thehackernews.com, 5/6/2026, 10:01:11 AM

Attackers exploit Phone Link via CloudZ RAT to steal OTPs


According to Cisco Talos researchers Alex Karkins and Chetan Raghuprasad, the intrusion used the CloudZ remote access tool (RAT) together with a previously undocumented plugin, Pheno, with the aim of stealing victims' credentials and potentially their one-time passwords (OTPs).

The attack is notable for hijacking Microsoft Phone Link: by abusing the Phone Link application, the Pheno plugin can monitor active Phone Link processes and potentially intercept sensitive mobile data such as SMS messages and OTPs without deploying any malware on the phone. The findings show how cross-device syncing features can open avenues for credential theft and two-factor authentication bypass without compromising the mobile device itself.

The malware has been active since at least January 2026, and the activity has not been attributed to any known threat actor or group. Unknown threat actors have been observed using CloudZ RAT and Pheno to confirm Phone Link activity on a victim machine, read the Phone Link data from a staging folder, and exfiltrate credentials and other data to the C2 server.
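The behaviour described above has a recognisable host-side footprint: a process that is not Phone Link reads Phone Link's synced data and then talks to the network. The following detection logic, written here as an added example (it is not code from the article, from Cisco Talos, or from the malware), correlates those two signals over constructed endpoint log events. The Phone Link process name `PhoneExperienceHost.exe` is assumed from general knowledge of Windows, and the data directory is an obvious placeholder, since the article does not name the staging folder.

```python
"""Flag non-Phone-Link processes that read Phone Link data and then connect out.

Added example for detection engineering; log events below are constructed.
"""
from collections import defaultdict

# Assumption: the Microsoft Phone Link desktop process name on Windows.
PHONE_LINK_PROCESSES = {"phoneexperiencehost.exe"}

# PLACEHOLDER: the article does not name the staging folder; substitute the
# real Phone Link LocalState path for your environment before deploying.
PHONE_LINK_DATA_DIR = r"C:\PLACEHOLDER\PhoneLink\LocalState"

# Constructed sample of endpoint telemetry (file reads and outbound connects).
SAMPLE_EVENTS = [
    {"ts": "2026-05-06T09:58:01Z", "event": "file_read", "process": "PhoneExperienceHost.exe",
     "pid": 4120, "path": PHONE_LINK_DATA_DIR + r"\messages.db"},
    {"ts": "2026-05-06T09:58:07Z", "event": "file_read", "process": "updater.exe",
     "pid": 7788, "path": PHONE_LINK_DATA_DIR + r"\messages.db"},
    {"ts": "2026-05-06T09:58:09Z", "event": "net_connect", "process": "updater.exe",
     "pid": 7788, "dest": "203.0.113.5:443"},
    {"ts": "2026-05-06T09:58:12Z", "event": "net_connect", "process": "notepad.exe",
     "pid": 9001, "dest": "198.51.100.7:443"},
    {"ts": "2026-05-06T09:58:15Z", "event": "file_read", "process": "explorer.exe",
     "pid": 1200, "path": r"C:\PLACEHOLDER\Documents\notes.txt"},
]


def is_phone_link_path(path: str) -> bool:
    """True when the path lies inside the (placeholder) Phone Link data directory."""
    root = PHONE_LINK_DATA_DIR.lower().rstrip("\\") + "\\"
    return path.lower().startswith(root)


def analyze(events):
    """Return alerts, ordered as they fire.

    - medium: a process outside the allowlist reads Phone Link data
    - high:   that same process (by pid) later makes an outbound connection,
              matching the read-then-exfiltrate pattern described in the report
    """
    readers = defaultdict(list)  # pid -> Phone Link paths read by a suspect process
    alerts = []
    for e in events:
        proc = e["process"].lower()
        if e["event"] == "file_read":
            if is_phone_link_path(e["path"]) and proc not in PHONE_LINK_PROCESSES:
                readers[e["pid"]].append(e["path"])
                alerts.append({
                    "severity": "medium",
                    "pid": e["pid"],
                    "process": e["process"],
                    "reason": f"non-Phone-Link process read {e['path']}",
                })
        elif e["event"] == "net_connect" and e["pid"] in readers:
            alerts.append({
                "severity": "high",
                "pid": e["pid"],
                "process": e["process"],
                "reason": (f"outbound connection to {e['dest']} after reading "
                           f"{len(readers[e['pid']])} Phone Link file(s)"),
            })
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a['severity'].upper()}] pid={a['pid']} {a['process']}: {a['reason']}")
```

Run against the constructed sample, the script raises one medium alert for the read by `updater.exe` and one high alert when the same pid connects out; the Phone Link process itself and unrelated processes stay silent. In production the allowlist should be tightened with the signed image path rather than a bare process name, since a name alone is trivially reused.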


Article by CyberSIXT
