CloudZ RAT Pheno Microsoft Phone Link credential-theft activity

Malware Activity
Happening score: 28
2 unique sources, 2 articles

Summary

The CloudZ RAT is now using the Pheno plugin to hijack Microsoft Phone Link sessions and steal SMS-based OTPs and other sensitive codes, increasing the risk of account takeover without directly compromising the phone. The intrusion has been active since at least January and uses a fake ScreenConnect update plus loader stages to install the malware and maintain persistence. CloudZ also adds anti-analysis checks and rotating user-agent strings to help its traffic blend in with normal browser requests.

Related Happenings

TCLBanker self-spreading banking trojan

Malware Activity
First: 08.05.2026 01:06 Last: 08.05.2026 01:06 Sources 1

About this happening: The **TCLBanker** trojan now combines **trojanized installer** delivery with **self-spreading worm modules**, widening access to **59 banking, fintech, and cryptocurrency platform...

Storm infostealer server-side decryption activity

Malware Activity
First: 02.04.2026 17:15 Last: 02.04.2026 17:15 Sources 1

About this happening: The **Storm** infostealer now steals **browser credentials**, **session cookies**, and **crypto wallets** and forwards them to attacker infrastructure for **server-side decryption...

Venom Stealer MaaS continuous credential theft and exfiltration

Malware Activity
First: 01.04.2026 16:30 Last: 01.04.2026 16:30 Sources 1

About this happening: The **Venom Stealer** **malware-as-a-service** platform has been identified as a **credential-theft** threat that keeps exfiltrating data after infection, extending the window for...

Venom Stealer MaaS infostealer with persistent credential harvesting

Malware Activity
First: 31.03.2026 17:51 Last: 31.03.2026 17:51 Sources 1

About this happening: The **Venom Stealer** infostealer now ships as **malware-as-a-service (MaaS)**, expanding access to a persistent credential-theft tool and raising risk for **Windows** users. It s...

Telnyx package WAV-hidden credential-stealing malware

Malware Activity
First: 27.03.2026 23:13 Last: 27.03.2026 23:13 Sources 1

About this happening: The malicious **Telnyx** package releases **4.87.1** and **4.87.2** delivered **credential-stealing malware** to imported systems, putting **Linux, macOS, and Windows** environmen...

Timeline

  1. 05.05.2026 13:03 2 articles · 22d ago

    CloudZ Pheno hijacks Microsoft Phone Link to steal SMS and OTP codes

    Technical Analysis Update

    Cisco Talos identified a new CloudZ RAT variant that uses the previously unseen Pheno plugin to monitor active Microsoft Phone Link sessions, read the local SQLite database, and steal SMS-based OTPs, temporary passcodes, and other sensitive codes from mobile-device notifications without directly compromising the phone. The intrusion had been active since at least January and appears aimed at credential theft. The infection chain starts with a fake ScreenConnect update that drops a Rust-based loader, followed by a .NET loader that installs CloudZ RAT, establishes persistence through a scheduled task, and performs anti-analysis checks for tools such as Wireshark, Fiddler, Procmon, and Sysmon. CloudZ also rotates hardcoded user-agent strings so its traffic resembles normal browser requests. Cisco Talos published IOCs (URLs, hashes, domains, and IP addresses) and recommends phishing-resistant authentication, such as hardware keys, instead of SMS-based OTP workflows.