Attack Chain

1. The victim executes a fake ScreenConnect update.
2. A Rust-based loader is dropped onto the system.
3. A .NET loader is deployed, which contains anti-analysis checks (time-based sandbox evasion, Wireshark, Fiddler, Procmon, Sysmon).
4. The .NET loader installs the CloudZ RAT.
5. Persistence is established via a scheduled task.
6. The Pheno plugin monitors for active Microsoft Phone Link sessions.
7. Pheno accesses the local SQLite database of the Phone Link application.
8. SMS messages and one-time passwords (OTPs) are stolen from the database, granting the attacker access to sensitive information.

Impact

Successful exploitation allows attackers to bypass SMS-based multi-factor authentication (MFA) and gain unauthorized access to protected accounts and systems. The impact can include financial fraud, data theft, and further compromise of the victim’s digital assets. While the exact number of victims remains unknown, the targeted theft of credentials and OTPs suggests a broad campaign aimed at a wide range of individuals and organizations. The sectors targeted are currently unknown.

Recommendation

• Monitor process creation events for execution of processes originating from temporary directories, as this is often where the initial loader may execute from. Deploy the Sigma rule Detect CloudZ RAT Loader Execution from Temp Directory to identify this behavior.
• Implement network monitoring to detect suspicious HTTP traffic from infected hosts. Pay attention to rotating user-agent strings and the presence of anti-caching headers.
• Consider disabling or restricting the use of Microsoft Phone Link in enterprise environments where SMS-based OTPs are used.
• Encourage users to switch to authenticator apps that do not rely on SMS or push notifications and to adopt phishing-resistant MFA solutions like hardware security keys.