CloudZ RAT Exploits Windows Phone Link to Steal Credentials and OTPs
Security analysts have uncovered a sophisticated intrusion campaign leveraging the CloudZ remote access trojan (RAT) alongside a previously undocumented plugin called Pheno to target Windows Phone Link, a Microsoft utility that synchronizes mobile devices with PCs. The attack chain begins with a socially engineered lure that drops the RAT, which then installs the Pheno plugin to extend its control and data‑harvesting capabilities. By abusing the trusted communication channel between a smartphone and a Windows host, the adversaries can silently intercept authentication tokens and other sensitive information without raising immediate suspicion.
The Pheno plugin equips CloudZ with the ability to capture credentials entered through the phone’s linked interface, including one‑time passwords (OTPs) delivered via SMS or authenticator apps. It also exfiltrates contact lists, call logs, and device identifiers, providing the threat actors with a comprehensive profile of the victim’s digital life. Researchers note that the plugin communicates with its command‑and‑control (C2) server over encrypted channels, using steganographic techniques to embed instructions within image files, which helps evade conventional network monitoring. The RAT’s persistence mechanisms include registry run keys and scheduled tasks that ensure its execution even after system reboots.
Organizations that rely on Windows Phone Link for mobile‑PC integration are advised to audit recent installations of the utility and monitor for suspicious child processes spawned from its executable. Deploying advanced endpoint detection and response (EDR) solutions that can flag unusual API calls, such as those used by the Pheno plugin to access credential stores, will strengthen defenses. Additionally, enforcing multi‑factor authentication (MFA) across all accounts and using hardware‑based security keys can mitigate the risk posed by intercepted OTPs. Indicators of compromise (IOCs) such as specific file hashes, C2 domains, and registry modifications have been shared with the broader community to facilitate hunting and remediation.
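To make the hunting guidance above concrete, here is an added example (not code from the article or from the researchers) of two simple checks run over constructed log exports: child processes of the Phone Link host that are script interpreters or living-off-the-land binaries, and Run-key entries whose target lives in a user-writable directory. It assumes Phone Link runs as PhoneExperienceHost.exe, a process name the article does not give, and a tab-separated export format of my own.

```python
import re

PHONE_LINK_EXE = "phoneexperiencehost.exe"  # assumed host process name (not named in the article)
# Interpreters and living-off-the-land binaries a sync utility has no reason to launch.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Run-key targets under user-writable locations deserve a closer look.
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)

# Constructed process-creation events (assumed export): time, parent image, child image, command line.
PROC_EVENTS = """\
10:01:02\tC:\\Windows\\explorer.exe\tC:\\Program Files\\WindowsApps\\PhoneExperienceHost.exe\tPhoneExperienceHost.exe
10:01:09\tC:\\Program Files\\WindowsApps\\PhoneExperienceHost.exe\tC:\\Windows\\System32\\conhost.exe\tconhost.exe
10:03:41\tC:\\Program Files\\WindowsApps\\PhoneExperienceHost.exe\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell -NoProfile -w hidden
"""
# Constructed Run-key export (assumed format): key, value name, data.
RUN_KEYS = """\
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tOneDrive\tC:\\Program Files\\Microsoft OneDrive\\OneDrive.exe
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\tPhoneLinkSync\tC:\\Users\\alice\\AppData\\Roaming\\sync\\svc.exe
"""

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def suspicious_phone_link_children(events):
    """Return (time, child, cmdline) for risky children of the Phone Link host process."""
    hits = []
    for line in events.splitlines():
        time, parent, child, cmdline = line.split("\t")
        if basename(parent) == PHONE_LINK_EXE and basename(child) in SUSPICIOUS_CHILDREN:
            hits.append((time, basename(child), cmdline))
    return hits

def suspicious_run_keys(export):
    """Return (value name, data) for Run entries whose target lives in a user-writable path."""
    return [(name, data)
            for key, name, data in (line.split("\t") for line in export.splitlines())
            if USER_WRITABLE.search(data)]

if __name__ == "__main__":
    for hit in suspicious_phone_link_children(PROC_EVENTS):
        print("suspicious Phone Link child:", hit)
    for hit in suspicious_run_keys(RUN_KEYS):
        print("suspicious Run key:", hit)
```

Tune the allowlist and path patterns to your own baseline of what Phone Link normally spawns before using these on real exports.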
The emergence of CloudZ RAT with a purpose‑built plugin underscores the evolving tactics of APT groups targeting mobile‑PC ecosystems. This case illustrates how legitimate synchronization tools can be weaponized to bypass traditional security perimeters and harvest high‑value authentication material. Continuous threat intelligence sharing and proactive monitoring of mobile‑linked endpoints are essential to detect such nuanced attacks before they result in data loss or lateral movement within an enterprise network.