
CloudZ RAT abuses Microsoft Phone Link via Pheno plugin for credential and OTP theft

1 unique source, 1 article

Summary


Threat actors have leveraged the CloudZ remote access trojan (RAT) and a custom Pheno plugin to hijack Microsoft Phone Link functionality in Windows for credential and one-time password (OTP) theft. The attack chain abuses the legitimate PC-to-phone sync feature to monitor active Phone Link processes, intercept SMS and OTPs, and exfiltrate synchronized mobile data without requiring mobile device compromise. The intrusion has been active since at least January 2026, with no attributed threat actor. The technique bypasses two-factor authentication by targeting cross-device synchronization data stored on the Windows host.

Timeline

  1. 06.05.2026 11:34 1 article · 4h ago

    CloudZ RAT with Pheno plugin abuses Microsoft Phone Link for credential and OTP theft since January 2026

    A modular CloudZ RAT deployment has been observed since at least January 2026 using a custom Pheno plugin to hijack Microsoft Phone Link functionality on Windows hosts. The plugin monitors Phone Link processes and exfiltrates synchronized mobile data—including SMS and OTPs—directly from the Windows environment without requiring mobile compromise. The attack chain begins with a fake ConnectWise ScreenConnect executable delivering a .NET loader that establishes persistence via a scheduled task and deploys CloudZ after environment checks. The trojan communicates with C2 using encrypted sockets and accepts Base64-encoded instructions to conduct credential theft, browser data exfiltration, file operations, screen recording, and plugin management.


Information Snippets