{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/windows-phone-link/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows 10","Windows 11","Windows Phone Link"],"_cs_severities":["high"],"_cs_tags":["cloudz","rat","pheno","phone-link","otp","credential-theft"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eCisco Talos discovered an intrusion campaign, active since at least January 2026, involving the deployment of the CloudZ RAT and a novel plugin named \u0026ldquo;Pheno\u0026rdquo;. The attackers are leveraging these tools to steal credentials and potentially one-time passwords (OTPs) by abusing the Microsoft Phone Link application in Windows. CloudZ utilizes the Pheno plugin to monitor and hijack the PC-to-phone bridge established by Phone Link. This allows the attacker to scan for active Phone Link processes and intercept sensitive mobile data, such as SMS messages and OTPs, without directly infecting the mobile device. The CloudZ RAT also employs various anti-analysis techniques, including dynamic execution of critical functions in memory and checks to evade debuggers and sandbox environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attack begins with an unknown initial access vector, leading to the execution of a fake ScreenConnect application update.\u003c/li\u003e\n\u003cli\u003eThis malicious executable drops and executes an intermediate .NET loader executable.\u003c/li\u003e\n\u003cli\u003eThe .NET loader decrypts and deploys the modular CloudZ RAT onto the victim\u0026rsquo;s machine.\u003c/li\u003e\n\u003cli\u003eUpon execution, the CloudZ RAT decrypts its configuration data and establishes an encrypted connection to its command-and-control (C2) server.\u003c/li\u003e\n\u003cli\u003eCloudZ exfiltrates credentials from the victim\u0026rsquo;s machine browser data and downloads and implants the Pheno plugin.\u003c/li\u003e\n\u003cli\u003eThe Pheno plugin performs reconnaissance of the Microsoft Phone Link application on the victim machine and writes reconnaissance data to an output file.\u003c/li\u003e\n\u003cli\u003eCloudZ reads the Phone Link application data from the staging folder.\u003c/li\u003e\n\u003cli\u003eCloudZ sends the exfiltrated credentials, along with the data obtained from the Phone Link application, to the C2 server, potentially compromising SMS-based OTP messages and other authenticator application notification messages.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis campaign poses a significant threat to users of the Microsoft Phone Link application, potentially exposing sensitive information, including SMS-based OTPs, to unauthorized access. Successful exploitation can lead to account compromise, financial fraud, and other malicious activities. The number of victims and specific sectors targeted are currently unknown, but the potential for widespread impact is considerable given the prevalence of Windows 10 and 11 and the use of OTPs for multi-factor authentication.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for execution of \u003ccode\u003eregasm.exe\u003c/code\u003e with command-line arguments pointing to unusual locations, especially within the \u003ccode\u003eC:\\ProgramData\u003c/code\u003e directory, using the Sigma rule \u0026ldquo;Detect Suspicious RegAsm Execution for Persistence\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eDetect connections to the known malicious URL \u003ccode\u003ehxxps[://]calm-wildflower-1349[.]hellohiall[.]workers[.]dev\u003c/code\u003e at the network level or endpoint using a network connection monitoring tool or web proxy.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring and file access auditing for the Microsoft Phone Link application database files (e.g., \u0026ldquo;PhoneExperiences-*.db\u0026rdquo;) to detect unauthorized access or modification by suspicious processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T10:01:07Z","date_published":"2026-05-05T10:01:07Z","id":"/briefs/2026-05-cloudz-rat/","summary":"An unknown attacker is using the CloudZ RAT and its Pheno plugin to hijack the Microsoft Phone Link application and intercept SMS and OTP messages from connected mobile devices, active since at least January 2026.","title":"CloudZ RAT Abusing Windows Phone Link to Steal OTPs","url":"https://feed.craftedsignal.io/briefs/2026-05-cloudz-rat/"}],"language":"en","title":"CraftedSignal Threat Feed — Windows Phone Link","version":"https://jsonfeed.org/version/1.1"}