{"id":209443,"date":"2026-05-06T04:34:00","date_gmt":"2026-05-06T08:34:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/06\/windows-phone-link-exploited-by-cloudz-rat-to-steal-credentials-and-otps\/"},"modified":"2026-05-06T04:40:08","modified_gmt":"2026-05-06T08:40:08","slug":"windows-phone-link-exploited-by-cloudz-rat-to-steal-credentials-and-otps","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/06\/windows-phone-link-exploited-by-cloudz-rat-to-steal-credentials-and-otps\/","title":{"rendered":"Windows Phone Link Exploited by CloudZ RAT to Steal Credentials and OTPs"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/windows-phone-link-exploited-by-cloudz.html\">Windows Phone Link Exploited by CloudZ RAT to Steal Credentials and OTPs<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/windows-phone-link-exploited-by-cloudz.html\">https:\/\/thehackernews.com\/2026\/05\/windows-phone-link-exploited-by-cloudz.html<\/a><\/p>\n<p>Publish Date: 2026-05-06 04:34:00<\/p>\n<p>Source Domain: <a href=\"https:\/\/thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>Author: Ravie Lakshmanan<\/p>\n<p>Ravie Lakshmanan, May 06, 2026, Endpoint Security \/ Threat Intelligence<br \/>\nCybersecurity researchers have disclosed details of an intrusion that involved the use of a CloudZ remote access tool (RAT) and a previously undocumented plugin dubbed Pheno with the aim of facilitating credential theft.<br \/>\n&#8220;According to the functionalities of the CloudZ RAT and Pheno plugin, this was with the intention of stealing victims&#8217; credentials and potentially one-time passwords (OTPs),&#8221; Cisco Talos researchers Alex Karkins and Chetan Raghuprasad said in a Tuesday analysis.<br \/>\nWhat makes the attack novel is that CloudZ uses 
the custom Pheno plugin to hijack the established PC-to-phone bridge by abusing the Microsoft Phone Link application, permitting the plugin to monitor for active Phone Link processes and potentially intercept sensitive mobile data like SMS and one-time passwords (OTPs) without the need for deploying malware on the phone.\u00a0<br \/>\nThe findings demonstrate how legitimate cross-device syncing features can expose unintended attack pathways to credential theft and help bypass two-factor authentication. What&#8217;s more, it obviates the need to compromise the mobile device itself.<br \/>\nThe malware, per the cybersecurity company, has been put to use as part of an intrusion that&#8217;s been active since at least January 2026. The activity has not been attributed to any known threat actor or group.<\/p>\n<p>Built into Windows 10 and Windows 11, Phone Link offers a way for users to pair their computer with an Android device or iPhone over Wi-Fi and Bluetooth, allowing users to make or take phone calls, send messages, and dismiss notifications.<br \/>\nUnknown threat actors have been observed attempting to leverage the application using CloudZ RAT and Pheno to confirm Phone Link activity on a victim environment and then access the SQLite database file used by the program to store the synchronized phone data.\u00a0<\/p>\n<p>The attack chain is said to have employed an as-yet-undetermined initial access method to obtain a foothold and drop a fake ConnectWise ScreenConnect executable that&#8217;s responsible for downloading and running a .NET loader.\u00a0 The initial dropper also makes use of an embedded PowerShell script to establish persistence by setting up a scheduled task that runs the malicious .NET loader.<br \/>\nThe intermediate loader is designed to run hardware and environment checks to evade detection and deploy the modular CloudZ trojan on the machine. 
Once executed, the .NET-compiled trojan decrypts an embedded configuration, establishes an encrypted socket connection to the command-and-control (C2) server, and awaits Base64-encoded instructions that allow it to exfiltrate credentials and implant additional plugins.<br \/>\nSome of the commands supported by CloudZ include:<\/p>\n<ul>\n<li>pong, to send heartbeat responses<\/li>\n<li>PING!, to issue a heartbeat request<\/li>\n<li>CLOSE, to terminate the trojan process<\/li>\n<li>INFO, to collect system metadata<\/li>\n<li>RunShell, to execute shell commands<\/li>\n<li>BrowserSearch, to exfiltrate web browser data<\/li>\n<li>GetWidgetLog, to exfiltrate Phone Link reconnaissance logs and data<\/li>\n<li>plugin, to load a plugin<\/li>\n<li>savePlugin, to save a plugin to disk in the staging directory (&#8220;C:\\ProgramData\\Microsoft\\whealth&#8221;)<\/li>\n<li>sendPlugin, to upload a plugin to the C2 server<\/li>\n<li>RemovePlugins, to remove all deployed plugin modules<\/li>\n<li>Recovery, to enable recovery or reconnection<\/li>\n<li>DW, to conduct download and file write operations<\/li>\n<li>FM, to conduct file management operations<\/li>\n<li>Msg, to send a message to the C2 server<\/li>\n<li>Error, to report errors to the C2 server<\/li>\n<li>rec, to record the screen<\/li>\n<\/ul>\n<p>&#8220;The attacker used a plugin called Pheno to perform reconnaissance of the Windows Phone Link application in the victim machine,&#8221; Talos said. &#8220;The plugin performs reconnaissance of the Microsoft Phone Link application on the victim machine and writes the reconnaissance data to an output file in a staging folder. 
CloudZ reads back the Phone Link application data from the staging folder and sends it to the C2 server.&#8221;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Windows Phone Link Exploited by CloudZ RAT to Steal Credentials and OTPs https:\/\/thehackernews.com\/2026\/05\/windows-phone-link-exploited-by-cloudz.html Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":209444,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjGxYFVfOUbXRWanB_1qyRHBYCgWirEtqd3EO06BrIjnLqrTEOoTnXclKQsujA4YCVfI8Q5IWuriVAlckls65vvV2Am5PCEB1s_HHoFxpA779oT1qbnNB0Q8dqLU3GGbwINtDDmp8Ge3bdxQJWab3toekaGDgi1FFJ73uNysl8wEnXfgk6W88b1qSJcu2gX\/s1600\/link-to-windows.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,32,34],"class_list":["post-209443","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-malware","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209443"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=209443"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209443\/revisions"}],"predecessor-version":[{"id":209445,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209443\/revisions\/209445"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-j
son\/wp\/v2\/media\/209444"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=209443"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=209443"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=209443"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
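The article above describes three observable pieces of the CloudZ/Pheno tradecraft: a scheduled task that re-launches the .NET loader, plugins and Pheno's reconnaissance output written to the staging directory C:\ProgramData\Microsoft\whealth, and a process other than Phone Link reading the SQLite database in which Phone Link keeps synchronized phone data. The hunt rules below turn those three behaviours into detection logic run over constructed endpoint events. This is an added example, not code from Cisco Talos or The Hacker News. The only indicator taken from the article is the staging directory; the Phone Link process name (PhoneExperienceHost.exe), the Microsoft.YourPhone package path, the loader and plugin file names, and the flattened Sysmon-style event shape are all assumptions, and the sample events are constructed rather than real telemetry.

```python
"""Hunt rules for the CloudZ / Pheno behaviours described in the article.

Added example, not Talos or Hacker News code. Event records are constructed
to look like flattened Sysmon events (ProcessCreate, FileCreate) plus a
TaskScheduler-style registration and an EDR-style file read; they are not
real telemetry from the intrusion.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Staging directory named in the article (savePlugin target, Pheno output).
STAGING_DIR = r"C:\ProgramData\Microsoft\whealth"

# ASSUMPTION: the article only says "Phone Link processes" and "the SQLite
# database file"; the process name and package path are this example's
# understanding of where Phone Link lives on Windows 10/11, not from Talos.
PHONE_LINK_IMAGE = "PhoneExperienceHost.exe"
PHONE_LINK_PACKAGE = r"\Packages\Microsoft.YourPhone_"


@dataclass(frozen=True)
class Alert:
    rule: str
    image: str
    detail: str


def _under(path: str, prefix: str) -> bool:
    """Case-insensitive 'path is inside prefix' for Windows paths.

    The trailing separator stops C:\\...\\whealth2\\x matching ...\\whealth."""
    p = ntpath.normcase(path)
    q = ntpath.normcase(prefix).rstrip("\\") + "\\"
    return p.startswith(q)


def rule_staging_dir(ev: dict) -> Alert | None:
    # Any file written into the CloudZ staging directory: plugin drops
    # (savePlugin) and the Pheno recon output file both land here.
    if ev.get("event") == "FileCreate" and _under(ev["target"], STAGING_DIR):
        return Alert("cloudz_staging_dir_write", ev["image"], ev["target"])
    return None


def rule_task_persistence(ev: dict) -> Alert | None:
    # Scheduled task whose action runs from ProgramData. The article says the
    # dropper's embedded PowerShell registers a task for the .NET loader; the
    # ProgramData heuristic is an assumption, the task name is not published.
    if ev.get("event") != "TaskRegistered":
        return None
    action = ev.get("task_action", "")
    if _under(action, r"C:\ProgramData"):
        return Alert("scheduled_task_runs_from_programdata", ev["image"], action)
    return None


def rule_phone_link_db_access(ev: dict) -> Alert | None:
    # Something other than Phone Link itself opening the app's SQLite store.
    # "FileAccess" is a constructed event kind: Sysmon has no read event, so
    # an EDR file-read telemetry or a SACL-backed 4663 would supply this.
    if ev.get("event") != "FileAccess":
        return None
    target = ev["target"]
    proc = ntpath.basename(ev["image"])
    if (PHONE_LINK_PACKAGE.lower() in target.lower()
            and target.lower().endswith(".db")
            and proc.lower() != PHONE_LINK_IMAGE.lower()):
        return Alert("non_phonelink_read_of_phonelink_db", ev["image"], target)
    return None


RULES = (rule_staging_dir, rule_task_persistence, rule_phone_link_db_access)


def run_rules(events: list[dict]) -> list[Alert]:
    """Apply every rule to every event; return all alerts in event order."""
    alerts: list[Alert] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry. File names under whealth are assumptions.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": r"C:\Users\alice\Downloads\ScreenConnect.exe",
     "command_line": "ScreenConnect.exe"},
    {"event": "TaskRegistered",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "task_action": r"C:\ProgramData\Microsoft\whealth\loader.exe"},
    {"event": "FileCreate", "image": r"C:\ProgramData\Microsoft\whealth\loader.exe",
     "target": r"C:\ProgramData\Microsoft\whealth\pheno.dll"},
    {"event": "FileAccess", "image": r"C:\ProgramData\Microsoft\whealth\loader.exe",
     "target": r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\phone.db"},
    {"event": "FileAccess",
     "image": r"C:\Program Files\WindowsApps\Microsoft.YourPhone_1.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe",
     "target": r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\Indexed\phone.db"},
    {"event": "FileCreate", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\ProgramData\Microsoft\Windows\WER\report.txt"},
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"{a.rule:40} {a.image} -> {a.detail}")
```

The third rule is the one that catches the novel part of the chain: Phone Link's own process reading its database is normal and is skipped, while any other image touching a .db file under the package directory is flagged. In a real deployment the task rule needs tuning, since legitimate installers also register tasks under ProgramData; pair it with the staging-directory rule rather than alerting on it alone.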