Cisco Talos has identified a new malware campaign that pairs a .NET remote access trojan (RAT) called CloudZ with a companion plugin named Pheno to intercept SMS-based one-time passwords (OTPs) on enterprise Windows systems. The attack abuses Microsoft Phone Link (formerly Your Phone), which mirrors a paired smartphone's messages to the desktop, so the attackers can read OTPs and credentials from the Windows host without ever compromising the mobile device itself.

The infection chain starts with a Rust-compiled loader disguised as a ScreenConnect update. It establishes persistence through a scheduled task that runs regasm.exe, the signed Microsoft .NET Assembly Registration Tool, so the persistence entry points at a trusted binary rather than at the malware itself; the loader then performs anti-analysis checks before deploying CloudZ in memory. The Pheno plugin scans for running Phone Link processes and reads the application's local SQLite database to harvest SMS messages and authentication codes. Talos has released detection signatures, IOCs, and Snort rules but has not attributed the campaign to a known threat actor.

From csoonline.com
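The two host-level behaviours in the summary, regasm.exe started by a scheduled task and a process other than Phone Link reading the Phone Link data store, can be turned into hunting rules over process-creation and file-access telemetry. The following is an added example written for this page, not Talos's signatures or Snort rules. The event shape is a simplified Sysmon-style dictionary, the sample events are constructed, and the Phone Link package folder (`Microsoft.YourPhone_8wekyb3d8bbwe`), its process name (`PhoneExperienceHost.exe`), the database file name and the Task Scheduler parent command-line fragment are assumptions taken from a stock Windows install rather than from the article; verify them on your own fleet before deploying.

```python
"""Hunt for CloudZ/Pheno-style behaviour in process and file telemetry.

Added example for this page, not Talos tooling. Event fields mimic Sysmon
(process_create / file_access) in simplified form; all sample data below is
constructed.
"""
import re
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, str]

# Phone Link is an AppX package; its per-user cache (including the SQLite
# store Pheno reads) lives under this folder in %LOCALAPPDATA%. Package and
# process names are assumptions from a stock Windows install.
PHONE_LINK_PACKAGE_DIR = "\\packages\\microsoft.yourphone_8wekyb3d8bbwe\\"
PHONE_LINK_PROCESS = "phoneexperiencehost.exe"

# Scheduled tasks are started by the Task Scheduler service host, whose
# command line carries this fragment (assumption: svchost -k netsvcs -s Schedule).
TASK_SCHEDULER_MARKER = "-s schedule"

# regasm.exe loading an assembly from anywhere but these roots is unusual.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _path_args(command_line: str) -> List[str]:
    """Return every quoted or bare token that looks like a full .dll/.exe path."""
    tokens = [q or b for q, b in re.findall(r'"([^"]+)"|(\S+)', command_line)]
    return [t.lower() for t in tokens
            if "\\" in t and t.lower().endswith((".dll", ".exe"))]


def regasm_from_task_scheduler(ev: Event) -> bool:
    """Rule 1: regasm.exe launched by a scheduled task.

    regasm.exe is a signed Microsoft binary, so the image alone proves nothing.
    A Task Scheduler parent plus a path outside the trusted roots (the assembly
    argument, or a copied regasm.exe itself) is the combination to alert on.
    """
    if ev.get("type") != "process_create" or _basename(ev["image"]) != "regasm.exe":
        return False
    if TASK_SCHEDULER_MARKER not in ev.get("parent_command_line", "").lower():
        return False
    return any(not p.startswith(TRUSTED_ROOTS) for p in _path_args(ev["command_line"]))


def phone_link_store_touched_by_foreign_process(ev: Event) -> bool:
    """Rule 2: something other than Phone Link opening files in its package dir.

    Expect tuning: backup agents and the search indexer may need an allowlist.
    """
    if ev.get("type") != "file_access":
        return False
    if PHONE_LINK_PACKAGE_DIR not in ev["target"].lower():
        return False
    return _basename(ev["image"]) != PHONE_LINK_PROCESS


RULES = (
    ("regasm_from_task_scheduler", regasm_from_task_scheduler),
    ("phone_link_store_foreign_access", phone_link_store_touched_by_foreign_process),
)


def hunt(events: Iterable[Event]) -> List[Tuple[str, str]]:
    """Return (rule_name, image) for every event that trips a rule."""
    return [(name, ev["image"]) for ev in events for name, rule in RULES if rule(ev)]


# Constructed sample telemetry (not real logs; paths and file names are made up).
SAMPLE_EVENTS: List[Event] = [
    {   # suspicious: regasm.exe from a scheduled task, assembly in a user profile
        "type": "process_create",
        "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
        "command_line": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" "C:\Users\alice\AppData\Roaming\ScreenConnect\update.dll"',
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "parent_command_line": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",
    },
    {   # benign: a developer registering a COM-visible assembly from Visual Studio
        "type": "process_create",
        "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
        "command_line": r'RegAsm.exe "C:\Program Files\Vendor\Interop.dll" /codebase',
        "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
        "parent_command_line": r'"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"',
    },
    {   # benign: Phone Link reading its own cache
        "type": "file_access",
        "image": r"C:\Program Files\WindowsApps\Microsoft.YourPhone_1.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe",
        "target": r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\messages.db",
    },
    {   # suspicious: the dropped loader reading the same store
        "type": "file_access",
        "image": r"C:\Users\alice\AppData\Roaming\ScreenConnect\update.exe",
        "target": r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\messages.db",
    },
]

if __name__ == "__main__":
    for rule, image in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {image}")
```

Rule 1 deliberately requires both the Task Scheduler parent and an untrusted path, because regasm.exe is routinely run by build tooling; rule 2 is the one more likely to need an allowlist, since any backup or indexing agent that walks user profiles will touch the Phone Link package folder.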