


Perceptive Security
SOC/SIEM Consultancy

Windows Phone Link Exploited by CloudZ RAT to Steal Credentials and OTPs
Published:
6 May 2026 at 08:34:00
Alert date:
6 May 2026 at 10:01:38
Source:
thehackernews.com
Operating Systems, Ransomware & Malware, Data Breach & Exfiltration, Mobile & IoT
Cybersecurity researchers have disclosed an intrusion campaign involving the CloudZ remote access tool (RAT) and a previously undocumented plugin called Pheno. The malware abuses Windows Phone Link functionality to steal victims' credentials and one-time passwords (OTPs). The attack demonstrates credential theft capabilities aimed at Windows users through the Phone Link integration with their phones. This is an active threat with high impact potential for credential compromise and account takeover.
Technical details
CloudZ RAT uses the custom Pheno plugin to hijack the PC-to-phone bridge by abusing the Microsoft Phone Link application. The malware monitors for active Phone Link processes and intercepts mobile data such as SMS messages and OTPs without deploying any malware on the phone itself. The attack chain begins with a fake ConnectWise ScreenConnect executable that downloads a .NET loader, which in turn deploys the modular CloudZ trojan. The trojan decrypts its embedded configuration, establishes an encrypted socket connection to the C2 server, and receives Base64-encoded instructions. CloudZ reads the SQLite database file that Phone Link uses to store synchronized phone data.
Mitigation steps:
Monitor for suspicious Phone Link processes
Check for unauthorized scheduled tasks
Monitor the staging directory C:\ProgramData\Microsoft\whealth\
Implement detection for CloudZ RAT commands and network connections
Review Phone Link application usage and permissions
Affected products:
Microsoft Phone Link (Windows 10, Windows 11)
ConnectWise ScreenConnect
Related links:
https://blog.talosintelligence.com/cloudz-pheno-infostealer/
https://www.microsoft.com/en-in/windows/sync-across-your-devices
Related CVEs:
Related threat actors:
IOCs:
C:\ProgramData\Microsoft\whealth\ (staging directory)
Fake ConnectWise ScreenConnect executable
CloudZ RAT commands: pong, PING!, CLOSE, INFO, RunShell, BrowserSearch, GetWidgetLog, plugin, savePlugin, sendPlugin, RemovePlugins, Recovery, DW, FM, Msg, Error, rec
This article was created with the assistance of AI technology by Perceptive.
