify Updates: Only download ScreenConnect or other software updates from official sources.
  • Monitor Indicators of Compromise (IoCs): Cisco Talos has published hashes, domains, and IP addresses linked to CloudZ campaigns.
  • Endpoint Protection: Watch for suspicious scheduled tasks and SQLite database access tied to Phone Link.
  • User Awareness: Train employees to recognize fake update prompts and phishing lures.
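The Defensive Guidance above names three observable indicators: scheduled‑task persistence, a foreign process reading Phone Link's SQLite store, and HTTP beacons that rotate their user‑agent and carry anti‑caching headers. The following is an added example of detection logic for those indicators run over constructed telemetry; it is not Talos tooling or code from the campaign. It assumes Phone Link's local data lives under its AppX package folder (Microsoft.YourPhone_8wekyb3d8bbwe) and that the Phone Link host process is PhoneExperienceHost.exe; the event field names loosely follow Sysmon Event ID 1 and Windows Security Event ID 4663 but are not an exact schema, and the sample events are made up.

```python
"""Detection logic for the three indicators in the Defensive Guidance.
Added example, not Talos tooling; all events below are constructed.
Assumptions: Phone Link data sits under its AppX package folder
Microsoft.YourPhone_8wekyb3d8bbwe and its host process is
PhoneExperienceHost.exe; field names only approximate Sysmon/Security logs."""
import re
from collections import defaultdict

PHONE_LINK_PKG = "\\packages\\microsoft.yourphone_8wekyb3d8bbwe\\"   # assumption
PHONE_LINK_PROCS = {"phoneexperiencehost.exe", "yourphone.exe"}      # assumption
DB_SUFFIXES = (".db", ".db-wal", ".db-journal", ".sqlite")
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\appdata|programdata|users\\public|windows\\temp)\\", re.I)
TASK_ACTION = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.I)


def suspicious_task(ev):
    """Sysmon EID 1: schtasks.exe /create whose /tr action lives in a user-writable dir."""
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("\\schtasks.exe"):
        return None
    cmd = ev.get("CommandLine", "")
    if "/create" not in cmd.lower():
        return None
    m = TASK_ACTION.search(cmd)
    action = (m.group(1) or m.group(2)) if m else ""
    if USER_WRITABLE.search(action):
        return f"schtasks persistence from user-writable path: {action}"
    return None


def phone_link_db_access(ev):
    """Security EID 4663: a process other than Phone Link touching a .db under its package."""
    if ev.get("EventID") != 4663:
        return None
    obj = ev.get("ObjectName", "").lower()
    proc = ev.get("ProcessName", "").lower().rsplit("\\", 1)[-1]
    if PHONE_LINK_PKG in obj and obj.endswith(DB_SUFFIXES) and proc not in PHONE_LINK_PROCS:
        return f"{proc} read Phone Link database {ev['ObjectName']}"
    return None


def user_agent_rotation(http_events, min_distinct=3):
    """Proxy log: one client hitting one host with several distinct User-Agents and
    cache-defeating headers looks like a beacon, not a browser."""
    seen = defaultdict(set)
    nocache = defaultdict(int)
    for e in http_events:
        key = (e["src"], e["host"])
        seen[key].add(e.get("user_agent", ""))
        hdrs = {k.lower(): v.lower() for k, v in e.get("headers", {}).items()}
        if "no-cache" in hdrs.get("cache-control", "") or hdrs.get("pragma") == "no-cache":
            nocache[key] += 1
    return [f"{src} -> {host}: {len(uas)} user-agents, {nocache[(src, host)]} no-cache requests"
            for (src, host), uas in seen.items() if len(uas) >= min_distinct]


def scan(host_events, http_events):
    """Run every check and return the list of alert strings."""
    alerts = []
    for ev in host_events:
        for check in (suspicious_task, phone_link_db_access):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    alerts.extend(user_agent_rotation(http_events))
    return alerts


# Constructed sample telemetry (not real campaign data): two task creations
# (one benign), two Phone Link DB reads (one by Phone Link itself), and a
# beacon that rotates its User-Agent beside ordinary browsing.
HOST_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "C:\Users\alice\AppData\Roaming\Updater\svc.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc daily /tn Backup /tr "C:\Program Files\Backup\backup.exe"'},
    {"EventID": 4663, "ProcessName": r"C:\Users\alice\AppData\Roaming\Updater\svc.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\db\phone.db"},
    {"EventID": 4663, "ProcessName": r"C:\Program Files\WindowsApps\Microsoft.YourPhone_8wekyb3d8bbwe\PhoneExperienceHost.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\db\phone.db"},
]
HTTP_EVENTS = [
    {"src": "10.0.0.5", "host": "c2.example", "user_agent": ua,
     "headers": {"Cache-Control": "no-cache", "Pragma": "no-cache"}}
    for ua in ("Mozilla/5.0 (Windows NT 10.0)", "curl/8.0", "Go-http-client/1.1")
] + [{"src": "10.0.0.5", "host": "www.example",
      "user_agent": "Mozilla/5.0 (Windows NT 10.0)", "headers": {}}]

if __name__ == "__main__":
    for alert in scan(HOST_EVENTS, HTTP_EVENTS):
        print("ALERT:", alert)
```

The schtasks check keys on where the task action lives rather than on the task name, because the name is attacker‑chosen; the database check whitelists Phone Link's own process so routine sync activity is not flagged; and the user‑agent check counts distinct strings per client/host pair, which a single browser session does not produce.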

Final Thought

The CloudZ campaign demonstrates how attackers exploit trusted integrations like Microsoft Phone Link to bypass traditional defenses. By targeting the bridge between mobile and desktop, adversaries gain access to sensitive authentication flows without breaching the phone itself. For defenders, the lesson is clear: SMS‑based OTPs are increasingly unsafe, and phishing‑resistant authentication methods must become the default.
