
CloudZ RAT plugin targets Windows Phone Link for possible OTP theft

(Credit: PixieMe – stock.adobe.com)

A recent campaign deploying a modular remote access trojan known as CloudZ RAT utilizes a plugin that potentially targets one-time passwords (OTPs) via the Windows Phone Link tool, Cisco Talos reported Tuesday.

Windows Phone Link, formerly known as “Your Phone,” allows users to mirror phone activities such as SMS text messages, phone call notifications and application notifications to their Windows PC via Wi-Fi and Bluetooth. The feature works for both Android phones and Apple iPhones.

CloudZ RAT is a modular RAT that has been active since at least January 2026. The malware is capable of stealing credentials from browser data to exfiltrate to its command-and-control (C2) server and can also install plugins to perform other malicious functions.

The Pheno plugin discovered by Cisco Talos specifically targets Windows Phone Link by identifying and monitoring active PC-to-phone bridge connections and intercepting files from the SQLite database where Phone Link stores notification, SMS and call history.

This could allow for the extraction of sensitive information from text messages and applications, including OTPs.

While the exact initial access vector for CloudZ infections is not known, Cisco Talos found that the execution of a dropper disguised as a ScreenConnect update led to the installation and execution of a .NET loader that ultimately deployed CloudZ.

The .NET loader is disguised as a text file with names including “update.txt” and “msupdate.txt” and is either dropped directly by the dropper or installed from the attacker’s server via a curl command. A Windows scheduled task is created to establish persistence and ultimately execute the loader.

Prior to deploying CloudZ, the loader performs anti-analysis checks including a check for the elapsed time of a sleep command and a comparison between running processes and a hard-coded list of security tools including Wireshark, Fiddler, Procmon and Sysmon.

It also verifies the presence of at least two processor cores and searches for the strings “virtual” and “sandbox” in the system directory path, computer name, user domain and victim username, Cisco Talos said.

The CloudZ RAT is delivered as a .NET executable that is obfuscated using a tool called ConfuserEx. CloudZ also performs its own anti-analysis checks, including by querying the _ENABLE_PROFILING environment variable for signs of a .NET profiler or debugger being attached to the malware’s process.

The RAT decrypts one set of embedded configuration data and retrieves secondary configuration data from external sources, including Pastebin URLs and Cloudflare Workers. The RAT attempts to evade detection by cycling between three different Mozilla/5.0 user-agent strings and utilizing anti-caching headers.

CloudZ can perform various commands received from its C2 server, including shell command execution, browser data exfiltration, screen recording and plugin loading. It uses three different methods to download externally hosted plugins, falling back to subsequent methods if earlier methods fail.

First, it attempts to use the curl utility, then attempts to use the Invoke-WebRequest PowerShell command, then finally attempts to use the Windows “bitsadmin” tool to install the plugin.

The Pheno plugin identifies whether a mobile device is currently synced via Phone Link by scanning running processes for keywords including “YourPhone,” “PhoneExperienceHost” and “Link to Windows.” It logs the process IDs and file paths of matching processes to a file named “phonelink-[COMPUTERNAME].txt” and places these files at C:\programdata\Microsoft\feedback\cm and %TEMP%\Microsoft\feedback\cm.

The plugin then searches these processes for the keyword “proxy” to identify the local proxy connection used by Phone Link to relay traffic between the PC and mobile device, the researchers wrote. Pheno writes the string “Maybe connected” to a file in the staging folders if it detects a proxy.
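As an added defender-side example (not code from the Talos report or from this article), the following Python hunts for the Pheno staging artifacts described above. The folder locations, the “phonelink-[COMPUTERNAME].txt” file name and the “Maybe connected” marker come from the article; the function names and the flat (non-recursive) scan are assumptions.

```python
r"""Hunt for the on-disk staging artifacts the article attributes to the Pheno
plugin: phonelink-<COMPUTERNAME>.txt in C:\programdata\Microsoft\feedback\cm or
%TEMP%\Microsoft\feedback\cm, and any file there holding "Maybe connected".
The folder list is a parameter so the check also runs on a copied triage tree."""
import os
import re
from pathlib import Path

MARKER_TEXT = "Maybe connected"
# File name the plugin reportedly uses for its process log; group 1 is the host
LOG_NAME_RE = re.compile(r"^phonelink-(.+)\.txt$", re.IGNORECASE)

def default_staging_dirs() -> list:
    """Staging folders named in the report, resolved for the current host."""
    temp = os.environ.get("TEMP", "")
    return [
        Path(r"C:\programdata\Microsoft\feedback\cm"),
        Path(temp) / "Microsoft" / "feedback" / "cm",
    ]

def scan_staging_dir(folder: Path) -> list:
    """Return one finding per suspicious file in `folder` (empty if clean)."""
    findings = []
    if not folder.is_dir():
        return findings
    for path in sorted(folder.iterdir()):
        if not path.is_file():
            continue
        reasons = []
        match = LOG_NAME_RE.match(path.name)
        if match:
            reasons.append(f"Pheno process log for host {match.group(1)}")
        try:
            text = path.read_text(errors="replace")
        except OSError:
            text = ""
        if MARKER_TEXT in text:
            reasons.append("contains the 'Maybe connected' proxy marker")
        if reasons:
            findings.append({"path": str(path), "reasons": reasons})
    return findings

def hunt(dirs=None) -> list:
    """Scan every staging folder (defaults to the reported ones) and aggregate."""
    dirs = default_staging_dirs() if dirs is None else dirs
    return [f for d in dirs for f in scan_staging_dir(Path(d))]

if __name__ == "__main__":
    for finding in hunt():
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

A hit on either artifact is worth correlating with the scheduled task and the “update.txt”/“msupdate.txt” loader names the article describes, since the staging files alone only show that the plugin ran.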
