New Remote Access Tool Targets Windows Phone Link Application
Cisco Talos has identified an ongoing intrusion involving an unknown attacker utilizing a remote access tool (RAT) named CloudZ, accompanied by a novel plugin called Pheno. The attack, which has been active since January 2026, aims primarily at stealing user credentials, including one-time passwords and other sensitive mobile data.
The CloudZ RAT leverages the Microsoft Phone Link application, which serves as a bridge between PCs and smartphones, to hijack its functionalities. The Pheno plugin specifically monitors active processes of the Phone Link application, allowing the attacker to intercept sensitive information like SMS messages without needing to deploy malware directly onto the mobile device. This tactic enhances stealthiness by executing malicious functions dynamically in system memory, evading common detection methods and security checks like sandboxes and debuggers.
Talos reports that the initial access vector was a deceptive ScreenConnect application update executable. The malicious executable drops an intermediate .NET loader that deploys the CloudZ RAT. Upon execution, the RAT connects to a command-and-control server and begins exfiltrating data, including browser credentials and Phone Link application data, which can expose SMS-based OTP messages. The loader checks for known security tools and inspects both environment variables and hardware characteristics to determine whether it is running on a genuine host or in an analysis environment.
Defensive Context
Organizations operating Windows 10 or 11, especially those using Phone Link for mobile device synchronization, should take note of this threat. It could affect environments where users frequently access sensitive accounts while using the Phone Link application, putting credentials and OTPs at risk.
Why This Matters
This incident reflects a concerning trend towards targeting not only traditional computing environments but also applications that blur the lines between desktop and mobile user experiences. Entities that leverage the Phone Link application are particularly vulnerable, especially if their networks have already been compromised.
Defender Considerations
Defenders should monitor their networks for the specific behaviors exhibited by CloudZ and its Pheno plugin. Detection strategies should include scrutinizing Windows scheduled tasks for signs of RAT deployment and watching for unusual outbound connections to known malicious domains.
Indicators of Compromise (IOCs)
Some of the identified IOCs associated with this intrusion include:
- C2 server IP: 185.196.10.136
- Domains used for staging servers:
  - hxxps://calm-wildflower-1349.hellohiall.workers.dev
  - hxxps://round-cherry-4418.hellohiall.workers.dev
  - hxxps://orange-cell-1353.hellohiall.workers.dev
- Additional artifacts associated with the RAT include various file names used for malicious executables.
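The outbound-connection check from the defender considerations above, applied to the IOCs listed here, as an added example that is not part of the Talos report: it refangs the published indicators, then scans a constructed connection log (a sample, not campaign telemetry) for the C2 IP, the listed staging hosts, and, as an assumption of this example, any other hostname under the same hellohiall.workers.dev account.

```python
import re
# Indicators as published on the page (defanged with "hxxps://").
PAGE_IOCS = [
    "185.196.10.136",
    "hxxps://calm-wildflower-1349.hellohiall.workers.dev",
    "hxxps://round-cherry-4418.hellohiall.workers.dev",
    "hxxps://orange-cell-1353.hellohiall.workers.dev",
]

# Constructed sample connection log (timestamp process destination:port);
# not telemetry from the campaign.
SAMPLE_LOG = """\
2026-01-14T09:12:03Z svchost.exe 52.96.0.10:443
2026-01-14T09:12:07Z update.exe 185.196.10.136:443
2026-01-14T09:12:09Z update.exe round-cherry-4418.hellohiall.workers.dev:443
2026-01-14T09:14:21Z update.exe blue-lake-7777.hellohiall.workers.dev:443
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
def refang_host(ioc):
    """Normalize a defanged indicator (hxxps://host[.]tld/path) to a bare host."""
    s = ioc.strip().lower().replace("[.]", ".")
    return s.split("://", 1)[-1].split("/", 1)[0]

def build_matcher(iocs):
    """Return a function mapping a destination host to a match reason or None."""
    hosts = {refang_host(i) for i in iocs}
    # Assumption: other hostnames under the same workers.dev account are also
    # suspicious, since the attacker controls that account.
    suffixes = {h.split(".", 1)[1] for h in hosts
                if not IPV4.fullmatch(h) and h.count(".") >= 2}
    def match(dest):
        d = dest.lower()
        if d in hosts:
            return "ip" if IPV4.fullmatch(d) else "domain"
        if any(d.endswith("." + s) for s in suffixes):
            return "suffix"
        return None
    return match

def scan_log(text, iocs=PAGE_IOCS):
    """Return (line_no, process, host, reason) for each log line hitting an IOC."""
    match, hits = build_matcher(iocs), []
    for n, line in enumerate(text.splitlines(), 1):
        _ts, proc, dest = line.split()
        host = dest.rsplit(":", 1)[0]
        reason = match(host)
        if reason:
            hits.append((n, proc, host, reason))
    return hits
```

Feed the output of a real proxy or Sysmon network-connection export in the same three-column shape to run it against production data.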
This ongoing campaign reveals evolving attacker methodologies that exploit established applications, making it imperative for organizations to reassess their security posture against such innovative threats.