{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/windows-11/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Phone Link","Windows 10","Windows 11"],"_cs_severities":["high"],"_cs_tags":["cloudz","malware","rat","microsoft-phone-link","credential-theft","otp","sms"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eA new variant of the CloudZ remote access tool (RAT) has been observed deploying a novel plugin named Pheno. This plugin specifically targets the Microsoft Phone Link application, pre-installed on Windows 10 and 11, to intercept SMS messages and one-time passwords (OTPs) from connected mobile devices (Android and iOS). The observed intrusion campaign began in January 2026, with researchers assessing that the primary goal of the threat actor is to steal credentials and temporary passcodes. The attacker leverages the Phone Link application\u0026rsquo;s SQLite database, which stores SMS messages and potentially authenticator application notifications, to gain access to sensitive information without directly compromising the mobile device. The CloudZ RAT also uses rotating user-agent strings and anti-caching headers to evade detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe victim executes a fake ScreenConnect update.\u003c/li\u003e\n\u003cli\u003eA Rust-based loader is dropped onto the system.\u003c/li\u003e\n\u003cli\u003eA .NET loader is deployed, which contains anti-analysis checks (time-based sandbox evasion, Wireshark, Fiddler, Procmon, Sysmon).\u003c/li\u003e\n\u003cli\u003eThe .NET loader installs the CloudZ RAT.\u003c/li\u003e\n\u003cli\u003ePersistence is established via a scheduled task.\u003c/li\u003e\n\u003cli\u003eThe Pheno plugin monitors for active Microsoft Phone Link sessions.\u003c/li\u003e\n\u003cli\u003ePheno accesses the local SQLite database of the Phone Link application.\u003c/li\u003e\n\u003cli\u003eSMS messages and one-time passwords (OTPs) are stolen from the database, granting the attacker access to sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass SMS-based multi-factor authentication (MFA) and gain unauthorized access to protected accounts and systems. The impact can include financial fraud, data theft, and further compromise of the victim\u0026rsquo;s digital assets. While the exact number of victims remains unknown, the targeted theft of credentials and OTPs suggests a broad campaign aimed at a wide range of individuals and organizations. The sectors targeted are currently unknown.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for execution of processes originating from temporary directories, as this is often where the initial loader may execute from. Deploy the Sigma rule \u003ccode\u003eDetect CloudZ RAT Loader Execution from Temp Directory\u003c/code\u003e to identify this behavior.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect suspicious HTTP traffic from infected hosts. Pay attention to rotating user-agent strings and the presence of anti-caching headers.\u003c/li\u003e\n\u003cli\u003eConsider disabling or restricting the use of Microsoft Phone Link in enterprise environments where SMS-based OTPs are used.\u003c/li\u003e\n\u003cli\u003eEncourage users to switch to authenticator apps that do not rely on SMS or push notifications and to adopt phishing-resistant MFA solutions like hardware security keys.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T10:03:52Z","date_published":"2026-05-05T10:03:52Z","id":"/briefs/2026-05-cloudz-pheno/","summary":"A new version of the CloudZ RAT utilizes the Pheno plugin to hijack Microsoft Phone Link connections, enabling the theft of SMS messages and one-time passwords (OTPs) from victims' mobile devices.","title":"CloudZ RAT Abuses Microsoft Phone Link to Steal SMS and OTPs","url":"https://feed.craftedsignal.io/briefs/2026-05-cloudz-pheno/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows 10","Windows 11","Windows Phone Link"],"_cs_severities":["high"],"_cs_tags":["cloudz","rat","pheno","phone-link","otp","credential-theft"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCisco Talos discovered an intrusion campaign, active since at least January 2026, involving the deployment of the CloudZ RAT and a novel plugin named \u0026ldquo;Pheno\u0026rdquo;. The attackers are leveraging these tools to steal credentials and potentially one-time passwords (OTPs) by abusing the Microsoft Phone Link application in Windows. CloudZ utilizes the Pheno plugin to monitor and hijack the PC-to-phone bridge established by Phone Link. This allows the attacker to scan for active Phone Link processes and intercept sensitive mobile data, such as SMS messages and OTPs, without directly infecting the mobile device. The CloudZ RAT also employs various anti-analysis techniques, including dynamic execution of critical functions in memory and checks to evade debuggers and sandbox environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attack begins with an unknown initial access vector, leading to the execution of a fake ScreenConnect application update.\u003c/li\u003e\n\u003cli\u003eThis malicious executable drops and executes an intermediate .NET loader executable.\u003c/li\u003e\n\u003cli\u003eThe .NET loader decrypts and deploys the modular CloudZ RAT onto the victim\u0026rsquo;s machine.\u003c/li\u003e\n\u003cli\u003eUpon execution, the CloudZ RAT decrypts its configuration data and establishes an encrypted connection to its command-and-control (C2) server.\u003c/li\u003e\n\u003cli\u003eCloudZ exfiltrates credentials from the victim\u0026rsquo;s machine browser data and downloads and implants the Pheno plugin.\u003c/li\u003e\n\u003cli\u003eThe Pheno plugin performs reconnaissance of the Microsoft Phone Link application on the victim machine and writes reconnaissance data to an output file.\u003c/li\u003e\n\u003cli\u003eCloudZ reads the Phone Link application data from the staging folder.\u003c/li\u003e\n\u003cli\u003eCloudZ sends the exfiltrated credentials, along with the data obtained from the Phone Link application, to the C2 server, potentially compromising SMS-based OTP messages and other authenticator application notification messages.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis campaign poses a significant threat to users of the Microsoft Phone Link application, potentially exposing sensitive information, including SMS-based OTPs, to unauthorized access. Successful exploitation can lead to account compromise, financial fraud, and other malicious activities. The number of victims and specific sectors targeted are currently unknown, but the potential for widespread impact is considerable given the prevalence of Windows 10 and 11 and the use of OTPs for multi-factor authentication.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for execution of \u003ccode\u003eregasm.exe\u003c/code\u003e with command-line arguments pointing to unusual locations, especially within the \u003ccode\u003eC:\\ProgramData\u003c/code\u003e directory, using the Sigma rule \u0026ldquo;Detect Suspicious RegAsm Execution for Persistence\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eDetect connections to the known malicious URL \u003ccode\u003ehxxps[://]calm-wildflower-1349[.]hellohiall[.]workers[.]dev\u003c/code\u003e at the network level or endpoint using a network connection monitoring tool or web proxy.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring and file access auditing for the Microsoft Phone Link application database files (e.g., \u0026ldquo;PhoneExperiences-*.db\u0026rdquo;) to detect unauthorized access or modification by suspicious processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T10:01:07Z","date_published":"2026-05-05T10:01:07Z","id":"/briefs/2026-05-cloudz-rat/","summary":"An unknown attacker is using the CloudZ RAT and its Pheno plugin to hijack the Microsoft Phone Link application and intercept SMS and OTP messages from connected mobile devices, active since at least January 2026.","title":"CloudZ RAT Abusing Windows Phone Link to Steal OTPs","url":"https://feed.craftedsignal.io/briefs/2026-05-cloudz-rat/"}],"language":"en","title":"CraftedSignal Threat Feed — Windows 11","version":"https://jsonfeed.org/version/1.1"}